HDF System

Describes a system's authorization boundary, components, and interconnections. Maps to OSCAL SSP system-characteristics and FedRAMP system inventory.

Version	v3.1.0
$id	https://mitre.github.io/hdf-libs/schemas/hdf-system/v3.1.0
Download	hdf-system.schema.json

Properties

Field	Type	Required	Description
systemId	string (uuid)	no	Stable UUID (RFC 4122) for this system. Enables cross-document correlation independent of file location. Optional in casual use, expected in production documents.
owner	Identity	no	Team or individual responsible for this system's authorization and compliance. Maps to OSCAL responsible-party with role 'system-owner'.
name	string	yes	Human-readable system name. Example: 'Enterprise Portal Production'.
identifier	string	no	System identifier from an authoritative source. Example: eMASS system ID, FedRAMP package ID.
identifierScheme	string (uri-reference)	no	URI identifying the scheme of the system identifier. Example: 'https://emass.mil', 'https://fedramp.gov'.
description	string	no	Description of the system's purpose and mission.
authorizationStatus	Authorization_Status	no	Current Authorization to Operate (ATO) status.
authorizationDate	string (date-time)	no	Date the current authorization status was granted. ISO 8601 format.
categorizationLevel	Categorization_Level	no	FIPS 199 security categorization (impact level).
boundaryDescription	string	no	Description of the system's authorization boundary. Example: network CIDR blocks, cloud VPC IDs, physical locations.
components	Component[]	yes	System components within the authorization boundary. Uses the full polymorphic Component type with stable identity (componentId), external references, and SBOM support.
controlDesignations	Control_Designation[]	no	Declares which controls are common, hybrid, or system-specific, and which component provides them. Maps to NIST SP 800-53 control designations and OSCAL leveraged-authorizations.
dataFlows	Data_Flow[]	no	Inter-component data flows describing how components communicate. Supports local, cross-system, and external flows. Replaces the interconnections[] field.
labels	Map<string, string>	no	Optional key-value labels for grouping and querying systems.
integrity	Integrity	no	Cryptographic integrity information for verifying this system document has not been tampered with.
version	string	no	Version of this system document.
generator	Generator	no	Information about the tool that generated this system document.

Example

{
  "name": "Enterprise Portal Production",
  "identifier": "SYS-2024-00142",
  "identifierScheme": "https://emass.mil",
  "authorizationStatus": "authorized",
  "authorizationDate": "2025-06-15T00:00:00Z",
  "categorizationLevel": "moderate",
  "boundaryDescription": "All resources in prod VPC (10.0.0.0/16)",
  "components": [
    {
      "name": "WebTier",
      "type": "application",
      "componentId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "description": "RHEL 9 web servers running the portal",
      "baselineRefs": [
        "RHEL9-STIG",
        "DISA-Container-STIG"
      ],
      "sbomRef": "https://artifacts.agency.gov/sbom/webtier-2026-03.cdx.json",
      "sbomFormat": "cyclonedx"
    },
    {
      "name": "DatabaseTier",
      "type": "database",
      "componentId": "11111111-2222-3333-4444-555555555555",
      "baselineRefs": [
        "PostgreSQL-15-STIG"
      ]
    }
  ],
  "dataFlows": [
    {
      "from": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "to": "11111111-2222-3333-4444-555555555555",
      "protocol": "jdbc",
      "port": 5432,
      "direction": "unidirectional",
      "description": "Web tier connects to database"
    }
  ]
}

Embedded Primitives

These types are embedded from shared primitive schemas.

amendments/v3.1.0

Override_Type

The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk.

Impact_Override

An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.

Field	Type	Required	Description
value	number	yes	The overridden impact score (0.0–1.0).

Standalone_Override

A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.

Field	Type	Required	Description
type	Override_Type	yes	The type of amendment.
requirementId	string	yes	The ID of the requirement being amended. Must match a requirement ID in the referenced baseline.
baselineRef	string	no	Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs.
status	Result_Status	no	The new status this amendment sets. Optional when only impact is being overridden.
impact	Impact_Override	no	Override to the requirement's impact score. At least one of status or impact must be set.
reason	string	yes	Justification for this amendment.
appliedBy	Identity	yes	Identity of who applied this amendment.
appliedAt	string (date-time)	yes	When this amendment was applied. ISO 8601 format.
expiresAt	string (date-time)	yes	When this amendment expires and must be reviewed. No permanent amendments. ISO 8601 format.
evidence	Evidence[]	no	Supporting evidence (screenshots, logs, URLs, documents).
signature	Signature	no	Digital signature for non-repudiation.
previousChecksum	Checksum	no	Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment.
milestones	Milestone[]	no	Remediation milestones (primarily for POA&M type amendments).
inheritedFrom	string (uuid)	no	componentId of the local component that provides this control. Set when the provider is in the same system. Omit for external or cross-system providers; the reason field explains the source. Primarily used with type 'inherited'.
componentRef	string (uuid)	no	componentId of the component this amendment is scoped to. When set, the amendment only applies to the specified component. When omitted, the amendment applies system-wide.

Example

{
  "type": "waiver",
  "requirementId": "SV-257777",
  "baselineRef": "RHEL9-STIG",
  "status": "passed",
  "reason": "Compensating control: session timeout set to 15 min",
  "appliedBy": {
    "type": "email",
    "identifier": "ao@agency.gov"
  },
  "appliedAt": "2026-01-15T10:00:00Z",
  "expiresAt": "2026-06-30T00:00:00Z",
  "evidence": [
    {
      "type": "url",
      "data": "https://jira.agency.gov/CYBER-4521",
      "description": "ISSM approval with compensating control documentation"
    }
  ]
}

common/v3.1.0

Hash_Algorithm

Supported cryptographic hash algorithms for checksums and integrity verification.

Requirement_Group

Describes a group of requirements, such as those defined in a single file.

Field	Type	Required	Description
id	string	yes	The unique identifier for the group. Example: the relative path to the file specifying the requirements.
title	string	no	The title of the group - should be human readable.
requirements	string[]	yes	The set of requirements as specified by their ids in this group. Example: 'SV-238196'.

Dependency

A dependency for a baseline. Can include relative paths or URLs for where to find the dependency.

Field	Type	Required	Description
name	string	no	The name or assigned alias.
url	string (uri-reference)	no	The address of the dependency.
branch	string	no	The branch name for a git repo.
path	string	no	The relative path if the dependency is locally available.
statusMessage	string	no	The reason for the status if it is 'failed' or 'skipped'.
status	string	no	The status. Should be: 'loaded', 'failed', or 'skipped'.
git	string (uri)	no	The location of the git repo. Example: 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'.
supermarket	string	no	The 'user/profilename' attribute for a Supermarket server.
compliance	string	no	The 'user/profilename' attribute for an Automate server.

Example

{
  "name": "ubuntu-22.04-baseline",
  "url": "https://github.com/my-org/ubuntu-22.04-stig-baseline",
  "git": "https://github.com/my-org/ubuntu-22.04-stig-baseline.git",
  "branch": "main",
  "status": "loaded"
}

Reference

A reference to an external document.

Source_Location

The explicit location of a requirement within source code.

Field	Type	Required	Description
ref	string	no	Path to the file that this requirement originates from.
line	number	no	The line on which this requirement is located.

Example

{
  "ref": "controls/SV-260476.rb",
  "line": 1
}

Supported_Platform

A supported platform target. Example: the platform name being 'ubuntu'.

Field	Type	Required	Description
platformFamily	string	no	The platform family. Example: 'redhat'.
platformName	string	no	The platform name - can include wildcards. Example: 'debian'.
platform	string	no	The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'.
release	string	no	The release of the platform. Example: '20.04' for 'ubuntu'.

Checksum

Cryptographic checksum for baseline integrity verification.

Field	Type	Required	Description
algorithm	Hash_Algorithm	yes	The hash algorithm used for the checksum.
value	string	yes	The checksum value.

Example

{
  "algorithm": "sha256",
  "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}

Identity

Represents an identity that performed an action, such as capturing evidence or applying an override.

Field	Type	Required	Description
identifier	string	yes	The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
type	"email" | "username" | "system" | "simple" | "other"	yes	The type of identifier. Use 'email' for email addresses, 'username' for user accounts, 'system' for automated systems, 'simple' for basic string identifiers without additional classification, or 'other' for custom identity systems.
description	string	no	Optional description of the identity or identity system, particularly useful when type is 'other'.

Example

{
  "type": "email",
  "identifier": "admin@example.com"
}

Evidence

Supporting evidence for a finding or override, such as screenshots, code samples, log excerpts, or URLs.

Field	Type	Required	Description
type	"screenshot" | "code" | "log" | "url" | "file" | "other"	yes	The type of evidence being provided.
data	string	yes	The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs: the raw text. For URLs: the URL string.
description	string	no	Human-readable description of what this evidence shows.
mimeType	string	no	MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'.
encoding	string	no	Encoding used for the data. Example: 'base64', 'utf-8'.
size	number	no	Size of the evidence data in bytes.
capturedAt	string (date-time)	no	Timestamp when this evidence was captured. ISO 8601 format.
capturedBy	Identity	no	Identity of who or what captured this evidence.

Example

{
  "type": "screenshot",
  "data": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
  "description": "Screenshot showing firewall configuration with required ports blocked",
  "mimeType": "image/png",
  "encoding": "base64",
  "size": 95,
  "capturedAt": "2025-12-14T10:30:00Z",
  "capturedBy": {
    "identifier": "security-auditor@example.com",
    "type": "email"
  }
}

Remediation

Reference to automated remediation resources for implementing security controls. Points to external automation content like Ansible playbooks, Terraform scripts, or vendor-provided remediation tools.

Field	Type	Required	Description
uri	string (uri)	yes	URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts, etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content, vendor-provided scripts.
checksum	Checksum	no	Optional cryptographic checksum for verifying the integrity of remediation resources fetched from the URI. Recommended for security when referencing external automation scripts.

Example

{
  "uri": "https://github.com/ansible-lockdown/RHEL9-STIG/tree/main/tasks"
}

Verification_Method

Verification method containing the public key needed to verify a digital signature. Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.

Field	Type	Required	Description
type	string	yes	The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018', 'Ed25519VerificationKey2020'.
controller	string	yes	The entity that controls this verification method. Can be a DID, URI, or other identifier.
publicKeyJwk	Map<string, any>	no	Public key in JSON Web Key format.
publicKeyPem	string	no	Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----'.
publicKeyBase58	string	no	Public key in Base58 format, commonly used with Ed25519 keys.

Milestone

A milestone or task within a POA&M remediation plan.

Field	Type	Required	Description
description	string	yes	Description of this milestone or task.
estimatedCompletion	string (date-time)	yes	Estimated completion date. ISO 8601 format.
status	"pending" | "inProgress" | "completed"	yes	Current status of this milestone.
completedAt	string (date-time)	no	Actual completion timestamp. ISO 8601 format.
completedBy	Identity	no	Identity of who completed this milestone.

Signature

A digital signature following W3C Data Integrity Proofs pattern. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic signing methods via JWK, PEM, or Base58 key formats.

Field	Type	Required	Description
type	string	yes	The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018', 'Ed25519Signature2020'.
created	string (date-time)	yes	When the signature was created. ISO 8601 format.
creator	Identity	yes	The identity that created this signature.
signatureValue	string	yes	The base64-encoded or base58-encoded signature value.
proofPurpose	string	yes	The purpose of this signature. Example: 'attestation', 'authentication', 'assertionMethod'.
verificationMethod	Verification_Method	yes	The verification method containing the public key for signature verification.
nonce	string	no	Random value to prevent replay attacks.
challenge	string	no	Challenge value from the verifier, used in challenge-response authentication.
domain	string	no	Domain restriction for the signature, prevents cross-domain replay attacks.

Example

{
  "type": "JsonWebSignature2020",
  "created": "2025-12-14T10:00:00Z",
  "creator": {
    "identifier": "security-team@example.com",
    "type": "email"
  },
  "signatureValue": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEYCIQDvKbtLRhWAa",
  "proofPurpose": "attestation",
  "verificationMethod": {
    "type": "JsonWebKey2020",
    "controller": "did:example:123456789abcdefghi",
    "publicKeyJwk": {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV",
      "e": "AQAB"
    }
  }
}

Baseline_Metadata

Shared metadata fields for baselines. Used in both standalone baseline documents and evaluated baseline results.

Field	Type	Required	Description
name	string	no	The name - must be unique.
title	string	no	The title - should be human readable.
maintainer	string	no	The maintainer(s).
copyright	string	no	The copyright holder(s).
copyrightEmail	string	no	The email address or other contact information of the copyright holder(s).
license	string	no	The copyright license. Example: 'Apache-2.0'.
summary	string	no	The summary. Example: the Security Technical Implementation Guide (STIG) header.
version	string	no	The version of the baseline.
supports	Supported_Platform[]	no	The set of supported platform targets.
status	string	no	The status. Example: 'loaded'.
labels	Map<string, string>	no	Optional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings.

Example

{
  "name": "rhel-9-stig-baseline",
  "title": "Red Hat Enterprise Linux 9 STIG Baseline",
  "maintainer": "MITRE SAF Team",
  "copyright": "The MITRE Corporation",
  "copyrightEmail": "saf@mitre.org",
  "license": "Apache-2.0",
  "summary": "InSpec baseline for RHEL 9 STIG compliance",
  "version": "1.0.0",
  "supports": [
    {
      "platformName": "redhat",
      "platformFamily": "redhat",
      "release": "9"
    }
  ],
  "status": "loaded"
}

Requirement_Core

Core requirement fields shared between baseline requirements and evaluated requirements. Contains the fundamental requirement definition without assessment results.

Field	Type	Required	Description
id	string	no	The requirement identifier. Example: 'SV-238196'.
title	string	no	The title - is nullable.
descriptions	object[]	no	Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'.
impact	number	no	The impactfulness or severity (0.0 to 1.0).
refs	Reference[]	no	The set of references to external documents.
tags	Map<string, any>	no	A set of tags - usually metadata like CCI, STIG ID, severity.
code	string	no	The raw source code of the requirement. Set to null for manual-only requirements or requirements not yet implemented. Note that if this is an overlay, it does not include the underlying source code.
sourceLocation	Source_Location	no	The explicit location of the requirement within the source code.

Example

{
  "id": "SV-238196",
  "title": "The Ubuntu operating system must enforce password complexity",
  "impact": 0.5,
  "tags": {
    "nist": [
      "IA-5"
    ],
    "severity": "medium",
    "cci": [
      "CCI-000192"
    ]
  },
  "refs": [
    {
      "url": "https://public.cyber.mil/stigs/"
    }
  ],
  "descriptions": [
    {
      "label": "default",
      "data": "Use of a complex password helps to increase the time and resources required to compromise the password."
    },
    {
      "label": "check",
      "data": "Verify the value of 'minlen' in /etc/security/pwquality.conf."
    }
  ]
}

Severity

Severity rating for a requirement. Typically derived from the numeric impact score.

Cloud_Provider

Cloud service provider identifier.

component/v3.1.0

Base_Component

Base properties shared by all component types. Extends the Target concept with stable identity, external references, and SBOM embedding.

Field	Type	Required	Description
type	string	yes	Component type discriminator. Same values as Target types.
name	string	yes	Human-readable name for this component.
componentId	string (uuid)	no	Stable UUID (RFC 4122) for this component. Required in hdf-system documents, optional in hdf-results. Enables cross-document correlation, diffing, and data flow references.
description	string	no	Description of this component's role or purpose.
owner	Identity	no	Team or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system.
externalIds	Map<string, string>	no	Map of external identifier scheme to value. Well-known schemes: aws (instance ID), azure (resource ID), cmdb (asset ID), emass (system ID), cve (CVE ID). Custom schemes are allowed.
labels	Map<string, string>	no	Optional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings.
sbom	any	no	Embedded CycloneDX or SPDX SBOM document representing this component's software inventory. The sbomFormat field determines which format constraints apply.
sbomRef	string (uri-reference)	no	URI reference to an external CycloneDX or SPDX SBOM document for this component. May be a relative path, absolute URI, or fragment identifier.
sbomFormat	"cyclonedx" | "spdx"	no	Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
baselineRefs	string[]	no	Names of baselines that apply to this component.
inputOverrides	Input_Override[]	no	System-specific overrides for baseline input values.
targetSelector	Target_Selector	no	Label selector to match targets belonging to this component during migration. Targets with matching labels are automatically included.

Component

A system component. Uses discriminated union pattern with 'type' field as discriminator. Superset of Target with identity, external IDs, and SBOM support.

Host_Component

A physical or virtual server, workstation, or network device.

Field	Type	Required	Description
type	"host"	no
fqdn	string (hostname)	no	Fully qualified domain name.
ipAddress	string (ipv4) | string (ipv6)	no	IP address of the host.
macAddress	string	no	MAC address in colon-separated hexadecimal format.
osName	string	no	Operating system name.
osVersion	string	no	Operating system version.

Example

{
  "type": "host",
  "name": "web-server-prod-01",
  "componentId": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
  "fqdn": "web01.prod.example.com",
  "ipAddress": "10.0.1.50",
  "osName": "Ubuntu",
  "osVersion": "22.04 LTS",
  "externalIds": {
    "cmdb": "ASSET-12345",
    "aws": "i-0abc123def456789"
  }
}

Container_Image_Component

A static container image (not running).

Field	Type	Required	Description
type	"containerImage"	no
imageId	string	no	Container image ID.
registry	string	no	Container registry. Example: 'docker.io'.
repository	string	no	Repository name. Example: 'library/nginx'.
tag	string	no	Image tag. Example: '1.25'.
digest	string	no	Image digest for immutable reference.

Container_Instance_Component

A running container instance.

Field	Type	Required	Description
type	"containerInstance"	no
containerId	string	no	Running container ID.
image	string	no	Image the container was started from.
runtime	string	no	Container runtime. Example: 'docker', 'containerd', 'cri-o'.

Container_Platform_Component

A container orchestration platform (Kubernetes, OpenShift, ECS, etc.).

Field	Type	Required	Description
type	"containerPlatform"	no
platformType	string	no	Platform type. Example: 'kubernetes', 'openshift', 'ecs', 'docker-swarm'.
clusterName	string	no	Cluster name.
namespace	string	no	Namespace within the cluster, if applicable.
version	string	no	Platform version.

Cloud_Account_Component

A cloud provider account (AWS account, Azure subscription, GCP project).

Field	Type	Required	Description
type	"cloudAccount"	no
provider	Cloud_Provider	no	Cloud provider.
accountId	string	no	Cloud account identifier.
region	string	no	Cloud region, if applicable.

Example

{
  "type": "cloudAccount",
  "name": "Production AWS Account",
  "componentId": "f1e2d3c4-b5a6-4978-8069-1a2b3c4d5e6f",
  "provider": "aws",
  "accountId": "123456789012",
  "region": "us-east-1"
}

Cloud_Resource_Component

A specific cloud resource (EC2 instance, S3 bucket, Azure VM, etc.).

Field	Type	Required	Description
type	"cloudResource"	no
provider	Cloud_Provider	no	Cloud provider.
resourceType	string	no	Type of cloud resource. Example: 'ec2:instance', 's3:bucket'.
resourceId	string	no	Provider-specific resource identifier.
arn	string	no	Amazon Resource Name (AWS only).
region	string	no	Cloud region where the resource resides.

Repository_Component

A code repository (for SAST tools).

Field	Type	Required	Description
type	"repository"	no
url	string (uri)	no	Repository URL.
branch	string	no	Branch that was scanned.
commit	string	no	Commit SHA that was scanned.

Application_Component

A running application or API (for DAST tools).

Field	Type	Required	Description
type	"application"	no
url	string (uri)	no	Application URL (for DAST tools).
version	string	no	Application version.
environment	string	no	Environment. Example: 'production', 'staging', 'development'.

Artifact_Component

A software artifact or dependency (for SCA tools).

Field	Type	Required	Description
type	"artifact"	no
packageManager	string	no	Package manager. Example: 'npm', 'maven', 'pip', 'nuget'.
packageName	string	no	Package name.
version	string	no	Package version.
checksum	string	no	Package checksum for verification.

Network_Component

A network segment or network device.

Field	Type	Required	Description
type	"network"	no
cidr	string	no	Network CIDR block.
gateway	string	no	Network gateway address.

Database_Component

A database instance.

Field	Type	Required	Description
type	"database"	no
engine	string	no	Database engine. Example: 'postgresql', 'mysql', 'oracle', 'mssql'.
version	string	no	Database version.
host	string	no	Database host.
port	integer	no	Database port.

data-flow/v3.1.0

Cross_System_Reference

Reference to a component in a different system document, enabling cross-boundary data flow modeling.

Field	Type	Required	Description
systemRef	string (uri-reference)	yes	URI reference to the hdf-system document containing the target component. May be a relative path, absolute URI, or fragment identifier.
componentId	string (uuid)	yes	UUID of the component in the referenced system.

External_Endpoint

An endpoint outside all modeled systems (e.g., a third-party API, public internet, or partner system not represented in HDF).

Field	Type	Required	Description
external	"true"	yes	Must be true. Discriminator indicating this endpoint is outside all modeled systems.
description	string	yes	Human-readable description of the external endpoint. Example: 'Third-party payment gateway (Stripe API)'.

Data_Flow_Endpoint

A data flow endpoint: either a local component (UUID), a component in another system (cross-system reference), or an external endpoint outside all modeled systems.

Data_Flow

A data flow between two endpoints. The 'from' endpoint is always a local component; the 'to' endpoint can be local, cross-system, or external. Use 'direction' to indicate whether data flows one-way or both ways.

Field	Type	Required	Description
from	string (uuid)	yes	UUID of the local component that is one end of this data flow. Always references a component in the current system document.
to	Data_Flow_Endpoint	yes	The other end of this data flow. Can be a local component (UUID), a cross-system component reference, or an external endpoint.
protocol	string	no	Communication protocol. Examples: 'http', 'https', 'grpc', 'ssh', 'jdbc', 'k8s-api', 'socket', 'sftp'.
port	integer	no	Network port number.
direction	"unidirectional" | "bidirectional"	no	Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional' means data flows in both directions (e.g., request/response).
description	string	no	Human-readable description of this data flow's purpose and the data exchanged.
authentication	string	no	Authentication mechanism used for this connection. Examples: 'mTLS', 'OAuth2', 'API key', 'SAML', 'Kerberos'.

Example

{
  "from": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "to": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "protocol": "https",
  "port": 443,
  "direction": "bidirectional",
  "description": "REST API calls from WebTier to API Gateway",
  "authentication": "mTLS"
}

extensions/v3.1.0

Status_Override

An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.

Field	Type	Required	Description
type	Override_Type	yes	The type of override applied to this requirement.
status	Result_Status	no	The new status this override sets for the requirement. Optional when only impact is being overridden.
impact	Impact_Override	no	Override to the requirement's impact score. At least one of status or impact must be set.
reason	string	yes	Explanation for why this override was applied.
appliedBy	Identity	yes	Identity of who applied this override. For simple cases, use type 'simple' with just an identifier.
appliedAt	string (date-time)	yes	Timestamp when this override was applied. ISO 8601 format.
expiresAt	string (date-time)	yes	Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format.
signature	Signature	no	Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods.
evidence	Evidence[]	no	Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations.
previousChecksum	Checksum	no	SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement.

Example

{
  "type": "waiver",
  "status": "notApplicable",
  "reason": "This control does not apply to containerized environments as the application runs in ephemeral containers without persistent storage",
  "appliedBy": {
    "identifier": "security-team@example.com",
    "type": "email"
  },
  "appliedAt": "2025-12-01T10:00:00Z",
  "expiresAt": "2026-12-01T00:00:00Z"
}

POAM

Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change the effectiveStatus - the requirement remains in its current state while the POA&M tracks remediation efforts.

Field	Type	Required	Description
type	"remediation" | "mitigation" | "riskAcceptance" | "vendorDependency"	yes	The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
explanation	string	yes	Detailed explanation of the plan, including what actions will be taken.
appliedBy	Identity	yes	Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier.
appliedAt	string (date-time)	yes	Timestamp when this POA&M was created. ISO 8601 format.
expiresAt	string (date-time)	no	Optional expiration date for this POA&M requiring review/renewal. ISO 8601 format.
milestones	Milestone[]	no	Optional array of milestones tracking progress toward completion.
signature	Signature	no	Optional digital signature for enhanced trust and non-repudiation.
evidence	Evidence[]	no	Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation.
previousChecksum	Checksum	no	SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement.

Example

{
  "type": "remediation",
  "explanation": "Upgrade OpenSSL to version 3.0.x to address CVE-2024-XXXXX vulnerability. Root cause: outdated dependency version in base image.",
  "appliedBy": {
    "identifier": "devops-team@example.com",
    "type": "email"
  },
  "appliedAt": "2025-12-01T09:00:00Z",
  "milestones": [
    {
      "description": "Update base Docker image to use OpenSSL 3.0.x",
      "estimatedCompletion": "2025-12-15T00:00:00Z",
      "status": "completed",
      "completedAt": "2025-12-10T16:30:00Z",
      "completedBy": {
        "identifier": "alice.smith",
        "type": "username"
      }
    },
    {
      "description": "Deploy updated image to production",
      "estimatedCompletion": "2025-12-20T00:00:00Z",
      "status": "inProgress"
    },
    {
      "description": "Verify vulnerability no longer present via security scan",
      "estimatedCompletion": "2025-12-22T00:00:00Z",
      "status": "pending"
    }
  ]
}

Generator

Information about the tool that generated this HDF file.

Field	Type	Required	Description
name	string	yes	The name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
version	string	yes	The version of the tool. Example: '5.22.3'.

Tool

The security tool that produced the assessment data represented in this HDF file. Aligns with SARIF, OSCAL, and CycloneDX terminology.

Field	Type	Required	Description
name	string	no	The name of the security tool that produced the data. Examples: 'gosec', 'Semgrep', 'OpenSCAP', 'AWS Config', 'Nessus'. Omit if the tool cannot be identified.
version	string	no	Version of the source tool, if available in the tool's output. Example: '5.22.3'.
format	string	no	The file format, if it is a recognized named format shared by multiple tools. Examples: 'SARIF', 'XCCDF'. Omit for tool-specific formats where the tool name already implies the format (Nessus XML, gosec JSON).

Integrity

Cryptographic integrity information for verifying the HDF file has not been tampered with. If algorithm is provided, checksum must also be provided, and vice versa.

Field	Type	Required	Description
algorithm	Hash_Algorithm	no	The hash algorithm used for the checksum.
checksum	string	no	The checksum value.
signature	string	no	Optional cryptographic signature.
signedBy	string	no	Identifier of who signed this file.

Example

{
  "algorithm": "sha256",
  "checksum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}

result/v3.1.0

Result_Status

The status of an individual test result. 'notApplicable' indicates the requirement does not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g., requires manual verification).

Requirement_Result

A test within a requirement and its results and findings such as how long it took to run.

Field	Type	Required	Description
status	Result_Status	yes	The status of this test within the requirement. Example: 'failed'.
codeDesc	string	yes	A description of this test. Example: 'limits.conf * is expected to include ["hard", "maxlogins", "10"]'.
runTime	number	no	The execution time in seconds for the test.
startTime	string (date-time)	yes	The time at which the test started.
resource	string	no	The resource used in the test. Example: 'file', 'command', 'service'.
resourceId	string	no	The unique identifier of the resource. Example: '/etc/passwd'.
message	string	no	An explanation of the test result. Typically provided for failed tests, errors, or to explain why a test was not applicable or not reviewed.
exception	string	no	The type of exception if an exception was thrown.
backtrace	string[]	no	The stacktrace/backtrace of the exception if one occurred.

Example

{
  "status": "passed",
  "codeDesc": "File /etc/ssh/sshd_config content is expected to match /Protocol\\s+2/",
  "startTime": "2025-06-15T10:30:00Z",
  "runTime": 0.015
}

Requirement_Description

A labeled description for a requirement, such as fix text or check instructions.

Field	Type	Required	Description
label	string	yes	The type of description. Examples: 'fix', 'check', 'rationale'.
data	string	yes	The text of the description.

Example

{
  "label": "default",
  "data": "Verify the SSH daemon is configured to only use FIPS-validated key exchange algorithms."
}

system/v3.1.0

Authorization_Status

Authorization to Operate (ATO) status for the system.

Categorization_Level

FIPS 199 security categorization level (impact level).

Input_Override

An override of a baseline input value for a specific component. Enables system-specific tailoring of baseline parameters.

Field	Type	Required	Description
baselineRef	string	no	Name of the baseline this override applies to. If omitted, applies to all baselines that define this input.
inputName	string	yes	Name of the input being overridden. Must match an Input.name in the referenced baseline.
value	any	yes	The overridden value. Should match the type of the original input.
justification	string	no	Rationale for why this override is needed.
approvedBy	Identity	no	Identity of the person or system that approved this override.

Target_Selector

A label selector that matches targets by label key-value pairs. All specified labels must match (AND logic). Example: { "labels.component": "WebTier" } matches targets with labels.component = "WebTier".

Control_Designation

Declares a control's designation within a system — whether it is common (provided by another component or system), system-specific (implemented locally), or hybrid (shared responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP by-component provided/inherited semantics.

Field	Type	Required	Description
controlId	string	yes	The control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline requirement's tags.
designation	"common" | "system-specific" | "hybrid"	yes	NIST SP 800-53 control designation. 'common': fully provided by another component or system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid': shared responsibility between provider and inheritor.
providedBy	string (uuid)	no	componentId of a local component that provides this control. Omit when the provider is an external system.
systemRef	string (uri-reference)	no	Reference to another hdf-system document whose component provides this control. Use when the provider is in a different system. Omit when the provider is local.
inheritedBy	string (uuid)[]	no	componentIds that inherit this control. If omitted, all components in the system inherit it.
description	string	yes	Justification for this designation — who provides the control, why it's inherited, and any relevant authorization references.

Example

{
  "controlId": "IA-2",
  "designation": "common",
  "providedBy": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "inheritedBy": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "description": "User identification and authentication provided by Keycloak SSO via SAML 2.0."
}