{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json","$schemaVersion":"0.0.1","$comment":"Draft schema. Not finalized — structure may change.","title":"FedRAMP Common Definitions","description":"Shared type definitions referenced by other FedRAMP schemas.","$defs":{"certificationPackageOverviewUri":{"type":"string","format":"uri","title":"Certification Package Overview","description":"Full URI of the provider's Certification Package Overview document."},"nRating":{"type":"integer","title":"Potential Agency Impact N-Rating","description":"See VER-EVA-EPA or IEC-CSO-EFI for N1–N5 definitions.","enum":[1,2,3,4,5]},"detection":{"type":"object","title":"Detection","required":["detectedAt","detectionSource"],"properties":{"detectedAt":{"type":"string","format":"date-time","title":"Detected At"},"detectionSource":{"type":"string","title":"Detection Source","description":"Tool or activity that identified the vulnerability (e.g., scanner, penetration test, bug bounty)."}}},"painReductionEvent":{"type":"object","title":"PAIN Reduction Event","required":["reducedAt","rating"],"properties":{"reducedAt":{"type":"string","format":"date-time","title":"Reduced At"},"rating":{"$ref":"#/$defs/nRating","title":"Rating After Reduction"}}},"vulnerabilityDetail":{"type":"object","title":"Vulnerability Detail","description":"Required information for a single detected vulnerability per VER-RPT-VDT.","required":["providerTrackingId","detection","vulnerabilityDescription"],"properties":{"providerTrackingId":{"type":"string","title":"Provider Tracking ID","description":"Provider's internally assigned identifier for this vulnerability."},"detection":{"$ref":"#/$defs/detection"},"vulnerabilityDescription":{"type":"string","title":"Vulnerability Description","description":"Description of the vulnerability."},"potentialAgencyImpact":{"type":"string","title":"Potential Agency Impact","description":"Description of the potential impact."},"evaluationCompletedAt":{"type":"string","format":"date-time","title":"Evaluation Completed At","description":"When evaluation was completed. The clock for VER-TFR-MAV runs from this date."},"isInternetReachable":{"type":"boolean","title":"Is Internet-Reachable","description":"IRV classification per VER-EVA-EIR."},"isLikelyExploitable":{"type":"boolean","title":"Is Likely Exploitable","description":"LEV classification per VER-EVA-ELX and VER-EVA-AIA."},"currentRating":{"$ref":"#/$defs/nRating","title":"Current Rating","description":"Currently estimated Potential Agency Impact N-rating."},"projectedNextReduction":{"type":"object","title":"Projected Next Reduction","description":"Next planned mitigation step. Omit if fully mitigated or none planned.","required":["estimatedAt","targetRating"],"properties":{"estimatedAt":{"type":"string","format":"date-time","title":"Estimated At"},"targetRating":{"$ref":"#/$defs/nRating","title":"Target Rating"}}},"overdueStatus":{"type":"object","title":"Overdue Status","description":"See VER-TFR-EVU and VER-TFR-MAV for overdue definitions.","required":["isOverdue"],"properties":{"isOverdue":{"type":"boolean","title":"Is Overdue"},"explanation":{"type":"string","title":"Explanation"}},"if":{"properties":{"isOverdue":{"const":true}}},"then":{"required":["explanation"]}},"supplementaryRiskInformation":{"type":"string","title":"Supplementary Risk Information","description":"Per VER-RPT-VDT field 11 and VER-RPT-NID."},"finalDisposition":{"type":"string","title":"Final Disposition","description":"Omit if still active.","enum":["Fully Mitigated","Partially Mitigated","False Positive"]}}},"acceptedVulnerabilityInfo":{"type":"object","title":"Accepted Vulnerability Info","description":"Required information for a single accepted vulnerability per VER-RPT-AVI.","required":["vulnerabilityDetail","acceptanceRationale"],"properties":{"vulnerabilityDetail":{"$ref":"#/$defs/vulnerabilityDetail"},"acceptanceRationale":{"type":"string","title":"Acceptance Rationale","description":"Explanation of why this is an accepted vulnerability."}}},"reportPeriodDateTime":{"type":"object","title":"Report Period","required":["from","to"],"properties":{"from":{"type":"string","format":"date-time","title":"From"},"to":{"type":"string","format":"date-time","title":"To"}}},"reportPeriodDate":{"type":"object","title":"Report Period","required":["from","to"],"properties":{"from":{"type":"string","format":"date","title":"From"},"to":{"type":"string","format":"date","title":"To"}}}}}