Severity for cnspec controls - what is the best approach when no severity exists?

[scottford-io]

I am adding severity to a number of controls in cnspec-policies and while some controls line up with Benchmarks like CIS, others do not. Anyone have suggestions on how to create a sane default for severity on security controls?