emasser 3.10.0 → 3.22.0

data/lib/emasser/help/approvalCac_post_mapper.md

@@ -6,15 +6,16 @@ Field             Data Type  Details
 -------------------------------------------------------------------------------------------------
 systemId          Integer    [Required] Unique system identifier 
 controlAcronym    String     [Required] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
-complianceStatus  String     [Read-Only] Compliance status of the control.
-currentStageName  String     [Read-Only] Current role.
-currentStage      Integer    [Read-Only] Current step in the Control Approval Chain.
-totalStages       Integer    [Read-Only] Total number of steps in Control Approval Chain.
+
 comments*         String     [Conditional] Comments related to package approval chain. 10,000 Characters.
 
+
 *Comments are not a required field at the first role of the CAC but are required at the second
 role of the CAC. Comments cannot exceed 10,000 characters.
 
+POST requests will only yield successful results if the Security Control is at the first
+stage of the CAC. If the control is not at the first stage, an error will be returned
+
 Example:
 
-bundle exec exe/emasser post cac add --systemId [value] --controlAcronym [value] --comments [value]
+bundle exec exe/emasser post pac add [-s, --systemId] <value> [-a, --controlAcronym] <value> [-c, --comments] <value>

data/lib/emasser/help/approvalPac_post_mapper.md

@@ -10,11 +10,7 @@ workflow      String     [Required] Values include the following: (Assess and Au
 name          String     [Required] Package name. 100 Characters.
 comments      String     [Required] Comments related to package approval chain. 4000 Characters.
 
-currentRole   String     [Read-Only] Current role in active package.
-currentStep   Integer    [Read-Only] Current step in the package Approval Chain.
-totalSteps    Integer    [Read-Only] Total number of steps in Package Approval Chain.
-
 
 Example:
 
-bundle exec exe/emasser post pac add --systemId [value] --workflow [value] --name [value] --comments [value]
+bundle exec exe/emasser post pac add [-s, --systemId] <value> [-f, --workflow] <value> [-n, --name] <value> [-c --comments] <value>

data/lib/emasser/help/artifacts_del_mapper.md

@@ -4,6 +4,6 @@ Provide single file or a space/comma delimited list of file names to be removed
 
 Example:
 
-bundle exec exe/emasser delete artifacts remove --systemId [value] --files [value] 
+bundle exec exe/emasser delete artifacts remove [-s, --systemId] <value> [-f, --files] <value> 
 or
-bundle exec exe/emasser delete artifacts remove --systemId [value] --files [value ... value] 
+bundle exec exe/emasser delete artifacts remove [-s, --systemId] <value> [-f, --files] <value ... value>

data/lib/emasser/help/artifacts_post_mapper.md

@@ -3,57 +3,46 @@ Endpoint request parameters/fields
 Field                   Data Type  Details
 -------------------------------------------------------------------------------------------------
 systemId                Integer    [Required] Unique eMASS identifier. Will need to provide correct number.
+files*                  String     [Required] Artifact file(s) to post to the given system
 isTemplate              Boolean    [Required] Indicates whether an artifact is a template.
-type*                   String     [Required] Values include the following: (Procedure, Diagram, Policy, Labor,
+type**                  String     [Required] Values include the following: (Procedure, Diagram, Policy, Labor,
                                               Document, Image, Other, Scan Result, Auditor Report)
-category*               String     [Required] Values include the following: (Implementation Guidance, Evidence)
-files                   String     [Required] File names (to include path) to be uploaded into eMASS as artifacts
+category**              String     [Required] Values include the following: (Implementation Guidance, Evidence)
 
-description             String     [Optional] Artifact description. 2000 Characters.
-refPageNumber           String     [Optional] Artifact reference page number. 50 Characters.
-ccis                    String     [Optional] CCIs associated with artifact.
-controls                String     [Optional] Control acronym associated with the artifact. NIST SP 800-53 Revision 4 defined.
-artifactExpirationDate  Date       [Optional] Date Artifact expires and requires review. In Unix Date Format
-lastReviewedDate        Date       [Optional] Date Artifact was last reviewed. In Unix Date Format
 
-isInherited             Boolean    [Read-Only] Indicates whether an artifact is inherited.
-mimeContentType         String     [Read-Only] Standard MIME content type derived from file extension.
-fileSize                String     [Read-Only] File size of attached artifact.
+isBulk                  Boolean    [Optional] If no value is specified, the default is false, and an individual
+                                              artifact file is expected. When set to true, a .zip file is expected
+                                              which can contain multiple artifact files.
 
-* May also accept custom artifact type or category values set by system administrators.
+\* The CLI accepts a single (can be a zip file) or multiple files were the CLI archives them into a zip file.
 
-The request body of a POST request through the Artifact Endpoint accepts a single binary file with file extension.zip only.
+** May also accept custom artifact type or category values set by system administrators.
 
-This accepted .zip file should contain one or more files corresponding to existing artifacts or new artifacts that will be created upon successful receipt.
+The body of a request through the Artifacts POST endpoint accepts a single binary file.
+Two Artifact POST methods are currently accepted: individual and bulk.
 
-Filename uniqueness throughout eMASS will be enforced by the API.
+Filename uniqueness within an eMASS system will be enforced by the API for both methods.
 
-Upon successful receipt of a file, if a file within the .zip is matched via filename to an artifact existing within the application, the file associated with the artifact will be updated.
+For POST requests that should result in a single artifact, the request should include the file.
 
-If no artifact is matched via filename to the application, a new artifact will be created with the following default values. Any values not specified below will be blank.
+For POST requests that should result in the creation of many artifacts, the request should include
+a single file with the extension ".zip" only and the parameter isBulk should be set to true.
+This .zip file should contain one or more files corresponding to existing artifacts or new
+artifacts that will be created upon successful receipt.
+
+Upon successful receipt of one or many artifacts, if a file is matched via filename to an artifact
+existing within the application, the file associated with the artifact will be updated.
+
+If no artifact is matched via filename to the application, a new artifact will be created with
+the following default values. Any values not specified below will be null.
   - isTemplate: false
   - type: other
   - category: evidence
 
 To update values other than the file itself, please submit a PUT request.
 
-Business Rules
-- Artifact cannot be saved if the file does not have the following file extensions:
-  - .docx,.doc,.txt,.rtf,.xfdl,.xml,.mht,.mhtml,.html,.htm,.pdf
-  - .mdb,.accdb,.ppt,.pptx,.xls,.xlsx,.csv,.log
-  - .jpeg,.jpg,.tiff,.bmp,.tif,.png,.gif
-  - .zip,.rar,.msg,.vsd,.vsw,.vdx, .z{#}, .ckl,.avi,.vsdx
-- Artifact cannot be saved if File Name (fileName) exceeds 1,000 characters
-- Artifact cannot be saved if Description (description) exceeds 2,000 characters
-- Artifact cannot be saved if Reference Page Number (refPageNumber) exceeds 50 characters
-- Artifact cannot be saved if the file does not have an allowable file extension/type.
-- Artifact version cannot be saved if an Artifact with the same file name already exist in the system.
-- Artifact cannot be saved if the file size exceeds 30MB.
-- Artifact cannot be saved if the Last Review Date is set in the future.
-
-
 Example:
 
-bundle exec exe/emasser post artifacts upload --systemId [value] [--isTemplate or --no-isTemplate] --type [value] --category [value] --files[value...value]
+bundle exec exe/emasser post artifacts upload [-s, --systemId] <value> [-f, --files] <value...value> [-B, --isBulk or --no-isBulk] -[-T, --isTemplate or --no-isTemplate] [-t, --type] <value> [-c, --category] <value>
 
 Note: The example does not list any optional fields

data/lib/emasser/help/artifacts_put_mapper.md

@@ -4,31 +4,50 @@ Field                   Data Type  Details
 -------------------------------------------------------------------------------------------------
 systemId                Integer    [Required] Unique eMASS identifier. Will need to provide correct number.
 filename                String     [Required] File name should match exactly one file within the provided zip file.
-                        Binary     [Required] Application/zip file. Max 30MB per artifact.
 isTemplate              Boolean    [Required] Indicates whether an artifact is a template.
 type*                   String     [Required] Values include the following: (Procedure, Diagram, Policy, Labor,
                                               Document, Image, Other, Scan Result, Auditor Report)
 category*               String     [Required] Values include the following: (Implementation Guidance, Evidence)
 
+name                    String     [Optional] Artifact name. Character Limit = 100.
 description             String     [Optional] Artifact description. 2000 Characters.
 refPageNumber           String     [Optional] Artifact reference page number. 50 Characters.
-ccis                    String     [Optional] CCIs associated with artifact.
 controls                String     [Optional] Control acronym associated with the artifact. NIST SP 800-53 Revision 4 defined.
-artifactExpirationDate  Date       [Optional] Date Artifact expires and requires review. In Unix Date Format
+assessmentProcedures    String     [Optional] The Security Control Assessment Procedure being associated with the artifact.
+expirationDate          Date       [Optional] Date artifact expires and requires review. Unix date format.
 lastReviewedDate        Date       [Optional] Date Artifact was last reviewed. In Unix Date Format
+signedDate              Date       [Optional] Date artifact was signed. In Unix Date Format
 
-isInherited             Boolean    [Read-Only] Indicates whether an artifact is inherited.
-mimeContentType         String     [Read-Only] Standard MIME content type derived from file extension.
-fileSize                String     [Read-Only] File size of attached artifact.
 
 * May also accept custom artifact category values set by system administrators.
 
-
 Updates one artifact in a system - the API endpoint provide the capability of updating multiple artifacts concurrently, however this CLI only supports updating one Artifact at the time.
 
-The file name provided should match exactly one file within the previously uploaded zip file.
 
+The body of a request through the Artifacts PUT endpoint accepts the fields in the below Sample Request Body.
+Name and isTemplate are non-nullable fields, so name will default to the filename, while isTemplate will
+default to false if those fields are not specified in the PUT.
+
+Also, note that one-to-many fields (controls and ccis) will also be replaced with the values specified in the PUT.
+If existing control or cci mappings exist in eMASS, the values in the PUT will not append, but rather replace all
+existing control and cci mappings with the values in the request body.
+
+Note that the PUT request will replace all existing data with the field/value combinations included in the request body. If any fields are not included, the absent fields will become null.
+
+Business Rules
+- Artifact cannot be saved if File Name (fileName) exceeds 1,000 characters
+- Artifact cannot be saved if Name (name) exceeds 100 characters
+- Artifact cannot be saved if Description (description) exceeds 10,000 characters
+- Artifact cannot be saved if Reference Page Number (refPageNumber) exceeds 50 characters
+- Artifact cannot be saved if the file does not have an allowable file extension/type.
+- Artifact version cannot be saved if an Artifact with the same file name already exist in the system.
+- Artifact cannot be saved if the file size exceeds 30MB.
+- Artifact cannot be saved if the Last Review Date is set in the future.
+- Artifact cannot be saved if the following fields are missing data:
+  -  Filename
+  -  Type
+  -  Category
 
 Example:
 
-bundle exec exe/emasser put artifacts update --systemId [value] [--isTemplate or --no-isTemplate] --type [value] --category [value] --files[value...value]
+bundle exec exe/emasser put artifacts update [-s, --systemId] <value> [-f, --filename] <value> [-T, --isTemplate or --no-isTemplate] [-t, --type] <value> [-c, --category] <value> 

data/lib/emasser/help/cloudresource_post_mapper.md

@@ -15,11 +15,12 @@ cspAccountId             String    [Optional] System/owner's CSP account ID/numb
 cspRegion                String    [Optional] CSP region of system.
 isBaseline               Boolean   [Optional] True/false flag for providing results as baseline.
                                               If true, all existing compliance results for the resourceId will be replaced by results in the current call.
-
+Tags Object
 tags                     Object    [Optional] Informational tags associated to results for other metadata
-  text                   String    [Optional] Tag metadata information
+  text                     String    [Optional] Tag metadata information
 
-complianceResults        Object    [Required] Compliance result information
+Compliance Results Object
+complianceResults        Object  [Required] Compliance result information
   cspPolicyDefinitionId    String  [Required] Unique identifier/compliance namespace for CSP/Resource’s
                                             policy definition/compliance check.
   policyDefinitionTitle    String  [Required] Friendly policy/compliance check title. Recommend short title

data/lib/emasser/help/controls_put_mapper.md

@@ -9,6 +9,16 @@ controlDesignation       String    [Required] Values include the following: (Com
 estimatedCompletionDate  Date      [Required] Field is required for Implementation Plan
 implementationNarrative  String    [Required] Includes Security Control comments.
 
+commonControlProvider   String     [Conditional] Values include the following: (DoD, Component, Enclave)
+naJustification         String     [Conditional] Provide justification for Security Controls deemed Not Applicable to the system.
+slcmCriticality         String     [Conditional] Criticality of Security Control regarding SLCM. Character Limit = 2,000
+slcmFrequency           String     [Conditional] Values include the following: (Constantly, Daily, Weekly, Monthly, Quarterly,
+                                                 Semi-Annually, Annually, Every,Two Years, Every Three Years, Undetermined)
+slcmMethod              String     [Conditional] Values include the following: (Automated, Semi-Automated, Manual, Undetermined)
+slcmReporting           String     [Conditional] Method for reporting Security Controls for SLCM. Character Limit = 2,000
+slcmTracking            String     [Conditional] How Non-Compliant Security Controls will be tracked for SLCM. Character Limit = 2,000
+slcmComments            String     [Conditional] Additional comments for Security Control regarding SLCM. Character Limit = 4,000
+
 implementationStatus    String     [Optional] Values include the following: (Planned, Implemented, Inherited, Not Applicable, Manually Inherited)
 severity                String     [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
 vulnerabilitySummary    String     [Optional] Include vulnerability summary. Character Limit = 2,000.
@@ -20,26 +30,24 @@ impactDescription       String     [Optional] Include description of Security Co
 residualRiskLevel       String     [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
 testMethod              String     [Optional] Values include the following: ('Test', 'Interview', 'Examine', 'Test, Interview',
                                               'Test, Examine', 'Interview, Examine', 'Test, Interview, Examine')
+mitigations             String     [Optional] Identify any mitigations in place for the Non-Compliant Security Control's vulnerabilities. Character Limit = 2,000.
+applicationLayer        String     [Optional] If the Financial Management (Navy) overlay is applied to the system,
+                                              this field appears and can be populated. Character Limit = 2,000. Navy only.
+databaseLayer           String     [Optional] If the Financial Management (Navy) overlay is applied to the system,
+                                              this field appears and can be populated. Character Limit = 2,000. Navy only.
+operatingSystemLayer    String     [Optional] If the Financial Management (Navy) overlay is applied to the system,
+                                              this field appears and can be populated. Character Limit = 2,000. Navy only.
 
-commonControlProvider   String     [Conditional] Values include the following: (DoD, Component, Enclave)
-naJustification         String     [Conditional] Provide justification for Security Controls deemed Not Applicable to the system.
-slcmCriticality         String     [Conditional] Criticality of Security Control regarding SLCM. Character Limit = 2,000
-slcmFrequency           String     [Conditional] Values include the following: (Constantly, Daily, Weekly, Monthly, Quarterly,
-                                                 Semi-Annually, Annually, Every,Two Years, Every Three Years, Undetermined)
-slcmMethod              String     [Conditional] Values include the following: (Automated, Semi-Automated, Manual, Undetermined)
-slcmReporting           String     [Conditional] Method for reporting Security Controls for SLCM. Character Limit = 2,000
-slcmTracking            String     [Conditional] How Non-Compliant Security Controls will be tracked for SLCM. Character Limit = 2,000
-slcmComments            String     [Conditional] Additional comments for Security Control regarding SLCM. Character Limit = 4,000
 
-name                     String    [Read-Only] Name of control as defined in NIST SP 800-53 Revision 4.
-ccis                     String    [Read-Only] Comma separated list of CCIs associated with the control.
-isInherited              Boolean   [Read-Only] Indicates whether a control is inherited.
-modifiedByOverlays       String    [Read-Only] List of overlays that affect the control.
-includedStatus           String    [Read-Only] Indicates the manner by which a control was included in the system's categorization. 
-complianceStatus         String    [Read-Only] Compliance status of the control.
+Business Rules
 
+Risk Assessment
+  - Risk Assessment information cannot be updated if a Security Control is “Inherited.”
+  - Risk Assessment information cannot be updated for a DIACAP system record.
+  - Risk Assessment information cannot be updated if Security Control does not exist in the system record.
 
-Business Rules
+
+Implementation Plan
 
 The following fields are required based on the value of the `implementationStatus` field
   |Value                   |Required Fields

data/lib/emasser/help/hardware_post_mapper.md

@@ -0,0 +1,41 @@
+Endpoint request parameters/fields
+
+Field                   Data Type  Details
+-------------------------------------------------------------------------------------------------
+systemId                Integer    [Required] Unique eMASS identifier. Will need to provide correct number.
+assetName               String     [Required] Name of the hardware asset.
+
+publicFacingFqdn        String     [Conditional] Public facing FQDN. Only applicable if Public Facing is set to true.
+publicFacingIpAddress   String     [Conditional] Public facing IP address. Only applicable if Public Facing is set to true.
+publicFacingUrls        String     [Conditional] Public facing URL(s). Only applicable if Public Facing is set to true.
+
+componentType*          String     [Optional] Component type of the hardware asset.
+nickname                String     [Optional] Nickname of the hardware asset. Character Limit = 100.
+assetIpAddress          String     [Optional] IP address of the hardware asset. Character Limit = 100.
+publicFacing            Boolean    [Optional] Public facing is defined as any asset that is accessible from a commercial connection.
+virtualAsset            Boolean    [Optional] Determine if this is a virtual hardware asset. The default value is false.
+manufacturer            String     [Optional] Manufacturer of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+modelNumber             String     [Optional] Model number of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+serialNumber            String     [Optional] Serial number of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+OsIosFwVersion          String     [Optional] OS/iOS/FW version of the hardware asset. Character Limit = 100.
+memorySizeType          String     [Optional] Memory size / type of the hardware asset. Character Limit = 100.
+location                String     [Optional] Location of the hardware asset. Character Limit = 250.
+approvalStatus**        String     [Optional] Approval status of the hardware asset.
+criticalAsset           Boolean    [Optional] Indicates whether the asset is a critical information system asset. The default value is false.
+
+
+* Component Types default values include the following options, however custom values can be entered to create new options:
+  Firewall, IDS/IPS, KVM, Router, Server, Switch, Workstation
+** Approval Status default values include the following options, however custom values can be entered to create new options:
+  Approved - DISA UC APL, Approved - FIPS 140-2, Approved - NIAP CCVES,
+  Approved - NSA Crypto, Approved - NSA CSfC, In Progress, Unapproved
+
+
+Example:
+
+bundle exec exe/emasser post hardware add [-s, --systemId] <value> [-a, --assetName] <value>
+
+Note: The example does not list any optional or conditional fields

data/lib/emasser/help/hardware_put_mapper.md

@@ -0,0 +1,42 @@
+Endpoint request parameters/fields
+
+Field                   Data Type  Details
+-------------------------------------------------------------------------------------------------
+systemId                Integer    [Required] Unique eMASS identifier. Will need to provide correct number.
+hardwareId              String     [Required] GUID identifying the specific hardware asset.
+assetName               String     [Required] Name of the hardware asset.
+
+publicFacingFqdn        String     [Conditional] Public facing FQDN. Only applicable if Public Facing is set to true.
+publicFacingIpAddress   String     [Conditional] Public facing IP address. Only applicable if Public Facing is set to true.
+publicFacingUrls        String     [Conditional] Public facing URL(s). Only applicable if Public Facing is set to true.
+
+componentType*          String     [Optional] Component type of the hardware asset.
+nickname                String     [Optional] Nickname of the hardware asset. Character Limit = 100.
+assetIpAddress          String     [Optional] IP address of the hardware asset. Character Limit = 100.
+publicFacing            Boolean    [Optional] Public facing is defined as any asset that is accessible from a commercial connection.
+virtualAsset            Boolean    [Optional] Determine if this is a virtual hardware asset. The default value is false.
+manufacturer            String     [Optional] Manufacturer of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+modelNumber             String     [Optional] Model number of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+serialNumber            String     [Optional] Serial number of the hardware asset. Populated with “Virtual” by default if Virtual Asset is true,
+                                              however this can be overridden. Character Limit = 100.
+OsIosFwVersion          String     [Optional] OS/iOS/FW version of the hardware asset. Character Limit = 100.
+memorySizeType          String     [Optional] Memory size / type of the hardware asset. Character Limit = 100.
+location                String     [Optional] Location of the hardware asset. Character Limit = 250.
+approvalStatus**        String     [Optional] Approval status of the hardware asset.
+criticalAsset           Boolean    [Optional] Indicates whether the asset is a critical information system asset. The default value is false.
+
+
+* Component Types default values include the following options, however custom values can be entered to create new options:
+  Firewall, IDS/IPS, KVM, Router, Server, Switch, Workstation
+** Approval Status default values include the following options, however custom values can be entered to create new options:
+  Approved - DISA UC APL, Approved - FIPS 140-2, Approved - NIAP CCVES,
+  Approved - NSA Crypto, Approved - NSA CSfC, In Progress, Unapproved
+
+
+Example:
+
+bundle exec exe/emasser post hardware add [-s, --systemId] <value> [-h, --hardwareId] <value> [-a, --assetName] <value>
+
+Note: The example does not list any optional or conditional fields

data/lib/emasser/help/milestone_del_mapper.md

@@ -8,4 +8,4 @@ The last milestone can not be deleted, at-least on must exist.
 
 Example:
 
-bundle exec exe/emasser delete milestones remove--systemId [value] --poamId [value] --milestoneId [value]
+bundle exec exe/emasser delete milestones remove [-s, --systemId] <value> [-p, --poamId] <value> [-m, --milestoneId] <value>

data/lib/emasser/help/milestone_post_mapper.md

@@ -9,6 +9,8 @@ poamId                  Integer    [Required] Unique item identifier
 description             String     [Required] Provide a description of the milestone. 2000 Characters 
 scheduledCompletionDate Date       [Required] Schedule completion date - Unix date format
 
+Note: Business rules associated with Milestones endpoints fields are provided within the POA&Ms Endpoint
+
 Example:
 
-bundle exec exe/emasser put milestones add --systemId [value] --poamId [value] --description [value] --scheduledCompletionDate [value]
+bundle exec exe/emasser post milestones add [-s, --systemId] <value> [-p, --poamId] <value> [-d, --description] <value> [c, --scheduledCompletionDate] <value>

data/lib/emasser/help/milestone_put_mapper.md

@@ -9,15 +9,8 @@ milestoneId             Integer    [Required] Unique milestone identifier
 poamId                  Integer    [Required] unique item identifier
 description             String     [Required] Provide a description of the milestone. 2000 Characters 
 scheduledCompletionDate Date       [Required] In Unix date format ü
-isActive                Boolean    [Optional] Set to false only in the case where POA&M PUT would delete
-                                              specified milestone. Not available for other requests
 
 
-Set the field "isActive" to false only in the case where POA&M PUT would delete specified milestone. Not available  for other requests
-
-If a field is misrepresented (wrong value)the following response may be provided by the server:
-Response body: {"meta":{"code":500,"errorMessage":"Sorry! Something went wrong on our end. Please contact emass_support@bah.com for assistance."}}
-
 Example:
 
-bundle exec exe/emasser put milestones update --systemId [value] --poamId [value] --milestoneId [value] --description [value] --scheduledCompletionDate [value]
+bundle exec exe/emasser post milestones update [-s, --systemId] <value> [-p, --poamId] <value> [-m, --milestoneId] <value> [-d, --description] <value> [c, --scheduledCompletionDate] <value>

data/lib/emasser/help/poam_del_mapper.md

@@ -2,4 +2,4 @@ Remove one or many poa&m items in a system
 
 Example:
 
-bundle exec exe/emasser delete poams remove --systemId [value] --poamId [value]
+bundle exec exe/emasser delete poams remove [-s, --systemId] <value> [-p, --poamId] <value>

data/lib/emasser/help/poam_post_mapper.md

@@ -1,13 +1,13 @@
 Endpoint request body parameters/fields
 
-Field                   Data Type  Details
--------------------------------------------------------------------------------------------------
-systemId                 Integer   [Required] Unique eMASS identifier. Will need to provide correct number.
-status                   String    [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable).
-vulnerabilityDescription String    [Required] Provide a description of the POA&M Item. 2000 Characters.
-sourceIdentVuln          String    [Required] Include Source Identifying Vulnerability text. 2000 Characters.
-pocOrganization          String    [Required] Organization/Office represented. 100 Characters.
-resources                String    [Required] List of resources used. 250 Characters.
+Field                          Data Type  Details
+------------------------------------------------------------------------------------------------------
+systemId                       Integer   [Required] Unique eMASS identifier. Will need to provide correct number.
+status                         String    [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable).
+vulnerabilityDescription       String    [Required] Provide a description of the POA&M Item. 2000 Characters.
+sourceIdentifyingVulnerability String    [Required] Include Source Identifying Vulnerability text. 2000 Characters.
+pocOrganization                String    [Required] Organization/Office represented. 100 Characters.
+resources                      String    [Required] List of resources used. 250 Characters.
 
 milestones               JSON      [Conditional] Please see Notes 1 for more details.
 pocFirstName             String    [Conditional] First name of POC. 100 Characters.
@@ -19,9 +19,28 @@ scheduledCompletionDate  Date      [Conditional] Required for ongoing and comple
 completionDate           Date      [Conditional] Field is required for completed POA&M items. Unix time format.
 comments                 String    [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters.
 
+Required for VA. Optional for Army and USCG.
+identifiedInCFOAuditOrOtherReview    Boolean [Required]    If not specified, this field will be set to false because it does not accept a null value.
+personnelResourcesFundedBaseHours    Number  [Conditional] Displays numbers to the second decimal point
+personnelResourcesCostCode           String  [Conditional] Required if Personnel Resources: Funded Base Hours or Personnel Resources: Unfunded Base Hours is populated.
+personnelResourcesUnfundedBaseHours  Number  [Conditional] Displays numbers to the second decimal point (e.g., 100.00).
+personnelResourcesNonfundingObstacle String  [Conditional] Required if Personnel Resources: Unfunded Base Hours is populated
+personnelResourcesNonfundingObstacleOtherReason String [Conditional] Required if the value “Other” is populated for the field Personnel Resources: Non-Funding Obstacle.
+nonPersonnelResourcesFundedAmount    Number  [Conditional] At least one of the following is required and must be completed for each POA&M Item:
+                                                           Personnel Resources: Funded Base Hours, Personnel Resources: Unfunded Base Hours
+                                                           Non-Personnel Resources: Funded Amount, Non-Personnel Resources: Unfunded Amount
+nonPersonnelResourcesCostCode        String  [Conditional] Required if Non-Personnel Resources: Funded Amount or Non-Personnel Resources: Unfunded Amount is populated.
+nonPersonnelResourcesUnfundedAmount  Number  [Conditional] At least one of the following is required and must be completed for each POA&M Item:
+                                                           Personnel Resources: Funded Base Hours, Personnel Resources: Unfunded Base Hours
+                                                           Non-Personnel Resources: Funded Amount, Non-Personnel Resources: Unfunded Amount
+nonPersonnelResourcesNonfundingObstacle String [Conditional] Required if Non-Personnel Resources: Unfunded Amount is populated.
+nonPersonnelResourcesNonfundingObstacleOtherReason String [Conditional] Required if the value “Other” is populated for the field
+                                                                        Non-Personnel Resources: Non-Funding Obstacle.
+
+
 externalUid              String    [Optional] Unique identifier external to the eMASS application for use with associating POA&M Items. 100 Characters.
 controlAcronym           String    [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
-cci                      String    [Optional] CCI associated with the test result.
+assessmentProcedure      String    [Optional] The Security Control Assessment Procedures being associated with the POA&M Item.
 securityChecks           String    [Optional] Security Checks that are associated with the POA&M.
 rawSeverity              String    [Optional] Values include the following: (I, II, III)
 relevanceOfThreat        String    [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
@@ -32,10 +51,16 @@ residualRiskLevel        String    [Optional] Values include the following: (Ver
 recommendations          String    [Optional] Include recommendations. Character Limit 2,000.
 mitigation               String    [Optional] Include mitigation explanation. 2000 Characters.
 
-isInherited              String    [Read-Only] Indicates whether a POA&M Item is inherited.
-reviewStatus             string    [Read-Only] Values include the following options: (Not Approved, Under Review, Approved)
-extensionDate            Date      [Read-Only] Value returned for a POA&M Item with review status "Approved" and has a milestone
-                                               with a scheduled completion date that extends beyond the POA&M Item’s scheduled completion date.
+Navy Only
+resultingResidualRiskLevelAfterProposedMitigations String [Optional] Indicate the risk level expected after any proposed mitigations
+                                                                     are implemented. Proposed mitigations should be appropriately
+                                                                     documented as POA&M milestones.
+predisposingConditions String [Optional] A predisposing condition is a condition existing within an organization,
+                                         a mission or business process, enterprise architecture, information system/PIT,
+                                         or environment of operation, which affects (i.e., increases or decreases) the likelihood
+                                         that threat events, once initiated, result in adverse impacts.
+threatDescription      String [Optional] Describe the identified threat(s) and relevance to the information system.
+devicesAffected        String [Optional] List any affected devices by hostname. If all devices in the information system are affected, state 'system' or 'all'.
 
 **If a milestone Id is provided the POA&M with the provided milestone Id is updated and the new POA&M milestones is set to null.**
 
@@ -84,7 +109,8 @@ The following parameters/fields have the following character limitations:
 
 Example:
 
-bundle exec exe/emasser post poams add --systemId [value] --status [value] --vulnerabilityDescription [value] --sourceIdentVuln [value] --pocOrganization [value] --resources [value]
+bundle exec exe/emasser post poams add [-s, --systemId] <value> --status <value> --vulnerabilityDescription <value>
+ --sourceIdentifyingVulnerability <value> --pocOrganization <value> --resources <value>
 
 Notes:
 1 - The format for milestones is:

data/lib/emasser/help/poam_put_mapper.md

@@ -1,15 +1,15 @@
 Endpoint request parameters/fields
 
-Field                   Data Type  Details
+Field                           Data Type  Details
 -------------------------------------------------------------------------------------------------
-systemId                 Integer   [Required] Unique eMASS identifier. Will need to provide correct number.
-poamId                   Integer   [Required] Unique POA&M identifier. Will need to provide correct number.
-displayPoamId            Integer   [Required] Globally unique identifier for individual POA&M Items, seen on the front-end as "ID".
-status                   String    [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable.
-vulnerabilityDescription String    [Required] Provide a description of the POA&M Item. 2000 Characters.
-sourceIdentVuln          String    [Required] Include Source Identifying Vulnerability text. 2000 Characters.
-pocOrganization          String    [Required] Organization/Office represented. 100 Characters.
-resources                String    [Required] List of resources used. 250 Characters.
+systemId                        Integer   [Required] Unique eMASS identifier. Will need to provide correct number.
+poamId                          Integer   [Required] Unique POA&M identifier. Will need to provide correct number.
+displayPoamId                   Integer   [Required] Globally unique identifier for individual POA&M Items, seen on the front-end as "ID".
+status                          String    [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable.
+vulnerabilityDescription        String    [Required] Provide a description of the POA&M Item. 2000 Characters.
+sourceIdentifyingVulnerability  String    [Required] Include Source Identifying Vulnerability text. 2000 Characters.
+pocOrganization                 String    [Required] Organization/Office represented. 100 Characters.
+resources                       String    [Required] List of resources used. 250 Characters.
 
 milestones               JSON      [Conditional] Please see Notes 1 for more details.
 pocFirstName             String    [Conditional] First name of POC. 100 Characters.
@@ -20,26 +20,51 @@ severity                 String    [Conditional] Values include the following: (
 scheduledCompletionDate  Date      [Conditional] Required for ongoing and completed POA&M items. Unix time format.
 completionDate           Date      [Conditional] Field is required for completed POA&M items. Unix time format.
 comments                 String    [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters.
-isActive                 Boolean   [Conditional] Optionally used in PUT to delete milestones when updating a POA&M
+isActive                 Boolean   [Conditional] Prevent creating a new milestone if one is already exists.
+
+Required for VA. Optional for Army and USCG.
+identifiedInCFOAuditOrOtherReview    Boolean [Required]    If not specified, this field will be set to false because it does not accept a null value.
+personnelResourcesFundedBaseHours    Number  [Conditional] Displays numbers to the second decimal point
+personnelResourcesCostCode           String  [Conditional] Required if Personnel Resources: Funded Base Hours or Personnel Resources: Unfunded Base Hours is populated.
+personnelResourcesUnfundedBaseHours  Number  [Conditional] Displays numbers to the second decimal point (e.g., 100.00).
+personnelResourcesNonfundingObstacle String  [Conditional] Required if Personnel Resources: Unfunded Base Hours is populated
+personnelResourcesNonfundingObstacleOtherReason String [Conditional] Required if the value “Other” is populated for the field Personnel Resources: Non-Funding Obstacle.
+nonPersonnelResourcesFundedAmount    Number  [Conditional] At least one of the following is required and must be completed for each POA&M Item:
+                                                           Personnel Resources: Funded Base Hours, Personnel Resources: Unfunded Base Hours
+                                                           Non-Personnel Resources: Funded Amount, Non-Personnel Resources: Unfunded Amount
+nonPersonnelResourcesCostCode        String  [Conditional] Required if Non-Personnel Resources: Funded Amount or Non-Personnel Resources: Unfunded Amount is populated.
+nonPersonnelResourcesUnfundedAmount  Number  [Conditional] At least one of the following is required and must be completed for each POA&M Item:
+                                                           Personnel Resources: Funded Base Hours, Personnel Resources: Unfunded Base Hours
+                                                           Non-Personnel Resources: Funded Amount, Non-Personnel Resources: Unfunded Amount
+nonPersonnelResourcesNonfundingObstacle String [Conditional] Required if Non-Personnel Resources: Unfunded Amount is populated.
+nonPersonnelResourcesNonfundingObstacleOtherReason String [Conditional] Required if the value “Other” is populated for the field
+                                                                        Non-Personnel Resources: Non-Funding Obstacle.
+
 
 externalUid              String    [Optional] Unique identifier external to the eMASS application for use with associating POA&M Items. 100 Characters.
 controlAcronym           String    [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
-cci                      String    [Optional] CCI associated with the test result.
+assessmentProcedure      String    [Optional] The Security Control Assessment Procedures being associated with the POA&M Item.
 securityChecks           String    [Optional] Security Checks that are associated with the POA&M.
 rawSeverity              String    [Optional] Values include the following: (I, II, III)
-
 relevanceOfThreat        String    [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
 likelihood               String    [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
 impact                   String    [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
-impactDescription        String    [Optional] Include description of Security Control's impact.
+impactDescription        String    [Optional] Include description of Security Control’s impact.
 residualRiskLevel        String    [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
 recommendations          String    [Optional] Include recommendations. Character Limit 2,000.
 mitigation               String    [Optional] Include mitigation explanation. 2000 Characters.
 
-isInherited              String    [Read-Only] Indicates whether a POA&M Item is inherited.
-reviewStatus             string    [Read-Only] Values include the following options: (Not Approved, Under Review, Approved)
-extensionDate            Date      [Read-Only] Value returned for a POA&M Item with review status "Approved" and has a milestone
-                                               with a scheduled completion date that extends beyond the POA&M Item’s scheduled completion date.
+Navy Only
+resultingResidualRiskLevelAfterProposedMitigations String [Optional] Indicate the risk level expected after any proposed mitigations
+                                                                     are implemented. Proposed mitigations should be appropriately
+                                                                     documented as POA&M milestones.
+predisposingConditions String [Optional] A predisposing condition is a condition existing within an organization,
+                                         a mission or business process, enterprise architecture, information system/PIT,
+                                         or environment of operation, which affects (i.e., increases or decreases) the likelihood
+                                         that threat events, once initiated, result in adverse impacts.
+threatDescription      String [Optional] Describe the identified threat(s) and relevance to the information system.
+devicesAffected        String [Optional] List any affected devices by hostname. If all devices in the information system are affected, state 'system' or 'all'.
+
 
 If any poc information is provided all POC fields are required. See additional details for POC fields below.
 To delete a milestone through the POA&M PUT you must include it as inactive by setting isActive=false.
@@ -97,7 +122,7 @@ The following parameters/fields have the following character limitations:
 
 Example:
 
-bundle exec exe/emasser put poams update --systemId [value] --poamId [value] --status [value] --vulnerabilityDescription [value] --sourceIdentVuln [value] --reviewStatus [value]
+bundle exec exe/emasser put poams update [-s, --systemId] <value> [-p, --poamId] <value> --status <value> --vulnerabilityDescription <value> --sourceIdentifyingVulnerability <value> --pocOrganization <value> --resources <value>
 
 Notes:
 1 - The format for milestones is: