emasser 3.4.1 → 3.10.0
- checksums.yaml +4 -4
- data/.dockerignore +8 -8
- data/.env-example +12 -12
- data/.github/release-drafter.yml +15 -15
- data/.github/workflows/codeql-analysis.yml +70 -70
- data/.github/workflows/draft-release.yml +15 -15
- data/.github/workflows/gh-pages.yml +32 -32
- data/.github/workflows/push-to-docker-mail.yml +28 -28
- data/.github/workflows/push-to-docker.yml +35 -35
- data/.github/workflows/release.yml +42 -42
- data/.github/workflows/rubocop.yml +23 -23
- data/.github/workflows/test-cli.yml +39 -72
- data/.gitignore +19 -19
- data/.mergify.yml +25 -25
- data/.rubocop.yml +83 -80
- data/.rubocop_todo.yml +27 -27
- data/CHANGELOG.md +16 -16
- data/Dockerfile +44 -44
- data/Gemfile +8 -8
- data/Gemfile.lock +108 -104
- data/LICENSE.md +15 -15
- data/README.md +178 -178
- data/Rakefile +18 -18
- data/_config.yml +1 -1
- data/docs/features.md +1501 -1436
- data/docs/redoc/index.html +1230 -1230
- data/emasser.gemspec +44 -44
- data/exe/emasser +5 -5
- data/lib/emasser/cli.rb +37 -37
- data/lib/emasser/configuration.rb +49 -49
- data/lib/emasser/constants.rb +26 -26
- data/lib/emasser/delete.rb +148 -148
- data/lib/emasser/errors.rb +14 -14
- data/lib/emasser/get.rb +1194 -949
- data/lib/emasser/help/approvalCac_post_mapper.md +20 -20
- data/lib/emasser/help/approvalPac_post_mapper.md +20 -20
- data/lib/emasser/help/artifacts_del_mapper.md +9 -9
- data/lib/emasser/help/artifacts_post_mapper.md +59 -59
- data/lib/emasser/help/artifacts_put_mapper.md +34 -34
- data/lib/emasser/help/cloudresource_post_mapper.md +62 -62
- data/lib/emasser/help/cmmc_get_mapper.md +4 -4
- data/lib/emasser/help/container_post_mapper.md +44 -44
- data/lib/emasser/help/controls_put_mapper.md +74 -74
- data/lib/emasser/help/milestone_del_mapper.md +11 -11
- data/lib/emasser/help/milestone_post_mapper.md +14 -14
- data/lib/emasser/help/milestone_put_mapper.md +23 -23
- data/lib/emasser/help/poam_del_mapper.md +5 -5
- data/lib/emasser/help/poam_post_mapper.md +93 -93
- data/lib/emasser/help/poam_put_mapper.md +107 -107
- data/lib/emasser/help/staticcode_clear_mapper.md +16 -16
- data/lib/emasser/help/staticcode_post_mapper.md +21 -21
- data/lib/emasser/help/testresults_post_mapper.md +21 -21
- data/lib/emasser/help.rb +11 -11
- data/lib/emasser/input_converters.rb +21 -21
- data/lib/emasser/options_parser.rb +20 -20
- data/lib/emasser/output_converters.rb +115 -111
- data/lib/emasser/post.rb +830 -830
- data/lib/emasser/put.rb +588 -588
- data/lib/emasser/version.rb +5 -5
- data/lib/emasser.rb +19 -19
- metadata +16 -10
@@ -1,74 +1,74 @@
|
|
1
|
-
Endpoint request parameters/fields
|
2
|
-
|
3
|
-
Field Data Type Details
|
4
|
-
-------------------------------------------------------------------------------------------------
|
5
|
-
systemId Integer [Required] Unique eMASS identifier. Will need to provide correct number.
|
6
|
-
acronym String [Required] Required to match the NIST SP 800-53 Revision 4.
|
7
|
-
responsibleEntities String [Required] Include written description of Responsible Entities that are responsible for the Security Control.
|
8
|
-
controlDesignation String [Required] Values include the following: (Common, System-Specific, Hybrid)
|
9
|
-
estimatedCompletionDate Date [Required] Field is required for Implementation Plan
|
10
|
-
implementationNarrative String [Required] Includes Security Control comments.
|
11
|
-
|
12
|
-
implementationStatus String [Optional] Values include the following: (Planned, Implemented, Inherited, Not Applicable, Manually Inherited)
|
13
|
-
severity String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
14
|
-
vulnerabilitySummary String [Optional] Include vulnerability summary. Character Limit = 2,000.
|
15
|
-
recommendations String [Optional] Include recommendations. Character Limit = 2,000.
|
16
|
-
relevanceOfThreat String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
17
|
-
likelihood String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
18
|
-
impact String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
19
|
-
impactDescription String [Optional] Include description of Security Control's impact.
|
20
|
-
residualRiskLevel String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
21
|
-
testMethod String [Optional] Values include the following: ('Test', 'Interview', 'Examine', 'Test, Interview',
|
22
|
-
'Test, Examine', 'Interview, Examine', 'Test, Interview, Examine')
|
23
|
-
|
24
|
-
commonControlProvider String [Conditional] Values include the following: (DoD, Component, Enclave)
|
25
|
-
naJustification String [Conditional] Provide justification for Security Controls deemed Not Applicable to the system.
|
26
|
-
slcmCriticality String [Conditional] Criticality of Security Control regarding SLCM. Character Limit = 2,000
|
27
|
-
slcmFrequency String [Conditional] Values include the following: (Constantly, Daily, Weekly, Monthly, Quarterly,
|
28
|
-
Semi-Annually, Annually, Every,Two Years, Every Three Years, Undetermined)
|
29
|
-
slcmMethod String [Conditional] Values include the following: (Automated, Semi-Automated, Manual, Undetermined)
|
30
|
-
slcmReporting String [Conditional] Method for reporting Security Controls for SLCM. Character Limit = 2,000
|
31
|
-
slcmTracking String [Conditional] How Non-Compliant Security Controls will be tracked for SLCM. Character Limit = 2,000
|
32
|
-
slcmComments String [Conditional] Additional comments for Security Control regarding SLCM. Character Limit = 4,000
|
33
|
-
|
34
|
-
name String [Read-Only] Name of control as defined in NIST SP 800-53 Revision 4.
|
35
|
-
ccis String [Read-Only] Comma separated list of CCIs associated with the control.
|
36
|
-
isInherited Boolean [Read-Only] Indicates whether a control is inherited.
|
37
|
-
modifiedByOverlays String [Read-Only] List of overlays that affect the control.
|
38
|
-
includedStatus String [Read-Only] Indicates the manner by which a control was included in the system's categorization.
|
39
|
-
complianceStatus String [Read-Only] Compliance status of the control.
|
40
|
-
|
41
|
-
|
42
|
-
Business Rules
|
43
|
-
|
44
|
-
The following fields are required based on the value of the `implementationStatus` field
|
45
|
-
|Value |Required Fields
|
46
|
-
|------------------------|--------------------------------------------------------
|
47
|
-
|Planned or Implemented |controlDesignation, estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmMethod, slcmTracking, slcmComments
|
48
|
-
|Not Applicable |naJustification, controlDesignation, responsibleEntities
|
49
|
-
|Manually Inherited |controlDesignation, estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmMethod, slcmTracking, slcmComments
|
50
|
-
|
51
|
-
Implementation Plan cannot be updated if a Security Control is "Inherited" except for the following fields:
|
52
|
-
- Common Control Provider (commonControlProvider)
|
53
|
-
- Security Control Designation (controlDesignation)
|
54
|
-
|
55
|
-
The following parameters/fields have the following character limitations:
|
56
|
-
- Implementation Plan information cannot be saved if the fields below exceed 2,000 character limits:
|
57
|
-
- N/A Justification (naJustification)
|
58
|
-
- Responsible Entities (responsibleEntities)
|
59
|
-
- Implementation Narrative (implementationNarrative)
|
60
|
-
- Criticality (slcmCriticality)
|
61
|
-
- Reporting (slcmReporting)
|
62
|
-
- Tracking (slcmTracking)
|
63
|
-
- Vulnerability Summary (vulnerabilitySummary)
|
64
|
-
- Recommendations (recommendations)
|
65
|
-
- Implementation Plan information cannot be saved if the fields below exceed 4,000 character limits:
|
66
|
-
- SLCM Comments (slcmComments)
|
67
|
-
|
68
|
-
Implementation Plan information cannot be updated if Security Control does not exist in the system record.
|
69
|
-
|
70
|
-
Example:
|
71
|
-
|
72
|
-
bundle exec exe/emasser put controls update --systemId [value] --acronym [value] --responsibleEntities [value] --controlDesignation [value] --estimatedCompletionDate [value] --implementationNarrative [value]
|
73
|
-
|
74
|
-
Note: The example is only showing the required fields. Refer to instructions listed above for conditional and optional fields requirements.
|
1
|
+
Endpoint request parameters/fields
|
2
|
+
|
3
|
+
Field Data Type Details
|
4
|
+
-------------------------------------------------------------------------------------------------
|
5
|
+
systemId Integer [Required] Unique eMASS identifier. Will need to provide correct number.
|
6
|
+
acronym String [Required] Required to match the NIST SP 800-53 Revision 4.
|
7
|
+
responsibleEntities String [Required] Include written description of Responsible Entities that are responsible for the Security Control.
|
8
|
+
controlDesignation String [Required] Values include the following: (Common, System-Specific, Hybrid)
|
9
|
+
estimatedCompletionDate Date [Required] Field is required for Implementation Plan
|
10
|
+
implementationNarrative String [Required] Includes Security Control comments.
|
11
|
+
|
12
|
+
implementationStatus String [Optional] Values include the following: (Planned, Implemented, Inherited, Not Applicable, Manually Inherited)
|
13
|
+
severity String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
14
|
+
vulnerabilitySummary String [Optional] Include vulnerability summary. Character Limit = 2,000.
|
15
|
+
recommendations String [Optional] Include recommendations. Character Limit = 2,000.
|
16
|
+
relevanceOfThreat String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
17
|
+
likelihood String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
18
|
+
impact String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
19
|
+
impactDescription String [Optional] Include description of Security Control's impact.
|
20
|
+
residualRiskLevel String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
21
|
+
testMethod String [Optional] Values include the following: ('Test', 'Interview', 'Examine', 'Test, Interview',
|
22
|
+
'Test, Examine', 'Interview, Examine', 'Test, Interview, Examine')
|
23
|
+
|
24
|
+
commonControlProvider String [Conditional] Values include the following: (DoD, Component, Enclave)
|
25
|
+
naJustification String [Conditional] Provide justification for Security Controls deemed Not Applicable to the system.
|
26
|
+
slcmCriticality String [Conditional] Criticality of Security Control regarding SLCM. Character Limit = 2,000
|
27
|
+
slcmFrequency String [Conditional] Values include the following: (Constantly, Daily, Weekly, Monthly, Quarterly,
|
28
|
+
Semi-Annually, Annually, Every,Two Years, Every Three Years, Undetermined)
|
29
|
+
slcmMethod String [Conditional] Values include the following: (Automated, Semi-Automated, Manual, Undetermined)
|
30
|
+
slcmReporting String [Conditional] Method for reporting Security Controls for SLCM. Character Limit = 2,000
|
31
|
+
slcmTracking String [Conditional] How Non-Compliant Security Controls will be tracked for SLCM. Character Limit = 2,000
|
32
|
+
slcmComments String [Conditional] Additional comments for Security Control regarding SLCM. Character Limit = 4,000
|
33
|
+
|
34
|
+
name String [Read-Only] Name of control as defined in NIST SP 800-53 Revision 4.
|
35
|
+
ccis String [Read-Only] Comma separated list of CCIs associated with the control.
|
36
|
+
isInherited Boolean [Read-Only] Indicates whether a control is inherited.
|
37
|
+
modifiedByOverlays String [Read-Only] List of overlays that affect the control.
|
38
|
+
includedStatus String [Read-Only] Indicates the manner by which a control was included in the system's categorization.
|
39
|
+
complianceStatus String [Read-Only] Compliance status of the control.
|
40
|
+
|
41
|
+
|
42
|
+
Business Rules
|
43
|
+
|
44
|
+
The following fields are required based on the value of the `implementationStatus` field
|
45
|
+
|Value |Required Fields
|
46
|
+
|------------------------|--------------------------------------------------------
|
47
|
+
|Planned or Implemented |controlDesignation, estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmMethod, slcmTracking, slcmComments
|
48
|
+
|Not Applicable |naJustification, controlDesignation, responsibleEntities
|
49
|
+
|Manually Inherited |controlDesignation, estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmMethod, slcmTracking, slcmComments
|
50
|
+
|
51
|
+
Implementation Plan cannot be updated if a Security Control is "Inherited" except for the following fields:
|
52
|
+
- Common Control Provider (commonControlProvider)
|
53
|
+
- Security Control Designation (controlDesignation)
|
54
|
+
|
55
|
+
The following parameters/fields have the following character limitations:
|
56
|
+
- Implementation Plan information cannot be saved if the fields below exceed 2,000 character limits:
|
57
|
+
- N/A Justification (naJustification)
|
58
|
+
- Responsible Entities (responsibleEntities)
|
59
|
+
- Implementation Narrative (implementationNarrative)
|
60
|
+
- Criticality (slcmCriticality)
|
61
|
+
- Reporting (slcmReporting)
|
62
|
+
- Tracking (slcmTracking)
|
63
|
+
- Vulnerability Summary (vulnerabilitySummary)
|
64
|
+
- Recommendations (recommendations)
|
65
|
+
- Implementation Plan information cannot be saved if the fields below exceed 4,000 character limits:
|
66
|
+
- SLCM Comments (slcmComments)
|
67
|
+
|
68
|
+
Implementation Plan information cannot be updated if Security Control does not exist in the system record.
|
69
|
+
|
70
|
+
Example:
|
71
|
+
|
72
|
+
bundle exec exe/emasser put controls update --systemId [value] --acronym [value] --responsibleEntities [value] --controlDesignation [value] --estimatedCompletionDate [value] --implementationNarrative [value]
|
73
|
+
|
74
|
+
Note: The example is only showing the required fields. Refer to instructions listed above for conditional and optional fields requirements.
|
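Review bot: every one of the 74 lines in this hunk is removed and re-added with identical text, so the change is whitespace or line-ending only; since the whole file is being rewritten anyway, the two existing defects in the `implementationStatus` table should go in the same commit. Both the "Planned or Implemented" and "Manually Inherited" rows list `slcmMethod` twice (`slcmFrequency, slcmMethod, slcmMethod, slcmTracking`), and the character-limit list below names `slcmReporting` as an Implementation Plan field, so the duplicate most likely stands in for `slcmReporting`. The `slcmFrequency` value list also has a stray comma in `Every,Two Years`, which should read `Every Two Years` to match the neighbouring `Every Three Years`.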
@@ -1,11 +1,11 @@
|
|
1
|
-
Remove milestones in a system for one or many poa&m items
|
2
|
-
|
3
|
-
To delete a milestone the record must be inactive by having the field isActive set to false (isActive=false).
|
4
|
-
|
5
|
-
The server returns an empty object upon successfully deleting a milestone.
|
6
|
-
|
7
|
-
The last milestone can not be deleted, at-least on must exist.
|
8
|
-
|
9
|
-
Example:
|
10
|
-
|
11
|
-
bundle exec exe/emasser delete milestones remove--systemId [value] --poamId [value] --milestoneId [value]
|
1
|
+
Remove milestones in a system for one or many poa&m items
|
2
|
+
|
3
|
+
To delete a milestone the record must be inactive by having the field isActive set to false (isActive=false).
|
4
|
+
|
5
|
+
The server returns an empty object upon successfully deleting a milestone.
|
6
|
+
|
7
|
+
The last milestone can not be deleted, at-least on must exist.
|
8
|
+
|
9
|
+
Example:
|
10
|
+
|
11
|
+
bundle exec exe/emasser delete milestones remove--systemId [value] --poamId [value] --milestoneId [value]
|
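Review bot: the example command at line 11 is missing a space between the subcommand and the first flag (`delete milestones remove--systemId [value]`), so a user copying it will get an unknown-command error; it should read `delete milestones remove --systemId [value]`. Line 7 also has a typo that obscures the rule: `The last milestone can not be deleted, at-least on must exist.` should read `The last milestone cannot be deleted; at least one must exist.` As with the other hunks in this diff, the content is otherwise re-added unchanged, so these fixes fit naturally here.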
@@ -1,14 +1,14 @@
|
|
1
|
-
Add milestones in a system for one or many poa&m items
|
2
|
-
|
3
|
-
Endpoint request parameters/fields
|
4
|
-
|
5
|
-
Field Data Type Details
|
6
|
-
-------------------------------------------------------------------------------------------------
|
7
|
-
systemId Integer [Required] Unique system identifier
|
8
|
-
poamId Integer [Required] Unique item identifier
|
9
|
-
description String [Required] Provide a description of the milestone. 2000 Characters
|
10
|
-
scheduledCompletionDate Date [Required] Schedule completion date - Unix date format
|
11
|
-
|
12
|
-
Example:
|
13
|
-
|
14
|
-
bundle exec exe/emasser put milestones add --systemId [value] --poamId [value] --description [value] --scheduledCompletionDate [value]
|
1
|
+
Add milestones in a system for one or many poa&m items
|
2
|
+
|
3
|
+
Endpoint request parameters/fields
|
4
|
+
|
5
|
+
Field Data Type Details
|
6
|
+
-------------------------------------------------------------------------------------------------
|
7
|
+
systemId Integer [Required] Unique system identifier
|
8
|
+
poamId Integer [Required] Unique item identifier
|
9
|
+
description String [Required] Provide a description of the milestone. 2000 Characters
|
10
|
+
scheduledCompletionDate Date [Required] Schedule completion date - Unix date format
|
11
|
+
|
12
|
+
Example:
|
13
|
+
|
14
|
+
bundle exec exe/emasser put milestones add --systemId [value] --poamId [value] --description [value] --scheduledCompletionDate [value]
|
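Review bot: the example at line 14 invokes `put milestones add`, but this file is the milestone_post_mapper (per the file list, +14 -14) and documents adding milestones; if the add subcommand is exposed under `post`, as the `post poams add` example in the poam_post_mapper hunk suggests for the sibling resource, the example should read `post milestones add`. Minor wording at line 10: `Schedule completion date - Unix date format` should be `Scheduled completion date`, and the other mappers in this diff say `Unix time format`; pick one term.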
@@ -1,23 +1,23 @@
|
|
1
|
-
Updates a milestones in a system for one or many poa&m items
|
2
|
-
|
3
|
-
Endpoint request parameters/fields
|
4
|
-
|
5
|
-
Field Data Type Details
|
6
|
-
-------------------------------------------------------------------------------------------------
|
7
|
-
systemId Integer [Required] Unique system identifier
|
8
|
-
milestoneId Integer [Required] Unique milestone identifier
|
9
|
-
poamId Integer [Required] unique item identifier
|
10
|
-
description String [Required] Provide a description of the milestone. 2000 Characters
|
11
|
-
scheduledCompletionDate Date [Required] In Unix date format ü
|
12
|
-
isActive Boolean [Optional] Set to false only in the case where POA&M PUT would delete
|
13
|
-
specified milestone. Not available for other requests
|
14
|
-
|
15
|
-
|
16
|
-
Set the field "isActive" to false only in the case where POA&M PUT would delete specified milestone. Not available for other requests
|
17
|
-
|
18
|
-
If a field is misrepresented (wrong value)the following response may be provided by the server:
|
19
|
-
Response body: {"meta":{"code":500,"errorMessage":"Sorry! Something went wrong on our end. Please contact emass_support@bah.com for assistance."}}
|
20
|
-
|
21
|
-
Example:
|
22
|
-
|
23
|
-
bundle exec exe/emasser put milestones update --systemId [value] --poamId [value] --milestoneId [value] --description [value] --scheduledCompletionDate [value]
|
1
|
+
Updates a milestones in a system for one or many poa&m items
|
2
|
+
|
3
|
+
Endpoint request parameters/fields
|
4
|
+
|
5
|
+
Field Data Type Details
|
6
|
+
-------------------------------------------------------------------------------------------------
|
7
|
+
systemId Integer [Required] Unique system identifier
|
8
|
+
milestoneId Integer [Required] Unique milestone identifier
|
9
|
+
poamId Integer [Required] unique item identifier
|
10
|
+
description String [Required] Provide a description of the milestone. 2000 Characters
|
11
|
+
scheduledCompletionDate Date [Required] In Unix date format ü
|
12
|
+
isActive Boolean [Optional] Set to false only in the case where POA&M PUT would delete
|
13
|
+
specified milestone. Not available for other requests
|
14
|
+
|
15
|
+
|
16
|
+
Set the field "isActive" to false only in the case where POA&M PUT would delete specified milestone. Not available for other requests
|
17
|
+
|
18
|
+
If a field is misrepresented (wrong value)the following response may be provided by the server:
|
19
|
+
Response body: {"meta":{"code":500,"errorMessage":"Sorry! Something went wrong on our end. Please contact emass_support@bah.com for assistance."}}
|
20
|
+
|
21
|
+
Example:
|
22
|
+
|
23
|
+
bundle exec exe/emasser put milestones update --systemId [value] --poamId [value] --milestoneId [value] --description [value] --scheduledCompletionDate [value]
|
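Review bot: line 11 carries a stray `ü` after `In Unix date format`, which looks like an encoding artifact rather than intended text and should be dropped. The `isActive` explanation is also stated twice, once in the field table (lines 12 and 13) and again verbatim at line 16; one copy is enough. Smaller fixes: the heading `Updates a milestones in a system` should be `Updates milestones in a system`, and line 18 needs a space in `(wrong value)the following response`.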
@@ -1,5 +1,5 @@
|
|
1
|
-
Remove one or many poa&m items in a system
|
2
|
-
|
3
|
-
Example:
|
4
|
-
|
5
|
-
bundle exec exe/emasser delete poams remove --systemId [value] --poamId [value]
|
1
|
+
Remove one or many poa&m items in a system
|
2
|
+
|
3
|
+
Example:
|
4
|
+
|
5
|
+
bundle exec exe/emasser delete poams remove --systemId [value] --poamId [value]
|
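Review bot: the heading says `Remove one or many poa&m items`, but the only example passes a single `--poamId [value]`; if the flag accepts several identifiers the help text should show the syntax for that, and if it does not, the heading should say one item. Nothing else in this hunk changes textually.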
@@ -1,93 +1,93 @@
|
|
1
|
-
Endpoint request body parameters/fields
|
2
|
-
|
3
|
-
Field Data Type Details
|
4
|
-
-------------------------------------------------------------------------------------------------
|
5
|
-
systemId Integer [Required] Unique eMASS identifier. Will need to provide correct number.
|
6
|
-
status String [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable).
|
7
|
-
vulnerabilityDescription String [Required] Provide a description of the POA&M Item. 2000 Characters.
|
8
|
-
sourceIdentVuln String [Required] Include Source Identifying Vulnerability text. 2000 Characters.
|
9
|
-
pocOrganization String [Required] Organization/Office represented. 100 Characters.
|
10
|
-
resources String [Required] List of resources used. 250 Characters.
|
11
|
-
|
12
|
-
milestones JSON [Conditional] Please see Notes 1 for more details.
|
13
|
-
pocFirstName String [Conditional] First name of POC. 100 Characters.
|
14
|
-
pocLastName String [Conditional] Last name of POC. 100 Characters.
|
15
|
-
pocEmail String [Conditional] Email address of POC. 100 Characters.
|
16
|
-
pocPhoneNumber String [Conditional] Phone number of POC (area code) ***-**** format. 100 Characters.
|
17
|
-
severity String [Conditional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
18
|
-
scheduledCompletionDate Date [Conditional] Required for ongoing and completed POA&M items. Unix time format.
|
19
|
-
completionDate Date [Conditional] Field is required for completed POA&M items. Unix time format.
|
20
|
-
comments String [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters.
|
21
|
-
|
22
|
-
externalUid String [Optional] Unique identifier external to the eMASS application for use with associating POA&M Items. 100 Characters.
|
23
|
-
controlAcronym String [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
|
24
|
-
cci String [Optional] CCI associated with the test result.
|
25
|
-
securityChecks String [Optional] Security Checks that are associated with the POA&M.
|
26
|
-
rawSeverity String [Optional] Values include the following: (I, II, III)
|
27
|
-
relevanceOfThreat String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
28
|
-
likelihood String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
29
|
-
impact String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
30
|
-
impactDescription String [Optional] Include description of Security Control’s impact.
|
31
|
-
residualRiskLevel String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
32
|
-
recommendations String [Optional] Include recommendations. Character Limit 2,000.
|
33
|
-
mitigation String [Optional] Include mitigation explanation. 2000 Characters.
|
34
|
-
|
35
|
-
isInherited String [Read-Only] Indicates whether a POA&M Item is inherited.
|
36
|
-
reviewStatus string [Read-Only] Values include the following options: (Not Approved, Under Review, Approved)
|
37
|
-
extensionDate Date [Read-Only] Value returned for a POA&M Item with review status "Approved" and has a milestone
|
38
|
-
with a scheduled completion date that extends beyond the POA&M Item’s scheduled completion date.
|
39
|
-
|
40
|
-
**If a milestone Id is provided the POA&M with the provided milestone Id is updated and the new POA&M milestones is set to null.**
|
41
|
-
|
42
|
-
The following fields are required based on the contents of the "status" field
|
43
|
-
|status |Required Fields
|
44
|
-
|----------------|--------------------------------------------------------
|
45
|
-
|Risk Accepted |comments
|
46
|
-
|Ongoing |scheduledCompletionDate, milestones (at least 1)
|
47
|
-
|Completed |scheduledCompletionDate, comments, completionDate, milestones (at least 1)
|
48
|
-
|Not Applicable |POAM can not be created
|
49
|
-
|
50
|
-
If a POC email is supplied, the application will attempt to locate a user already registered within the application and pre-populate any information not explicitly supplied in the request. If no such user is found, these fields are required within the request.
|
51
|
-
- pocFirstName, pocLastName, pocPhoneNumber
|
52
|
-
|
53
|
-
Business logic, the following rules apply when adding POA&Ms
|
54
|
-
|
55
|
-
- POA&M Items cannot be saved if associated Security Control or AP is inherited.
|
56
|
-
- POA&M Items cannot be created manually if a Security Control or AP is Not Applicable.
|
57
|
-
- Completed POA&M Item cannot be saved if Completion Date is in the future.
|
58
|
-
- Completed POA&M Item cannot be saved if Completion Date (completionDate) is in the future.
|
59
|
-
- Risk Accepted POA&M Item cannot be saved with a Scheduled Completion Date or Milestones
|
60
|
-
- POA&M Items with a review status of "Not Approved" cannot be saved if Milestone Scheduled Completion Date exceeds POA&M Item Scheduled Completion Date.
|
61
|
-
- POA&M Items with a review status of "Approved" can be saved if Milestone Scheduled Completion Date exceeds POA&M Item Scheduled Completion Date.
|
62
|
-
- POA&M Items that have a status of "Completed" and a status of "Ongoing" cannot be saved without Milestones.
|
63
|
-
- POA&M Items that have a status of "Risk Accepted" cannot have milestones.
|
64
|
-
- POA&M Items with a review status of "Approved" that have a status of "Completed" and "Ongoing" cannot update Scheduled Completion Date.
|
65
|
-
- POA&M Items that have a review status of "Approved" are required to have a Severity Value assigned.
|
66
|
-
- POA&M Items cannot be updated if they are included in an active package.
|
67
|
-
- Archived POA&M Items cannot be updated.
|
68
|
-
- POA&M Items with a status of "Not Applicable" will be updated through test result creation.
|
69
|
-
- If the Security Control or Assessment Procedure does not exist in the system we may have to just import POA&M Item at the System Level.
|
70
|
-
|
71
|
-
|
72
|
-
The following parameters/fields have the following character limitations:
|
73
|
-
- POA&M Item cannot be saved if the Point of Contact fields exceed 100 characters:
|
74
|
-
- Office / Organization (pocOrganization)
|
75
|
-
- First Name (pocFirstName)
|
76
|
-
- Last Name (pocLastName)
|
77
|
-
- Email (email)
|
78
|
-
- Phone Number (pocPhoneNumber)
|
79
|
-
- POA&M Items cannot be saved if Mitigation field (mitigation) exceeds 2000 characters.
|
80
|
-
- POA&M Items cannot be saved if Source Identifying Vulnerability field exceeds 2000 characters.
|
81
|
-
- POA&M Items cannot be saved if Comments (comments) field exceeds 2000 characters
|
82
|
-
- POA&M Items cannot be saved if Resource (resource) field exceeds 250 characters.
|
83
|
-
- POA&M Items cannot be saved if Milestone Description exceeds 2000 characters.
|
84
|
-
|
85
|
-
Example:
|
86
|
-
|
87
|
-
bundle exec exe/emasser post poams add --systemId [value] --status [value] --vulnerabilityDescription [value] --sourceIdentVuln [value] --pocOrganization [value] --resources [value]
|
88
|
-
|
89
|
-
Notes:
|
90
|
-
1 - The format for milestones is:
|
91
|
-
--milestone description:[value] scheduledCompletionDate:[value]
|
92
|
-
2 - Based on the value for the status (--status) parameter there are other required fields
|
93
|
-
3 - Refer to instructions listed above for conditional and optional fields requirements.
|
1
|
+
Endpoint request body parameters/fields
|
2
|
+
|
3
|
+
Field Data Type Details
|
4
|
+
-------------------------------------------------------------------------------------------------
|
5
|
+
systemId Integer [Required] Unique eMASS identifier. Will need to provide correct number.
|
6
|
+
status String [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable).
|
7
|
+
vulnerabilityDescription String [Required] Provide a description of the POA&M Item. 2000 Characters.
|
8
|
+
sourceIdentVuln String [Required] Include Source Identifying Vulnerability text. 2000 Characters.
|
9
|
+
pocOrganization String [Required] Organization/Office represented. 100 Characters.
|
10
|
+
resources String [Required] List of resources used. 250 Characters.
|
11
|
+
|
12
|
+
milestones JSON [Conditional] Please see Notes 1 for more details.
|
13
|
+
pocFirstName String [Conditional] First name of POC. 100 Characters.
|
14
|
+
pocLastName String [Conditional] Last name of POC. 100 Characters.
|
15
|
+
pocEmail String [Conditional] Email address of POC. 100 Characters.
|
16
|
+
pocPhoneNumber String [Conditional] Phone number of POC (area code) ***-**** format. 100 Characters.
|
17
|
+
severity String [Conditional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
18
|
+
scheduledCompletionDate Date [Conditional] Required for ongoing and completed POA&M items. Unix time format.
|
19
|
+
completionDate Date [Conditional] Field is required for completed POA&M items. Unix time format.
|
20
|
+
comments String [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters.
|
21
|
+
|
22
|
+
externalUid String [Optional] Unique identifier external to the eMASS application for use with associating POA&M Items. 100 Characters.
|
23
|
+
controlAcronym String [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
|
24
|
+
cci String [Optional] CCI associated with the test result.
|
25
|
+
securityChecks String [Optional] Security Checks that are associated with the POA&M.
|
26
|
+
rawSeverity String [Optional] Values include the following: (I, II, III)
|
27
|
+
relevanceOfThreat String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
28
|
+
likelihood String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
29
|
+
impact String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
30
|
+
impactDescription String [Optional] Include description of Security Control’s impact.
|
31
|
+
residualRiskLevel String [Optional] Values include the following: (Very Low, Low, Moderate, High, Very High)
|
32
|
+
recommendations String [Optional] Include recommendations. Character Limit 2,000.
|
33
|
+
mitigation String [Optional] Include mitigation explanation. 2000 Characters.
|
34
|
+
|
35
|
+
isInherited String [Read-Only] Indicates whether a POA&M Item is inherited.
|
36
|
+
reviewStatus string [Read-Only] Values include the following options: (Not Approved, Under Review, Approved)
|
37
|
+
extensionDate Date [Read-Only] Value returned for a POA&M Item with review status "Approved" and has a milestone
|
38
|
+
with a scheduled completion date that extends beyond the POA&M Item’s scheduled completion date.
|
39
|
+
|
40
|
+
**If a milestone Id is provided the POA&M with the provided milestone Id is updated and the new POA&M milestones is set to null.**
|
41
|
+
|
42
|
+
The following fields are required based on the contents of the "status" field
|
43
|
+
|status |Required Fields
|
44
|
+
|----------------|--------------------------------------------------------
|
45
|
+
|Risk Accepted |comments
|
46
|
+
|Ongoing |scheduledCompletionDate, milestones (at least 1)
|
47
|
+
|Completed |scheduledCompletionDate, comments, completionDate, milestones (at least 1)
|
48
|
+
|Not Applicable |POAM can not be created
|
49
|
+
|
50
|
+
If a POC email is supplied, the application will attempt to locate a user already registered within the application and pre-populate any information not explicitly supplied in the request. If no such user is found, these fields are required within the request.
|
51
|
+
- pocFirstName, pocLastName, pocPhoneNumber
|
52
|
+
|
53
|
+
Business logic, the following rules apply when adding POA&Ms
|
54
|
+
|
55
|
+
- POA&M Items cannot be saved if associated Security Control or AP is inherited.
|
56
|
+
- POA&M Items cannot be created manually if a Security Control or AP is Not Applicable.
|
57
|
+
- Completed POA&M Item cannot be saved if Completion Date is in the future.
|
58
|
+
- Completed POA&M Item cannot be saved if Completion Date (completionDate) is in the future.
|
59
|
+
- Risk Accepted POA&M Item cannot be saved with a Scheduled Completion Date or Milestones
|
60
|
+
- POA&M Items with a review status of "Not Approved" cannot be saved if Milestone Scheduled Completion Date exceeds POA&M Item Scheduled Completion Date.
|
61
|
+
- POA&M Items with a review status of "Approved" can be saved if Milestone Scheduled Completion Date exceeds POA&M Item Scheduled Completion Date.
|
62
|
+
- POA&M Items that have a status of "Completed" and a status of "Ongoing" cannot be saved without Milestones.
|
63
|
+
- POA&M Items that have a status of "Risk Accepted" cannot have milestones.
|
64
|
+
- POA&M Items with a review status of "Approved" that have a status of "Completed" and "Ongoing" cannot update Scheduled Completion Date.
|
65
|
+
- POA&M Items that have a review status of "Approved" are required to have a Severity Value assigned.
|
66
|
+
- POA&M Items cannot be updated if they are included in an active package.
|
67
|
+
- Archived POA&M Items cannot be updated.
|
68
|
+
- POA&M Items with a status of "Not Applicable" will be updated through test result creation.
|
69
|
+
- If the Security Control or Assessment Procedure does not exist in the system we may have to just import POA&M Item at the System Level.
|
70
|
+
|
71
|
+
|
72
|
+
The following parameters/fields have the following character limitations:
|
73
|
+
- POA&M Item cannot be saved if the Point of Contact fields exceed 100 characters:
|
74
|
+
- Office / Organization (pocOrganization)
|
75
|
+
- First Name (pocFirstName)
|
76
|
+
- Last Name (pocLastName)
|
77
|
+
- Email (email)
|
78
|
+
- Phone Number (pocPhoneNumber)
|
79
|
+
- POA&M Items cannot be saved if Mitigation field (mitigation) exceeds 2000 characters.
|
80
|
+
- POA&M Items cannot be saved if Source Identifying Vulnerability field exceeds 2000 characters.
|
81
|
+
- POA&M Items cannot be saved if Comments (comments) field exceeds 2000 characters
|
82
|
+
- POA&M Items cannot be saved if Resource (resource) field exceeds 250 characters.
|
83
|
+
- POA&M Items cannot be saved if Milestone Description exceeds 2000 characters.
|
84
|
+
|
85
|
+
Example:
|
86
|
+
|
87
|
+
bundle exec exe/emasser post poams add --systemId [value] --status [value] --vulnerabilityDescription [value] --sourceIdentVuln [value] --pocOrganization [value] --resources [value]
|
88
|
+
|
89
|
+
Notes:
|
90
|
+
1 - The format for milestones is:
|
91
|
+
--milestone description:[value] scheduledCompletionDate:[value]
|
92
|
+
2 - Based on the value for the status (--status) parameter there are other required fields
|
93
|
+
3 - Refer to instructions listed above for conditional and optional fields requirements.
|
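Review bot: the business-rules list repeats a bullet: lines 57 and 58 both state that a Completed POA&M Item cannot be saved if the Completion Date is in the future, differing only in that the second names the field (`completionDate`); keep the second and drop the first. In the character-limit list, the parenthesised field names do not match the table above it: `Email (email)` should be `(pocEmail)` and `Resource (resource)` should be `(resources)`, which matters because users map these names onto CLI flags. Two smaller consistency points: `isInherited` is typed `String` here but `Boolean` in the controls mapper hunk earlier in this diff, and `reviewStatus string` should capitalise the type like every other row; `Please see Notes 1` should read `Note 1`.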