Enterprise Mission Assurance Support Service (eMASS) (v3.2)

Download OpenAPI specification:Download

eMASS Tier III support: disa.meade.id.mbx.emass-tier-iii-support@mail.mil URL: https://www.dcsa.mil/is/emass/

The Enterprise Mission Assurance Support Service (eMASS) Representational State Transfer (REST) Application Programming Interface (API) enables users to perform assessments and complete actions associated with system records. This command-line interface (CLI) tool implements all of the eMASS endpoints defined in the eMASS REST API v3.2, dated October 21, 2021.

Register CLI
New users will need to register an API key with the eMASS development team prior to accessing the site for the first time. The eMASS REST API requires a client certificate (SSL/TLS, DoD PKI only) where {url}/api/register (POST) is used to register the client certificate.

Every call to the eMASS REST API will require the use of the agreed upon public key certificate and API key. The API key must be provided in the request header for all endpoint calls (api-key). If the service receives an untrusted certificate or API key, a 401 error response code will be returned along with an error message.

Available Request Headers:

key	Example Value	Description
`api-key`	api-key-provided-by-emass	This API key must be provided in the request header for all endpoint calls
`user-uid`	USER.UID.KEY	This User unique identifier key must be provided in the request header for all PUT, POST, and DELETE endpoint calls
		Note: For DoD users this is the DoD ID Number (EIDIPI) on their DoD CAC

Approve API Client for Actionable Requests
Users are required to log-in to eMASS and grant permissions for a client to update data within eMASS on their behalf. This is only required for actionable requests (PUT, POST, DELETE). The Registration Endpoint and all GET requests can be accessed without completing this process with the correct permissions. Please note that leaving a field parameter blank (for PUT/POST requests) has the potential to clear information in the active eMASS records.

To establish an account with eMASS and/or acquire an api-key/user-uid, contact one of the listed POC:

eMASS New User Registration (requires CAC authentication)

Authentication

apikey

The API key must be provided in the request header for all endpoint calls.
See the

Security Scheme Type	API Key
Header parameter name:	api-key

userid

This User unique identifier key must be provided in the request header for all PUT, POST, and DELETE endpoint calls.

Security Scheme Type	API Key
Header parameter name:	user-uid

Test

The Test Connection endpoint provides the ability to verify connection to the web service.

Test connection to the API

Returns endpoint call status

Authorizations:

apikeyuserid

Responses

Response samples

200
400
403
405
500

Content type

application/json

{"meta": {"code": 200
},
"data": {"success": true
}
}

Registration

The Registration endpoint provides the ability to register a certificate & obtain an API-key.

Register user certificate and obtain an API key

Returns the api-key - This API key must be provided in the request header for all endpoint calls (api-key).

Authorizations:

apikeyuserid

Request Body schema: application/json

User certificate previously provided by eMASS.

user-uid

required

string

Responses

Request samples

Payload

Content type

application/json

{"user-uid": "MY.USERUUID.KEY"
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": {"apikey": "f32516cc-57d3-43f5-9e16-8f86780a4cce"
}
}

Systems

The Systems endpoints provide the ability to view system information.

Notes

If a system is dual-policy enabled, the returned system details default to the RMF policy information unless otherwise specified for an individual system.
Certain fields are instance specific and may not be returned in GET request.

Get system information

Returns all system(s) that match the query parameters

Authorizations:

apikeyuserid

query Parameters

includePackage	boolean Default: true Enum: true false Include Package: Indicates if additional packages information is retrieved for queried system.
registrationType	string Default: "regular" Registration Type: Filter record by selected registration type (single value or comma delimited values). Available values: assessAndAuthorize, assessOnly, guest, regular, functional, cloudServiceProvider, commonControlProvider
ditprId	string DITPR ID: Filter query by DoD Information Technology (IT) Portfolio Repository (DITPR).
coamsId	string COAMS ID: Filter query by Cyber Operational Attributes Management System (COAMS).
policy	string Default: "rmf" Enum: "diacap" "rmf" "reporting" System Policy: Filter query by system policy. If no value is specified and more than one policy is available, the default return is the RMF policy information.
includeDitprMetrics	boolean Default: false Enum: true false Include DITPR: Indicates if DITPR metrics are retrieved. This query string parameter can only be used in conjunction with the following parameters: registrationType policy
includeDecommissioned	boolean Default: true Enum: true false Include Decommissioned Systems: Indicates if decommissioned systems are retrieved. If no value is specified, the default returns true to include decommissioned systems.
reportsForScorecard	boolean Default: true Enum: true false DoD Cyber Hygiene Scorecard: Indicates if the system reports to the DoD Cyber Hygiene Scorecard.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"policy": "RMF",
"registrationType": "Assess and Authorize",
"name": "System XYZ",
"acronym": "PM-6",
"description": "This is a test system for the eMASS API documentation",
"systemOwner": "DISA",
"organizationName": "Defense Information Systems Agency",
"secondaryOrganization": "ID31",
"versionReleaseNo": "V1",
"systemType": "IS Major Application",
"isNSS": true,
"isPublicFacing": true,
"coamsId": 93054,
"isTypeAuthorization": true,
"ditprId": "30498",
"authorizationStatus": "Authority to Operate (ATO)",
"authorizationDate": 1638741660,
"authorizationTerminationDate": 1638741660,
"authorizationLength": 365,
"termsForAuth": "Terms/Conditions to maintain a valid ATO",
"securityPlanApprovalStatus": "Approved",
"securityPlanApprovalDate": 1638741660,
"missionCriticality": "Mission Support (MS)",
"geographicalAssociation": "VA Operated IS",
"systemOwnership": "Region 1",
"governingMissionArea": "DoD portion of the Intelligence MA (DIMA)",
"primaryFunctionalArea": "Health/Medical",
"secondaryFunctionalArea": "Logistics",
"primaryControlSet": "NIST SP 800-53 Revision 4",
"confidentiality": "Low",
"integrity": "Moderate",
"availability": "High",
"appliedOverlays": "Classified Information",
"rmfActivity": "Maintain ATO and conduct reviews",
"crossDomainTicket": "Cross Domain Ticket test",
"ditprDonId": "5910, 1234, 8765",
"mac": "II",
"dodConfidentiality": "Public",
"contingencyPlanTested": true,
"contingencyPlanTestDate": 1426957321,
"securityReviewDate": 1531958400,
"hasOpenPoamItem": true,
"hasOpenPoamItem90to120PastScheduledCompletionDate": false,
"hasOpenPoamItem120PlusPastScheudledCompletionDate": false,
"impact": "Low",
"hasCUI": false,
"hasPII": false,
"hasPHI": false,
"ppsmRegistryNumber": "Test PPSM Registry Number",
"interconnectedInformationSystemAndIdentifiers": "Test",
"isPiaRequired": true,
"piaStatus": "Not Started",
"piaDate": 1622048629,
"userDefinedField1": "Test User-defined Field 1",
"userDefinedField2": "Test User-defined Field 2",
"userDefinedField3": "Test User-defined Field 3",
"userDefinedField4": "Test User-defined Field 4",
"userDefinedField5": "Test User-defined Field 5",
"currentRmfLifecycleStep": "4 – Assess",
"otherInformation": "Additional Comments",
"reportsForScorecard": true,
"package": [{"systemId": 35,
"workflow": "Assess and Authorize",
"name": "Package name text",
"currentStageName": "SCA-R",
"currentStage": 4,
"totalStages": 6,
"daysAtCurrentStage": 2,
"comments": "Comments text."
}
],
"connectivityCcsd": [{"ccsdNumber": "CCSD Number",
"connectivity": "Test Connectivity"
}
]
}
]
}

Get system information for a specific system

Returns the system matching provided parameters

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

includePackage	boolean Default: true Enum: true false Include Package: Indicates if additional packages information is retrieved for queried system.
policy	string Default: "rmf" Enum: "diacap" "rmf" "reporting" System Policy: Filter query by system policy. If no value is specified and more than one policy is available, the default return is the RMF policy information.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"policy": "RMF",
"registrationType": "Assess and Authorize",
"name": "System XYZ",
"acronym": "PM-6",
"description": "This is a test system for the eMASS API documentation",
"systemOwner": "DISA",
"organizationName": "Defense Information Systems Agency",
"secondaryOrganization": "ID31",
"versionReleaseNo": "V1",
"systemType": "IS Major Application",
"isNSS": true,
"isPublicFacing": true,
"coamsId": 93054,
"isTypeAuthorization": true,
"ditprId": "30498",
"authorizationStatus": "Authority to Operate (ATO)",
"authorizationDate": 1638741660,
"authorizationTerminationDate": 1638741660,
"authorizationLength": 365,
"termsForAuth": "Terms/Conditions to maintain a valid ATO",
"securityPlanApprovalStatus": "Approved",
"securityPlanApprovalDate": 1638741660,
"missionCriticality": "Mission Support (MS)",
"geographicalAssociation": "VA Operated IS",
"systemOwnership": "Region 1",
"governingMissionArea": "DoD portion of the Intelligence MA (DIMA)",
"primaryFunctionalArea": "Health/Medical",
"secondaryFunctionalArea": "Logistics",
"primaryControlSet": "NIST SP 800-53 Revision 4",
"confidentiality": "Low",
"integrity": "Moderate",
"availability": "High",
"appliedOverlays": "Classified Information",
"rmfActivity": "Maintain ATO and conduct reviews",
"crossDomainTicket": "Cross Domain Ticket test",
"ditprDonId": "5910, 1234, 8765",
"mac": "II",
"dodConfidentiality": "Public",
"contingencyPlanTested": true,
"contingencyPlanTestDate": 1426957321,
"securityReviewDate": 1531958400,
"hasOpenPoamItem": true,
"hasOpenPoamItem90to120PastScheduledCompletionDate": false,
"hasOpenPoamItem120PlusPastScheudledCompletionDate": false,
"impact": "Low",
"hasCUI": false,
"hasPII": false,
"hasPHI": false,
"ppsmRegistryNumber": "Test PPSM Registry Number",
"interconnectedInformationSystemAndIdentifiers": "Test",
"isPiaRequired": true,
"piaStatus": "Not Started",
"piaDate": 1622048629,
"userDefinedField1": "Test User-defined Field 1",
"userDefinedField2": "Test User-defined Field 2",
"userDefinedField3": "Test User-defined Field 3",
"userDefinedField4": "Test User-defined Field 4",
"userDefinedField5": "Test User-defined Field 5",
"currentRmfLifecycleStep": "4 – Assess",
"otherInformation": "Additional Comments",
"reportsForScorecard": true,
"package": [{"systemId": 35,
"workflow": "Assess and Authorize",
"name": "Package name text",
"currentStageName": "SCA-R",
"currentStage": 4,
"totalStages": 6,
"daysAtCurrentStage": 2,
"comments": "Comments text."
}
],
"connectivityCcsd": [{"ccsdNumber": "CCSD Number",
"connectivity": "Test Connectivity"
}
]
}
]
}

System Roles

The System Roles endpoints provides the ability to access user data assigned to systems.

Notes:

The endpoint can access three different role categories: PAC, CAC, and Other.
If a system is dual-policy enabled, the returned system role information will default to the RMF policy information unless otherwise specified.

Get available roles

Returns all available roles

Authorizations:

apikeyuserid

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"roleCategory": "PAC",
"role": "PM/IAM"
}
]
}

Get system roles

Returns the role(s) data matching parameters.

Authorizations:

apikeyuserid

path Parameters

roleCategory

required

string

Default: "PAC"

Enum: "CAC" "PAC" "Other"

Role Category: The system role category been queried

query Parameters

role required	string Default: "Validator (IV&V)" Enum: "AO" "Auditor" "Artifact Manager" "C&A Team" "IAO" "ISSO" "PM/IAM" "SCA" "User Rep (View Only)" "Validator (IV&V)" Role: Required parameter. Accepts single value from available options.
policy	string Default: "rmf" Enum: "diacap" "rmf" "reporting" System Policy: Filter query by system policy. If no value is specified and more than one policy is available, the default return is the RMF policy information.
includeDecommissioned	boolean Default: true Enum: true false Include Decommissioned Systems: Indicates if decommissioned systems are retrieved. If no value is specified, the default returns true to include decommissioned systems.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"systemName": "Test system 1",
"systemAcronym": "S-XYZ",
"roles": [{"roleCategory": "PAC",
"role": "AO",
"users": [{"firstName": "John",
"lastName": "Smith",
"email": "John.Smith@hb.com"
}
]
}
]
}
]
}

Controls

The Controls endpoints provide the ability to view, add, and update Security Control information to a system for both the Implementation Plan and Risk Assessment.

Get control information in a system for one or many controls

Returns system control information for matching systemId path parameter

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

acronyms

string

Default: "PM-6"

Acronym: The system acronym(s) being queried (single value or comma delimited values).

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"name": "System XYZ",
"acronym": "AC-3",
"ccis": "000001,000002",
"isInherited": true,
"modifiedByOverlays": "Requirements",
"includedStatus": "Manually",
"complianceStatus": "Status",
"responsibleEntities": "Unknown",
"implementationStatus": "Planned",
"commonControlProvider": "DoD",
"naJustification": "System EOL within 120 days",
"controlDesignation": "Common",
"estimatedCompletionDate": 1638741660,
"implementationNarrative": "Test Imp. Narrative",
"slcmCriticality": "Test Criticality",
"slcmFrequency": "Annually",
"slcmMethod": "Automated",
"slcmReporting": "Test Reporting",
"slcmTracking": "Test Tracking",
"slcmComments": "Test SLCM Comments",
"severity": "Low",
"vulnerabiltySummary": "Test Vulnerability Summary",
"recommendations": "Test Recommendations",
"relevanceOfThreat": "Low",
"likelihood": "Low",
"impact": "Low",
"impactDescription": "Impact text",
"residualRiskLevel": "Low",
"testMethod": "Test"
}
]
}

Update control information in a system for one or many controls

Update a Control for given systemId

Request Body Required Fields

acronym
responsibleEntities
controlDesignation
estimatedCompletionDate
implementationNarrative

The following optional fields are required based on the Implementation Status implementationStatus value
| Value | Required Fields |--------------------------|--------------------------------------------------- | Planned or Implemented | estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmReporting, slcmTracking, slcmComments | Not Applicable | naJustification, responsibleEntities | Manually Inherited | commonControlProvider, estimatedCompletionDate, responsibleEntities, slcmCriticality, slcmFrequency, slcmMethod, slcmReporting, slcmTracking, slcmComments

If the Implementation Status implementationStatus value is "Inherited", only the following fields can be updated:

controlDesignation
commonnControlProvider

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing control by Id

acronym required	string^[A-Z0-9-]{3,6} [Required] Required to match the NIST SP 800-53 Revision 4.
responsibleEntities required	string [Required] Include written description of Responsible Entities that are responsible for the Security Control. Character Limit = 2,000.
implementationStatus	string Enum: "Planned" "Implemented" "Inherited" "Not Applicable" "Manually Inherited" [Optional] Implementation Status of the Security Control for the information system.
commonControlProvider	string Enum: "DoD" "Component" "Enclave" [Conditional] Indicate the type of Common Control Provider for an “Inherited” Security Control.
naJustification	string [Conditional] Provide justification for Security Controls deemed Not Applicable to the system.
controlDesignation required	string Enum: "Common" "System-Specific" "Hybrid" [Required] Control designations
testMethod	string Enum: "Test" "Interview" "Examine" "Test, Interview" "Test, Examine" "Interview, Examine" "Test, Interview, Examine" [Optional] Identifies the assessment method / combination that will determine if the security requirements are implemented correctly.
estimatedCompletionDate required	integer [ 1500000000 .. 1900000000 ] [Required] Field is required for Implementation Plan.
implementationNarrative required	string [Required] Includes security control comments. Character Limit = 2,000.
slcmCriticality	string [Conditional] Criticality of Security Control regarding SLCM. Character Limit = 2,000.
slcmFrequency	string Enum: "Constantly" "Daily" "Weekly" "Monthly" "Quarterly" "Semi-Annually" "Annually" "Every Two Years" "Every Three Years" "Undetermined" [Conditional] SLCM frequency
slcmMethod	string Enum: "Automated" "Semi-Automated" "Manual" "Undetermined" [Conditional] SLCM method utilized
slcmReporting	string [Conditional] Method for reporting Security Control for SLCM. Character Limit = 2,000.
slcmTracking	string [Conditional] How Non-Compliant Security Controls will be tracked for SLCM. Character Limit = 2,000.
slcmComments	string [Conditional] Additional comments for Security Control regarding SLCM. Character Limit = 4,000.
severity	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
vulnerabiltySummary	string [Optional] Include vulnerability summary. Character Limit = 2,000.
recommendations	string [Optional] Include recommendations. Character Limit = 2,000.
relevanceOfThreat	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
likelihood	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impact	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impactDescription	string [Optional] Include description of Security Control's impact.
residualRiskLevel	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)

Responses

Request samples

Payload

Content type

application/json

{"acronym": "AC-3",
"responsibleEntities": "Unknown",
"implementationStatus": "Planned",
"commonControlProvider": "DoD",
"naJustification": "System EOL within 120 days",
"controlDesignation": "Common",
"testMethod": "Test",
"estimatedCompletionDate": 1638741660,
"implementationNarrative": "Test Imp. Narrative",
"slcmCriticality": "Test Criticality",
"slcmFrequency": "Annually",
"slcmMethod": "Automated",
"slcmReporting": "Test Reporting",
"slcmTracking": "Test Tracking",
"slcmComments": "Test SLCM Comments",
"severity": "Low",
"vulnerabiltySummary": "Test Vulnerability Summary",
"recommendations": "Test Recommendations",
"relevanceOfThreat": "Low",
"likelihood": "Low",
"impact": "Low",
"impactDescription": "Impact text",
"residualRiskLevel": "Low"
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"acronym": "AC-3",
"success": true,
"systemId": 33
}
]
}

Test Results

The Test Results endpoints provide the ability to view and add test results for a system's Assessment Procedures (CCIs) which determine Security Control compliance.

Get one or many test results in a system

Returns system test results information for matching parameters.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

controlAcronyms	string System Acronym: Filter query by given system acronym (single or comma separated).
ccis	string CCI System: Filter query by Control Correlation Identifiers (CCIs).
latestOnly	boolean Default: true Enum: true false Latest Results Only: Indicates that only the latest test resultes are retrieved (single or comma separated).

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"control": "“AC-3”",
"cci": "000001",
"isInherited": true,
"testedBy": "Smith, Joe",
"testDate": 1638741660,
"description": "Test result description",
"type": "Self-Assessment",
"complianceStatus": "Compliant"
}
]
}

Add one or many test results in a system

Adds test results for given systemId

Request Body Required Fields

cci
testedBy
testDate
description
complianceStatus

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing control by Id

cci required	string^\d{5,6},\d{5,6} [Required] CCI associated with test result.
testedBy required	string [Required] Last Name, First Name. 100 Characters.
testDate required	integer <int64> [ 1500000000 .. 1900000000 ] [Required] Unix time format.
description required	string [Required] Include description of test result. 4000 Characters.
complianceStatus required	string Enum: "Compliant" "Non-Compliant" "Not Applicable" [Required] Test result compliance status

Responses

Request samples

Payload

Content type

application/json

{"cci": "000001",
"testedBy": "Smith, Joe",
"testDate": 1638741660,
"description": "Test result description",
"complianceStatus": "Compliant"
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"cci": "000001",
"success": true,
"systemId": 35
}
]
}

POAM

The POA&Ms endpoints provide the ability to view, add, update, and remove Plan of Action and Milestones (POA&M) items and associated milestones for a system.

Get one or many POA&M items in a system

Returns system(s) containing POA&M items for matching parameters.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

scheduledCompletionDateStart	string Date Started: Filter query by the scheduled completion start date (Unix date format).
scheduledCompletionDateEnd	string Date Ended: Filter query by the scheduled completion start date (Unix date format).
controlAcronyms	string System Acronym: Filter query by given system acronym (single or comma separated).
ccis	string CCI System: Filter query by Control Correlation Identifiers (CCIs).
systemOnly	boolean Default: true Enum: true false Systems Only: Indicates that only system(s) information is retrieved.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 830,
"poamId": 45,
"displayPoamId": 450000000,
"isInherited": true,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"controlAcronyms": "“AC-3”",
"cci": "000001",
"status": "Completed",
"reviewStatus": "Under Review",
"vulnerabilityDescription": "Description text",
"sourceIdentVuln": "Source Indentifying Vulnerability text",
"securityChecks": "SV-25123r1_rule,2016-A-0279",
"milestones": [{"systemId": 830,
"milestoneId": 19,
"poamId": 45,
"description": "Description text",
"scheduledCompletionDate": 1599644800,
"reviewStatus": "Under Review"
}
],
"pocOrganization": "Army",
"pocFirstName": "John",
"pocLastName": "Smith",
"pocEmail": "smith@ah.com",
"pocPhoneNumber": "555-555-5555",
"severity": "Low",
"rawSeverity": "I",
"relevanceOfThreat": "Low",
"likelihood": "Moderate",
"impact": "High",
"impactDescription": "Impact Description text",
"residualRiskLevel": "Very Low",
"recommendations": "Recommendations text",
"resources": "Resource text.",
"scheduledCompletionDate": 1599644800,
"completionDate": 1505916276,
"extensionDate": 1505916298,
"comments": "Comments text.",
"mitigation": "Mitigation text",
"isActive": true
}
]
}

Add one or many POA&M items in a system

Add a POA&M for given systemId

Request Body Required Fields

status
vulnerabilityDescription
sourceIdentVuln
pocOrganization
resources

Note
If a POC email is supplied, the application will attempt to locate a user already registered within the application and pre-populate any information not explicitly supplied in the request. If no such user is found, these fields are required within the request.
pocFirstName, pocLastName, pocPhoneNumber

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing control by Id

status	string Enum: "Ongoing" "Risk Accepted" "Completed" "Not Applicable" [Required] Values include the following: (Ongoing,Risk Accepted,Completed,Not Applicable
vulnerabilityDescription	string [Required] Provide a description of the POA&M Item. 2000 Characters.
sourceIdentVuln	string Enum: "Not Approved" "Under Review" "Approved" [Required] Include Source Identifying Vulnerability text. 2000 Characters.
pocOrganization	string [Required] Organization/Office represented. 100 Characters.
resources	string [Required] List of resources used. 250 Characters.
pocFirstName	string [Required] First name of POC. 100 Characters.
pocLastName	string [Required] Last name of POC. 100 Characters.
pocEmail	string [Required] Email address of POC. 100 Characters.
pocPhoneNumber	string [Required] Phone number of POC (area code) -* format. 100 Characters.
externalUid	string [Optional] Unique identifier external to the eMASS application for use with associating POA&Ms. 100 Characters.
controlAcronym	string [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
cci	string^\d{5,6},\d{5,6} [Optional] CCI associated with POA&M.
securityChecks	string [Optional] Security Checks that are associated with the POA&M.
rawSeverity	string Enum: "I" "II" "III" [Optional] Values include the following options (I,II,III)
relevanceOfThreat	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
likelihood	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impact	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impactDescription	string [Optional] Include description of Security Control’s impact.
residualRiskLevel	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
recommendations	string [Optional] Include recommendations. Character Limit = 2,000.
mitigation	string [Optional] Include mitigation explanation. 2000 Characters.
severity	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Conditional] Required for approved items. Values include the following options: (Very Low, Low, Moderate,High,Very High)
scheduledCompletionDate	integer <int64> [ 1500000000 .. 1900000000 ] [Conditional] Required for ongoing and completed POA&M items. Unix time format.
comments	string [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters
completionDate	integer <int64> [ 1500000000 .. 1900000000 ] [Conditional] Field is required for completed POA&M items. Unix time format.
	Array of objects (Milestones) <= 3 items >= 1

Responses

Request samples

Payload

Content type

application/json

{"status": "Completed",
"vulnerabilityDescription": "Description text",
"sourceIdentVuln": "Source Indentifying Vulnerability text",
"pocOrganization": "Army",
"resources": "Resource text.",
"pocFirstName": "John",
"pocLastName": "Smith",
"pocEmail": "smith@ah.com",
"pocPhoneNumber": "555-555-5555",
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"controlAcronym": "“AC-3”",
"cci": "000001",
"securityChecks": "SV-25123r1_rule,2016-A-0279",
"rawSeverity": "I",
"relevanceOfThreat": "Low",
"likelihood": "Low",
"impact": "Low",
"impactDescription": "Impact text",
"residualRiskLevel": "Low",
"recommendations": "Recommendations text",
"mitigation": "Mitigation text",
"severity": "Low",
"scheduledCompletionDate": 1599644800,
"comments": "Comments text.",
"completionDate": 1505916276,
"milestones": [{"description": "Description text",
"scheduledCompletionDate": 1599644800
}
]
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 33,
"poamId": 45,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"success": true
}
]
}

Update one or many POA&M items in a system

Update a POA&M for given systemId

Request Body Required Fields

poamId
displayPoamId
status
vulnerabilityDescription
sourceIdentVuln
pocOrganization
reviewStatus

Notes

If a POC email is supplied, the application will attempt to locate a user already registered within the application and pre-populate any information not explicitly supplied in the request. If no such user is found, these fields are required within the request.
pocOrganization, pocFirstName, pocLastName, pocEmail, pocPhoneNumber
To delete a milestone through the POA&M PUT the field isActive must be set to false: isActive=false.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing control by Id

poamId	integer <int64> [ 1 .. 300 ] [Required] Unique item identifier
displayPoamId	integer <int64> [ 100000000 .. 101003239 ] [Required] Globally unique identifier for individual POA&M Items, seen on the front-end as “ID”.
status	string Enum: "Ongoing" "Risk Accepted" "Completed" "Not Applicable" [Required] The POA&M status
vulnerabilityDescription	string [Required] Provide a description of the POA&M Item. 2000 Characters.
sourceIdentVuln	string [Required] Include Source Identifying Vulnerability text. 2000 Characters.
pocOrganization	string [Required] Organization/Office represented. 100 Characters.
resources	string [Required] List of resources used. 250 Characters.
externalUid	string [Optional] Unique identifier external to the eMASS application for use with associating POA&Ms. 100 Characters.
controlAcronym	string [Optional] Control acronym associated with the POA&M Item. NIST SP 800-53 Revision 4 defined.
cci	string^\d{5,6},\d{5,6} CCI associated with POA&M.
securityChecks	string [Optional] Security Checks that are associated with the POA&M.
rawSeverity	string Enum: "I" "II" "III" [Optional] Values include the following options (I,II,III)
relevanceOfThreat	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
likelihood	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impact	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
impactDescription	string [Optional] Include description of Security Control’s impact.
residualRiskLevel	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Optional] Values include the following options (Very Low, Low, Moderate,High,Very High)
recommendations	string [Optional] Include recommendations. Character Limit = 2,000.
mitigation	string [Optional] Include mitigation explanation. 2000 Characters.
pocFirstName	string [Conditional] First name of POC. 100 Characters.
pocLastName	string [Conditional] Last name of POC. 100 Characters.
pocEmail	string [Conditional] Email address of POC. 100 Characters.
pocPhoneNumber	string [Conditional] Phone number of POC (area code) -* format. 100 Characters.
severity	string Enum: "Very Low" "Low" "Moderate" "High" "Very High" [Conditional] Required for approved items. Values include the following options: (Very Low, Low, Moderate,High,Very High)
scheduledCompletionDate	integer <int64> [ 1500000000 .. 1900000000 ] [Conditional] Required for ongoing and completed POA&M items. Unix time format.
completionDate	integer <int64> [ 1500000000 .. 1900000000 ] [Conditional] Field is required for completed POA&M items. Unix time format.
comments	string [Conditional] Field is required for completed and risk accepted POA&M items. 2000 Characters
isActive	boolean [Conditional] Optionally used in PUT to delete milestones when updating a POA&M.
	Array of objects (Milestones) <= 3 items >= 1

Responses

Request samples

Payload

Content type

application/json

{"poamId": 45,
"displayPoamId": 450000000,
"status": "Completed",
"vulnerabilityDescription": "Description text",
"sourceIdentVuln": "Source Indentifying Vulnerability text",
"pocOrganization": "Army",
"resources": "Resource text.",
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"controlAcronym": "“AC-3”",
"cci": "000001",
"securityChecks": "SV-25123r1_rule,2016-A-0279",
"rawSeverity": "I",
"relevanceOfThreat": "Low",
"likelihood": "Low",
"impact": "Low",
"impactDescription": "Impact text",
"residualRiskLevel": "Low",
"recommendations": "Recommendations text",
"mitigation": "Mitigation text",
"pocFirstName": "John",
"pocLastName": "Smith",
"pocEmail": "smith@ah.com",
"pocPhoneNumber": "555-555-5555",
"severity": "Low",
"scheduledCompletionDate": 1599644800,
"completionDate": 1505916276,
"comments": "Comments text.",
"isActive": true,
"milestones": [{"milestoneId": 19,
"description": "Description text",
"scheduledCompletionDate": 1599644800
}
]
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 33,
"poamId": 45,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"success": true
}
]
}

Remove one or many POA&M items in a system

Remove the POA&M matching systemId path parameter and poamId query parameter

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Delete the given POA&M Id

poamId

required

integer <int64> [ 1 .. 300 ]

[Required] Unique item identifier

Responses

Request samples

Payload

Content type

application/json

{"poamId": 45
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 33,
"poamId": 45,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"success": true
}
]
}

Get POA&M item by ID in a system

Returns system(s) containing POA&M items for matching parameters.

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 830,
"poamId": 45,
"displayPoamId": 450000000,
"isInherited": true,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"controlAcronyms": "“AC-3”",
"cci": "000001",
"status": "Completed",
"reviewStatus": "Under Review",
"vulnerabilityDescription": "Description text",
"sourceIdentVuln": "Source Indentifying Vulnerability text",
"securityChecks": "SV-25123r1_rule,2016-A-0279",
"milestones": [{"systemId": 830,
"milestoneId": 19,
"poamId": 45,
"description": "Description text",
"scheduledCompletionDate": 1599644800,
"reviewStatus": "Under Review"
}
],
"pocOrganization": "Army",
"pocFirstName": "John",
"pocLastName": "Smith",
"pocEmail": "smith@ah.com",
"pocPhoneNumber": "555-555-5555",
"severity": "Low",
"rawSeverity": "I",
"relevanceOfThreat": "Low",
"likelihood": "Moderate",
"impact": "High",
"impactDescription": "Impact Description text",
"residualRiskLevel": "Very Low",
"recommendations": "Recommendations text",
"resources": "Resource text.",
"scheduledCompletionDate": 1599644800,
"completionDate": 1505916276,
"extensionDate": 1505916298,
"comments": "Comments text.",
"mitigation": "Mitigation text",
"isActive": true
}
]
}

Milestones

The Milestones endpoints provide the ability to view, add, update, and remove milestones that are associated with Plan of Action and Milestones (POA&M) items for a system.

Get milestones in one or many POA&M items in a system

Returns system containing milestones for matching parameters.

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.

query Parameters

scheduledCompletionDateStart	string Date Started: Filter query by the scheduled completion start date (Unix date format).
scheduledCompletionDateEnd	string Date Ended: Filter query by the scheduled completion start date (Unix date format).

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 830,
"milestoneId": 19,
"poamId": 45,
"description": "Description text",
"scheduledCompletionDate": 1599644800,
"reviewStatus": "Under Review"
}
]
}

Add milestones to one or many POA&M items in a system

Adds a milestone for given systemId and poamId path parameters

Request Body Required Fields

description
scheduledCompletionDate

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.

Request Body schema: application/json

Update an existing milestone

poamId required	integer <int64> [ 1 .. 300 ] [Required] Unique POA&M item identifier.
description required	string [Required] Provide a description of the milestone.
scheduledCompletionDate required	integer <int64> [ 1500000000 .. 1900000000 ] [Required] Unix date format.

Responses

Request samples

Payload

Content type

application/json

{"poamId": 45,
"description": "Description text",
"scheduledCompletionDate": 1599644800
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"poamId": 45,
"milestoneId": 77,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"success": true
}
]
}

Update one or many POA&M items in a system

Updates a milestone for given systemId and poamId path parameters

Request Body Required Fields

milestoneId
description
scheduledCompletionDate

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.

Request Body schema: application/json

Update an existing control by Id

milestoneId required	integer <int64> [ 1 .. 300 ] [Required] Unique milestone identifier.
description required	string [Required] Provide a description of the milestone.
scheduledCompletionDate required	integer <int64> [ 1500000000 .. 1900000000 ] [Required] Unix date format.

Responses

Request samples

Payload

Content type

application/json

{"milestoneId": 19,
"description": "Description text",
"scheduledCompletionDate": 1599644800
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"poamId": 45,
"milestoneId": 77,
"externalUid": "d6d98b88-c866-4496-9bd4-de7ba48d0f52",
"success": true
}
]
}

Remove milestones in a system for one or many POA&M items

Remove the POA&M matching systemId path parameter
Notes
To delete a milestone the record must be inactive by having the field isActive set to false (isActive=false).

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.

Request Body schema: application/json

Delete the given Milestone Id

milestoneId

required

integer <int64> [ 1 .. 300 ]

[Required] Unique item identifier

Responses

Request samples

Payload

Content type

application/json

{"milestoneId": 19
}

Response samples

Content type

application/json

{ }

Get milestone by ID in POA&M item in a system

Returns systems containing milestones for matching parameters.

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
poamId required	integer Example: 45 POA&M Id: The unique POA&M record identifier.
milestoneId required	integer Example: 77 Milestone Id: The unique milestone record identifier.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 830,
"milestoneId": 19,
"poamId": 45,
"description": "Description text",
"scheduledCompletionDate": 1599644800,
"reviewStatus": "Under Review"
}
]
}

Artifacts

The Artifacts endpoints provide the ability to view, add, update, and remove artifacts (supporting documentation/evidence) and associated files for a system.

Get one or many artifacts in a system

Returns selected artifacts matching parameters to include the file name containing the artifacts.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

filename	string Example: filename=ArtifactsExporFile.pdf File Name: The file name (to include file-extension).
controlAcronyms	string System Acronym: Filter query by given system acronym (single or comma separated).
ccis	string CCI System: Filter query by Control Correlation Identifiers (CCIs).
systemOnly	boolean Default: true Enum: true false Systems Only: Indicates that only system(s) information is retrieved.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"filename": "AutorizationGuidance.pdf",
"isInherited": true,
"isTemplate": false,
"type": "Policy",
"category": "Change Request",
"description": "Artifact description text",
"refPageNumber": "Reference page number",
"ccis": "000001,000002",
"controls": "AC-8,AC-2(4)",
"mimeContentType": "application/zip",
"fileSize": "4MB",
"artifactExpirationDate": 1549036926,
"lastReviewedDate": 1549036928
}
]
}

Add one or many artifacts in a system

Information
The request body of a POST request through the Artifact Endpoint accepts a single binary file with file extension ".zip" only. This accepted .zip file should contain one or more files corresponding to existing artifacts or new artifacts that will be created upon successful receipt. Filename uniqueness throughout eMASS will be enforced by the API.

Upon successful receipt of a file, if a file within the .zip is matched via filename to an artifact existing within the application, the file associated with the artifact will be updated. If no artifact is matched via filename to the application, a new artifact will be created with the following default values. Any values not specified below will be blank.

isTemplate: false
type: other
category: evidence

To update values other than the file itself, please submit a PUT request.

Zip file information
Upload a zip file contain one or more files corresponding to existing artifacts or new artifacts that will be created upon successful receipt.

Business Rules
Artifact cannot be saved if the file does not have the following file extensions:

.docx,.doc,.txt,.rtf,.xfdl,.xml,.mht,.mh,tml,.html,.htm,.pdf,.mdb,.accdb,.ppt,
.pptx,.xls,.xlsx,.csv,.log,.jpeg,.jpg,.tiff,.bmp,.tif,.png,.gif,.zip,.rar,.msg,
.vsd,.vsw,.vdx,.z{#},.ckl,.avi,.vsdx

Artifact version cannot be saved if an Artifact with the same file name already exist in the system.

Artifact cannot be saved if the file size exceeds 30MB.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: multipart/form-data

See Information posted above for additional instructions

isTemplate	boolean
type	string Enum: "Procedure" "Diagram" "Policy" "Labor" "Document" "Image" "Other" "Scan Result" "Auditor Report"
category	string Enum: "Implementation Guidance" "Evidence"
Zipper required	string <binary>

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"filename": "AutorizationGuidance.pdf",
"success": true,
"systemId": 35
}
]
}

Update one or many artifacts in a system

Updates an artifact for given systemId path parameter

Request Body Required Fields

filename
isTemplate
type
category

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

See information above for additional instructions

filename required	string [Required] File name should match exactly one file within the provided zip file. 1000 Characters.
isTemplate required	boolean [Required] Indicates it is an artifact template.
type required	string Enum: "Procedure" "Diagram" "Policy" "Labor" "Document" "Image" "Other" "Scan Result" [Required] Artifact type options
category required	string Enum: "Implementation Guidance" "Evidence" [Required] Artifact category options
description	string [Optional] Artifact description. 2000 Characters.
refPageNumber	string [Optional] Artifact reference page number. 50 Characters.
ccis	string^\d{5,6},\d{5,6} [Required] CCI associated with test result.
controls	string^[A-Z0-9-]{3,6} [Optional] Control acronym associated with the artifact. NIST SP 800-53 Revision 4 defined.
artifactExpirationDate	integer <int64> [ 1500000000 .. 1900000000 ] [Optional] Date Artifact expires and requires review. In Unix Date format.
lastReviewedDate	integer <int64> [ 1500000000 .. 1900000000 ] [Optional]] Date Artifact was last reviewed.. Unix time format.

Responses

Request samples

Payload

Content type

application/json

{"filename": "AutorizationGuidance.pdf",
"isTemplate": false,
"type": "Policy",
"category": "Change Request",
"description": "Artifact description text",
"refPageNumber": "Reference page number",
"ccis": "000001,000002",
"controls": "AC-8,AC-2(4)",
"artifactExpirationDate": 1549036928,
"lastReviewedDate": 1549036928
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"filename": "AutorizationGuidance.pdf",
"success": true,
"systemId": 35
}
]
}

Remove one or many artifacts in a system

Remove the Artifact(s) matching systemId path parameter and request body artifact(s) file name

Note: Multiple files can be deleted by providing multiple file names at the CL (comma delimited)

Example: --files file1.txt, file2.txt

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

See notes above for additional information

Array (<= 4 items)

filename

string

[Required] File name should match exactly one file within the provided zip file. 1000 Characters.

Responses

Request samples

Payload

Content type

application/json

[{"filename": "AutorizationGuidance.pdf"
}
]

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"filename": "AutorizationGuidance.pdf",
"success": true,
"systemId": 35
}
]
}

Artifacts Export

The Artifacts Export endpoint provides the ability to download artifact files for a system.

Get the file of an artifact in a system

Sample Responce
Binary file associated with given filename.
If compress parameter is specified, zip archive of binary file associated with given filename.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

filename required	string Example: filename=ArtifactsExporFile.pdf File Name: The file name (to include file-extension).
compress	boolean Default: true Enum: true false Compress File: Determines if returned file is compressed.

Responses

Response samples

Content type

application/json

{"meta": {"code": 400,
"errorMessage": "Request could not be understood by the server due to incorrect syntax or an unexpected format"
}
}

CAC

The Control Approval Chain (CAC) endpoints provide the ability to view the status of Security Controls and submit them to the second stage in the Control Approval Chain.

Notes:

POST requests will only yield successful results if the Security Control is at the first stage of the CAC. If the control is not at the first stage, an error will be returned.

Get location of one or many controls in CAC

Returns the location of a system's package in the Control Approval Chain (CAC) for matching systemId path parameter

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

controlAcronyms

string

System Acronym: Filter query by given system acronym (single or comma separated).

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"controlAcronym": "AC-3",
"complianceStatus": "Compliant",
"currentStageName": "SCA-V",
"currentStage": 2,
"totalStages": 2,
"comments": "Control Approval Chain comments text."
}
]
}

Submit control to second role of CAC

Adds a Control Approval Chain (CAC) for given systemId path parameter

POST requests will only yield successful results if the control is currently sitting at the first role of the CAC. If the control is not currently sitting at the first role, then an error will be returned.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing Artifact by Id

controlAcronym	string [Required] System acronym name.
comments	string [Conditional] Control Approval Chain comments - 2000 Characters.

Responses

Request samples

Payload

Content type

application/json

{"controlAcronym": "AC-3",
"comments": "Control Approval Chain comments text."
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"controlAcronym": "AC-3",
"success": true,
"systemId": 35
}
]
}

PAC

The Package Approval Chain (PAC) endpoints provide the ability to view the status of existing workflows and initiate new workflows for a system.

Notes:

If the indicated system has any active workflows, the response will include information such as the workflow type and the current stage of each workflow.
If there are no active workflows, then a null data member will be returned.

Get location of system package in PAC

Returns the location of a system's package in the Package Approval Chain (PAC) for matching systemId path parameter

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"systemId": 35,
"workflow": "Assess and Authorize",
"name": "Package name text",
"currentStageName": "SCA-R",
"currentStage": 4,
"totalStages": 6,
"daysAtCurrentStage": 2,
"comments": "Comments text."
}
]
}

Submit system package for review

Adds a Package Approval Chain (PAC) for given systemId path parameter

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing Artifact by Id

workflow	string Enum: "Assess and Authorize" "Assess Only" "Security Plan Approval" [Required] The PAC workflow
name	string [Required] Package name. 100 Characters.
comments	string [Required] Character Limit = 4,000.

Responses

Request samples

Payload

Content type

application/json

{"workflow": "Assess and Authorize",
"name": "Package name text",
"comments": "Comments text."
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"workflow": "Assess and Authorize",
"success": true,
"systemId": 35
}
]
}

CMMC Assessments

The Cybersecurity Maturity Model Certification (CMMC) Assessments endpoint provides the ability to view CMMC assessment information. It is available to CMMC eMASS only.

Get CMMC assessment information

Get all CMMC assessment after the given date sinceDate parameter. It is available to CMMC eMASS only.

Authorizations:

apikeyuserid

query Parameters

sinceDate

required

string

Example: sinceDate=1638764040

Date CMMC date (Unix date format)

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"operation": "UPDATED",
"hqOrganizationName": "Army",
"duns": "852159753",
"uniqueEntityIdentifier": "9809123",
"cageCodes": "89ED9; 99D8B",
"oscName": "UC Labs",
"scope": "Enterprise",
"scopeDescription": "Assessment of UC's Lab",
"awardedCMMCLevel": "Not Certified",
"expirationDate": 1638741660,
"certificateId": "41b89528-a7a8-470a-90f4-c3fd1267d6f7",
"modelVersion": "1.12",
"ssps": [{"sspName": "UC Lab",
"sspVersion": "4.3.0",
"sspDate": 1638741660
}
]
}
]
}

Static Code Scans

The Static Code Scans endpoint provides the ability to upload application scan findings into a system's assets module. Application findings can also be cleared from the system.

Upload static code scans or Clear static code scans

Upload or clear application scan findings into a system's systemId assets module.

Note: To clear an application's findings, use only the field clearFindings as the Request body and set it to true.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

Request Body schema: application/json

Update an existing Artifact by Id

	object
	Array of objects (Static Code Application POST object") <= 3 items >= 1

Responses

Request samples

Payload

Content type

application/json

{"application": {"applicationName": "Artemis",
"version": "Version 5.0"
},
"applicationFindings": [{"rawSeverity": "Moderate",
"codeCheckName": "Hidden Field",
"count": 14,
"scanDate": 1625070000,
"cweId": "155",
"clearFindings": false
}
]
}

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"success": true
}
]
}

Workflow Definitions

The Workflow Definitions endpoint provides the ability to view all workflow schemas available on the eMASS instance. Every transition for each workflow stage is included.

Get workflow definitions in a site

View all workflow schemas available on the eMASS instance filtered by status includeInactive and registration type registrationType.

Authorizations:

apikeyuserid

query Parameters

includeInactive	boolean Default: true Enum: true false Include Inactive: If no value is specified, the default returns false to not include outdated workflow definitions.
registrationType	string Default: "regular" Registration Type: Filter record by selected registration type (single value or comma delimited values). Available values: assessAndAuthorize, assessOnly, guest, regular, functional, cloudServiceProvider, commonControlProvider

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"description": "The workflow description",
"isActive": false,
"version": "4",
"workflow": "RMF Step 1: Security Category",
"stages": [{"name": "Not Started",
"transitions": [{"endStage": "Submit Categorization",
"description": "Initiate Workflow",
"roles": [["PM/ISO",
"System Admin",
"eMASS System Admin",
"ISSE",
"ISSM",
"IO"
]
]
}
]
}
]
}
]
}

Workflow Instances

The Workflow Instances endpoint provides the ability to view detailed information on all active and historical workflows for a system.

Get workflow instances in a system

View detailed information on all active and historical workflows for a system systemId and filtered by provided parameters.

Authorizations:

apikeyuserid

path Parameters

systemId

required

integer

Example: 35

System Id: The unique system record identifier.

query Parameters

includeComments	boolean Default: true Enum: true false Include Comments: If no value is specified, the default returns true to not include transition comments. Note: Corresponds to the Comments textbox that is required at most workflow transitions. Does not include other text input fields such as Terms / Conditions for Authorization.
pageIndex	integer Default: 0 Page Index: If no value is specified, the default returns true to not include transition comments.
sinceDate	string Example: sinceDate=1638764040 Date: Filter on authorization/assessment date (Unix date format). Note: Filters off the lastEditedDate field. Note: The authorization/assessment decisions on completed workflows can be edited for up to 30 days after the initial decision is made.
status	string Default: "all" Enum: "active" "inactive" "all" Status: Filter by status. If no value is specified, the default returns all to include both active and inactive workflows. Note: Any workflows at a current stage of Complete or Cancelled are inactive. Ongoing workflows currently at other stages are active.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"createdDate": 1636124623,
"currentStage": "Echelon II",
"lastEditedBy": "john.doe.ctr@mail.mil",
"lastEditedDate": 1631130837,
"packageName": "Test RMF Step 1 package",
"systemName": "Test system 1",
"version": "4",
"workflow": "RMF Step 1: Security Category",
"workflowInstanceId": 35,
"transitions": [{"comments": "Approved the categorization",
"createdBy": "john.doe.ctr@mail.mil",
"createdDate": 1636124623,
"description": "Submit New Package",
"endStage": "Submit Categorization",
"startStage": "Not Started"
}
]
}
]
}

Get workflow instance by ID in a system

View detailed information on all active and historical workflows for a system systemId and workflowInstanceId.

Authorizations:

apikeyuserid

path Parameters

systemId required	integer Example: 35 System Id: The unique system record identifier.
workflowInstanceId required	integer Example: 123 Workflow Instance Id: The unique milestone record identifier.

Responses

Response samples

Content type

application/json

{"meta": {"code": 200
},
"data": [{"createdDate": 1636124623,
"currentStage": "Echelon II",
"lastEditedBy": "john.doe.ctr@mail.mil",
"lastEditedDate": 1631130837,
"packageName": "Test RMF Step 1 package",
"systemName": "Test system 1",
"version": "4",
"workflow": "RMF Step 1: Security Category",
"workflowInstanceId": 35,
"transitions": [{"comments": "Approved the categorization",
"createdBy": "john.doe.ctr@mail.mil",
"createdDate": 1636124623,
"description": "Submit New Package",
"endStage": "Submit Categorization",
"startStage": "Not Started"
}
]
}
]
}