Overview

The Nabla Evidence Engine API enables programmatic compliance assessments and evidence generation for federal and defense security frameworks. Generate OSCAL-compliant assessment results from infrastructure-as-code, SBOMs, and system metadata without manual evidence collection.

Base URL: https://api.usenabla.com

Supported Frameworks

Nabla provides compliance assessments for the following security frameworks:

Authentication

All API endpoints require authentication using a customer API key passed via the X-Customer-Key header.
curl --request POST \
  --url https://api.usenabla.com/v1/fedramp \
  --header 'X-Customer-Key: your-api-key' \
  --header 'Content-Type: application/json'
Contact Nabla to obtain your API key.

Output Formats

All assessment endpoints support multiple output formats:

| Format | Description | Use Case |
|--------|-------------|----------|
| oscal | OSCAL Assessment Results (JSON) | GRC platforms, FedRAMP submission |
| yaml | Human-readable YAML | Manual review, version control |
| json | Simplified JSON structure | Custom integrations, dashboards |

Evidence Sources

Nabla accepts evidence from multiple sources:

Infrastructure-as-Code

  • Terraform State: Remote state files (S3, GCS, Azure Blob, HTTP)
  • Repository URLs: Direct Terraform configuration analysis

Software Supply Chain

  • SBOM: CycloneDX, SPDX formats
  • Package Locks: npm, poetry, cargo, go.mod

System Metadata

  • System Info: FIPS mode status, OpenSSL configuration
  • Crypto Policies: OS-level cryptographic policies

Configuration Management

  • Kubernetes: Manifests, Helm charts
  • Ansible: Playbooks, inventories

Evidence Scope: Assessments are based on declared infrastructure in code and metadata. Runtime configurations not reflected in evidence sources will not be assessed.

Assessment Response

All assessment endpoints return a standardized response structure:
{
  "id": "assessment-uuid",
  "status": "completed",
  "created_at": "2025-10-05T12:00:00Z",
  "assessment": {
    "framework": "NIST 800-53 Rev 5",
    "version": "5.1.1",
    "controls": [
      {
        "control_id": "SC-13",
        "title": "Cryptographic Protection",
        "status": "satisfied",
        "findings": [],
        "evidence": [
          "FIPS-validated library: OpenSSL v3.0.8 (CMVP Certificate #4282)",
          "Encryption at rest enabled: s3-data-lake"
        ]
      }
    ],
    "summary": {
      "total_controls": 421,
      "satisfied": 318,
      "not_satisfied": 89,
      "not_applicable": 14
    }
  },
  "artifacts": [
    {
      "filename": "assessment-results.json",
      "content_type": "application/json",
      "content_base64": "eyJhc3Nlc3NtZW50...",
      "size_bytes": 524288
    }
  ]
}
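
A client-side check of the response structure shown above, added here as an example and not part of Nabla's documentation or SDK: it confirms the summary counts are consistent, lists controls marked not_satisfied, and decodes each artifact while rejecting filenames that carry a path. The sample response is constructed, check_response is a hypothetical helper, and treating size_bytes as the decoded byte length and the three summary counts as summing to total_controls are assumptions.

```python
import base64
from pathlib import PurePosixPath

# Constructed sample shaped like the documented response (not real API output).
PAYLOAD = b'{"assessment-results": {}}'
SAMPLE = {
    "id": "assessment-uuid",
    "status": "completed",
    "assessment": {
        "controls": [
            {"control_id": "SC-13", "status": "satisfied", "findings": []},
            {"control_id": "AC-2", "status": "not_satisfied", "findings": ["constructed finding"]},
        ],
        "summary": {"total_controls": 2, "satisfied": 1, "not_satisfied": 1, "not_applicable": 0},
    },
    "artifacts": [{
        "filename": "assessment-results.json",
        "content_type": "application/json",
        "content_base64": base64.b64encode(PAYLOAD).decode(),
        "size_bytes": len(PAYLOAD),
    }],
}


def check_response(resp):
    """Return (failing control ids, {filename: bytes}); raise ValueError on inconsistency."""
    if resp.get("status") != "completed":
        raise ValueError(f"assessment not completed: {resp.get('status')!r}")
    summary = resp["assessment"]["summary"]
    counted = summary["satisfied"] + summary["not_satisfied"] + summary["not_applicable"]
    if counted != summary["total_controls"]:  # assumption: the three counts sum to the total
        raise ValueError("summary counts do not add up to total_controls")
    failing = [c["control_id"] for c in resp["assessment"]["controls"]
               if c["status"] == "not_satisfied"]
    artifacts = {}
    for art in resp.get("artifacts", []):
        name = art["filename"]
        # Refuse names that would escape the output directory when written to disk.
        if PurePosixPath(name).name != name or "\\" in name or name in ("", ".", ".."):
            raise ValueError(f"unsafe artifact filename: {name!r}")
        data = base64.b64decode(art["content_base64"], validate=True)
        if len(data) != art["size_bytes"]:  # assumption: size_bytes is the decoded length
            raise ValueError(f"size mismatch for {name}")
        artifacts[name] = data
    return failing, artifacts
```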

Additional Capabilities

Architecture Diagrams

Generate Mermaid diagrams from Terraform state using AI:
curl --request POST \
  --url https://api.usenabla.com/v1/diagram \
  --header 'X-Customer-Key: your-api-key' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "production-architecture",
    "statefile_content": "<base64_statefile>"
  }'
