Mary Hain
Administrator

ServiceNow’s Continuous Authorization and Monitoring (CAM) app automates the NIST Special Publication 800-37 Risk Management Framework (RMF) for Information Systems and Organizations (rev 4 and rev 5).


RMF is mandated by the U.S. Federal government to provide the necessary resiliency to support the economic and national security interests of the United States. CAM uses the seven steps defined by the RMF to help you make better-informed decisions about your security posture. It is part of the ServiceNow Integrated Risk Management (IRM) Advanced Professional suite.


Without CAM, the authorization process is mostly manual. Risk and compliance teams spend months gathering artifacts, documenting controls, and tracking plan of action and milestones (POA&M) items, often at the cost of actual risk management work. Risk, compliance, and IT operations data are siloed across disconnected tools, which leaves teams without real-time visibility into what’s happening. Legacy tools often address parts of RMF but don’t integrate with live IT operations and asset data, leaving the risk team with no real-time view of control status or authorization posture.


Key Features


  • Key indicators — Monitor continuously to identify compliance violations or emerging risks.
  • Integration with the CMDB — Identify assets in real time or manage assets manually to help assess business impact.
  • Inherited and hybrid controls — Assign baseline controls automatically based on categorization, easily inherit common controls, or create a hybrid control that is partially inherited.
  • System security plan — Generate a system security plan automatically using customizable, self-populating templates.
  • CAM Workspace — Experience a persona-based user interface with boundary and package overview pages, tasks, issues, and a 360-degree view.
  • POA&M management — Use remediation tasks to build a process for creating and responding to ineffective controls. POA&Ms can be linked to multiple objects.
  • Dynamic dashboards — View vulnerabilities, action plans, milestones, configuration failures, security incidents, and more.
  • Assessment engagement — Create an assessment engagement that’s linked to your authorization package.
  • Automated controls testing — Use continuous monitoring to identify violations and generate issues sooner.
  • OSCAL support — Export data and reports in OSCAL format.


Highlights


  • CAM enables teams to define and manage authorization boundaries, create boundary filters, and produce OSCAL-formatted System Security Plans. The Zurich release added dynamic boundary filters, child boundary mapping, and enhanced import/export capabilities. You can view and manage authorization boundaries, define parameters, set boundary filters, and establish parent-child relationships to improve visibility and structure in CAM.
  • CAM is available along with the ServiceNow Integrated Risk Management (IRM) Advanced suite, which includes Policy and Compliance Management, Risk Management, and Audit Management. Optional integrations include ITSM, ITOM, and Security Operations, which extend continuous monitoring coverage in the Monitor step.
  • CAM is deployed on ServiceNow GCC, authorized at FedRAMP High. Contact your account team to confirm deployment options for your environment.


Video: Introduction to CAM


Continuous Authorization and Monitoring — Product Overview (YouTube) — Covers the seven RMF steps in CAM, how authorization boundaries and packages work, and how continuous monitoring is configured. 


Who uses CAM (From NIST 800-37)

Individuals with:

  • mission or business ownership responsibilities or fiduciary responsibilities (e.g., heads of federal agencies)
  • information system, information security, or privacy management, oversight, or governance responsibilities (e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior agency information security officers, and senior agency officials for privacy)
  • responsibility for conducting security or privacy assessments and for monitoring information systems, for example, control assessors, auditors, and system owners
  • security or privacy implementation and operational responsibilities, for example, system owners, common control providers, information owners/stewards, mission or business owners, security or privacy architects, and systems security or privacy engineers
  • information system development and acquisition responsibilities (e.g., program managers, procurement officials, component product and system developers, systems integrators, and enterprise architects)
  • logistical or disposition-related responsibilities (e.g., program managers, procurement officials, system integrators, and property managers)


Release Updates


Full release notes can be found in Product Documentation: CAM Release Notes (Select the release at the top of the page.)


Q2 2026

  • Skip control attestations: Enables users to configure the attestation requirement at the package level, reducing manual effort on large packages and eliminating workflow stages where attestations add no value
  • Export and import of OSCAL AR model: Imports externally generated OSCAL AR packages into CAM for a single view and exports assessment results in OSCAL AR format so it is compatible with auditors and regulatory tools


Australia release (Q1 2026)

  • Open security controls assessment language (OSCAL) AP Support: Import and export OSCAL assessment plan (AP) files to standardize data exchange with external tools
  • Request control tailoring: Request control allocation changes without resetting the authorization package; applies only to delta changes post-AO approval
  • Multiple provider inheritance: Expanded support for inheriting common controls across authorization boundaries
  • Compliance Framework Configurator: Configure compliance frameworks directly in the platform


Resources to get started


ServiceNow University


Governance, Risk, and Compliance (GRC): Continuous Authorization and Monitoring (CAM) Fundamentals — Covers RMF fundamentals in the CAM application, core workflows, configuration, and administration. Recommended for ISSOs, system owners, GRC admins, and implementation teams.


Frequently Asked Questions


What is IRM, and how do CAM and IRM complement each other?

IRM (Integrated Risk Management) is ServiceNow’s enterprise risk platform — it manages risk registers, policies, controls, and compliance programs. CAM handles system-specific RMF and ATO workflows. They share control data, risk assessments, and findings, so one dataset serves both enterprise risk reporting (OMB A-123) and system-level RMF compliance.


Do you need IRM to use CAM?

CAM works with IRM Risk Management and Policy and Compliance, which supply the control library, risk register, and policy framework CAM draws on. An IRM Advanced license is required to install and use CAM.


What is OSCAL, and why does OSCAL support matter in CAM?

OSCAL (Open Security Controls Assessment Language) is a set of NIST-defined machine-readable formats for security documentation, including catalogs, SSPs, assessment plans, and POA&Ms. CAM supports OSCAL import and export so authorization package data moves between tools in a standard format without manual transcription. The Australia release added OSCAL AP support, covering assessment plan import from external tools and export for auditors and authorizers.


What is NIST, and which publications are most relevant to CAM?

NIST is the National Institute of Standards and Technology. The core NIST Special Publication (SP) for CAM is SP 800-37 (RMF).


What is a POA&M?

A POA&M (Plan of Action and Milestones) tracks control weaknesses or deficiencies identified during assessment and their remediation status. CAM creates POA&M records automatically when a control test finds a non-compliant control, assigns owners and due dates, sets priority levels (critical, high, moderate, low), and links remediation tasks. AOs and ISSMs track open and overdue POA&Ms across all boundaries from the workspace dashboard.
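As an added illustration (not CAM’s code and not a CAM export): a constructed, simplified OSCAL-style POA&M document and a small triage that lists open, overdue items by priority and boundary, the kind of view the workspace dashboard described above gives AOs and ISSMs. The prop names used here (boundary, priority, status, scheduled-completion-date) are assumptions for the example, not the NIST OSCAL schema.

```python
import json
from datetime import date

# Constructed sample loosely following the OSCAL POA&M layout (poam-items carrying
# name/value props); NOT the NIST schema and NOT a CAM export. Prop names are assumed.
def _item(title, boundary, priority, status, due=None):
    props = [{"name": "boundary", "value": boundary}, {"name": "priority", "value": priority},
             {"name": "status", "value": status}]
    if due:  # some items have no milestone date yet; the triage must not guess one
        props.append({"name": "scheduled-completion-date", "value": due})
    return {"title": title, "props": props}

SAMPLE_POAM = json.dumps({"plan-of-action-and-milestones": {"poam-items": [
    _item("AC-2 account reviews not performed", "HR-System", "high", "open", "2026-05-01"),
    _item("SI-2 critical patch missing on web tier", "HR-System", "critical", "open", "2026-06-10"),
    _item("AU-6 log review cadence undocumented", "Payroll", "low", "open", "2026-07-15"),
    _item("CM-6 baseline drift on DB host", "Payroll", "moderate", "closed", "2026-04-01"),
    _item("IR-4 no milestone date set", "Payroll", "high", "open"),
]}})

# CAM's four priority levels, in the order an AO or ISSM wants them listed.
PRIORITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

def _prop(item, name):
    """Value of the first prop with this name, or None if the item lacks it."""
    return next((p["value"] for p in item.get("props", []) if p.get("name") == name), None)

def overdue_items(poam_json, today_iso):
    """Open items past their scheduled completion date, sorted by priority, then lateness."""
    today = date.fromisoformat(today_iso)
    items = json.loads(poam_json)["plan-of-action-and-milestones"]["poam-items"]
    out = []
    for it in items:
        due = _prop(it, "scheduled-completion-date")
        if _prop(it, "status") != "open" or due is None:  # closed or undated: not overdue
            continue
        late = (today - date.fromisoformat(due)).days
        if late > 0:
            out.append({"boundary": _prop(it, "boundary"), "priority": _prop(it, "priority"),
                        "title": it["title"], "days_overdue": late})
    out.sort(key=lambda r: (PRIORITY_ORDER.get(r["priority"], 99), -r["days_overdue"]))
    return out

def overdue_by_boundary(poam_json, today_iso):
    """Overdue counts per boundary and priority, the shape a dashboard tile needs."""
    counts = {}
    for r in overdue_items(poam_json, today_iso):
        per_boundary = counts.setdefault(r["boundary"], {})
        per_boundary[r["priority"]] = per_boundary.get(r["priority"], 0) + 1
    return counts
```

Undated items are deliberately left out of the overdue list rather than assigned a guessed date; a real report would flag them separately as missing milestones.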


Does CAM generate reports?

CAM auto-generates SSPs, SARs, POA&M reports, and ATO letters. By tracking control compliance status against live IT operations data after authorization, CAM keeps the ATO current rather than producing a point-in-time report that is outdated almost immediately.


What parts of the RMF does CAM support?

CAM covers the full RMF lifecycle on a single data model. It has native access to CMDB data; ITSM, ITOM, and Security Operations extend coverage through optional integrations.
