GRC: Continuous Authorization and Monitoring vs Risk

Bhupinder Singh

Hi Folks...


The Continuous Authorization and Monitoring application aims at NIST RMF. How does this fit into the existing 1) Risk application and 2) Policy and Compliance application?


In the past, using the NIST RMF accelerator, imported control objectives were tied to Entities to generate Controls; however, here the process seems different. My target is to load RMF control objectives and generate controls using the existing Entity architecture and existing Risk process. Am I missing something, as I am not able to connect the dots? Please suggest.


Community Alums

Hi @Bhupinder Singh ,

CAM is primarily used for NIST RMF, which is for Risk Management. It doesn't really require Entities at all.

You have Authorization Boundaries, where you can use "Boundary Filters" to fetch the "System Elements" from a particular table.

CAM is not really into the Policy framework or the Risk framework.

Please refer to the video: https://www.youtube.com/watch?v=98vqw85bl6I


Join us to see the release of the new ServiceNow application Continuous Authorization and Monitoring (CAM) in action. CAM was designed to help organizations implement NIST RMF but can be used for so much more, such as NIST CSF, GSA and DHS frameworks for cloud providers (FedRAMP) and Trusted ...