Mapping ServiceNow features/properties to NIST 800-53B controls
06-12-2024 01:53 AM
Hi,
Does anyone know if there is a document which maps ServiceNow features/properties to the NIST 800-53B control set?
Thanks,
Declan
06-12-2024 09:58 PM
Hi Declan,
Have you tried installing the "GRC: NIST CSF Use Case Accelerator"?
When the accelerator is downloaded and activated in the GRC applications, pre-configured policies, scopes (entities, entity type recommendations), risks, indicators, and other GRC elements appear.
For risk and compliance managers and cybersecurity professionals who are responsible for ensuring that their respective organizations adopt and use the CSF, the NIST CSF Accelerator provides the following:
- A structured way to define and execute risk and cybersecurity management actions in accordance with the CSF
- Content pertaining to the CSF for the three ServiceNow® GRC core applications: Policy and Compliance Management, Risk Management, and Audit Management
- Pre-defined relationships across the various content elements in the GRC applications to aid planning and actions to improve cybersecurity preparedness
06-13-2024 01:53 AM
Hi Shafraz,
Thanks for the reply and yes, I have installed the accelerator you mention; however, it doesn't provide the NIST 800-53B controls. Instead it is focussed on helping organisations implement the NIST Cybersecurity Framework, and while the Accelerator provides policies, control objectives, risk statements etc. as per the CSF, these are different to the security controls documented in 800-53B (which is specifically aimed at federal agencies).
The 800-53B controls are referred to in the 'Supplemental guidance' text field for CSF-sourced Control objectives provided by the Accelerator, but there is no separate table of 800-53B controls (and therefore no link to specific ServiceNow features/properties).
Regards,
Declan

06-19-2024 02:01 AM
Hello Declan,
The NIST 800-53B control set is part of the application GRC: Continuous Authorization and Monitoring (plugin: com.sn_irm_cont_auth_monitor). You can navigate to the control objectives list with source as rev 5 and have impact in the column to see the details; it would show as below:
There is a dedicated workflow based on the NIST RMF with seven steps, and in the select step, it will automatically pick up the control set based on impact.
06-19-2024 10:09 AM
Hi Dharav, that's good to know and I've now installed CAM on my PDI and found the NIST 800-53B control set, so thanks for pointing me there.
It doesn't provide specific guidance on features/properties (attestations?) for ServiceNow as a control "entity" so I'm still hoping to get sight of that somewhere.