Mapping ServiceNow features/properties to NIST 800-53B controls

declannolan
Tera Contributor

Hi,

 

Does anyone know if there is a document which maps ServiceNow features/properties to the NIST 800-53B control set?

 

Thanks,

Declan

 


ShafrazMubarak
Giga Guru

Hi Declan,

 

Have you tried installing the "GRC: NIST CSF Use Case Accelerator"? 

When the accelerator is downloaded and activated in the GRC applications, pre-configured policies, scopes (entities, entity type recommendations), risks, indicators, and other GRC elements appear. 

For risk and compliance managers and cybersecurity professionals who are responsible for ensuring that their respective organizations adopt and use the CSF, the NIST CSF Accelerator provides the following:

  • A structured way to define and execute risk and cybersecurity management actions in accordance with the CSF 
  • Content pertaining to the CSF for the three ServiceNow® GRC core applications: Policy and Compliance Management, Risk Management, and Audit Management
  • Pre-defined relationships across the various content elements in the GRC applications to aid planning and actions to improve cybersecurity preparedness

 

 

declannolan
Tera Contributor

Hi Shafraz, 

 

Thanks for the reply, and yes, I have installed the accelerator you mention; however, it doesn't provide the NIST 800-53B controls. Instead it is focussed on helping organisations implement the NIST Cybersecurity Framework, and while the Accelerator provides policies, control objectives, risk statements etc. as per the CSF, these are different to the security controls documented in 800-53B (which is specifically aimed at federal agencies).

 

The 800-53B controls are referred to in the 'Supplemental guidance' text field for CSF-sourced control objectives provided by the Accelerator, but there is no separate table of 800-53B controls (and therefore no link to specific ServiceNow features/properties).

 

Regards,

Declan

Dharav Devani1
ServiceNow Employee

Hello Declan,

 

The NIST 800-53B control set is part of the application GRC: Continuous Authorization and Monitoring (plugin com.sn_irm_cont_auth_monitor). You can navigate to the control objectives list with source set to rev 5 and the impact column added to see the details; it would show as below:

[Screenshot: control objectives list filtered by source, with the impact column shown]

There is a dedicated workflow based on the NIST RMF with seven steps, and in the Select step it will automatically pick up the control set based on impact.

Hi Dharav, that's good to know, and I've now installed CAM on my PDI and found the NIST 800-53B control set, so thanks for pointing me there.
It doesn't provide specific guidance on features/properties (attestations?) for ServiceNow as a control "entity", so I'm still hoping to get sight of that somewhere.