Mapping ServiceNow features/properties to NIST 800-53B controls

declannolan · ‎06-12-2024

Hi,

Does anyone know if there is a document which maps ServiceNow features/properties to the NIST 800-53B control set?

Thanks,

Declan

ShafrazMubarak · ‎06-12-2024

Hi Declan,

Have you tried installing the "GRC: NIST CSF Use Case Accelerator"?

When the accelerator is downloaded and activated in the GRC applications, pre-configured policies, scopes (entities, entity type recommendations), risks, indicators, and other GRC elements appear.

For risk and compliance managers and cybersecurity professionals who are responsible for ensuring that their respective organizations adopt and use the CSF, the NIST CSF Accelerator provides the following:

A structured way to define and execute risk and cybersecurity management actions in accordance with the CSF
Content pertaining to the CSF for the three ServiceNow® GRC core applications: Policy and Compliance Management, Risk Management, and Audit Management
Pre-defined relationships across the various content elements in the GRC applications to aid planning and actions to improve cybersecurity preparedness

declannolan · ‎06-13-2024

Hi Shafraz,

Thanks for the reply and yes I have installed the accelerator you mention, however it doesn't provide the NIST 800-53B controls. Instead it is focussed on helping organisations implement the NIST Cybersecurity Framework and while the Accelerator provides policies, control objectives, risk statements etc as per the CSF, these are different to the security controls documented in 800-53B (which is specifically aimed at federal agencies.).

The 800-53B controls are referred to in the 'Supplemental guidance' text field for CSF-sourced Control objectives provided by the Accelerator, but there is no separate table of 800-53B controls (and therefore no link to specific ServiceNow features/properties).

Regards,

Declan

Dharav Devani1 · ‎06-19-2024

Hello Declan,

NIST 800-53B control set is part of Application - GRC: Continuous Authorization and Monitoring (plugin - com.sn_irm_cont_auth_monitor). You can navigate to control objectives list with source as rev 5 and have impact in the column to see the details, would show as below :

There is a dedicated workflow based on the NIST RMF with seven steps, and in the select step, it will automatically pick up the control set based on impact.

declannolan · ‎06-19-2024

Hi Dharav, that's good to know and I've now installed CAM on my PDI and found the NIST 800-53B control set, so thanks for pointing me there.
It doesn't provide specific guidance on features/properties (attestations?) for ServiceNow as a control "entity" so I'm still hoping to get sight of that somewhere.