Recommendations to use free SCF or subscribe to UCF for Risk Management frameworks?

Nayan Thakkar · ‎07-26-2022

Hello - As I understand, ServiceNow support free SCF (Secure Controls Framework) to manage compliance and also support subscription to UCF (Unified Compliance Framework). Do you use SNOW RMF to assess against SCF or UCF or some other compliance frameworks (PCI, NIST, ISO etc.) and the reasoning why? Can you suggest if it is worth the cost (also not sure how much does the UCF subscription costs) to subscribe for UCF? Thank you!

Here is link to the UCF subscription, for reference.

Community Alums · ‎07-26-2022

Hi @Nayan Thakkar ,

To answer your question, we can use both ServiceNow support free SCF (Secure Controls Framework) and UCF (Unified Compliance Framework).

SCF is generally for the control objectives and policies which already exist at your company , you can create the entity scoping and others and start using SCF. However, UCF is a external body and Unified Compliance is the integration of processes and tools to aggregate and harmonize all compliance requirements applicable to an organization and it is the world’s largest library database of interconnected compliance documents and the world’s only commercially available Common Controls framework, which gives helps you with Authority documents and citations. Also, once you have UCF integrated it will help you to create the Policies, controls,etc.. automatically.

Only using SCF won't give you Authority documents!!

ServiceNow supports UCF integration using UCF spoke .

Refer to this video to understand importance of UCF :https://community.servicenow.com/community?id=community_article&sys_id=d4146efbdbc68c102be0a851ca961...

Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

View solution in original post

Community Alums · ‎07-26-2022

Hi @Nayan Thakkar ,

To answer your question, we can use both ServiceNow support free SCF (Secure Controls Framework) and UCF (Unified Compliance Framework).

SCF is generally for the control objectives and policies which already exist at your company , you can create the entity scoping and others and start using SCF. However, UCF is a external body and Unified Compliance is the integration of processes and tools to aggregate and harmonize all compliance requirements applicable to an organization and it is the world’s largest library database of interconnected compliance documents and the world’s only commercially available Common Controls framework, which gives helps you with Authority documents and citations. Also, once you have UCF integrated it will help you to create the Policies, controls,etc.. automatically.

Only using SCF won't give you Authority documents!!

ServiceNow supports UCF integration using UCF spoke .

Refer to this video to understand importance of UCF :https://community.servicenow.com/community?id=community_article&sys_id=d4146efbdbc68c102be0a851ca961...

Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

Community Alums · ‎07-30-2022

Hi @Nayan Thakkar ,

Any update to this ?Any follow-up required? if not

Kindly mark the answer as Correct & Helpful both such that others can get help.

Thanks,
Sandeep

Sebastien Fix1 · ‎07-27-2022

There are quite a few accelerators with IRM Pro for ISO/CIS/NIST for free.

UCF can be useful to pay for (10kUSD/y last i checked) but it is far from fault free. You avoid typing down citations and linking them (again, you NEED to do a QA) so could be interesting.

If you download demo data for P&C module there are a bunch of UCF citations being downloaded so you can have a look in your instance. I don't think this adds much value and can quickly overload your Control Register with noise.

Praful3 · ‎07-28-2022

If your customer already having license with UCF then it is well & good to recommend & use that for big picture. One thing remember ServiceNow never provide any content, ServcieNow is not content provider (except for demo environment-demo data).