UCF Mandates. Implied and implement control mapping in servicneow
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-04-2023 03:42 AM
Hello Everyone
I am currently trying to understand how UCF citations and controls are getting mapped in servicnenow and i am stuck in one issue.
I see some citations in UCF which have multiple controls under them.
I want to understand how servicneow is mapping them.
for example:
Lets say this is the citation that needs to be imported in servinceow.
Source CCID Description
3.1.1 multiple mandates 820 XYZ
3.1.1 multiple mandates 1160 ABC
The citation has same name but has multiple mandates.
How will OOB servicnow process handle this.
1. Is servicenow creating multiple control objectives for mandates and mapping them under one citations?
2. Is servicneow creating multiple controls and mapping them under citation without creating control objective?
UCF terms are Citations , mandates , implied controls and implement controls. Is there any mapping or comparison of these to servicenow's citaiton , control objectives and controls.
Can anyone help me in understanding this.
@Community Alums @Rajesh_Singh @Jan Spurlin @Naveen Kumar4 @sachin_namjoshi
Regards
Ashish Arovind Raj
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-04-2023 03:57 AM
Hi @Ashish Arovind2 ,
The UCF based cititations would have control objectives associated with it :
Then it would follow the process of attaching the Entity Type to the control objective and the controls would get created automatically for all the entities which are part of the entity type.
You can associated multiple Control Objectives and child citations.
Sometimes UCF has control objectives already associated with the respective citation.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-04-2023 04:54 AM
There is good information in product docs about the integration to UCF. Check out this article and the ones that follow it:
It is also good to know what gets imported from UCF into ServiceNow - this table provides that info:
What doesn't get imported from UCF is what they call the control instance. In ServiceNow the equivalent is the control - but we generate it by applying Entity Types to the Control objective.
Sometimes you will see citations duplicated in the citations table - and then when you look at the details you discover that they are related to different control objectives. This can happen when the original citation. is complex and really needs to be broken down into separate parts to measure it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-04-2023 10:03 PM
Hi Jan,
The above response helps.
However, there is a particular ask or scenario -
There are a lot of citations with multiple mandates. I also understand recommends UCF recommends separating these mandates and the Common Controls are also mapped to the mandates.
Q1. How is the above scenario managed with the ServiceNow OOTB IRM processes ?
Q2. Do we have the option in ServiceNow to capture the different mandates of a citation with the UCF API integration? Where (which table) would the mandates be stored and how are the Control objectives mapped ?
Thank You.
Regards,
Anitha

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2023 05:19 AM
@anithanarayan I do not know the answer to your question. I am reaching out to others that know the integration better than me to see if I can get an answer. It may take a couple of days to find a response.