UCF Mandates. Implied and implement control mapping in ServiceNow
05-04-2023 03:42 AM
Hello Everyone
I am currently trying to understand how UCF citations and controls are getting mapped in ServiceNow and I am stuck on one issue.
I see some citations in UCF which have multiple controls under them.
I want to understand how ServiceNow is mapping them.
For example:
Let's say this is the citation that needs to be imported in ServiceNow.
Source | CCID | Description
3.1.1 multiple mandates | 820 | XYZ
3.1.1 multiple mandates | 1160 | ABC
The citation has the same name but has multiple mandates.
How will the OOB ServiceNow process handle this?
1. Is ServiceNow creating multiple control objectives for mandates and mapping them under one citation?
2. Is ServiceNow creating multiple controls and mapping them under the citation without creating a control objective?
UCF terms are citations, mandates, implied controls and implement controls. Is there any mapping or comparison of these to ServiceNow's citation, control objectives and controls?
Can anyone help me in understanding this?
@Community Alums @Rajesh_Singh @Jan Spurlin @Naveen Kumar4 @sachin_namjoshi
Regards
Ashish Arovind Raj

05-05-2023 11:29 AM
Hi @anithanarayan ,
UCF provides us with authority documents, citations and related control objectives. 1 control objective (common control in UCF's terminology) can be mapped to multiple citations. The control objectives can be of type mandated, implied or implementation and have a parent-child relationship. We capture all these relationships from UCF into SN. So the mandates are nothing but control objectives in SN language. We download implied and mandated control objectives into ServiceNow today. We don't download implementation controls because they are purely for reference purposes and when we validated it with customers, they don't really use them. But we do have an enhancement planned to download implementation controls optionally if customers need it in future. We don't tag control objectives as mandated or implied today, but it's determined based on the parent-child relationship they have (parent is implied and children are mandated).
Does this answer your question?
We can get you in touch with SMEs from UCF to answer any further questions if you like.
Thanks,
Anushree
Senior Principal Product Manager, IRM
05-10-2023 03:08 AM - edited 05-10-2023 03:15 AM
Thank you. The explanation is really helpful. We have created a case as well with ServiceNow. Can share the case number CS6638284.
If UCF can be contacted to resolve our queries, it will be great.
So if I understand right, in UCF the mandates from citations are not captured separately (as a separate table); instead, the Common Controls corresponding to the mandates in the citation are tagged as Mandated Controls and are mapped to the citation.
The above holds good for citations with multiple mandates as well.
Similarly in ServiceNow, Control Objectives are mapped to Citations.
For Citations with Multiple Mandates, multiple Control Objectives are mapped.
I have the below follow up questions -
1. From the UCF link below I understand that the Mandated Control is the parent and the Implied Control is the child. Screenshot below -
Whereas in ServiceNow, from your response above, the parent is implied and the children are mandated.
But when I created a sample list in UCF using a trial account, I can see both are a possibility.
Kindly help provide clarity here if my understanding is incorrect. Screenshots below -
a. Parent is Implied and Child is Mandated Control
b. Parent is Mandated Control and child is Implied Control.
2. In UCF there is a clear way to differentiate mandated controls (in bold) and implied controls (in italic).
Is there a way we can differentiate similarly in ServiceNow Control Objectives?
If we plan to create a Type or Checkbox to capture Mandated Control or Implied Control, will the OOTB API support it, or can this be captured during integration with some additional simple configurations?
3. In ServiceNow, for a Citation with multiple mandates, how is the Control Objective mapping done?
Will the Citation with multiple mandates be mapped to multiple Control Objectives?
OR
Will there be duplicate Citations created (2 Citations from the same Authority Document with the same reference & Name but different descriptions) and different single control objectives mapped to each citation?
I have observed in ServiceNow with demo data, 2 Citations from the same Authority Document with the same reference & Name but different descriptions.
Different control objectives are mapped to these Citations.
What and when does such a use case happen?
a. Citations with same Reference, Name and from same Authority document
b. The description of the 2 same citations differs.
c. The citations are mapped to 2 different Control Objectives.
4. There is a specific ask from the customer to separate the individual mandates from citations with multiple mandates. Is there an option to do this in UCF?
If we plan to do some customization, say a separate table for mandates, and map Control Objectives to it downstream and citations upstream, does UCF support this or is there a way the integration can be configured to achieve this?
Calculate the compliance score of citations from its mandates and citations.
It will be great if these questions are answered. We will be able to make good progress.
Thank You.
Regards,
Anitha
05-15-2023 10:38 AM
Hi @Anushree Randad @Jan Spurlin, kindly help us with answers to the above questions please. We need to start configurations to establish the POC.