USEM Office Hours FAQs: Migration & Adoption

Thank you to everyone who has been joining our Unified Security Exposure Management (USEM) Office Hours. Below you'll find a summary of the top frequently asked questions and answers curated from our USEM Office Hours series. We've also attached the USEM Office Hours slides for more information.

 

For additional resources, visit the SecOps Resource Library in the ServiceNow Community or register for upcoming USEM Office Hours. 

 

FAQs

 

1) What is USEM (VR v30x) and how does it relate to Vulnerability Response (VR)? 

Unified Security Exposure Management (USEM) is the next evolution of Vulnerability Response. It brings together all exposure types—host vulnerabilities, application vulnerabilities, container vulnerabilities, misconfigurations, and cloud exposures—into a unified experience through the Security Exposure Management (SEM) Workspace. If you currently use VR, USEM is your upgrade path and is available with VR v30x or higher, using the in-product migration assistant. Learn more about the migration process in the USEM Migration Support KB. For a comprehensive overview including a demo and webinar recording, visit the USEM Release Highlights community article. 

 

2) When is the deadline to upgrade to USEM (VR v30x)? 

USEM will become the required version of VR starting with the Brazil platform release. We strongly recommend completing your migration before upgrading to Brazil to allow time for planning and testing. Until then, you can plan and migrate on your own timeline using the migration assistant. For planning guidance, see the Essential Information: VR to USEM Upgrade Guidance community article. 

 

3) What happens if I upgrade to the Brazil platform release without first migrating to USEM (VR v30x)? 

Upgrading to Brazil will automatically trigger a VR true-up to version 30.x, which installs USEM as a dependency. If you haven’t gone through the migration steps beforehand, you will need to do so afterward, which is not ideal. We strongly recommend completing the migration before your Brazil upgrade to allow time for planning, regression testing, and addressing any customizations. Review the Essential Information: VR to USEM Upgrade Guidance for step-by-step planning guidance. 

 

4) Will upgrading to the Australia platform release force us onto USEM (VR v30x)? 

No, based on current guidance, the forced true-up to USEM (VR v30.x) will not occur until the Brazil platform release. There are VR store app true-up versions that may apply during an Australia upgrade, but USEM is not required until Brazil. Refer to the VR Version Compatibility Matrix (login required) for specific version details. 

 

5) Does upgrading to USEM (VR v30x) require a new license or additional cost? 

If you are currently entitled to Vulnerability Response, you can upgrade to USEM (VR v30.x) without a license change. Your existing license tier determines which exposure types and features are available to you. For example, some advanced features, such as AI-powered insights and deduplication, require Now Assist entitlements. We recommend reaching out to your account team for licensing specifics. 

 

6) How long does the migration process take? 

Migration time depends on the size of your environment and the number of customizations. As an example, for a large customer with approximately 50 million VITs and 600 rules, the initial steps of the upgrade took approximately 4 hours. Following that, manual activity is require to review customizations, which is customer-specific. For smaller environments with no customizations, the minimum migration time is around 2 hours. We recommend starting in a sandbox environment to benchmark timing for your specific instance. Consult the Migration Support KB for detailed steps and troubleshooting. 

 

7) Is the USEM Migration Assistant required, or can I just upgrade the plugins? 

The USEM Migration Assistant is strongly recommended. It guides you through the upgrade process step by step, including plugin upgrades, customization review, and conflict resolution. While you could upgrade plugins directly, the migration assistant ensures data changes and configuration migrations are handled properly and reduces risk. Access the USEM Migration Support KB for full documentation. 

 

8)Do I need to run the USEM Migration Assistant in every environment (sandbox, dev, test, prod)? 

Yes, the guidance is to use the migration assistant in each environment. You can move configurations from one environment to another using the Steps for Migrating USEM Configurations Between Instances KB, but the migration tool must be run in each environment to ensure data changes are applied correctly. We recommend starting in sandbox, as your dev environment is likely being used for other changes scheduled for production sooner. 

 

9) If I already migrated to USEM (VR v30x), do I need to use the USEM Migration Assistant again for future upgrades? 

No, the migration assistant is only for first-time migrations from VR to USEM. Once you have migrated, future upgrades can be performed by installing new versions through the App Manager. If you are still resolving conflicts in the migration assistant, you can return to it after upgrading the apps. 

 

10) Will my existing reports and custom dashboards still work after migrating to USEM (VR v30x)? 

For the most part, yes. If your reports and dashboards rely on standard tables (VITs, CVITs, AVITs), they should continue to work. A small number of columns have changed with USEM, so we recommend validating your dashboards post-migration and updating any references to changed columns. For more information on USEM column changes, review the Migration Support KB. Note that the existing VR tables are not being merged or restructured; the same table architecture remains, with a new configuration and reporting framework on top. For information on USEM reporting, see the SEM Visualization Library documentation. 

 

11) Will the Classic UI still be available after migrating to USEM (VR v30x)? 

Yes, the Classic UI will remain available. However, all new features and enhancements will be developed for the Security Exposure Management (SEM) Workspace going forward. Features are not planned to be removed from the Classic UI, but new capabilities will not be added there. We encourage teams to begin transitioning to the SEM Workspace to take advantage of new functionality. Start with the Using Unified Security Exposure Management documentation. 

 

12) What is happening with the IT Remediation Workspace? 

We recommend that IT Remediation Owners begin transitioning to the USEM experience, but we recognize this takes time. There is currently no specific date for when the IT Remediation Workspace will no longer be available. The product team is exploring options such as a redirect from the IT Remediation Workspace to the SEM Workspace in a future release. For guidance on what changes for remediation owners, see the IT Remediation Owner Experience Guide. 

 

13) How does USEM (VR v30x) handle vulnerabilities from multiple scanners (e.g., Tenable, MDVM, Qualys)? 

Scanner vendors typically do not provide sufficient information to automatically correlate findings across different scanners. USEM offers several approaches to help: a Now Assist AI feature that uses generative AI to correlate and deduplicate vulnerability results across scanners; remediation task grouping rules to consolidate findings; and classification rules to categorize vulnerability and asset types for risk scoring, SLA management, and prioritization. The AI deduplication feature requires Now Assist for VR entitlement. Learn more in the Now Assist Deduplication documentation and the AI-Powered Optimizations for Vulnerability Management community article. 

 

14) Are ServiceNow-built integrations (Qualys, Rapid7, Tenable, etc.) compatible with USEM (VR v30x)? 

Yes, for any ServiceNow-built integrations, we have released v30.x versions that are compatible with USEM. During the migration, the migration assistant will suggest upgrading those integrations to their USEM-compatible versions. There should be no changes to custom integrations leveraging the integration framework. If you want to review new columns to make changes to existing custom integrations (optional), refer to the Migration Support KB for a list of USEM data model and column changes. 

 

15) What training and enablement resources are available for USEM (VR v30x)? 

Several resources are available: the USEM On-Demand Bootcamp on ServiceNow University (free of charge), community articles with demos and webinar recordings, product documentation, the IT Remediation Owner Experience Guide, and the Office Hours sessions. The USEM bootcamp content will also be incorporated into the VR Implementation Training course. All resources are curated in the SecOps Resource Library. 

 

16) How are assignment rules and other configurations handled during migration? 

With USEM, configurations such as assignment rules, CI lookup rules, and auto-close rules now reside in the Security Exposure Management Workspace. The migration assistant will migrate your existing rules. All customizations will be surfaced as conflicts or skipped files during the migration process for you to review and resolve. This is also a good opportunity to re-evaluate and simplify rules, though the migration does not force changes; rules are migrated as-is. Regression testing is recommended. Refer to the Migration Support KB for details on the customization review step.

 

17) Does USEM (VR v30x) work with IRM, GRC, or Security Posture Control (SPC)? 

Yes. USEM integrates with IRM Continuous Monitoring to surface exposure findings in risk assessments. If you have already configured exception management to work with GRC Policy Exception, the migration assistant will carry those configurations forward. Security Posture Control (SPC) is purpose-built to surface toxic combination insights using data from your security tools and asset data, and is fully supported within the USEM experience. 

 

18) Can USEM (VR v30x) be installed in a Personal Developer Instance (PDI)? 

You can install VR v30.x in your PDI through the Developer Portal today. This is a great way to explore USEM in a sandbox environment before planning your migration. 

 

19) How do I stay informed about USEM (VR v30x) updates, events, and office hours? 

Subscribe to the SecOps Community page to receive notifications for all events. View the full SecOps events calendar, register for upcoming USEM Office Hours, and access the SecOps Resource Library for curated resources. You can also visit or request access to the private SecOps Product Roadmap community group for early visibility into upcoming features (requires you to be logged into the community with your corporate email address). 

 

20) Should I migrate to USEM (VR v30x) separately from a platform family release upgrade, or combine them? 

We recommend keeping them separate when possible. Combining the VR-to-USEM upgrade with a platform upgrade may not leave enough time for regression testing, customization review, documentation, and training. Since USEM (VR v30.x) is compatible with your current platform release, we recommend prioritizing the USEM migration first and completing it before your next platform upgrade. For more information, refer to the Essential Information: VR to USEM Upgrade Guidance.