Options for update set migration in an MFA Mandatory environment

Rob44
Tera Contributor

I've worked with several customers in the federal space. Generally there is an MFA requirement; however, the accounts used to migrate update sets the traditional way (defining the environment in update sources and then using a username and password) do not seem to meet the MFA standard.

What other options are there? I know of the following but is this it?

Git: Implements MFA via Oath on the Git side but frequently requires you to ask the platform owners to purchase a separate Git license for the full support and feature set.

App Pipeline: App Engine Studio includes the "App Pipeline". I believe you can set up mutual authentication for the pipeline user account, though I'm still working through this.

Custom solution via REST/SOAP and TLS Mutual Authentication. This seems like a huge undertaking and not something I would want to take on.

Are there other solutions I'm missing?

I did find this gem of a knowledge article: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0812384

3 REPLIES

Bert_c1
Kilo Patron

As far as I know, ServiceNow meets DOD IL5 requirements in their federal data centers.

https://www.servicenow.com/company/media/press-room/impact-level-il5-provisional-authorization.html

So if your instances are hosted there, you shouldn't have any problems with the Clone Feature.

Rob44
Tera Contributor

This isn't really about cloning as much as it's about retrieval of update sets and more specifically the requirement to have an account without MFA to be able to do that.

To attain that DOD IL5 requirement, ServiceNow would have had to demonstrate that the platform could be configured and maintained in a way that meets that standard. That doesn't mean there aren't things you can do in the platform that do NOT meet that standard. The responsibilities matrix makes that pretty clear. If the dot is in the customer column, that means you have the responsibility to make sure you are conforming. I'm not saying this is what happened, but it could have been as simple as "Ya in this IL5 space admins would need to migrate code via exporting XML, our other code migration methods do not meet the standard", in which case they would get the certification but you could technically put your implementation at additional risk by adding an admin user without MFA enabled.

Bert_c1
Kilo Patron

@Rob44 

I assume you have an account in the Federal Support portal. At one time that was hiwave (instead of hi). I suggest you log in there and create a case. The last I knew, ServiceNow has many Federal customers in the U.S. And they are doing the same for some European and some other countries. And I never heard of any issues with the local admin account that is typically used for clone and update set configuration. The ServiceNow platform (with this behavior) has met DOD standards. Those customers clone and retrieve update sets, as all instances are hosted in the environment and access to the environment requires 'strong authentication'.