Integrate with UCF Common Controls Hub to manage compliance frameworks

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Integrate with UCF Common Controls Hub to manage compliance frameworks

    This integration enables ServiceNow® customers to manage compliance frameworks by importing content from the Unified Compliance Framework (UCF) Common Controls Hub (CCH) into their Governance, Risk, and Compliance (GRC) application. Compliance administrators can use UCF content such as authority documents, citations, controls, and control objectives as authoritative sources within ServiceNow. This helps maintain alignment with recognized compliance standards and frameworks.

    Show full answer Show less

    To use this integration, customers must have a UCF Common Controls Hub subscription, which is available for purchase from the ServiceNow Store or directly from Unified Compliance. Previously free access ended in 2018, so a subscription is now required. All imported UCF data is read-only to preserve data integrity and must not be customized within ServiceNow.

    Key Features

    • Account and Subscription Requirements: Customers need a UCF CCH account with API access enabled and an active subscription to download and synchronize compliance content.
    • Shared Lists: UCF content is organized into shared lists that must include all previously imported authority documents to ensure consistency when importing updates.
    • Importing Authority Documents: Customers can import authority documents either via a single shared list or multiple shared lists. When importing more than 100 documents, multiple lists are necessary due to system limits.
    • System Property Configuration: The property sncompucf.deactivatedeprecateddocs controls validation and deactivation of deprecated documents during imports from multiple shared lists. Setting this property to false disables automatic validation and requires manual review.
    • Terminology Alignment: The integration maps UCF terminology to ServiceNow GRC terms for clarity—Authority Document to Authority Document, Citation to Citation, and Control to Control Objective.
    • Support Process: Customers must create a Now Support Case to receive assistance with UCF-CCH account integration and setup.

    Practical Guidance for ServiceNow Customers

    • Ensure you have a valid UCF CCH subscription and API access before attempting integration.
    • Use shared lists to import and update authority documents to keep your controls library synchronized with UCF updates.
    • When dealing with large numbers of authority documents, organize them into multiple shared lists and adjust the system property accordingly to manage import validation and deprecated document handling.
    • Do not customize imported UCF authority documents, citations, or control objectives within ServiceNow to maintain data integrity.
    • Use the terminology mapping to align your GRC policies and reports accurately with UCF standards.
    • Contact ServiceNow support through a Now Support Case for account integration help and troubleshooting.

    This integration streamlines maintaining compliance frameworks by leveraging authoritative UCF content, ensuring your compliance program stays current and consistent with recognized standards.

    Compliance administrators can download content from Network Frontiers Unified Compliance Framework (UCF) to use as GRC authority documents, citations, controls, and control objectives. The documents can be updated on pre-defined intervals. You must have a UCF Common Controls Hub account to create shared lists and import them into the ServiceNow® instance.

    If your organization wants to use UCF Common Controls Hub as the source for your controls library, you can purchase a subscription from the ServiceNow Store or see Common Controls Hub. For more information, see Unified Compliance Framework.

    Note:
    The previous arrangement for free access to UCF content inclusive of your GRC license ended November 30, 2018. All customers must purchase a subscription from Unified Compliance directly.
    Warning:
    All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or control objectives on any UCF fields transformed into GRC tables.
    1. Sign up for a UCF CCH account and customize your basic subscription to include API Access.
    2. Activate Compliance UCF.
    3. Create a Now Support Case for UCF-CCH account integration information.
    4. Configure the UCF integration using the UCF Common Controls Hub.
    5. Download a UCF shared list.

    Import authority document using single shared list

    Every authority document already imported into the ServiceNow® instance must be in any shared list you wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which may have changed) and what you’ve already imported.
    Figure 1. Shared list import successful
    Graphic shows all authority documents reimported with the new one
    Figure 2. Shared list import unsuccessful
    Graphic shows a mismatch of the imported authority documents

    An error is rendered since SOX is not being reimported within this Shared List.

    Import authority documents using multiple shared lists

    If you need to import more than 100 authority documents then you must import them into multiple shared lists, as there is a limitation that a shared list can contain only 100 authority documents. You can create multiple shared list (SL), for example SL1 to import 100 authority documents and SL2 for the rest of the authority documents. Group similar authority documents as one group when you import the authority documents into multiple shared list, so that there is no dependency of the documents between the multiple shared list.

    To support multiple shared list, the system property sn_comp_ucf.deactivate_deprecated_docs that is by default true, must be set to false.
    • If the system property is set to true, then the existing validation is done to check if the authority documents imported are already imported in the ServiceNow instance.
    • If the system property is set to false, then the imported authority documents are not validated at all.

    Set the property as false and import the UCF content in multiple shared list. If the authority documents, citations, and control objectives that are imported in the shared list are deprecated, then such documents will not be deactivated in the ServiceNow instance. Instead, the user must manually validate the documents and the links between the citation and control objectives. An email is sent with the links to the mapping between the citation and control objectives.

    UCF and GRC terminology differences

    Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology between UCF and the GRC applications differs slightly as explained in the following table.

    Table 1. Terminology differences
    UCF GRC application
    Authority Document Authority Document
    Citation Citation
    Control Control Objective