NIST CSF tables

  • Release version: Zurich
  • Updated June 16, 2026

A few tables are impacted by the NIST CSF guidance.

| Table | Purpose |
| --- | --- |
| Target [sn_grc_target] | Target is a core table designed as a shared component among the ServiceNow GRC application and GRC use-case content packs. Target is like entity in its purpose, but is used to track any attributes specific to use-case content packs. No two target records can reference the same entity at any time. |
| NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity] | The NIST CSF Activity table is used to track cybersecurity activity relevant for a target. The activity also helps in performing gap analysis that identifies the gaps, non-compliant controls, risks, issues, failed indicators, and action plans for a cybersecurity activity. |
| Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act] | The Gaps table in NIST CSF is used to track control objectives that aren't yet implemented as gaps. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Gaps to Targets. |
| Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act] | The Non-compliant Control table in NIST CSF is used to track controls that are identified as non-compliant. Only cybersecurity control objectives, as defined by the framework core, that are implemented as controls and are non-compliant are tracked. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Non-compliant Controls to Targets. |
| Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities] | The Risk table in NIST CSF is used to track risks that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Risks to Targets. |
| Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act] | The Issue table in NIST CSF is used to track issues that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. Issues of risks associated with these controls are also included in the metric. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Issues to Targets. |
| Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act] | The Action Plan table in NIST CSF is used to track the action plans that are identified for the issues. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Action Plans (remediation tasks) to Targets. |
| Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act] | The Failed Indicators table in NIST CSF is used to track the failed indicators of the target and the control or risk. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Failed Indicators to Targets. |
| Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt] | The Related Control Objectives table in NIST CSF is used to track the associations between control objectives. In the base implementation, parent and child control objectives are supported, but this table introduces a concept to relate the control objectives at the same level. |