NIST CSF tables

  • Release version: Australia
  • Updated June 11, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of NIST CSF tables

    The NIST CSF tables in ServiceNow GRC provide a structured way to manage and track cybersecurity activities, controls, risks, issues, and remediation efforts aligned with the NIST Cybersecurity Framework guidance. These tables support the Australia release version updated on June 11, 2026, and are designed to facilitate integrated risk and compliance management within the ServiceNow platform.

    Show full answer Show less

    Key Tables and Their Practical Use

    • Target [sngrctarget]: Serves as a core table representing entities specific to GRC use-case content packs, ensuring no duplication of entity references. It acts as the foundational component for associating cybersecurity activities and related records.
    • NIST CSF Activity [snirmnistcsfnistcsfactivity]: Tracks cybersecurity activities linked to Targets and supports gap analysis by identifying non-compliant controls, risks, issues, failed indicators, and action plans.
    • Gaps [snirmnistcsfm2mpolicystatenistcsfact]: Captures unimplemented control objectives as gaps, enabling detailed reporting and drill-down analysis. It links gaps to specific Targets via a many-to-many (m2m) relationship.
    • Non-compliant Control [snirmnistcsfm2mcxontrolsnistcsfact]: Records cybersecurity control objectives deemed non-compliant, facilitating reporting and tracking of remediation efforts. It associates these controls with Targets through an m2m table.
    • Risk [snirmnistcsfm2mrisksnistcsfactivities]: Tracks risks connected to implemented controls for cybersecurity objectives, allowing for comprehensive risk management and reporting linked to Targets.
    • Issue [snirmnistcsfm2missuesnistcsfact]: Maintains issues related to controls and their associated risks, supporting resolution tracking and analysis. Issues are linked to Targets via an m2m table.
    • Action Plan [snirmnistcsfm2mremediationnistcsfact]: Manages remediation tasks or action plans developed to address identified issues, providing visibility into mitigation efforts connected to Targets.
    • Failed Indicators [snirmnistcsfm2mindicatorsnistcsfact]: Tracks failed indicators related to Targets and their controls or risks, enabling focused monitoring and reporting of compliance status.
    • Related Control Objectives [sncompliancem2mpolicystmtpolicystmt]: Supports relationships between control objectives at the same hierarchical level, enhancing the ability to analyze and link related controls beyond parent-child associations.

    Benefits for ServiceNow Customers

    • Enables comprehensive tracking and management of cybersecurity activities and compliance aligned with NIST CSF.
    • Supports detailed gap analysis, risk identification, issue tracking, and remediation planning within a unified platform.
    • Facilitates advanced reporting and drill-down capabilities to monitor control effectiveness and compliance status.
    • Improves integration between controls, risks, issues, and action plans through well-defined many-to-many relationships.
    • Enhances control objective management by allowing flexible associations beyond traditional hierarchies.

    A few tables are impacted by the NIST CSF guidance.

    Table Purpose
    Target [sn_grc_target] Target is a core table of design to be shared component among the ServiceNow GRC application and GRC use-case content packs.Target is like entity in its purpose, but is used to track any attributes specific to use-case content packs. No two target records can reference the same entity at any time.
    NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity] NIST CSF Activity table is used to track cybersecurity activity relevant for a target. The activity also helps in performing gap analysis that identifies the gaps, non-complaint controls, risks, issues, failed indicators and action plans for a cybersecurity activity.
    Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act] Gaps table in NIST CSF is used to track control objectives that aren’t yet implemented as gaps. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Gaps to Targets.
    Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act] Non-compliant Control table in NIST CSF is used to track controls that are identified as non-compliant. Only cybersecurity control objectives as defined by the framework core which are implemented as controls and non-compliant are tracked. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Non-compliant Controls to Targets.
    Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities] Risk table in NIST CSF is used to track risks that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Risks to Targets.
    Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act] Issue table in NIST CSF is used to track issues that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. Issues of risks associated with these controls are also included in the metric. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Issues to Targets.
    Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act] Action Plan table in NIST CSF is used to track the action plans that are identified for the issues. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Action Plans (remediation tasks) to Targets.
    Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act] Failed indicators table in NIST CSF is used to track the failed indicators of the target and the control or risk. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Failed Indicators to Targets.
    Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt] Related Control Objectives table in NIST CSF is used to track the associations between control objectives. In base implementation, parent and child control objectives are supported, but this table introduces a concept to relate the control objectives at the same level.