Import OSCAL Assessment Plan files to automatically create engagements, control tests, and assessment procedures in your authorization package.
Before you begin
- OSCAL Assessment Plan file is validated using the OSCAL CLI tool
- The corresponding Catalog, Profile, and SSP files must be available
- If importing for an existing package, the provider packages must exist in the instance with matching source identifiers (for inherited controls)
Role required:
- Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager)
- Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer)
- CAM Administrator (sn_irm_cont_auth.admin)
About this task
Importing with the OSCAL Assessment Plan model creates the complete package structure including boundary, package, controls, engagements, control tests, and assessment procedures. Each AP file creates one engagement. You can
import multiple AP files together for packages with multiple engagements.
The import wizard guides you through file attachment, user mapping, and preview before creating records. After import, the system processes the files in sequence and creates all related objects.
Note: When importing multiple AP
files, each file must have a unique UUID. If two AP files contain the same UUID, the import process fails and displays an error message.
Procedure
-
Navigate to .
-
In the CAM
Workspace, select the OSCAL import landing page icon.
-
In the OSCAL Import page, select New Import.
-
From the OSCAL Model drop-down, select AP.
-
In the Source field, enter the source system identifier.
The source identifier helps maintain uniqueness when importing from external systems. Use a consistent source name for packages from the same external instance.
- Optional:
In the Import status recipients field, select the users who should be notified when the import completes.
Recipients receive an email notification after the import is complete.
-
Select Next to proceed to file attachments.
-
Attach the mandatory files:
-
Under Catalog, select Attach files and upload the catalog JSON file.
-
Under Profile, select Attach files and upload the profile JSON file.
-
Under SSP, select Attach files and upload the SSP JSON file.
You can also include boundary, data flow, network, and enterprise architecture illustrations, if necessary.
-
Select Next to proceed to attach additional files.
- Optional:
If your package includes overlays, select Overlay Attachment and upload one or more overlay JSON files.
-
Under Overlay attachment, select Assessment Plan Attachments and upload one or more AP JSON files.
- Optional:
If your package includes POA&Ms, select POAM Attachment and upload the POA&M JSON file.
-
Select Next.
The system validates all attached files against OSCAL standards. If validation fails, error messages display indicating which files have issues. If validation succeeds, the wizard proceeds to user mapping.
-
In the user mapping screen, review the list of users from the OSCAL file.
OSCAL users are automatically mapped to ServiceNow users and appear with the following mapping status:
- Auto-mapped: Indicates that a ServiceNow user with a matching username is found.
- Blank: Indicates no matching ServiceNow user is found, and that manual mapping is required.
-
For OSCAL users without a corresponding ServiceNow user, select the appropriate ServiceNow user from the drop-down.
-
Verify mandatory roles are assigned:
Required roles include:
- System Owner
- Information System Security Officer (ISSO)
- Information System Security Manager (ISSM)
If any mandatory role is unassigned after auto-mapping, manually select a user for that role.
-
Select Next to proceed to the preview screen.
-
Review the preview section.
The preview displays objects that will be created, overridden, or skipped based on whether the package exists in the target instance.
For new packages:
All objects display as "Create New":
- SSP-related objects: Baseline controls, inherited controls, hybrid controls, information type definitions
- AP-related objects: Engagements, control tests, test plans, entity to engagement mappings
On import, all objects are created.
For existing packages:
All SSP and AP related objects display as "Override" by default. If you skip the package,
all related objects are skipped automatically, including baseline controls, information type definitions, inherited controls, hybrid controls, engagements, test plans, control tests, and entity to engagement mappings.
Objects that skip automatically:
- Information type definitions already in the library
- Policies already existing in the instance
Information type definitions and policies skip because they exist independently of packages and are not tightly coupled with authorization boundaries.
- Optional:
To skip or override specific object types, do the following:
-
Select the object from the Select the ones you would wish to override list and choose Override.
You can override objects at the boundary or package level. When you skip an authorization package, all child objects (baseline controls, engagements, test plans, control tests) skip automatically due to parent-child
relationships.
-
Select Import to begin the import process.
A confirmation message displays indicating the import process has started.
-
On the status screen, monitor the import progress.
The status screen displays each model being processed:
- Pending: Queued for processing
- In Progress: Currently processing (shows start date)
- Success: Completed (shows start and end dates)
- Error: Failed (shows error details)
The Assessment Plan typically takes a few minutes to process depending on the number of controls and control tests being created.
-
After all models show Success status, navigate to the authorization package to verify the import results.
Verify engagements were created, control tests exist for expected controls, and test plans are populated with assessment procedures.