CAM workflow configuration

  • Release version: Australia
  • Updated June 11, 2026
  • 4 minutes to read

    Configure custom workflows in Continuous Authorization and Monitoring (CAM) to support compliance requirements beyond the default National Institute of Standards and Technology (NIST) Risk Management Framework.

    The CAM Workflow Configuration enables you to configure custom workflows and frameworks instead of restricting operations to the National Institute of Standards and Technology (NIST) framework. This flexibility enables you to adapt CAM to your specific compliance and authorization requirements.

    Previously, CAM maintained tight coupling with the NIST framework and its seven-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The Workflow Configuration decouples CAM from this single framework, enabling you to create and map custom workflows to authorization packages and boundaries.

    The configuration uses existing authorization package records and adds flexible state models that can map to different workflows. This approach maintains backward compatibility while enabling support for multiple workflows.

    Workflow configuration

    A workflow configuration defines the workflow, framework, regulation, and its associated versions, impacts, and view rules. CAM ships with a NIST workflow configuration, but you can create additional workflows for other frameworks such as Protective Security Policy Framework (PSPF) or custom internal frameworks.

    Each workflow configuration includes:

    • Versions: Different revisions of the workflow (for example, NIST Rev 4 and Rev 5)
    • Workflow impacts: Impact levels used to filter control objectives (for example, Low, Moderate, High)
    • View rules: Custom views that apply only to specific workflows
    • State model: Links the workflow to a specific state model

    State model

    A state model defines the steps, transitions, and validations for a workflow. The state model is applied to the authorization package table and controls how packages move through the workflow lifecycle.

    State models include:

    • Workflow states: Individual steps in the framework (for example, Prepare, Categorize, Select)
    • State transitions: Valid paths between steps, with required validation conditions
    • State model attributes: Special capabilities like approval requirements or report generation. State model attributes control the functionality available at specific workflow steps.

    State transitions

    State transitions define how packages move from one step to another. Each transition can include validation conditions that must be satisfied before proceeding.

    Examples of validation conditions:

    • Authorization boundary field can’t be empty
    • All baseline controls must have "Create controls automatically" enabled
    • Required approvals must be completed

    State model attributes

    Attributes add special capabilities to workflow states without requiring custom code. Attributes control features like approval requirements, report generation, related list actions, and UI page visibility for specific workflow states.

    For a complete list of available attributes, see Add existing attributes to a GRC workflow state.

    Workflow limitations

    Without the CAM Advanced plugin (app-grc-cont-auth-monitor-advanced), you can create a maximum of two workflows (including the NIST workflow). Installing the CAM Advanced plugin removes this limitation and enables unlimited workflow configurations.

    Enabling workflow configuration

    The workflow configurator is available only when CAM Workspace is installed. A system property controls whether custom workflows are enabled. For more information, see Continuous Authorization and Monitoring system properties.

    When you enable the workflow configuration property:

    • The system displays a confirmation dialog explaining the impacts
    • Existing packages and boundaries must be migrated to associate them with workflows
    • The property can’t be deactivated after it is activated
    • The system refreshes to apply the new configuration
    Important:
    After enabling the property, you must run the migration scheduled job to associate existing packages and boundaries with the NIST workflow. Packages and boundaries without workflow associations have limited functionality.

    Migration behavior

    When migrating existing data, CAM automatically assigns all packages and boundaries to the default NIST workflow.

    The migration process:

    • Identifies all authorization packages and boundaries without workflow assignments
    • Associates them with the default NIST workflow configuration
    • Updates the home page to display workflow-specific tabs
    • Enables workflow-based filtering and reporting

    OSCAL export and import

    When the workflow configuration property is enabled, OSCAL export includes workflow and framework metadata.

    Export and import scenarios

    • Property off (export) → Property on (import): Imported packages default to NIST workflow because no workflow data exists in the export
    • Property on (export) → Property off (import): Import succeeds but packages lack workflow functionality
    • Property on (both instances):
      • If the workflow exists in the import instance: Package uses that workflow
      • If the workflow doesn’t exist in the import instance: Package experience is broken and must be manually corrected
    Note:
    CAM doesn’t support importing packages with missing workflow configurations. You must create matching workflows in the target instance before importing.
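
A pre-import check for the scenarios above, as an added example that is not ServiceNow code: it reads a batch of exports and reports which packages can be imported and which workflows must first be created in the target instance. It assumes the export is OSCAL JSON and that the workflow name is carried in a metadata prop named "workflow"; that prop name, the outcome labels and the sample data are hypothetical.

```javascript
// Added example, not ServiceNow code. Assumptions: OSCAL JSON export, and the
// workflow name stored in a metadata prop called "workflow" (hypothetical).
const WORKFLOW_PROP = "workflow";

// Constructed sample exports (not real CAM output).
const sampleExports = [
  { "system-security-plan": { metadata: { title: "Payroll",
      props: [{ name: "workflow", value: "NIST" }] } } },
  { "system-security-plan": { metadata: { title: "Visitor portal",
      props: [{ name: "workflow", value: "PSPF" }] } } },
  { "system-security-plan": { metadata: { title: "Legacy HR" } } }, // exported with property off
];

// OSCAL JSON wraps the model in a single top-level key; return its metadata.
function metadataOf(doc) {
  const root = Object.values(doc || {})[0] || {};
  return root.metadata || {};
}

// Workflow named in one export, or null when the export carries none.
function workflowOf(doc) {
  const hit = (metadataOf(doc).props || []).find((p) => p.name === WORKFLOW_PROP && p.value);
  return hit ? String(hit.value).trim() : null;
}

// Classify one export against the target instance, following the scenarios above.
function classify(doc, targetPropertyOn, targetWorkflows) {
  const wf = workflowOf(doc);
  if (!wf) return targetPropertyOn ? "defaults-to-nist" : "no-workflow-data";
  if (!targetPropertyOn) return "imports-without-workflow-functionality";
  return targetWorkflows.includes(wf) ? "uses-existing-workflow" : "blocked-missing-workflow";
}

// Plan a batch: what can be imported now, and which workflows to create first.
function planImport(docs, targetPropertyOn, targetWorkflows) {
  const plan = { ready: [], blocked: [], workflowsToCreate: [] };
  for (const doc of docs) {
    const title = metadataOf(doc).title || "(untitled)";
    const outcome = classify(doc, targetPropertyOn, targetWorkflows);
    if (outcome !== "blocked-missing-workflow") { plan.ready.push({ title, outcome }); continue; }
    const wf = workflowOf(doc);
    plan.blocked.push({ title, workflow: wf });
    if (!plan.workflowsToCreate.includes(wf)) plan.workflowsToCreate.push(wf);
  }
  return plan;
}

console.log(JSON.stringify(planImport(sampleExports, true, ["NIST"]), null, 2));
```
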

    Assessment capabilities

    The Send Assessment button enables both classic assessments and risk assessments (when Advanced Risk Management is installed).

    Classic assessments

    Platform assessments that use assessment metric types. You must create or modify assessment templates where the table is set to Authorization Package.

    Risk assessments

    Risk Assessment Methodology (RAM) assessments that evaluate risks associated with packages and boundaries. Risk assessments appear in a separate related list on the package form.

    Note:
    CAM doesn’t ship assessment templates for authorization packages. You must create or modify existing templates for both assessment types.