Request control tailoring
Summary of Request control tailoring
Request control tailoring enables ServiceNow customers to modify baseline controls within an authorization package after the Select step, without reverting the entire package to earlier workflow stages. This capability prevents the need to re-implement and re-test all controls when only a subset requires changes, supporting incremental updates through delta changes.
Key Features
- Allows adding new controls or updating existing control configurations while keeping unaffected controls unchanged.
- Supports multiple control types including Baseline, Inherited, Hybrid, Fully inherited, Not applicable, Overlay.
- Control tailoring requests can be created by CAM admins, System owners, ISSOs, and ISSMs for packages in the Implement step or later.
- The interface provides a dual-panel view: Current Records showing existing configurations and Requested Records showing proposed modifications, aiding users in managing changes.
- Approval workflow assigns requests to the Authorizing Official (AO), who reviews only the delta changes and can approve, request more information, or reassign the request.
- Control tailoring activities are documented in the authorization package work notes for audit and tracking.
Control State Transitions
- Adding a baseline control creates it in Draft state.
- Changing a baseline control from Not Applicable to Applicable creates the control.
- Changing from Applicable to Not Applicable retires the control.
- Updating hybrid controls to inherited or fully inherited adjusts allocation types accordingly.
- Modifying hybrid configurations updates control requirements.
- Approved overlay control modifications apply configured behaviors and actions to baseline controls.
Package Status and Approval Considerations
- Changes from control tailoring requests do not take effect until AO approval.
- Once approved, only modified controls transition to new states; unchanged controls remain in their current states.
- Only one control tailoring request in New state is permitted per package at a time.
Control tailoring requests enable you to modify baseline controls for an authorization package after the Select step without reverting the package to earlier workflow steps.
Previously, modifying baseline controls after the Select step required moving the package back to Select, which reset the control lifecycle for all controls in the package. This meant re-implementing and re-testing all controls even when changes affected only a small subset. Control tailoring requests allow incremental modifications by applying only delta changes to the package.
Through control tailoring requests, you can add new controls or update existing control configurations while keeping unaffected controls in their current state. The following control types are supported:
- Baseline
- Inherited
- Hybrid
- Fully inherited
- Not applicable
- Overlay
CAM admins, System owners, ISSOs, and ISSMs can create control tailoring requests for packages in the Implement step or later. The request interface displays two panels: Current Records (left), showing the existing package configuration, and Requested Records (right), showing the proposed modifications. Users review the current allocations as a reference while building the requested changes.
Approval workflow
After you request approval for a control tailoring request, the system assigns it to the Authorizing Official (AO) configured for the authorization package and sends an email notification. The AO reviews only the delta changes in the Requested Changes tab and can approve, request more information, or reassign to a different AO. If more information is needed, the request returns to the submitter for modifications before resubmission.
After approval, changes are applied to the requested controls. Only modified controls transition to new states while unchanged controls retain their current state. All control tailoring activities are recorded in the authorization package work notes.
Control state transitions
The control tailoring process manages several types of control changes:
When you add a baseline control to the package, the system creates the corresponding control in Draft state. When you change a baseline control from Not Applicable to Applicable, the system creates the control. When you change a baseline control from Applicable to Not Applicable, the system retires the existing control.
When you change a hybrid control to inherited or fully inherited, the system updates the existing control with the new allocation type. When you update the hybrid configuration for an existing hybrid control, the system updates the control requirements to reflect the new configuration.
When an overlay control modification in a control tailoring request is approved, the system applies the overlay's configured behavior and actions to the baseline controls.
Package status during approval
While a control tailoring request is pending approval, the proposed changes are not in effect; they take effect only when the AO approves the request. After approval, the system applies the changes to baseline controls and updates related controls accordingly. Only one control tailoring request in New state is allowed per package at a time.
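
The transition and approval rules above, modelled as an added example in plain JavaScript (this is not ServiceNow code and uses no platform API). The record shapes, function names and sample control IDs are hypothetical and constructed for illustration; overlay behavior is not modelled.

```javascript
// Added illustration; names and record shapes are hypothetical, no ServiceNow API is used.
// Constructed sample data: current package records and one control tailoring request.
const currentRecords = {
  'AC-2': { type: 'baseline' },
  'AC-3': { type: 'not_applicable' },
  'AU-6': { type: 'hybrid', hybridConfig: 'provider:logging' },
  'CM-2': { type: 'hybrid', hybridConfig: 'provider:images' },
  'IA-5': { type: 'baseline' },
  'SC-7': { type: 'baseline' },
};
const request = {
  state: 'new',
  requestedRecords: {
    'AC-3': { type: 'baseline' },          // Not Applicable -> Applicable
    'AU-6': { type: 'fully_inherited' },   // hybrid -> fully inherited
    'CM-2': { type: 'hybrid', hybridConfig: 'provider:images+patching' },
    'IA-5': { type: 'not_applicable' },    // Applicable -> Not Applicable
    'SI-4': { type: 'baseline' },          // control not yet in the package
  },
};

// Map one current/requested pair to the transition the page describes.
function transitionFor(cur, req) {
  if (!cur) return 'create_in_draft';
  const wasNA = cur.type === 'not_applicable', isNA = req.type === 'not_applicable';
  if (wasNA && !isNA) return 'create';
  if (!wasNA && isNA) return 'retire';
  if (cur.type === 'hybrid' && ['inherited', 'fully_inherited'].includes(req.type)) return 'update_allocation';
  if (cur.type === 'hybrid' && req.type === 'hybrid')
    return cur.hybridConfig === req.hybridConfig ? 'unchanged' : 'update_requirements';
  return cur.type === req.type ? 'unchanged' : 'not_covered_here';
}

// The delta the AO reviews: only controls whose requested record differs.
function computeDelta(current, requested) {
  return Object.keys(requested).sort()
    .map((id) => ({ id, action: transitionFor(current[id], requested[id]) }))
    .filter((d) => d.action !== 'unchanged');
}

// Nothing is applied until the request is approved; untouched controls keep their state.
function applyRequest(current, req) {
  const delta = req.state === 'approved' ? computeDelta(current, req.requestedRecords) : [];
  const touched = new Set(delta.map((d) => d.id));
  return { applied: delta, untouched: Object.keys(current).filter((id) => !touched.has(id)) };
}

// Only one request in New state is allowed per package.
const canOpenRequest = (requests) => !requests.some((r) => r.state === 'new');
```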