NIST RMF supporting concepts
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of NIST RMF Supporting Concepts
The NIST RMF Use Case Accelerator provides essential concepts for ServiceNow customers, guiding them in risk management and security practices. Notably, from version 10.1.0 onward, support for the Use Case Accelerator is limited to existing customers. New users should utilize the GRC: Continuous Authorization Monitoring application for compliance and security management needs.
Show less
Key Features
- Target: A shared table linking ServiceNow GRC products with Use Case Accelerators, representing unique profiles throughout their lifecycle.
- Confidentiality (C): Refers to protecting information access and privacy, rated as High, Moderate, or Low.
- Integrity (I): Ensures information authenticity and guards against improper modifications, also rated as High, Moderate, or Low.
- Availability (A): Guarantees reliable access to information, rated similarly to confidentiality and integrity.
- Baseline Controls: Recommended security controls aimed at mitigating risk and ensuring compliance, categorized by impact levels.
- Impact Analysis: Assesses the potential effects of changes on the security state of a Target, classified into Low, Moderate, or High impact levels.
- Assurance: Controls that enhance security strength and confidence in the Target's functionality.
- Common Controls: Inheritable controls applicable to multiple Targets.
- Compensating Controls: Alternative controls providing equivalent protection when baseline controls cannot be implemented.
- Supplemental Controls: Additional controls to meet specific risk management requirements.
- Tailoring: Modifying security control baselines based on specific guidance and organizational parameters.
Key Outcomes
Implementing these concepts helps organizations effectively manage security risks and maintain compliance with regulatory requirements. By understanding and applying these elements, ServiceNow customers can enhance their security posture and ensure reliable information management across their operations.
Familiarize yourself with these concepts, developed from the NIST RMF guidance.
Note:
Starting with version 10.1.0, the NIST RMF Use Case Accelerator will be supported only for customers who currently use the product. New and existing customers should consider using the GRC: Continuous Authorization Monitoring application. For
details, Continuous Authorization and Monitoring.
| Concept | Description |
|---|---|
| Target | The target is the foundation of the NIST RMF Use Case Accelerator and all related concepts. The target is a shared table between the ServiceNow®
GRC products and several Use
Case Accelerators. They are similar to the concept of profiles in the core GRC applications. They are
optionally linked to profiles, but are used for any attributes that are specific
to the Use Case Accelerators. Note: Each NIST RMF Target uniquely represents a
single profile throughout its RMF life-cycle. |
| Confidentiality (C) | Confidentiality is a security objective of a Target, and is defined as the act of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Confidentiality is expressed as High, Moderate, and Low values |
| Integrity (I) | Integrity is a security objective of a Target is defined as act of guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Integrity is expressed as High, Moderate, and Low values |
| Availability (A) | Availability is a security objective of a Target is defined as act of ensuring timely and reliable access to and use of information. Availability is expressed as High, Moderate, and Low values |
| Baseline controls | Baseline Controls are recommended set of security controls from National Institute of Standards and Technology (NIST) which when implemented and determined to be effective, would mitigate security risk while complying with security requirements. Baseline controls have a designated impact value which is a combination of High, Moderate, or Low values. |
| Impact analysis | Impact analysis determines the extent to which proposed or actual changes to the Target or its environment of operation can affect or have affected the security state of the Target. A Target in which all three CIA security objectives evaluate to Low is considered Low-impact and uses any of the security controls which are tagged as Low impact value. Likewise, a Target in which any of the three CIA security objectives evaluate to Moderate is considered Moderate-impact and uses any of the security controls which are tagged as Moderate impact value. Likewise, a Target in which any of the three CIA security objectives evaluate to High is considered High-impact and uses any of the security controls which are tagged as High impact value. |
| Assurance | Assurance controls increase both the strength of security and degree of confidence that the functionality of Targets is correct, complete, and consistent and would mitigate the security risk and assists in complying with security requirements |
| Common | Common controls are controls that are inheritable by one or more Targets |
| Compensating | Compensating controls are controls which can be employed in lieu of recommended baseline security controls and provide equivalent or comparable protection for the Targets |
| Supplemental | Supplemental controls are controls which can be employed as added security controls to adequately meet the risk management needs of a Target |
| Tailoring | Tailoring is a process by which a security control baseline is modified based on: (i) Targets scoping guidance; (ii) specification of the security controls, for example, compensating, if needed; and (iii) the specification of organization — defined parameters in the security controls via explicit assignment and selection statements |