NIST RMF Use Case Accelerator dashboards and reports
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of NIST RMF Use Case Accelerator Dashboards and Reports
The NIST RMF Use Case Accelerator provides dashboards and reports for each phase of the NIST Risk Management Framework (RMF): Categorize, Select, Implement, Assess, Authorize, and Monitor. As of version 10.1.0, support is limited to existing customers, with a recommendation to consider the GRC: Continuous Authorization Monitoring application for new and existing users.
Show less
Key Features
- Overview Reports: Summarize security compliance and risk across various aspects, including heatmaps and annual loss exposures.
- Categorize Reports: Identify targets lacking baseline controls, assess security impacts, and categorize targets by confidentiality, integrity, and availability ratings.
- Select Reports: Facilitate the review and tailoring of baseline security controls and policy statements to enhance security posture.
- Assess Reports: Track completion and due dates of control attestations and risk assessments, ensuring timely compliance management.
- Authorize Reports: Provide insights into the approval status of targets and the roles of risk executive and authorizing official approvers.
- Monitor Reports: Detail the effectiveness of profiles, controls, and test plans, along with compliance status and associated risks.
Key Outcomes
Utilizing these reports enables ServiceNow customers to effectively manage and monitor their security compliance and risk management processes. By leveraging the insights from the dashboards, organizations can identify inefficiencies, ensure timely assessments, and maintain adherence to NIST standards, ultimately enhancing their overall security framework.
The NIST RMF Use Case Accelerator contains various reports displayed on different dashboards, available within each of the sections in the NIST RMF process: Categorize, Select, Implement, Assess, Authorize, and Monitor.
Note:
Starting with version 10.1.0, the NIST RMF Use Case Accelerator will be supported only for customers who currently use the product. New and existing customers should consider using the GRC: Continuous Authorization Monitoring application. For
details, Continuous Authorization and Monitoring.
| Reports | Purpose |
|---|---|
| Security Compliance Overview | Provides an overall compliance summary of the security policies. |
| Profiles Compliance Overview | Provides an overall compliance summary of the profiles implementing security controls. |
| Security Compliance Details | Provides a detailed compliance summary of the security policies. |
| Inherent Security Risk Heatmap | Heatmap of security risks based on the Inherent qualitative results of risks. |
| Residual Security Risk Heatmap | Heatmap of security risks based on the Residual qualitative results of risks. |
| Inherent Security Risk | Bubble chart of security risks based on the average Inherent quantitative results of risks. |
| Residual Security Risk | Bubble chart of security risks based on the average Inherent quantitative results of risks. |
| Inherent Annual Loss Exposures Security Risk | Provides an insight into Inherent Annualized Loss Expectancy (ALE) for different security risks. |
| Residual Annual Loss Exposures Security Risk | Provides an insight into Residual Annualized Loss Expectancy (ALE) for different security risks. |
| Issues summary | Plots issues noted for security policies on a week by week basis. |
| Targets with no Baseline Controls | Targets with completed security impact analysis with no baseline control generated. Baseline Controls are recommended set of security controls from National Institute of Standards and Technology (NIST) which when implemented and determined to be effective, would mitigate security risk while complying with security requirements. The Baseline Controls to be implemented can be determined from the recommended Baseline Policy Statements on the Target. |
| Targets pending Impact Analysis | Security impact analysis when conducted by the organizations, determines the extent to which proposed or actual changes to the target or its environment of operation can affect or have affected the security state of the target. Changes to the target or its environment of operation may affect the security controls currently in place (including system-specific, hybrid, and common controls), produce new vulnerabilities in the target, or generate requirements for new security controls that were not needed previously. |
| Targets status | Targets organized by their current state of Risk Management process. The Risk Management process is provided by National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a disciplined and structured process that integrates information security and risk management activities. |
| Confidentiality Impact | Targets grouped for each confidentiality rating value. National Institute of Standards and Technology (NIST) defines Confidentiality as preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Confidentiality is expressed as High, Moderate, and Low values. |
| Integrity Impact | Targets grouped for each Integrity rating value. National Institute of Standards and Technology (NIST) defines Integrity as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Integrity is expressed as High, Moderate, and Low values. |
| Availability Impact | Targets grouped for each Availability rating value. National Institute of Standards and Technology (NIST) defines Availability as ensuring timely and reliable access to and use of information. Availability is expressed as High, Moderate, and Low values. |
| Impact | Targets grouped for each Impact rating value. National Institute of Standards and Technology (NIST) defines Impact as the loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect; (ii) a serious adverse effect; or (iii) a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Whereas security impact analysis is defined as organizations determination of the extent to which the security state is affected. Impact is expressed as High, Moderate, and Low values. |
| Review Baseline Controls | Provides an overview for the NIST Risk Management select step of the framework in-order to facilitate review of the baseline policy statements and controls. NIST RMF > Select > Review Baseline Controls launches this dashboard |
| Baseline Security Policy Statements | Baseline Security Policy Statements are recommended set of security control definitions from National Institute of Standards and Technology (NIST) which when implemented and determined to be effective, would mitigate security risk while complying with security requirements. |
| Baseline Security Controls | Baseline Security Controls are recommended set of security controls from National Institute of Standards and Technology (NIST) which are being implemented and if determined to be effective, would mitigate security risk while complying with security requirements. |
| Reports | Purpose |
|---|---|
| Baseline Security Policy Statements | Baseline Security Policy Statements are recommended set of security control definitions from National Institute of Standards and Technology (NIST) which when implemented and determined to be effective, would mitigate security risk while complying with security requirements. |
| Baseline Security Controls | Baseline Security Controls are recommended set of security controls from National Institute of Standards and Technology (NIST) which are being implemented and if determined to be effective, would mitigate security risk while complying with security requirements. |
| Reports | Purpose |
|---|---|
| Baseline Assurance Policy Statements | Baseline Security Assurance Policy Statements are recommended set of security control definitions from National Institute of Standards and Technology (NIST) which are designated as Assurance control definitions which when implemented increase both the strength of security and degree of confidence that the functionality is correct, complete, and consistent and would mitigate security risk while complying with security requirements. |
| Baseline Assurance Controls | Baseline Security Assurance Controls are recommended set of security control definitions from National Institute of Standards and Technology (NIST) which are designated as Assurance control are being implemented to increase both the strength of security and degree of confidence that the functionality is correct, complete, and consistent and would mitigate security risk while complying with security requirements. |
| Baseline Common Policy Statements | Baseline Security Common Policy Statements are set of security control definitions from National Institute of Standards and Technology (NIST) which when designated as Common control definitions by organizations indicate these are inheritable by one or more organizational targets. |
| Baseline Common Controls | Baseline Security Common Controls are set of security control definitions from National Institute of Standards and Technology (NIST) are being implemented and which when designated as Common controls by organizations indicate these are inheritable by one or more organizational targets. |
| Baseline Compensating Policy Statements | Baseline Security Compensating Policy Statements are set of security control definitions from National Institute of Standards and Technology (NIST) which when designated as Compensating control definitions by organizations indicate these can be employed in lieu of other security controls and provide equivalent or comparable protection for organizational targets. |
| Baseline Compensating Controls | Baseline Security Compensating Controls are set of security control definitions from National Institute of Standards and Technology (NIST) are being implemented and which when designated as Compensating controls by organizations indicate these can be employed in lieu of other security controls and provide equivalent or comparable protection for organizational targets. |
| Baseline Supplemental Policy Statements | Baseline Security Supplemental Policy Statements are set of security control definitions from National Institute of Standards and Technology (NIST) which when designated as Supplemental control definitions by organizations indicate these can be added to security controls to adequately meet the risk management needs for organizational targets. |
| Baseline Supplemental Controls | Baseline Security Supplemental Controls are set of security control definitions from National Institute of Standards and Technology (NIST) are being implemented and which when designated as Supplemental controls by organizations indicate these can be added to security controls to adequately meet the risk management needs for organizational targets. |
| Reports | Purpose |
|---|---|
| Control Attestations completed | Displays the number of NIST Risk Management control attestations completed. |
| Control Attestations upcoming due date | Displays the number of NIST Risk Management control attestations due within 7 days. |
| Control Attestations due after 7 days | Displays the number of NIST Risk Management control attestations due after 7 days. |
| Control Attestations missed due date | Displays the number of NIST Risk Management control attestations that have missed their due date. |
| Control Attestations by profile | Provides an overview of the NIST Risk Management control attestations grouped by profiles. |
| Control Attestations past due | Provides an overview of the NIST Risk Management control attestations grouped by due date. |
| Risk Assessments completed | Displays the number of NIST Risk Management risk assessments completed. |
| Risk Assessments upcoming due date | Displays the number of NIST Risk Management risk assessments due within 7 days. |
| Risk Assessments due after 7 days | Displays the number of NIST Risk Management risk assessments due after 7 days. |
| Risk Assessments missed due date | Displays the number of NIST Risk Management risk assessments that have missed their due date. |
| Risk Assessments by profile | Provides an overview of the NIST Risk Management risk assessments grouped by profiles. |
| Risk Assessments past due | Provides an overview of the NIST Risk Management risk assessments grouped by due date. |
| Reports | Purpose |
|---|---|
| Target approval status | Provides an overview of the current state of approvals of the target. |
| Risk Executive approvers | Provides an overview of targets as assigned to the risk executive approvers. |
| Authorizing Official approvers | Provides an overview of targets as assigned to the authorizing official approvers. |
| Reports | Purpose |
|---|---|
| In-effective Profiles | Total number of profiles having at least one control test of a security control flagged as in-effective. |
| In-effective Controls | Total number of security controls having atleast one control test flagged as in-effective. |
| In-effective Test Plans | Total number of test plans having at least one control test of a security control flagged as in-effective. |
| Non-compliant Controls | Total number of security controls with status non-compliant. |
| Risks | Total number of Risks that are associated with security controls. |
| Issues | Total number of issues that are related to security controls and risks. |
| Control compliance | Provides compliance overview of the security controls. |
| Profile effectiveness | Provides an overview of the profile effectiveness for profiles having security controls based on the effectiveness of the associated control tests. |
| Control effectiveness | Provides an overview of the control effectiveness for security controls based on the effectiveness of the associated control tests. |
| Test Plan effectiveness | Provides an overview of the test plan effectiveness of security controls based on the effectiveness of the associated control tests. |
| Risks | List of Risks grouped by profiles and associated with security controls. |