Import in OSCAL format
Summary of Import in OSCAL format
The CAM OSCAL import feature in ServiceNow provides a guided, playbook-style process to efficiently integrate security control data using OSCAL (Open Security Controls Assessment Language) JSON files. It supports importing various OSCAL models including Catalog, System Security Plan (SSP), Assessment Plan (AP), and Assessment Results (AR), streamlining the creation and update of authorization packages within the CAM workspace.
Import Process and Supported Models
From the OSCAL Import landing page, users can view existing imports and initiate new ones. The import workflow includes these stages:
- Details: Specify the OSCAL model type, source details, and recipients for import notifications.
- Attachments: Upload required JSON files depending on the selected model:
  - Catalog: Upload the catalog file.
  - SSP: Upload catalog, profile, SSP, and one or more overlay files.
  - Assessment Plan (AP): Upload catalog, profile, SSP, one or more AP files (one per engagement), and optionally overlays and POA&M files.
  - Assessment Results (AR): Upload catalog, profile, SSP, AP, assessment results, and optional overlays and POA&M files (which merge with existing POA&M items).
- User and Group Mapping: Map users and groups from the OSCAL files to ServiceNow users and groups, identifying roles such as Assigned To (Engagement) or Owner (Control Test). Applicable to SSP, AP, and AR models.
- Roles and Responsibilities: Assign users to roles that persist throughout the authorization package lifecycle; applicable for SSP and AP models only.
- Preview and Override: Review files to be imported, with options to import, skip, or override existing packages. Overriding replaces all related data, and skipping bypasses package creation.
Key Functional Details
- Multiple overlay files can be uploaded; duplicate control objective references across overlays are now handled gracefully, with defined rules determining precedence.
- Control fields such as Status, Frequency, Weighting, Implementation Statement, and Activities are populated from the implemented requirements section if available.
- Control tailoring requests (CTRs) included in import files are created as new records linked to the authorization package, with the “created by” field assigned based on user mapping or defaulting to the system owner.
- For AR imports, users can choose to skip or override existing engagements and associated POA&M items.
- When overriding an existing package, overlays and control objectives are updated or recreated as per the import data.
- Each AP file must have a unique UUID to avoid import errors.
Practical Benefits for ServiceNow Customers
- Enables automated, standardized import of security control data and authorization package components in OSCAL format.
- Supports comprehensive mapping of imported users, groups, and roles to align imported data with existing ServiceNow entities.
- Allows flexible import management with options to create new packages or override existing ones while preserving data integrity.
- Improves data completeness by populating additional control implementation details during import.
- Facilitates integration with external tools or instances by importing assessment results and related data.
Next Steps and Additional Resources
Customers can begin importing OSCAL files directly from the New Import playbook within CAM workspace. For detailed troubleshooting and error handling related to OSCAL imports and control catalogs, refer to the OSCAL Import Knowledge Base article [KB1794095] available in Now Support.
The CAM OSCAL import offers a playbook-style experience designed to streamline the integration of security control data.
- Details: Enter the import details, such as the OSCAL model, source, and recipients for import status notifications.
- Attachments: Upload the OSCAL-formatted files corresponding to the model selected in the Details tab.
  - For the Catalog OSCAL model, you must upload the catalog file to proceed with the import process.
  - For the SSP OSCAL model, you must upload the following files:
    - Catalog
    - Profile
    - SSP
    - Overlay: You can upload multiple overlay files.
  - For the Assessment Plan (AP) OSCAL model, you must upload the following files:
    - Catalog
    - Profile
    - SSP
    - Assessment Plan: You can upload multiple AP files (one per engagement).
    - Overlay: You can upload multiple overlay files (optional).
    - POA&M: You can upload POA&M files (optional).
  - For the Assessment Results (AR) OSCAL model, you must upload the following files:
    - Catalog
    - Profile
    - SSP
    - Assessment Plan: The AP file linked to the AR being imported.
    - Assessment Results: The AR file to import.
    - Overlay: You can upload multiple overlay files (optional).
    - POA&M: You can upload POA&M files (optional). POA&M items from this file are aggregated with the POA&M items already present in the AR file.
- User and Group Mapping: Map users and groups from the OSCAL files to the corresponding ServiceNow users and groups in your instance. Each user entry shows the roles the user is listed as in the import — for example, Assigned To (Engagement), Owner (Control Test), or Assigned To (POA&M). This step applies to the SSP, AP, and AR OSCAL models.
- Roles and Responsibilities: Assign users to specific roles for the imported files. These users retain their roles throughout each step in the authorization package. Note: This tab is applicable only when the SSP or Assessment Plan OSCAL model is selected.
- Preview and Override: Review the list of files to be uploaded, along with the number of files that will be created or skipped. Take appropriate actions such as importing, skipping, or overriding.
  Note:
  - A new role, CTR opened by, appears in the user mapping list for packages with associated control tailoring requests. CTR opened by identifies the user recorded as the creator of the control tailoring request during import. If no user is mapped to this role, the system defaults to the system owner configured for the authorization package.
  - You can only override files that are in the skipped state. Additionally, if you override a package, all data associated with that package is overridden.
  - For new packages, all SSP and AP-related objects (engagements, control tests, test plans, entity to engagement mappings) display as "Create New". On import, all objects are created.
  - For existing packages, all SSP and AP-related objects display as "Override" by default. If you skip the package, all related objects are skipped automatically, including baseline controls, information type definitions, inherited controls, hybrid controls, engagements, test plans, control tests, and entity to engagement mappings.
  - When importing multiple AP files, each file must have a unique UUID. If two AP files contain the same UUID, the import process fails and displays an error message.
  - For AR imports, if an engagement from the package already exists on the instance, you can choose to skip or override the existing engagement and its associated POA&M items.
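The file-level rules above (which files each model requires, one UUID per AP file, and an AR that links to the uploaded AP) can be checked offline before a file set is uploaded to the New Import playbook, so that a failed import is caught before it reaches the instance. The following Python script is an added example and not ServiceNow code. It relies only on the top-level model keys (`catalog`, `profile`, `system-security-plan`, `assessment-plan`, `assessment-results`, `plan-of-action-and-milestones`) and the assessment-results `import-ap` link as defined in the OSCAL JSON schemas; the file set it embeds is constructed for illustration. Overlay files are CAM-specific and have no OSCAL model key, so they are not checked.

```python
"""Offline pre-flight checks for an OSCAL JSON file set before it is uploaded for import.

Added example, not ServiceNow code. Relies on the top-level model keys and the
assessment-results 'import-ap' link defined in the OSCAL JSON schemas.
"""
import json
from collections import Counter
from typing import Any

# Top-level key of each OSCAL JSON document -> label used on the import playbook.
OSCAL_MODEL_KEYS = {
    "catalog": "Catalog",
    "profile": "Profile",
    "system-security-plan": "SSP",
    "assessment-plan": "Assessment Plan",
    "assessment-results": "Assessment Results",
    "plan-of-action-and-milestones": "POA&M",
}

# Files each import model requires (optional overlay and POA&M files are not listed).
REQUIRED_FILES = {
    "Catalog": ("Catalog",),
    "SSP": ("Catalog", "Profile", "SSP"),
    "Assessment Plan": ("Catalog", "Profile", "SSP", "Assessment Plan"),
    "Assessment Results": ("Catalog", "Profile", "SSP", "Assessment Plan", "Assessment Results"),
}


def detect_model(doc: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Return (label, model body) for a parsed OSCAL document; raise if it is not exactly one model."""
    keys = [k for k in doc if k in OSCAL_MODEL_KEYS]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one OSCAL model key, found {sorted(doc)}")
    return OSCAL_MODEL_KEYS[keys[0]], doc[keys[0]]


def group_by_model(files: dict[str, str]) -> tuple[dict[str, list[dict[str, Any]]], list[str]]:
    """Parse each JSON text and group the model bodies by label; unusable files become problems."""
    grouped: dict[str, list[dict[str, Any]]] = {label: [] for label in OSCAL_MODEL_KEYS.values()}
    problems: list[str] = []
    for name, text in files.items():
        try:
            label, body = detect_model(json.loads(text))
        except (ValueError, json.JSONDecodeError) as exc:
            problems.append(f"{name}: not a recognised OSCAL JSON model ({exc})")
            continue
        grouped[label].append(body)
    return grouped, problems


def check_ap_uuids(aps: list[dict[str, Any]]) -> list[str]:
    """Each AP file must carry a distinct UUID; report any UUID shared by several files."""
    counts = Counter(ap.get("uuid") for ap in aps)
    return [f"AP UUID {uuid!r} is used by {n} files" for uuid, n in counts.items() if n > 1]


def check_ar_links_ap(ars: list[dict[str, Any]], aps: list[dict[str, Any]]) -> list[str]:
    """An AR names its AP in import-ap.href; a '#uuid' fragment must match an uploaded AP."""
    ap_uuids = {ap.get("uuid") for ap in aps}
    problems: list[str] = []
    for ar in ars:
        href = ar.get("import-ap", {}).get("href", "")
        # External URIs (no '#' fragment) cannot be verified offline and are skipped.
        if href.startswith("#") and href[1:] not in ap_uuids:
            problems.append(f"AR {ar.get('uuid')!r} references AP {href!r}, which was not uploaded")
    return problems


def preflight(model: str, files: dict[str, str]) -> list[str]:
    """Run all checks for the chosen import model; an empty list means the set looks importable."""
    grouped, problems = group_by_model(files)
    problems += [f"missing {label} file" for label in REQUIRED_FILES[model] if not grouped[label]]
    problems += check_ap_uuids(grouped["Assessment Plan"])
    problems += check_ar_links_ap(grouped["Assessment Results"], grouped["Assessment Plan"])
    return problems


def _doc(key: str, uuid: str, **extra: Any) -> str:
    """Build a minimal constructed OSCAL JSON document for the sample file set."""
    return json.dumps({key: {"uuid": uuid, "metadata": {"title": key}, **extra}})


AP_UUID = "aaaaaaaa-0000-4000-8000-000000000001"  # constructed value
# Constructed file set: two AP files share a UUID, which the import rejects.
SAMPLE_FILES = {
    "catalog.json": _doc("catalog", "cccccccc-0000-4000-8000-000000000001"),
    "profile.json": _doc("profile", "bbbbbbbb-0000-4000-8000-000000000001"),
    "ssp.json": _doc("system-security-plan", "dddddddd-0000-4000-8000-000000000001"),
    "ap-engagement-1.json": _doc("assessment-plan", AP_UUID),
    "ap-engagement-2.json": _doc("assessment-plan", AP_UUID),
    "ar.json": _doc("assessment-results", "eeeeeeee-0000-4000-8000-000000000001",
                    **{"import-ap": {"href": "#" + AP_UUID}}),
}

if __name__ == "__main__":
    for problem in preflight("Assessment Results", SAMPLE_FILES) or ["no problems found"]:
        print(problem)
```

Run against the constructed set, the script reports the shared AP UUID and nothing else; point `SAMPLE_FILES` at the real file texts and pass the model you intend to select on the Details tab to check your own set.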
When you override an existing authorization package during import, the system applies the imported data to the package as follows:
- Overlays are overwritten with the imported values
- Control objectives from the imported source are created or overwritten
- Control tailoring requests from the imported SSP are created as new records associated with the overriding package
The import process includes the following behavior:
- Previously, importing multiple overlay files that contained duplicate control objective references caused the import to fail. The import now succeeds when overlay files contain duplicate control objective references. Each overlay defines behavior and action rules for matching and distinct control objectives, and the system applies these rules to determine which overlay's configuration takes effect for each control objective.
- Previously, when importing files, control fields were not populated beyond the minimum required. The import now populates the following fields from the implemented requirements section, if the values are present in the export file:
  - Status
  - Frequency
  - Weighting
  - Implementation statement
  - Activities
  This applies to controls created during the import of SSP, Assessment Plan, and Assessment Report models.
If the imported file contains control tailoring request data, the system creates a control tailoring request record as part of the import. The imported control tailoring request includes:
- Requested changes
- Overlay controls
- Work notes (visible in the CTR record, marked as imported from OSCAL)
- The created by field, set to the user mapped to the CTR opened by role during import (defaults to System Owner if not mapped)
The control tailoring request record is visible in the authorization package after import.
For more information on the OSCAL import error and control catalog, see the OSCAL Import [KB1794095] article in the Now Support Knowledge Base.