Continuous Authorization and Monitoring release notes

  • Release version: Washington DC
  • Updated February 1, 2024

    The ServiceNow® Continuous Authorization and Monitoring application provides a standardized approach to defining an authorization package and walking through the seven stages of the NIST Risk Management Framework (RMF). Continuous Authorization and Monitoring was enhanced and updated in the Washington DC release.

    Continuous Authorization and Monitoring highlights for the Washington DC release

    • Manage controls at a granular level, that is, at the control requirements level. The base system ships control requirements for controls belonging to NIST 800-53 revision 5.
    • Define requirements at the control objective level, which breaks the control down and creates control requirements automatically. Each control requirement can also be attested individually.
    • Create hybrid controls by inheriting control requirements partially and self-implementing the rest of the requirements.
    • Enable testing of the control based on the assessment procedures as defined by NIST 800-53A.

    See Understanding Continuous Authorization and Monitoring for more information.

    Important:
    Continuous Authorization and Monitoring is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Washington DC release

    Managing controls at a granular level
    Configure a control requirement at the control objective level based on the NIST 800-53 Risk Management Framework to assess the control at a granular level. You can also take attestations at the requirement level while the control moves to the Attest state in the workflow. You can monitor and track the control effectively and clearly identify specific requirements that are non-compliant, which leads to the control being non-compliant.
    Set up baseline controls to generate controls and implement requirements
    Create a control that is implemented as an inherited control in part and as a system-specific control in part, which helps to adopt partial requirements from a common control provider. You can also inherit one or more requirements provided by a common control provider.
    Ability to have assessment procedures based on NIST 800-53A
    Determine the control’s effectiveness based on the individual assessment procedure’s effectiveness. You can tailor the assessment procedures in test templates and mark them as Effective, Ineffective, or Not applicable.
    New related lists in the CAM view of Control objective and Control forms
    Use the CAM view of the Control objective form, which lists all the control objective requirements from NIST 800-53 revision 5. Similarly, the CAM view of the Control form lists all the requirements generated for the control in the control requirements related list.

    Changed in this release

    Analytics and Reporting Solutions for CAM in Next Experience UI Framework
    Starting with version 18.1.0 of the Continuous Authorization and Monitoring application, the Analytics and Reporting solutions for CAM, such as the CAM Overview, AO Overview, and SCA Overview dashboards, are available in the Next Experience UI Framework.
    Generating assessment procedure plans for a test plan
    The Control test section of the Test template form is updated with additional fields such as Examine, Interview, and Test that draw control test guidelines from NIST.
    Determine control effectiveness of a control test
    New fields such as Examine, Interview, and Test are added to the Test plan and Control test forms to test the control effectiveness.
    Document implementation statement for a control
    The Control form now has a new field called Implementation statement, which is required before moving the control to the Assess state.
    Discussion field in the Control objective and Control forms
    Based on the 800-53 controls, the Discussion content provided by NIST for each control is shipped by the base system at the control objective level, which is also updated in the Control form when the control is created.

    Activation information

    Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.