Deferring remediation in Application Vulnerability Response

  • Release version: Washington DC
  • Updated February 1, 2024

    Starting with v20.0, you can defer remediation with the Awaiting Implementation state, which is available for application vulnerable items (AVIs) and remediation tasks as they move through their life cycles. You can only transition records to this state manually, by selecting Awaiting Implementation on AVI and remediation task records that are in the Under Investigation state.

    Use case

    As a remediation specialist, you can move a record into Awaiting Implementation to let your team know that your research and work on a task is complete. You might choose this update if you find that a fix is ready for implementation but isn't available. An example of an unavailable fix is a software patch. If the maintenance window for a patch isn't available when you finish your research, you can move the task to Awaiting Implementation until the patch can be deployed.

    Required fields

    There are two required, editable fields on the AVI and remediation task records that are in the Awaiting Implementation state:

    Remediation commitment date
    The planned remediation date.
    Remediation plan
    The description of the remediation plan. This text is displayed in the Notes on the record.

    Fields and system properties

    There are two system properties that are set to true by default for the modal that appears when you transition a record to Awaiting Implementation. If left in their default settings:

    sn_vul.remediation_fields
    Sets Remediation commitment date and Remediation plan as mandatory fields. If set to false, these fields are optional.
    sn_vul.awaiting_implementation
    Displays the modal with the Remediation commitment date and Remediation plan fields after you select Awaiting Implementation on a record. If set to false, you can change the state of an AVI to Awaiting Implementation without a prompt for entering a commitment date or a plan.

    Missed Remediation Commitment Date Module

    View any AVIs that have missed their Remediation commitment dates in the Missed Remediation Commitment Date module. Navigate to Application Vulnerability Response > Vulnerable items > Missed Remediation Commitment Date to view the list.

    State roll down from remediation tasks to AVIs

    The UI action button to transition a record into Awaiting Implementation is only visible on application vulnerable item and remediation task records in the Under Investigation state. For state roll down, on the modal that appears when you select Awaiting Implementation on a remediation task, there's an option to Override existing AVIs.

    Option: Select Override existing AVIs.
    Description: Select this option to override the Remediation commitment dates and Remediation plans of any existing AVIs in the task already in the Awaiting Implementation state. If selected, this feature rolls down the date and plan data on the remediation task to the AVIs.

    Option: Leave Override existing AVIs deactivated.
    Description: Leave the option deactivated to keep the date and plan values intact for any existing AVIs on the task already in the Awaiting Implementation state. If deactivated, AVIs already in Awaiting Implementation preserve their existing date and plan data and are not impacted by state roll down.

    Roll down examples

    Say you want to transition a remediation task from Open to Awaiting Implementation so that you can update the task’s commitment date and plan information for a software patch maintenance window. Assume that there is an AVI in this task in the Awaiting Implementation state, and you want to update its commitment date and plan information to match the remediation task.

    To overwrite the AVI’s date and plan data so it matches the remediation task, select the check box to Override existing AVIs when prompted. The AVI’s date and plan values become the plan and date values that you enter for the task in the prompt when you select Awaiting Implementation.

    If you don’t select the override option in this case, and there is an AVI in Awaiting Implementation, the original date and plan data on the AVI remains intact. The plan and date values that you enter for the task in the prompt when you select Awaiting Implementation aren't used on any AVIs already in the Awaiting Implementation state in the task.

    If an AVI on a task is in Resolved or Closed-fixed and you transition the task to Awaiting Implementation, selecting Override existing AVIs doesn't change the AVIs from Closed-fixed and Resolved to Awaiting Implementation due to a higher state precedence.

    If override is not selected while moving the task to Awaiting Implementation, there's an AVI already in Awaiting Implementation, and you then move the task back to Open or Under Investigation, the AVI remains in Awaiting Implementation.
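
The roll-down rules above, modeled as an added example (plain JavaScript, not ServiceNow code and not part of the original documentation). The record shape, function names, sample records and ISO date strings are hypothetical; it also assumes that AVIs in other states take the task's state, date and plan, and that a "missed" AVI is one still in Awaiting Implementation past its commitment date.

```javascript
// State names are taken from the page; everything else is a labelled assumption.
const AWAITING = 'Awaiting Implementation';
const HIGHER_PRECEDENCE = new Set(['Resolved', 'Closed-fixed']);

// Returns the AVIs as they would look after the task moves to Awaiting Implementation.
function rollDown(task, avis, overrideExisting) {
  return avis.map((avi) => {
    // Resolved and Closed-fixed have higher state precedence: never changed.
    if (HIGHER_PRECEDENCE.has(avi.state)) return { ...avi };
    // AVIs already deferred keep their own date and plan unless override is selected.
    if (avi.state === AWAITING && !overrideExisting) return { ...avi };
    // Assumption: all remaining AVIs receive the task's state, date and plan.
    return { ...avi, state: AWAITING, commitmentDate: task.commitmentDate, plan: task.plan };
  });
}

// Assumption: "missed" means still Awaiting Implementation with a date before today.
// Dates are ISO YYYY-MM-DD strings, so string comparison orders them correctly.
function missedCommitments(avis, today) {
  return avis
    .filter((a) => a.state === AWAITING && a.commitmentDate && a.commitmentDate < today)
    .map((a) => a.id);
}

// Constructed sample data (hypothetical identifiers and dates).
const sampleTask = { commitmentDate: '2024-03-15', plan: 'Deploy patch in March maintenance window' };
const sampleAvis = [
  { id: 'AVI-A', state: 'Under Investigation', commitmentDate: null, plan: null },
  { id: 'AVI-B', state: AWAITING, commitmentDate: '2024-02-01', plan: 'Upgrade library' },
  { id: 'AVI-C', state: 'Resolved', commitmentDate: null, plan: null },
  { id: 'AVI-D', state: 'Closed-fixed', commitmentDate: null, plan: null },
];

const kept = rollDown(sampleTask, sampleAvis, false);
const overridden = rollDown(sampleTask, sampleAvis, true);
console.log('override off:', kept.map((a) => `${a.id}=${a.commitmentDate}`).join(' '));
console.log('override on: ', overridden.map((a) => `${a.id}=${a.commitmentDate}`).join(' '));
console.log('missed on 2024-02-10 (override off):', missedCommitments(kept, '2024-02-10'));
```

With override off, the older commitment date on the already-deferred AVI survives the roll down and is the one that shows up as missed; with override on, the task's later date replaces it.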