Consolidated page of all release notes for Continuous Authorization and Monitoring from Washington DC to Xanadu.
How to use this page
To help you prepare for your upgrade, we have combined the cross-family Continuous Authorization and Monitoring release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Washington DC to Xanadu.
Tip: If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."
Important information for upgrading Continuous Authorization and Monitoring to Xanadu
Before you upgrade to Xanadu, review these pre- and post-upgrade tasks and complete the tasks as needed.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
New features
Between your current release family and Xanadu, new features were introduced for Continuous Authorization and Monitoring.
| Release |
Release notes |
Washington DC |
- Managing controls at a granular level
- Configure a control requirement at the control objective level based on the NIST 800-53 Risk Management Framework to assess the control at a granular level. You can also take attestations at the requirement level while the
control moves to the Attest state in the workflow. You can monitor and track the control effectively and clearly identify specific requirements that are non-compliant, which leads to the control being non-compliant.
- Set up baseline controls to generate controls and implement requirements
- Create a control that is implemented as an inherited control in part and as a system-specific control in part, which helps to adopt partial requirements from a common control provider. You can also inherit one or more
requirements provided by a common control provider.
- Ability to have assessment procedures based on NIST 800-53A
- Determine the control’s effectiveness based on the individual assessment procedure’s effectiveness. You can tailor the assessment procedures in test templates and mark them as Effective, Ineffective, or Not applicable.
- New related lists in the CAM view of Control objective and Control forms
- Use the CAM view of the Control objective form that has all the control objective requirements from the NIST 800-53 revision 5. Similarly, the CAM view of the Control form has all the requirements generated for the control in the control requirements related list.
|
Xanadu |
- CAM
Workspace
- Use the CAM
Workspace for an end-to-end user experience. The Home page, overview pages of authorization boundary and authorization package, unified tasks page, and the dashboards help you capture information and give you
a better insight into the data that aids in decision making.
CAM
Workspace includes exclusive features with which you can:
- Add related control objectives.
- View controls by family for a control objective and report based on families for NIST 800-53.
- Add attachments to assessment procedures and document notes.
- View all Plan of Actions and Milestones (POA&M) in a single pane.
- CAM supports the OSCAL format to export control-related information
- Export SSP files in the OSCAL format based on various models such as SSP, Profile, Catalog, and Catalog overlay. The generated report is compatible to share the information with other systems. CAM supports the National Institute of Standards and Technology (NIST) recommended OSCAL format to provide control-based information in machine-readable formats.
- CAM ATO artifacts
- Generate ATO artifacts from an authorization package in Microsoft Word format for the following reports:
- SSP
- Security Assessment Report (SAR)
- POA&M
- Enhancements in CAM user roles
- The existing user roles in CAM application have been enhanced with the following privileges:
- Use the Information Owner (sn_irm_cont_auth.information_owner) role to view and update the information types of an authorization package.
- Use the Audit reader (sn_audit.reader) lite role to view audit-related entities, such as engagements.
- Create and manage issues as a system user.
|
Changes
Between your current release family and Xanadu, some changes were made to existing Continuous Authorization and Monitoring features.
| Release |
Release notes |
Washington DC |
- Analytics and Reporting Solutions for CAM in Next Experience UI Framework
- Starting with version 18.1.0 of Continuous Authorization and Monitoring application, the Analytics and Reporting solutions for CAM such as the CAM Overview, AO Overview, and SCA Overview dashboards are available in the Next Experience UI Framework.
- Generating assessment procedure plans for a test plan
- The Control test section of the Test template form is updated with additional fields such as Examine, Interview, and Test that draw control test guidelines from NIST.
- Determine control effectiveness of a control test
- Additional new fields such as Examine, Interview, and Test are added to the Test plan and Control test forms to test the control effectiveness.
- Document implementation statement for a control
- The Control form now has a new field called Implementation statement, which is required before moving the control to the Assess state.
- Discussion field in the Control objective and Control forms
- Based on the 800-53 controls, the Discussion content provided by NIST for each control is shipped by the base system at the control objective level, which is also updated in the Control form when the control is created.
|
Xanadu |
- Role changes for Continuous Authorization and Monitoring
Workspace users
- Reader (sn_irm_cont_auth.reader), Authorization Official (sn_irm_cont_auth.authorization_official), and Executive Reader (sn_irm_cont_auth.executive_read) can now access Continuous Authorization and Monitoring
Workspace.
- OSCAL Catalog model export
- In exporting the control-related information as part of the Catalog model, the child control objectives of a control objective are mapped to the Control field. Furthermore, related control objectives of the control objective
are mapped to the Links field.
- Enhancements in CAM
Workspace
- The following enhancements have been made in CAM
Workspace:
- New pop-ups with additional capabilities are added to the hybrid controls creation.
- POA&Ms include all authorization package issues.
- The Family field and Family ID field are added to the Control objective page.
- The Notes field and Attachment field are added to the Assessment procedure page.
- The 360° View button is configured in all pages of CAM
Workspace.
- CAM user role changes
- Defining roles and assigning privileges and permissions for approvals is critical to ensure security in the CAM application. The user role changes are:
- The Information Owner (sn_irm_cont_auth.information_owner) role can also update information types of an authorization package, and the role also contains the Audit user (sn_audit.user) role in addition to the Reader
(sn_irm_cont_auth.reader) role.
- The Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager) role can update the authorization package, and the role contains the Compliance user (sn_compliance.user) and Reader
(sn_irm_cont_auth.reader) roles.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role can update the authorization package.
- The Reader (sn_irm_cont_auth.reader) role contains the Audit reader (sn_audit.reader) role.
- The System User (sn_irm_cont_auth.system_user) role contains the Audit user (sn_audit.user) role.
- The System Owner (sn_irm_cont_auth.system_owner) role also contains the Audit user (sn_audit.user) and Compliance user (sn_compliance.user) roles.
|
Removed
Between your current release family and Xanadu, some Continuous Authorization and Monitoring features or functionality were removed.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
- The Authorization Official (AO) (sn_irm_cont_auth.authorization_official) role no longer contains the sn_audit.user and sn_compliance.user roles. The AO role can only read and approve an authorization package.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role no longer contains the sn_audit.user role.
- The Reader (sn_irm_cont_auth.reader) role no longer contains the sn_audit.user role.
|
Deprecations
Between your current release family and Xanadu, some Continuous Authorization and Monitoring features or functionality were deprecated.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
Activation information
Review information on how to activate Continuous Authorization and Monitoring.
| Release |
Release notes |
Washington DC |
Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
|
Xanadu |
Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
|
Additional requirements
If any additional requirements were introduced or changed for Continuous Authorization and Monitoring we have noted them here.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
Browser requirements
If any specific browser requirements were introduced or changed for Continuous Authorization and Monitoring we have noted them here.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
Accessibility information
Review details on accessibility information for Continuous Authorization and Monitoring, such as specific requirements or compliance levels.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
Localization information
If there are specific localization considerations for Continuous Authorization and Monitoring we have noted them here.
| Release |
Release notes |
Washington DC |
No updates for this release. |
Xanadu |
No updates for this release. |
Highlight information
If there are specific highlight considerations for Continuous Authorization and Monitoring we have noted them here.
| Release |
Release notes |
Washington DC |
- Enable management of controls at a granular level that is at the control requirements level, which are shipped by the base system for controls belonging to NIST 800-53 revision 5.
- Define requirements at a control objective level that enables the breakdown of the control and create control requirements automatically, which can also be attested individually.
- Create hybrid controls by inheriting control requirements partially and self-implementing the rest of the requirements.
- Enable testing of the control based on the assessment procedures as defined by NIST 800-53A.
See Understanding Continuous Authorization and Monitoring for more information.
|
Xanadu |
- Use the added features in the CAM
Workspace to help streamline your work and have an efficient end-to-end user experience.
- Export System Security Plan (SSP) files in the OSCAL format, which includes models like Catalog, Profile, and SSP.
- Use the lite roles introduced in CAM for lighter business operations.
- Group similar controls into a family-related and club-related to help identify and understand the controls.
See Continuous Authorization and Monitoring for more information.
|