Continuous Authorization and Monitoring release notes
The ServiceNow® Continuous Authorization and Monitoring (CAM) application provides a standardized approach to defining an authorization package and walking through the seven stages of the NIST Risk Management Framework (NIST RMF). Continuous Authorization and Monitoring (CAM) was enhanced and updated in the Xanadu release.
Continuous Authorization and Monitoring highlights for the Xanadu release
- Use the added features in the CAM Workspace to help streamline your work and have an efficient end-to-end user experience.
- Export System Security Plan (SSP) files in the OSCAL format, which includes models like Catalog, Profile, and SSP.
- Use the lite roles introduced in CAM to grant narrower, read-oriented access for lighter business operations.
- Group related controls by family, using the Family and Family ID fields on control objectives, to help identify and understand the controls.
Important:
Continuous Authorization and Monitoring is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.
New in the Xanadu release
- CAM Workspace
- Use the CAM Workspace for an end-to-end user experience. The Home page, the overview pages for authorization boundary and authorization package, the unified tasks page, and the dashboards help you capture information and give you better insight into the data that supports decision making. CAM Workspace includes exclusive features with which you can:
- Add related control objectives.
- View controls by family for a control objective and report based on families for NIST 800-53.
- Add attachments to assessment procedures and document notes.
- View all Plan of Actions and Milestones (POA&M) in a single pane.
- CAM supports the OSCAL format to export control-related information
- Export SSP files in the OSCAL format based on various models such as SSP, Profile, Catalog, and Catalog overlay. The generated export can be shared with other systems that consume OSCAL. CAM supports the National Institute of Standards and Technology (NIST) recommended OSCAL format to provide control-based information in machine-readable form.
- CAM ATO artifacts
- Generate ATO artifacts from an authorization package in Microsoft Word format for the following reports:
- SSP
- Security Assessment Report (SAR)
- POA&M
- Enhancements in CAM user roles
- The existing user roles in the CAM application have been enhanced with the following privileges:
- Use the Information Owner (sn_irm_cont_auth.information_owner) role to view and update the information types of an authorization package.
- Use the Audit reader (sn_audit.reader) lite role to view audit-related entities, such as engagements.
- Create and manage issues as a system user.
Changed in this release
- Role changes for Continuous Authorization and Monitoring Workspace users
- Reader (sn_irm_cont_auth.reader), Authorization Official (sn_irm_cont_auth.authorization_official), and Executive Reader (sn_irm_cont_auth.executive_read) can now access Continuous Authorization and Monitoring Workspace.
- OSCAL Catalog model export
- When control-related information is exported as part of the Catalog model, the child control objectives of a control objective are mapped to the Control field, and the related control objectives of that control objective are mapped to the Links field.
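The OSCAL export described above, and the Catalog model mapping in this item, are the kind of output a practitioner will want to check before handing it to another system. The following is an added example, not code from the ServiceNow CAM application: it walks a small constructed OSCAL catalog JSON (labelled as constructed in the code; not a real CAM export) and indexes child controls from the nested `controls` arrays and related controls from `links` entries with `rel: related`, which is the standard OSCAL catalog representation that the Control and Links fields correspond to. It also groups controls by NIST 800-53 family derived from the control ID prefix and flags related links whose target control is missing from the catalog. The field names follow the published OSCAL catalog model; any further details of what CAM emits are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of an OSCAL catalog document (not a real CAM export).
# "ia-4" deliberately carries a related link to "sc-7", which is absent from
# the catalog, so the dangling-link check below has something to report.
SAMPLE_CATALOG = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example catalog", "version": "1.0",
                     "oscal-version": "1.1.2"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-2", "title": "Account Management",
                 "links": [{"href": "#ia-4", "rel": "related"}],
                 # child control objective -> nested "controls" (Control field)
                 "controls": [
                     {"id": "ac-2.1",
                      "title": "Automated System Account Management"}
                 ]}
            ]},
            {"id": "ia", "title": "Identification and Authentication",
             "controls": [
                {"id": "ia-4", "title": "Identifier Management",
                 # related control objectives -> "links" (Links field)
                 "links": [{"href": "#ac-2", "rel": "related"},
                           {"href": "#sc-7", "rel": "related"}]}
            ]},
        ],
    }
})


def iter_controls(container, parent=None):
    """Yield (control, parent) for every control in a catalog, group or
    control, descending into nested 'controls' and 'groups'."""
    for ctl in container.get("controls", []):
        yield ctl, parent
        yield from iter_controls(ctl, ctl)
    for grp in container.get("groups", []):
        yield from iter_controls(grp, parent)


def index_catalog(doc_json):
    """Return (controls_by_id, children, related) for an OSCAL catalog."""
    cat = json.loads(doc_json)["catalog"]
    controls = {}
    children = defaultdict(list)   # parent id -> child control ids
    related = defaultdict(list)    # control id -> related control ids
    for ctl, parent in iter_controls(cat):
        controls[ctl["id"]] = ctl
        if parent is not None:
            children[parent["id"]].append(ctl["id"])
        for link in ctl.get("links", []):
            href = link.get("href", "")
            # Only same-document fragment links to other controls are
            # treated as related control objectives here.
            if link.get("rel") == "related" and href.startswith("#"):
                related[ctl["id"]].append(href[1:])
    return controls, dict(children), dict(related)


def family_of(control_id):
    """NIST 800-53 family code from a control id, e.g. 'ac-2.1' -> 'AC'."""
    return control_id.split("-", 1)[0].upper()


def controls_by_family(controls):
    fam = defaultdict(list)
    for cid in controls:
        fam[family_of(cid)].append(cid)
    return dict(fam)


def dangling_links(controls, related):
    """(source, target) pairs whose related target is not in the catalog."""
    return sorted((src, tgt) for src, tgts in related.items()
                  for tgt in tgts if tgt not in controls)


if __name__ == "__main__":
    ctls, kids, rel = index_catalog(SAMPLE_CATALOG)
    print("families:", controls_by_family(ctls))
    print("children:", kids)
    print("related:", rel)
    print("dangling:", dangling_links(ctls, rel))
```

Run it against a real export by replacing `SAMPLE_CATALOG` with the file contents; a non-empty result from `dangling_links` means a related control objective was exported as a link to a control that the receiving system will not find in the same document.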
- Enhancements in CAM Workspace
- The following enhancements have been made in CAM Workspace:
- New pop-ups with additional capabilities are added to hybrid control creation.
- POA&Ms include all authorization package issues.
- The Family field and Family ID field are added to the Control objective page.
- The Notes field and Attachment field are added to the Assessment procedure page.
- The 360° View button is configured in all pages of CAM Workspace.
- CAM user role changes
- Defining roles and assigning privileges and permissions for approvals is critical to ensuring security in the CAM application. The user role changes are:
- The Information Owner (sn_irm_cont_auth.information_owner) role can also update information types of an authorization package, and the role also contains the Audit user (sn_audit.user) role in addition to the Reader (sn_irm_cont_auth.reader) role.
- The Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager) role can update the authorization package, and the role contains the Compliance user (sn_compliance.user) and Reader (sn_irm_cont_auth.reader) roles.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role can update the authorization package.
- The Reader (sn_irm_cont_auth.reader) role contains the Audit reader (sn_audit.reader) role.
- The System User (sn_irm_cont_auth.system_user) role contains the Audit user (sn_audit.user) role.
- The System Owner (sn_irm_cont_auth.system_owner) role also contains the Audit user (sn_audit.user) and Compliance user (sn_compliance.user) roles.
Removed in this release
- The Authorization Official (AO) (sn_irm_cont_auth.authorization_official) role no longer contains the sn_audit.user and sn_compliance.user roles. The AO role can only read and approve an authorization package.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role no longer contains the sn_audit.user role.
- The Reader (sn_irm_cont_auth.reader) role no longer contains the sn_audit.user role.
Activation information
Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.