Combined Continuous Authorization and Monitoring release notes for upgrades from Xanadu to Yokohama

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Continuous Authorization and Monitoring release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Xanadu to Yokohama.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Continuous Authorization and Monitoring to Yokohama

Before you upgrade to Yokohama, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

New features

Between your current release family and Yokohama, new features were introduced for Continuous Authorization and Monitoring.


Release	Release notes
Xanadu	CAM Workspace Use the CAM Workspace for an end-to-end user experience. The Home page, overview pages of authorization boundary and authorization package, unified tasks page, and the dashboards help you capture information and give you a better insight into the data that aids in decision making. CAM Workspace includes exclusive features with which you can: Add related control objectives. View controls by family for a control objective and report based on families for NIST 800-53. Add attachments to assessment procedures and document notes. View all Plan of Actions and Milestones (POA&M) in a single pane. CAM supports the OSCAL format to export control-related information Export SSP files in the OSCAL format based on various models such as SSP, Profile, Catalog, and Catalog overlay. The generated report is compatible to share the information with other systems. CAM supports the National Institute of Standards and Technology (NIST) recommended OSCAL format to provide control-based information in machine-readable formats. CAM ATO artifacts Generate ATO artifacts from an authorization package in Microsoft Word format for the following reports: SSP Security Assessment Report (SAR) POA&M Enhancements in CAM user roles The existing user roles in CAM application have been enhanced with the following privileges: Use the Information Owner (sn_irm_cont_auth.information_owner) role to view and update the information types of an authorization package. Use the Audit reader (sn_audit.reader) lite role to view audit-related entities, such as engagements. Create and manage issues as a system user.
Yokohama	OSCAL Import landing page Import files for catalog and SSP models on the new OSCAL Import landing page. Once the import process is initiated, you can check the status under the Import status section. OSCAL Export button Export selected control objectives in the OSCAL format with the new OSCAL Export button while in the control objectives list view. ATO artifacts in Microsoft Word Generate ATO artifacts from an authorization package in the Microsoft Word format. In CAM Workspace, you can use the Generate SSP drop-down list in a selected authorization package to generate the following reports: Security Assessment Plan (SAP) Authorization to Operate (ATO) Letter Executive Summary This enhancement verifies that all ATO artifacts are formatted consistently and can be shared and reviewed.

Changes

Between your current release family and Yokohama, some changes were made to existing Continuous Authorization and Monitoring features.


Release	Release notes
Xanadu	Role changes for Continuous Authorization and Monitoring Workspace users Reader (sn_irm_cont_auth.reader), Authorization Official (sn_irm_cont_auth.authorization_official), and Executive Reader (sn_irm_cont_auth.executive_read) can now access Continuous Authorization and Monitoring Workspace. OSCAL Catalog model export In exporting the control-related information as part of the Catalog model, the child control objectives of a control objective are mapped to the Control field. Furthermore, related control objectives of the control objective are mapped to the Links field. Enhancements in CAM Workspace The following enhancements have been made in CAM Workspace: New pop-ups with additional capabilities are added to the hybrid controls creation. POA&Ms include all authorization package issues. The Family field and Family ID field are added to the Control objective page. The Notes field and Attachment field are added to the Assessment procedure page. The 360° View button is configured in all pages of CAM Workspace. CAM user role changes Defining roles and assigning privileges and permissions for approvals is critical to ensure security in the CAM application. The user role changes are: The Information Owner (sn_irm_cont_auth.information_owner) role can also update information types of an authorization package, and the role also contains the Audit user (sn_audit.user) role in addition to the Reader (sn_irm_cont_auth.reader) role. The Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager) role can update the authorization package, and the role contains the Compliance user (sn_compliance.user) and Reader (sn_irm_cont_auth.reader) roles. The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role can update the authorization package. The Reader (sn_irm_cont_auth.reader) role contains the Audit reader (sn_audit.reader) role. The System User (sn_irm_cont_auth.system_user) role contains the Audit user (sn_audit.user) role. The System Owner (sn_irm_cont_auth.system_owner) role also contains the Audit user (sn_audit.user) and Compliance user (sn_compliance.user) roles.
Yokohama	Generate the OSCAL SSP model of an authorization package Export the SSP model of an authorization package in the OSCAL format. The exported report contains only the control objectives linked to the authorization package and their additional information, such as inherited controls and the hierarchy of the control objectives. Generate ATO artifacts in Microsoft Word and HTML templates Use the Document designer plugin (com.sn_grc_doc_design) to create report templates in Microsoft Word. A new property module has been introduced to select the template type as a Microsoft Word template in addition to an HTML template.

Removed

Between your current release family and Yokohama, some Continuous Authorization and Monitoring features or functionality were removed.


Release	Release notes
Xanadu	The Authorization Official (AO) (sn_irm_cont_auth.authorization_official) role no longer contains the sn_audit.user and sn_compliance.user roles. The AO role can only read and approve an authorization package. The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role no longer contains the sn_audit.user role. The Reader (sn_irm_cont_auth.reader) role no longer contains the sn_audit.user role.
Yokohama	No updates for this release.

Deprecations

Between your current release family and Yokohama, some Continuous Authorization and Monitoring features or functionality were deprecated.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Activation information

Review information on how to activate Continuous Authorization and Monitoring.


Release	Release notes
Xanadu	Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Yokohama	Install CAM by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Additional requirements

If any additional requirements were introduced or changed for Continuous Authorization and Monitoring we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Continuous Authorization and Monitoring we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Accessibility information

Review details on accessibility information for Continuous Authorization and Monitoring, such as specific requirements or compliance levels.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Localization information

If there are specific localization considerations for Continuous Authorization and Monitoring we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Highlight information

If there are specific highlight considerations for Continuous Authorization and Monitoring we have noted them here.


Release	Release notes
Xanadu	Use the added features in the CAM Workspace to help streamline your work and have an efficient end-to-end user experience. Export System Security Plan (SSP) files in the OSCAL format, which includes models like Catalog, Profile, and SSP. Use the lite roles introduced in CAM for lighter business operations. Group similar controls into a family-related and club-related to help identify and understand the controls. See Continuous Authorization and Monitoring for more information.
Yokohama	Import catalog and System Security Plan (SSP) models with the new CAM Open Security Controls Assessment Language (OSCAL) import landing page. Export and import SSP models and catalog models in the OSCAL format. Export control objectives as a catalog in the OSCAL format. Generate additional reports in Microsoft Word format, such as a Security Assessment Plan (SAP), Authorization to Operate (ATO) Letter, and Executive Summary. Generate reports based on a Microsoft Word template. See Continuous Authorization and Monitoring for more information.