State synchronization between change requests and remediation tasks

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of State synchronization between change requests and remediation tasks

    In the ServiceNow Vulnerability Response product, the states of remediation tasks (VULs) and related change requests (CHGs) are synchronized automatically. This synchronization ensures that as a change request progresses through its lifecycle, the state of any associated remediation task updates accordingly, streamlining vulnerability remediation tracking and management.

    Show full answer Show less

    Key Features

    • Automatic State Updates: When a new or existing CHG is linked to a remediation task and not in the "Awaiting Implementation" state, the remediation task state moves forward to "Awaiting Implementation."
    • Progression to Resolved: After all tasks on a CHG are completed (Implemented) and the CHG moves to "Review," the linked remediation task automatically transitions to "Resolved."
    • Backward State Movement: If a CHG is canceled or closed unsuccessfully, the remediation task moves back to "Under Investigation," reflecting the need for further remediation effort.
    • Multiple CHGs per VUL: When multiple change requests are linked to a single remediation task, the state synchronization is based on the CHG in the earliest lifecycle state. For example, if one CHG is still in "Implement," the VUL remains in "Awaiting Implementation."
    • System Property Control: State synchronization is enabled by default via the system property snvul.crstatesynch, but users can control synchronization behavior, such as disabling it when adding CIs to a change request.
    • Manual Overrides: While manual state changes on CHGs and VULs are possible, synchronization can override these changes to maintain consistency.

    Practical Implications for ServiceNow Customers

    • Enables consistent and automated tracking of remediation task progress aligned with change request status, reducing manual updates and errors.
    • Helps ensure remediation tasks accurately reflect the current remediation efforts and status of associated change requests.
    • Supports scenarios where multiple change requests address a single vulnerability, providing clear rules on how the remediation task state is derived.
    • Allows flexibility with manual updates but maintains synchronization integrity to prevent state inconsistencies.
    • Improves visibility into remediation progress, aiding in risk management and compliance reporting.

    There is a synchronized relationship between the State fields of remediation tasks (VULs) and the State fields of change requests (CHG) in the Vulnerability Response product. As a change request moves through its life cycle, it also moves the state of any related remediation tasks automatically.

    State synchronization

    The remediation task record is referred to as a VUL in the following sections. In previous versions of Vulnerability Response, remediation tasks were called, vulnerability groups (VG). In the following images, VG= remediation task, or a VUL record.

    State synchronization is enabled by a system property (sn_vul.cr_state_synch) by default in your instance when you download the Vulnerability Response application.

    When state synchronization is enabled, the CHG State field changes the remediation task State field automatically in the following cases:

    • When a new CHG is created for a remediation task (VUL), if it is not in Awaiting Implementation, the VUL state moves forward to Awaiting Implementation.
    • When an existing CHG is associated to a VUL, if it is not in Awaiting Implementation, the VUL state moves forward to Awaiting Implementation.
    • After the tasks on a CHG are completed (Implemented), and the CHG is moved to the Review state, the VUL moves forward to Resolved.

    For more information and examples of state synchronization, see the following sections.

    Note:
    You can still manually move CHGs and VULs through the states of their life cycles on their respective records with state synchronization enabled, but when the system registers that a CHG has changed its state, or you add a CHG or remove it from a VUL, state synchronization potentially can override your manual intervention. However, change requests states do not automatically move the VUL from the Closed or Deferred states.

    Forward state synchronization

    The following image illustrates how CHG states automatically move VUL states in a forward life cycle, that is, from Open to Resolved.

    How CR states drive VG states.

    You can create new change requests for any remediation task in a state other than Closed. State synchronization automatically moves the VUL bi-directionally through the Open, Under Investigation, Awaiting Implementation, and Resolved states. This movement is based on certain values of the state field on the change request. State synchronization between the change request and the remediation task is invoked automatically unless the check box (Add CIs to CR) is displayed on a form and you choose to clear the check box.

    The VUL does not move forward to Resolved when a CHG is in its open states. Any CHG in states prior to Review in its life cycle such as, New, Assess, Authorize, Scheduled or Implement as shown in the preceding figure are considered open states for the CHG. Open states do not move the state field on the VUL, because investigations or tasks on the CHG are not completed. State synchronization is invoked when a CHG is created for, or associated to, the VUL, or the state of an existing relationship changes on the CHG. The completed CHG states are Review and successfully Closed. When a CHG is closed successfully, its closed codes are: Successful, or Successful with issues, in which case the VUL moves forward to Resolved.

    Backward state synchronization

    As a CHG is processed during its life cycle, it may be canceled at some point. In this case, if the CHG is Cancelled, or Closed (with a close code of Unsuccessful), the VUL automatically moves back to Under Investigation. The VUL moves back to Under Investigation, because there is no active plan to remediate the vulnerability.

    If a VUL is in a Resolved state​, and you create a new CHG or associate it to an existing CHG in one of the initial open states​, the VUL automatically transitions back to Awaiting Implementation​. The VUL moves back to this state, because more work is now assigned to the CHG.

    VULs with more than one CHG

    If a VUL in Awaiting Implementation has more than one CHG associated with it, state synchronization is based on the status of the CHG in the earliest state of its life cycle. For example, a VUL has four CHGs associated with it, CHG1, CHG2, CHG3, and CHG4 as shown in the following table.
    CHG number CHG state
    1 Implement
    2 Canceled
    3 Closed (close code of Unsuccessful)
    4 Closed (close code Successful)

    State synchronization between the CHG and the VUL in this case is based on CHG1, which is in the earliest state of the four CHGs, (Implement). In this case, the VUL remains in Awaiting Implementation.

    In another example, if a VUL is in the Resolved state and has an existing CHG that has been implemented and is in the Review state, and a new CHG is created, the VUL moves back from Resolved to Awaiting Implementation. State synchronization is based on the CHG in the New state, which is the CHG in the earliest state.

    CHG number CHG state
    1 Review
    2 New

    Additionally, when VULs have more than one CHG, the state of the VUL transitions automatically in the following cases:

    • When a CHG moves forward to Review, if all other CHGs associated with the VUL are in Review or Closed states (with a successful close code), ​the VUL automatically transitions to Resolved​. Any other related CHGs that are canceled or closed unsuccessfully are ignored.
    • When a CHG moves to Cancelled or ​Closed (close code of Unsuccessful), if all other CHGs associated with the VUL are in the same state, then the VUL automatically transitions back to Under Investigation​.

    For more information about remediation task states and what you can do in each state, see Vulnerability Response remediation task and vulnerable item states.