Impact of the compensating controls on risk score and expiration date

  • Release version: Zurich
  • Updated March 12, 2026
  • 4 minutes to read

    As a Remediation Owner, you can request risk reduction for a host vulnerable item or a remediation task, and a Vulnerability Manager or Analyst can approve the request.

    For more information on how to request risk reduction and how to approve those requests, see Request risk reduction for a vulnerable item or remediation task and Approve or reject requests in the Vulnerability Manager Workspace, respectively.

    When a risk reduction request is approved, the risk score is reduced according to the Desired value (risk rating) in the state change approval (VCA#) record: the highest risk score of the desired risk rating is assigned to the record. The following example shows how the Risk score and Original risk score fields are updated when compensating controls are applied, using the default highest risk scores of the risk ratings.

    Table 1. Impact of compensating controls on risk score and original risk score

    | Scenario | Risk rating | Risk score | Original risk score (Calculated risk score) |
    |---|---|---|---|
    | Data prior to v20.0 | 2 - High | 80 | The field is not available prior to v20.0. |
    | After upgrading to v20.0 | 2 - High | 80 | Null |
    | Calculated risk score changes to 90 during ingestion | 1 - Critical | 90 | Null |
    | When you apply compensating controls | 3 - Medium | 69 | 90 |
    | Calculated risk score changes to 70 during ingestion | 3 - Medium | 69 | 70 |
    | Calculated risk score changes to 50 during ingestion | 3 - Medium | 50 | 50 |
    | Calculated risk score changes to 80 during ingestion | 3 - Medium | 50 | 80 |
    | When compensating controls expire on the Until date for risk reduction | 2 - High | 80 | Null |

    Impact of compensating controls on a remediation task

    When your request for risk reduction is approved for a remediation task, the impact of compensating controls on its vulnerable items is as follows:

    • The compensating controls applied on the remediation task are applied to its vulnerable items (other than those in the Closed state) whose risk score is greater than the risk score corresponding to the Desired value in the remediation task's state change approval, and the risk score of those vulnerable items is reduced according to the Desired value.
    • When new vulnerable items are ingested and associated with a remediation task that already has an approved compensating control, the reduced risk rating is automatically inherited by the new vulnerable items. The risk score of the new vulnerable items is set to match the Desired value from the approved state change approval record, and the Original risk score field reflects the scanner-calculated value. This applies to all finding types across Vulnerability Response, Application Vulnerability Response, and Container Vulnerability Response.
    • The SLA for newly ingested vulnerable items that inherit a compensating control from the remediation task is calculated based on the reduced risk level, not the original scanner-severity level.
    • The Until date for risk reduction remains unchanged for the vulnerable items on which a compensating control is already applied. It is not updated with the Until date for risk reduction of the Remediation Task.
    • The Until date for risk reduction is rolled down to the vulnerable items only when no compensating control has previously been applied on any of them. If you apply compensating controls on the remediation task again, the Until date for risk reduction is not rolled down, because the existing Until date for risk reduction of the vulnerable items takes priority.
    • When a new vulnerable item is added to a remediation task on which compensating controls are already applied, the compensating control is automatically applied to the new vulnerable item, and its risk score is reduced to match the Desired value from the approved state change approval record.
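    The roll-down rules above, as an added JavaScript example that is not ServiceNow's own code: a small model of a task-level approval applied to the task's vulnerable items. The field names, the sample VIs and the Until dates are constructed for illustration; the only score taken from the page is 69, the highest score of 3 - Medium in Table 1.

```javascript
// Added example, not ServiceNow code: models the roll-down of an approved
// compensating control from a remediation task to its vulnerable items (VIs).
// Field names are simplified stand-ins for the VI fields named on this page.
const MEDIUM_CEILING = 69; // highest score of "3 - Medium" (Table 1 default)

// approval: Desired value and Until date from the state change approval (VCA#).
// vis: the task's VIs; untilDate === null means no control is applied yet.
function rollDownToVulnerableItems(approval, vis) {
  return vis.map((vi) => {
    // Closed VIs, and VIs already at or below the desired score, are not touched.
    if (vi.state === 'Closed' || vi.riskScore <= approval.desiredScore) {
      return { ...vi };
    }
    const hadControl = vi.untilDate !== null;
    return {
      ...vi,
      // Original risk score keeps the scanner-calculated value. A VI that was
      // already reduced keeps the calculated value stored earlier (assumed here).
      originalRiskScore: hadControl ? vi.originalRiskScore : vi.riskScore,
      riskScore: approval.desiredScore,
      riskRating: approval.desiredRating,
      // The Until date is rolled down only when the VI had no control before;
      // an existing Until date on the VI takes precedence.
      untilDate: hadControl ? vi.untilDate : approval.untilDate,
    };
  });
}

// Constructed sample: one approval and four VIs on the same remediation task.
const approval = {
  desiredRating: '3 - Medium', desiredScore: MEDIUM_CEILING, untilDate: '2026-06-30',
};
const sampleVis = [
  // No prior control: reduced, and the task's Until date is rolled down.
  { id: 'VIT-A', state: 'Open', riskScore: 90, originalRiskScore: null, untilDate: null },
  // Prior control (already reduced from 95 to 80): reduced again, Until date kept.
  { id: 'VIT-B', state: 'Open', riskScore: 80, originalRiskScore: 95, untilDate: '2026-03-31' },
  // Closed: excluded from the roll-down.
  { id: 'VIT-C', state: 'Closed', riskScore: 90, originalRiskScore: null, untilDate: null },
  // Already below the desired score: unchanged.
  { id: 'VIT-D', state: 'Open', riskScore: 40, originalRiskScore: null, untilDate: null },
];
const rolledDown = rollDownToVulnerableItems(approval, sampleVis);
```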

    Impact of a compensating control on a vulnerable item

    When your request for risk reduction is approved for a vulnerable item:

    • Its new risk score is displayed in the Risk score field and the old risk score (calculated risk score) moves to the Original risk score field. This change holds until the date specified in the Until date for risk reduction field.
    • When a vulnerable item has compensating controls already applied, during ingestion:
      • If the calculated risk score is greater than the risk score, the risk score remains the same and the original risk score is updated with the calculated risk score.
      • If the calculated risk score is less than the risk score, both the risk score and the original risk score are updated with the calculated risk score.
    • If a Configuration Item (CI) is changed for a vulnerable item on which a compensating control is already applied:
      • By default, the CI is updated on the same vulnerable item, because the sn_sec_cmn.update_on_ci_change system property is set to true.

        The compensating control is still applicable for the vulnerable item.

      • If the sn_sec_cmn.update_on_ci_change system property is set to false, the vulnerable item is closed and a new vulnerable item is created.

        The compensating control applied to the old vulnerable item is applied to the new vulnerable item, and the Until date for risk reduction, Original risk score, and Risk score remain the same.

    • When a vulnerable item that already has a compensating control applied is reopened by the scanner, the same compensating control is applied after it is reopened.
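    The ingestion and expiry rules above, together with the score transitions in Table 1, as an added JavaScript example that is not ServiceNow's own code: the functions are simplified stand-ins rather than the platform's API, and the rating thresholds and the Until date are assumptions chosen to agree with the table.

```javascript
// Added example, not ServiceNow code: replays Table 1 by applying this page's
// ingestion and expiry rules to one VI. Rating thresholds are an assumption,
// chosen so that they agree with the ratings shown in Table 1.
function ratingFor(score) {
  if (score >= 90) return '1 - Critical';
  if (score >= 70) return '2 - High';
  return '3 - Medium';
}

// Approval: the calculated score moves to Original risk score and the
// highest score of the Desired rating becomes the Risk score.
function applyControl(vi, desiredScore, untilDate) {
  return { ...vi, originalRiskScore: vi.riskScore, riskScore: desiredScore,
           riskRating: ratingFor(desiredScore), untilDate };
}

// Ingestion of a new scanner-calculated score for the VI.
function ingest(vi, calculatedScore) {
  if (vi.untilDate === null) {
    // No control applied: the calculated score is the risk score.
    return { ...vi, riskScore: calculatedScore, riskRating: ratingFor(calculatedScore),
             originalRiskScore: null };
  }
  if (calculatedScore > vi.riskScore) {
    // Reduced score is kept; only Original risk score follows the scanner.
    return { ...vi, originalRiskScore: calculatedScore };
  }
  // Calculated score at or below the reduced score: both fields follow the scanner.
  return { ...vi, riskScore: calculatedScore, riskRating: ratingFor(calculatedScore),
           originalRiskScore: calculatedScore };
}

// Expiry on the Until date: the stored original score is restored and the
// Original risk score field is cleared (last row of Table 1).
function expireControl(vi) {
  return { ...vi, riskScore: vi.originalRiskScore, riskRating: ratingFor(vi.originalRiskScore),
           originalRiskScore: null, untilDate: null };
}

// Replays the rows of Table 1 from the "After upgrading to v20.0" row onward.
function replayTable1() {
  const rows = [];
  let vi = { riskScore: 80, riskRating: '2 - High', originalRiskScore: null, untilDate: null };
  rows.push(vi);
  vi = ingest(vi, 90); rows.push(vi);                      // 1 - Critical, 90, Null
  vi = applyControl(vi, 69, '2026-06-30'); rows.push(vi);  // 3 - Medium, 69, 90
  vi = ingest(vi, 70); rows.push(vi);                      // 3 - Medium, 69, 70
  vi = ingest(vi, 50); rows.push(vi);                      // 3 - Medium, 50, 50
  vi = ingest(vi, 80); rows.push(vi);                      // 3 - Medium, 50, 80
  vi = expireControl(vi); rows.push(vi);                   // 2 - High, 80, Null
  return rows;
}
```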