The ServiceNow® Continuous Authorization and Monitoring (CAM) application helps governmental organizations and contractors, critical infrastructure, and other high-assurance organizations manage their compliance with cyber risk management frameworks.
With CAM, you can manage the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), Defense Federal Acquisition Regulation Supplement/NIST SP 800-171 (DFARS), FedRAMP, International Organization for Standardization (ISO) 31000, and other high-maturity standards.
You can use digital transformation across all stages of the risk management lifecycle to reduce manual work, improve collaboration across functional teams within the platform, and use the flexibility of the ServiceNow® platform to adapt your risk management system to your processes easily. You can also achieve new levels of automation for the multitude of tasks around the management of authorization boundaries, impact assessments, system categorization, controls, audits, plans of action, milestones, artifacts, attestations, continuous monitoring, ongoing authorization, and others.
- Manage authorization boundaries with deep integration into CMDB.
- Manage and assign roles such as ISSO, ISSM, System Owner, Security Controls Assessors, Information Owner, and key stakeholders.
- Attach key artifacts, such as the data flow diagram and the network diagram.
- Perform impact analysis in-platform with automated system categorization.
- Automatically select baseline controls, with the option to override the selection.
- Manage control overlays with individual control tailoring and control exception reason.
- Define and inherit common controls across authorization boundaries with full visibility of those controls, their owners, and current states.
- Automatically generate issues and findings based on automated or manual indicators, or attestations.
- Receive attestation responses and artifacts within the platform without resorting to email and spreadsheets.
- Use indicators to define acceptable or unacceptable data conditions for true continuous monitoring.
- Create assessment engagements and test plans, and issue assessment tasks to control assessors.
- Create and manage Plan of Action & Milestones (POA&Ms) and drive related work tasks and subtasks across functional teams without having to leave the platform.
- Gain visibility into the work completion and timeliness of POA&Ms in progress before they are overdue.
- Automatically generate System Security Plans (SSP) with up-to-date ground truth.
- Continuously monitor the state of compliance and authorization of your programs and missions.
New:
- Relationships between boundaries can now be created, and hierarchies of boundaries are supported.
- Added a "Dynamic Filter" checkbox for boundary filters; when enabled, the system elements in the boundary are updated according to the filter conditions.
- Automatic update of boundary status to Operational when a package moves to the Monitor state.
- Transition of Boundary status to Reauthorize as the Package Authorization date approaches.
Changed:
- Inactive authorization packages cannot be moved to the next step.
- ISSO users can now edit the Implementation statement field of an authorization package's controls.
Fixed:
- Some of the missing information types have been updated with the appropriate sub-categories.
- The SSP Word template has been updated to include Rev5 controls wherever applicable.
- The applies_to field of the Entity linked to an authorization boundary is now populated with that same authorization boundary.
- Fixed security defects.
Removed:
- The sam_user role has been removed from the CAM Reader role.
The following GRC applications must be installed and active:
- GRC: Policy and Compliance Management (com.sn_compliance)
- GRC: Risk Management (com.sn_risk)
- GRC: Audit Management (com.sn_audit)
The following plugin must be active:
When you upgrade this application, ensure that any other installed GRC applications are upgraded to the equivalent release version. For example, Continuous Authorization and Monitoring version 18.x is certified to work with other version 18.x GRC applications.