The ServiceNow® Continuous Authorization and Monitoring (CAM) application helps governmental organizations and contractors, critical infrastructure, and other high-assurance organizations manage their compliance with cyber risk management frameworks.
With CAM, you can manage the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), Defense Federal Acquisition Regulation Supplement/NIST 800-171 (DFARS), FedRAMP, International Organization for Standardization (ISO) 31000, and other high-maturity standards.
You can apply digital transformation across all stages of the risk management lifecycle to reduce manual work, improve collaboration across functional teams within the platform, and use the flexibility of the ServiceNow® platform to adapt your risk management system to your processes easily. You can also achieve new levels of automation for the many tasks involved in managing authorization boundaries, impact assessments, system categorization, controls, audits, plans of action and milestones, artifacts, attestations, continuous monitoring, ongoing authorization, and more.
- Manage authorization boundaries with deep integration into CMDB.
- Manage and assign roles such as ISSO, ISSM, System Owner, Security Controls Assessors, Information Owner, and key stakeholders.
- Attach key artifacts, such as the data flow diagram and the network diagram.
- Perform impact analysis in-platform with automated system categorization.
- Automatically select baseline controls, with support for selection overrides.
- Manage control overlays with individual control tailoring and control exception reason.
- Define and inherit common controls across authorization boundaries with full visibility of those controls, their owners, and current states.
- Automatically generate issues and findings based on automated or manual indicators, or on attestations.
- Receive attestation responses and artifacts within the platform without resorting to email and spreadsheets.
- Use indicators to define acceptable or unacceptable data conditions for true continuous monitoring.
- Create assessment engagements and test plans, and issue assessment tasks to control assessors.
- Create and manage Plan of Action & Milestones (POA&Ms) and drive related work tasks and subtasks across functional teams without having to leave the platform.
- Gain visibility into the work completion and timeliness of POA&Ms in progress before they are overdue.
- Automatically generate System Security Plans (SSP) with up-to-date ground truth.
- Continuously monitor the state of compliance and authorization of your programs and missions.
Fixed:
- Enhanced security by creating Query range ACLs across multiple tables.
The following GRC applications must be installed and active:
- GRC: Policy and Compliance Management (com.sn_compliance)
- GRC: Risk Management (com.sn_risk)
- GRC: Audit Management (com.sn_audit)
The following plugin must be active:
When you upgrade this application, ensure that any other installed GRC applications are upgraded to the equivalent release version. For example, Continuous Authorization and Monitoring version 18.x is certified to work with other version 18.x GRC applications.