NIST CSF tables
Summary of NIST CSF Tables
This content outlines the key tables associated with the NIST Cybersecurity Framework (CSF) within the ServiceNow Governance, Risk, and Compliance (GRC) application. These tables facilitate tracking various aspects of cybersecurity activities, controls, and compliance reporting, enabling organizations to effectively manage their cybersecurity posture.
Key Features
- Target Table: A core table for tracking attributes specific to GRC use-case content packs; no two target records can reference the same entity.
- NIST CSF Activity: Tracks cybersecurity activities relevant to a target and assists in gap analysis to identify issues and action plans.
- Gaps Table: Monitors control objectives that are not yet implemented, aiding in reporting and drill-down analysis.
- Non-compliant Control: Tracks controls identified as non-compliant, linking them to relevant targets for reporting purposes.
- Risk Table: Records risks associated with implemented controls, facilitating detailed reporting and analysis.
- Issue Table: Keeps track of issues related to implemented controls, also linking to associated risks for comprehensive metrics.
- Action Plan Table: Documents action plans for identified issues, enhancing overall remediation tracking.
- Failed Indicators: Tracks failed indicators related to targets and controls, supporting reporting efforts.
- Related Control Objectives: Manages associations between control objectives, including relationships at the same level.
Key Outcomes
By leveraging these tables within ServiceNow, organizations can enhance their ability to manage cybersecurity risks, ensure compliance with the NIST CSF, and effectively report on their cybersecurity posture. This structured approach supports comprehensive analysis and facilitates informed decision-making regarding cybersecurity strategies and actions.
A few tables are impacted by the NIST CSF guidance.
| Table | Purpose |
|---|---|
| Target [sn_grc_target] | Target is a core table designed to be a shared component among the ServiceNow GRC application and GRC use-case content packs. Target is like an entity in its purpose, but is used to track any attributes specific to use-case content packs. No two target records can reference the same entity at any time. |
| NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity] | The NIST CSF Activity table is used to track cybersecurity activity relevant for a target. The activity also helps in performing gap analysis that identifies the gaps, non-compliant controls, risks, issues, failed indicators, and action plans for a cybersecurity activity. |
| Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act] | The Gaps table in NIST CSF is used to track control objectives that aren’t yet implemented as gaps. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Gaps to Targets. |
| Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act] | The Non-compliant Control table in NIST CSF is used to track controls that are identified as non-compliant. Only cybersecurity control objectives, as defined by the framework core, that are implemented as controls and are non-compliant are tracked. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Non-compliant Controls to Targets. |
| Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities] | The Risk table in NIST CSF is used to track risks that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Risks to Targets. |
| Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act] | The Issue table in NIST CSF is used to track issues that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. Issues of risks associated with these controls are also included in the metric. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Issues to Targets. |
| Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act] | The Action Plan table in NIST CSF is used to track the action plans that are identified for the issues. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Action Plans (remediation tasks) to Targets. |
| Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act] | The Failed Indicators table in NIST CSF is used to track the failed indicators of the target and the control or risk. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Failed Indicators to Targets. |
| Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt] | The Related Control Objectives table in NIST CSF is used to track the associations between control objectives. In the base implementation, parent and child control objectives are supported, but this table introduces a concept to relate the control objectives at the same level. |