NIST RMF supporting concepts

  • Release version: Yokohama
  • Updated July 31, 2025

    Familiarize yourself with these concepts, developed from the NIST RMF guidance.

    Note:
    Starting with version 10.1.0, the NIST RMF Use Case Accelerator will be supported only for customers who currently use the product. New and existing customers should consider using the GRC: Continuous Authorization Monitoring application. For details, see Continuous Authorization and Monitoring.
    Target

    The target is the foundation of the NIST RMF Use Case Accelerator and all related concepts.

    The target is a shared table between the ServiceNow® GRC products and several Use Case Accelerators. Targets are similar to the concept of profiles in the core GRC applications. They are optionally linked to profiles, but hold any attributes that are specific to the Use Case Accelerators.
    Note:
    Each NIST RMF Target uniquely represents a single profile throughout its RMF life-cycle.

    Confidentiality (C)

    Confidentiality is a security objective of a Target, defined as the act of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Confidentiality is expressed as a High, Moderate, or Low value.

    Integrity (I)

    Integrity is a security objective of a Target, defined as the act of guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Integrity is expressed as a High, Moderate, or Low value.

    Availability (A)

    Availability is a security objective of a Target, defined as the act of ensuring timely and reliable access to and use of information. Availability is expressed as a High, Moderate, or Low value.

    Baseline controls

    Baseline controls are a recommended set of security controls from the National Institute of Standards and Technology (NIST) which, when implemented and determined to be effective, mitigate security risk while complying with security requirements. Each baseline control has a designated impact value, which is a combination of the High, Moderate, and Low values.

    Impact analysis

    Impact analysis determines the extent to which proposed or actual changes to the Target or its environment of operation can affect, or have affected, the security state of the Target. The Target's impact level is the highest level among its three CIA security objectives: a Target in which all three objectives evaluate to Low is Low-impact and uses the security controls tagged with the Low impact value; a Target in which at least one objective evaluates to Moderate and none to High is Moderate-impact and uses the security controls tagged with the Moderate impact value; and a Target in which any objective evaluates to High is High-impact and uses the security controls tagged with the High impact value.

    Assurance

    Assurance controls increase both the strength of security and the degree of confidence that the functionality of Targets is correct, complete, and consistent; they mitigate security risk and assist in complying with security requirements.

    Common

    Common controls are controls that can be inherited by one or more Targets.

    Compensating

    Compensating controls are controls that can be employed in lieu of recommended baseline security controls and that provide equivalent or comparable protection for the Targets.

    Supplemental

    Supplemental controls are additional security controls employed to adequately meet the risk management needs of a Target.

    Tailoring

    Tailoring is the process by which a security control baseline is modified based on: (i) Target scoping guidance; (ii) specification of the security controls, for example compensating controls, if needed; and (iii) specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
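As an added example (not ServiceNow code or its scripting API), the following JavaScript applies the impact analysis and tailoring rules above to a constructed control catalogue; the control ids, the catalogue, and the shape of the `tailoring` input are assumptions made for the example.

```javascript
const RANK = { Low: 1, Moderate: 2, High: 3 };

// High-water mark: the Target's impact is the highest of its C, I and A objectives.
function targetImpact(target) {
  const levels = [target.confidentiality, target.integrity, target.availability];
  levels.forEach(l => {
    if (!(l in RANK)) throw new Error('objective must be Low, Moderate or High: ' + l);
  });
  return levels.reduce((hi, l) => (RANK[l] > RANK[hi] ? l : hi), 'Low');
}

// Constructed catalogue (assumption): each control's impact value is a combination of
// levels, as described on this page. Ids are placeholders, not NIST SP 800-53 numbers.
const CATALOG = [
  { id: 'CTL-1', impact: ['Low', 'Moderate', 'High'] },
  { id: 'CTL-2', impact: ['Moderate', 'High'] },
  { id: 'CTL-3', impact: ['High'] },
  { id: 'CTL-4', impact: ['Low'] },
  { id: 'CTL-5', impact: ['Low', 'Moderate'] },
];

// Baseline: every catalogue control tagged with the Target's impact level.
function baselineFor(target, catalog) {
  const level = targetImpact(target);
  return catalog.filter(c => c.impact.includes(level)).map(c => c.id);
}

// Tailoring: common controls are inherited instead of implemented, compensating
// controls replace named baseline controls, supplemental controls are added on top.
// The `tailoring` object is a constructed input shape, not a ServiceNow record.
function tailor(baseline, tailoring) {
  const comp = tailoring.compensating || {};
  const common = new Set(tailoring.common || []);
  Object.keys(comp).forEach(id => {
    if (!baseline.includes(id)) throw new Error('compensated control not in baseline: ' + id);
  });
  return {
    implement: baseline.filter(id => !common.has(id) && !(id in comp)),
    inherit: baseline.filter(id => common.has(id)),
    compensating: Object.values(comp),
    supplemental: tailoring.supplemental || [],
  };
}

// Worked case: C=Low, I=Moderate, A=Low gives a Moderate-impact Target.
const sampleTarget = { confidentiality: 'Low', integrity: 'Moderate', availability: 'Low' };
const samplePlan = tailor(baselineFor(sampleTarget, CATALOG),
  { common: ['CTL-1'], compensating: { 'CTL-2': 'COMP-A' }, supplemental: ['SUP-1'] });
```

For the worked case the Moderate baseline is CTL-1, CTL-2 and CTL-5; CTL-1 is inherited as a common control, CTL-2 is replaced by the compensating control COMP-A, and only CTL-5 remains to be implemented directly, with SUP-1 added as a supplemental control.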