Integrate with UCF Common Controls Hub to manage compliance frameworks

  • Release version: Yokohama
  • Updated January 30, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Integrate with UCF Common Controls Hub to manage compliance frameworks

    This integration enables ServiceNow® Governance, Risk, and Compliance (GRC) customers to import and manage compliance frameworks by connecting with the Unified Compliance Framework (UCF) Common Controls Hub (CCH). Compliance administrators can download UCF content—including authority documents, citations, controls, and control objectives—and keep this information current by updating at predefined intervals.

    A UCF Common Controls Hub account with API access is required to create and import shared lists into the ServiceNow instance. Note that free access to UCF content ended in 2018; organizations must now purchase a UCF subscription directly or via the ServiceNow Store.

    Key Features

    • Import Authority Documents via Shared Lists: Compliance managers download UCF authority documents organized in shared lists. Each shared list must include every authority document already imported into the ServiceNow instance to avoid inconsistencies.
    • Handling Multiple Shared Lists: To import more than 100 authority documents, users can create multiple shared lists, grouping related documents to avoid dependencies. The system property sn_comp_ucf.deactivate_deprecated_docs must be set to false to support importing multiple shared lists; with that setting, imported authority documents are not validated automatically.
    • Read-Only Data: All imported UCF data is read-only within ServiceNow to maintain integrity and must not be customized.
    • Terminology Mapping: The integration aligns UCF terminology with ServiceNow GRC terms, mapping UCF Authority Documents, Citations, and Controls to their GRC equivalents (Authority Document, Citation, and Control Objective respectively).
    • Integration Setup Support: Customers can create a Now Support case to assist with UCF-CCH account integration and configuration.

    Practical Considerations and Best Practices

    • Ensure every authority document to be imported is included in the shared list to maintain synchronization between UCF CCH and the ServiceNow instance.
    • When importing multiple shared lists, manually validate deprecated documents and the links between citations and control objectives, as automatic deactivation is disabled.
    • Keep the UCF authority documents updated regularly to maintain a consistent and accurate controls framework.
    • Protect read-only imported data from customization to safeguard compliance integrity.

    Compliance administrators can download content from Network Frontiers Unified Compliance Framework (UCF) to use as GRC authority documents, citations, controls, and control objectives. The documents can be updated on pre-defined intervals. You must have a UCF Common Controls Hub account to create shared lists and import them into the ServiceNow® instance.

    If your organization wants to use UCF Common Controls Hub as the source for your controls library, you can purchase a subscription from the ServiceNow Store or see Common Controls Hub. For more information, see Unified Compliance Framework.

    Note:
    The previous arrangement for free access to UCF content inclusive of your GRC license ended November 30, 2018. All customers must purchase a subscription from Unified Compliance directly.
    Warning:
    All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or control objectives on any UCF fields transformed into GRC tables.

    Import authority document using single shared list

    Every authority document already imported into the ServiceNow® instance must be in any shared list you wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which may have changed) and what you’ve already imported.
    Figure 1. Shared list import successful
    Graphic shows all authority documents reimported with the new one
    Figure 2. Shared list import unsuccessful
    Graphic shows a mismatch of the imported authority documents

    An error is rendered since SOX is not being reimported within this Shared List.

    Import authority documents using multiple shared lists

    A shared list can contain only 100 authority documents, so if you need to import more than 100 authority documents you must split them across multiple shared lists. For example, create shared list SL1 to import 100 authority documents and SL2 for the rest. Group similar authority documents together in the same shared list so that no document in one shared list depends on a document in another.

    To support multiple shared lists, the system property sn_comp_ucf.deactivate_deprecated_docs, which is true by default, must be set to false.
    • If the system property is set to true, then the existing validation is done to check if the authority documents imported are already imported in the ServiceNow instance.
    • If the system property is set to false, then the imported authority documents are not validated at all.

    Set the property to false and import the UCF content in multiple shared lists. If the authority documents, citations, and control objectives imported in a shared list are deprecated, they are not deactivated in the ServiceNow instance. Instead, the user must manually validate the documents and the links between the citations and control objectives. An email is sent with links to the mapping between the citations and control objectives.
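
The two import rules above (a single shared list must contain every already-imported authority document; multiple shared lists hold at most 100 documents each with related documents grouped together) can be checked before anything is sent to the UCF CCH. The following is an added illustration, not ServiceNow or UCF code: the function names, the group structure, and the sample document names are assumptions, and it calls no ServiceNow or UCF CCH API.

```javascript
// Added illustration: plain JavaScript, no ServiceNow or UCF CCH API calls.
const MAX_PER_SHARED_LIST = 100; // shared list limit stated on this page

// Single shared list: every authority document already imported into the
// instance must also be in the list, or the import reports a mismatch.
function checkSingleSharedList(alreadyImported, sharedList) {
  const inList = new Set(sharedList);
  const missing = alreadyImported.filter((doc) => !inList.has(doc));
  const overLimit = sharedList.length > MAX_PER_SHARED_LIST;
  return { ok: missing.length === 0 && !overLimit, missing, overLimit };
}

// Multiple shared lists: keep each group of related documents whole and
// pack groups into lists of at most 100 (first fit, largest group first).
// groups: { groupName: [documentName, ...] }, chosen by the administrator.
function planSharedLists(groups) {
  const seen = new Map(); // document -> group, to catch cross-group overlap
  for (const [name, docs] of Object.entries(groups)) {
    if (docs.length > MAX_PER_SHARED_LIST) {
      throw new Error(`group "${name}" exceeds ${MAX_PER_SHARED_LIST} documents`);
    }
    for (const doc of docs) {
      if (seen.has(doc)) {
        throw new Error(`"${doc}" is in both "${seen.get(doc)}" and "${name}"`);
      }
      seen.set(doc, name);
    }
  }
  const bySize = Object.entries(groups).sort((a, b) => b[1].length - a[1].length);
  const lists = [];
  for (const [name, docs] of bySize) {
    let target = lists.find((l) => l.docs.length + docs.length <= MAX_PER_SHARED_LIST);
    if (!target) {
      target = { name: `SL${lists.length + 1}`, groups: [], docs: [] };
      lists.push(target);
    }
    target.groups.push(name);
    target.docs.push(...docs);
  }
  return lists;
}

// Constructed sample input: SOX is already imported but left out of the list.
const sample = checkSingleSharedList(["SOX", "Doc A"], ["Doc A", "Doc B"]);
console.log(sample.ok, sample.missing);
```

Because validation is skipped when the property is false, a plan like this is the only place a split group or a duplicated document would be caught before the manual review described above.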

    UCF and GRC terminology differences

    Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology between UCF and the GRC applications differs slightly as explained in the following table.

    Table 1. Terminology differences

    | UCF                | GRC application    |
    |--------------------|--------------------|
    | Authority Document | Authority Document |
    | Citation           | Citation           |
    | Control            | Control Objective  |