DevOps accelerator for control compliance, PaCE execution, and exception management

  • Release version: Yokohama
  • Updated January 30, 2025

    GRC: DevOps Accelerator is an application that enables your customers to evaluate compliance for DevOps policies and GRC control objectives by integrating with Policy as a Code Engine (PaCE).

    Important:
    GRC DevOps Accelerator is now deprecated and no longer supported or available for new activation. For details, see the Deprecation process [KB0867184] article in the Now Support Knowledge Base.

    The GRC: DevOps Accelerator (com.sn_grc_devops) plugin maps control objectives drawn from regulations, standards, and frameworks, such as CIS controls, NIST 800-53, ISO 27002, PCI DSS, and others, with DevOps Policy as a Code Engine (PaCE). The DevOps policies are provided by the DevOps Config Policy Content Pack.

    With this integration, you can evaluate the compliance status. The integration also enables DevOps managers to monitor control compliance, visualize evidence of PaCE execution, and manage exceptions.

    Pre-requisites for DevOps accelerator

    1. Hierarchy of PaCE-related plugins and CDM-related plugins.
    2. DevOps Config Policy Content Pack provided by PaCE.
    3. GRC plugins: GRC: Cybersecurity Controls Accelerator, GRC: Compliance UCF, and GRC: Continuous Authorization and Monitoring.
    Note:
    GRC: DevOps Accelerator (com.sn_grc_devops) depends on DevOps Config Policy Content Pack and GRC: Policy and Compliance Management. However, if the GRC: Cybersecurity Controls Accelerator (CIS), GRC: Unified Compliance Framework (UCF), and GRC: Continuous Authorization and Monitoring (CAM) plugins are not installed on the instance, the staging data relevant to the control objectives from these plugins is not available when GRC: DevOps Accelerator is installed.
    GRC: DevOps Accelerator plugin maps the relationship between PaCE policies and control objectives.
    Note:
    Not all GRC control objectives may have a relationship with every PaCE policy.

    Populating control objective and PaCE mapping data from the instances to staging table

    Control objective to items mapping table
    As part of the DevOps accelerator, the mapping relationships between control objectives and PaCE policies are shipped to customers. The relationship is captured in the Control objective to items [sn_compliance_control_objective_item] table, where the Control objective column and the Item record column (the PaCE policy) list the data.
    Figure 1. Control objective to item table
    DevOps policy to control objective staging table
    Figure 2. DevOps accelerator staging table

    The DevOps accelerator includes a staging table, the DevOps policy to control objective staging [sn_grc_devops_policy_control_objective_staging] table. A user with the Compliance admin role can view the table.

    For CAM and CIS, the sys IDs of the control objectives map with the DevOps policy sys IDs. However, for UCF, the source ID of the control objective imported from the Shared List is mapped with the DevOps policy sys ID.

    The data in the DevOps policy to control objective staging [sn_grc_devops_policy_control_objective_staging] table is shipped in Pending status. The data is populated in the staging table based on the applications that are installed in the instance. The data is not processed if the control objective and the PaCE policy do not exist in the instance.

    Scheduled job to move data from the staging to the main table

    A daily job (Import DevOps policy to Control Objective mapping from staging) runs after the applications and the DevOps accelerator are installed and adds the records to the Control objective to items [sn_compliance_control_objective_item] table. If a record is successfully added to the mapping table, the status of the record in the staging table moves to Processed. If a control objective is not populated or present in the application, the record is not processed and stays in Pending status.
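
    The import behaviour described above, modelled in plain JavaScript as an added example (not ServiceNow's code and not a platform script). It shows which staging rows end up Processed and why the rest stay Pending. All field names (source, controlObjectiveRef, policySysId, status, sourceId) and the sample records are assumptions, since the page does not list the real columns of either table.

```javascript
// In-memory model of the staging-to-mapping import. Field names are hypothetical.

// Constructed sample data: control objectives and PaCE policies present on the instance.
const controlObjectives = [
  { sysId: "co-cis-01", sourceId: null, source: "CIS" },
  { sysId: "co-ucf-77", sourceId: "UCF-00123", source: "UCF" },
];
const pacePolicies = new Set(["pol-a", "pol-b"]);

// Constructed staging rows, all shipped in Pending status.
const staging = [
  { source: "CIS", controlObjectiveRef: "co-cis-01", policySysId: "pol-a", status: "Pending" },
  { source: "UCF", controlObjectiveRef: "UCF-00123", policySysId: "pol-b", status: "Pending" },
  // CAM plugin not installed, so its control objective is absent.
  { source: "CAM", controlObjectiveRef: "co-cam-09", policySysId: "pol-a", status: "Pending" },
  // Control objective exists, but the PaCE policy does not.
  { source: "CIS", controlObjectiveRef: "co-cis-01", policySysId: "pol-z", status: "Pending" },
];

// CAM and CIS rows reference the control objective sys ID; UCF rows reference its source ID.
function resolveControlObjective(row, objectives) {
  const key = row.source === "UCF" ? "sourceId" : "sysId";
  return objectives.find((co) => co[key] === row.controlObjectiveRef) || null;
}

// One run of the daily job: returns the rows that stay Pending, each with a reason.
function runImport(stagingRows, objectives, policies, mappingTable) {
  const stillPending = [];
  for (const row of stagingRows) {
    if (row.status !== "Pending") continue; // already Processed on an earlier run
    const co = resolveControlObjective(row, objectives);
    let reason = null;
    if (!co) reason = "control objective not on instance";
    else if (!policies.has(row.policySysId)) reason = "PaCE policy not on instance";
    if (reason) {
      stillPending.push({ row, reason });
      continue;
    }
    // Mapping row: Control objective column plus Item record column (the PaCE policy).
    mappingTable.push({ controlObjective: co.sysId, item: row.policySysId });
    row.status = "Processed";
  }
  return stillPending;
}

const mapping = [];
const pending = runImport(staging, controlObjectives, pacePolicies, mapping);
for (const p of pending) console.log(`${p.row.source}/${p.row.controlObjectiveRef}: ${p.reason}`);
```

    Rows left in Pending are the ones to review: each is a control objective with no PaCE policy evidence behind it on that instance.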