CAM workflow configuration

  • Release version: Australia
  • Updated June 16, 2026

    Configure custom workflows in Continuous Authorization and Monitoring (CAM) to support compliance requirements beyond the default National Institute of Standards and Technology (NIST) Risk Management Framework.

    The CAM Workflow Configuration enables you to configure custom workflows and frameworks instead of restricting operations to the National Institute of Standards and Technology (NIST) framework. This flexibility enables you to adapt CAM to your specific compliance and authorization requirements.

    Previously, CAM maintained tight coupling with the NIST framework and its seven-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The Workflow Configuration decouples CAM from this single framework, enabling you to create and map custom workflows to authorization packages and boundaries.

    The configuration uses existing authorization package records and adds flexible state models that can map to different workflows. This approach maintains backward compatibility while enabling support for multiple workflows.

    Workflow configuration

    A workflow configuration defines the workflow, framework, regulation, and its associated versions, impacts, and view rules. CAM ships with a NIST workflow configuration, but you can create additional workflows for other frameworks such as the Protective Security Policy Framework (PSPF) or custom internal frameworks.

    Each workflow configuration includes:

    • Versions: Different revisions of the workflow (for example, NIST Rev 4 and Rev 5)
    • Workflow impacts: Impact levels used to filter control objectives (for example, Low, Moderate, High)
    • View rules: Custom views that apply only to specific workflows
    • State model: Links the workflow to a specific state model

    State model

    A state model defines the steps, transitions, and validations for a workflow. The state model is applied to the authorization package table and controls how packages move through the workflow life-cycle.

    State models include:

    • Workflow states: Individual steps in the framework (for example, Prepare, Categorize, Select)
    • State transitions: Valid paths between steps, with required validation conditions
    • State model attributes: Special capabilities like approval requirements or report generation. State model attributes control the functionality available at specific workflow steps.

    State transitions

    State transitions define how packages move from one step to another. Each transition can include validation conditions that must be satisfied before proceeding.

    Examples of validation conditions:

    • Authorization boundary field can’t be empty
    • All baseline controls must have "Create controls automatically" enabled
    • Required approvals must be completed
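
The sketch below is an added example, not ServiceNow code or part of the original documentation: it models how validation conditions gate a state transition, using the three example conditions listed above. The field names and the pairing of conditions with particular transitions are assumptions made for illustration.

```javascript
// Added illustration: a minimal model of a CAM-style state model, not ServiceNow code.
// Field names and which condition guards which transition are assumptions.
const conditions = {
  boundarySet: {
    message: 'Authorization boundary field is empty',
    check: (pkg) => Boolean(pkg.authorizationBoundary),
  },
  controlsAutoCreate: {
    message: 'A baseline control lacks "Create controls automatically"',
    check: (pkg) => pkg.baselineControls.every((c) => c.createControlsAutomatically),
  },
  approvalsDone: {
    message: 'Required approvals are not completed',
    check: (pkg) => pkg.requiredApprovals.every((a) => a.state === 'approved'),
  },
};

// Valid paths between steps; anything not listed is rejected outright.
const transitions = [
  { from: 'Prepare', to: 'Categorize', requires: ['boundarySet'] },
  { from: 'Categorize', to: 'Select', requires: [] },
  { from: 'Select', to: 'Implement', requires: ['boundarySet', 'controlsAutoCreate'] },
  { from: 'Implement', to: 'Assess', requires: [] },
  { from: 'Assess', to: 'Authorize', requires: ['approvalsDone'] },
  { from: 'Authorize', to: 'Monitor', requires: [] },
];

// Returns { ok, state, failures }; the package record is never mutated.
function attemptTransition(pkg, to) {
  const t = transitions.find((x) => x.from === pkg.state && x.to === to);
  if (!t) {
    return { ok: false, state: pkg.state, failures: [`No transition ${pkg.state} -> ${to}`] };
  }
  const failures = t.requires
    .filter((name) => !conditions[name].check(pkg))
    .map((name) => conditions[name].message);
  return { ok: failures.length === 0, state: failures.length ? pkg.state : to, failures };
}

// Constructed sample record: empty boundary, one control not set to auto-create.
const samplePackage = {
  state: 'Select',
  authorizationBoundary: '',
  baselineControls: [
    { id: 'AC-2', createControlsAutomatically: true },
    { id: 'AU-6', createControlsAutomatically: false },
  ],
  requiredApprovals: [{ approver: 'ao', state: 'requested' }],
};
```

Collecting every failed condition, rather than stopping at the first, gives the package owner the full list of what blocks the move in a single attempt.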

    State model attributes

    Attributes add special capabilities to workflow states without requiring custom code. Attributes control features like approval requirements, report generation, related list actions, and UI page visibility for specific workflow states.

    For a complete list of available attributes, see Add existing attributes to a GRC workflow state.

    Workflow limitations

    Without the CAM Advanced plugin (app-grc-cont-auth-monitor-advanced), you can create a maximum of two workflows (including the NIST workflow). Installing the CAM Advanced plugin removes this limitation and enables unlimited workflow configurations.

    Enabling workflow configuration

    The workflow configurator is available only when CAM Workspace is installed. A system property controls whether custom workflows are enabled. For more information, see Continuous Authorization and Monitoring system properties.

    When you enable the workflow configuration property:

    • The system displays a confirmation dialog explaining the impacts
    • Existing packages and boundaries must be migrated to associate them with workflows
    • The property can’t be deactivated after activation
    • The system refreshes to apply the new configuration
    Important:
    After enabling the property, you must run the migration scheduled job to associate existing packages and boundaries with the NIST workflow. Packages and boundaries without workflow associations have limited functionality.

    Migration behavior

    When migrating existing data, CAM automatically assigns all packages and boundaries to the default NIST workflow.

    The migration process:

    • Identifies all authorization packages and boundaries without workflow assignments
    • Associates them with the default NIST workflow configuration
    • Updates the home page to display workflow-specific tabs
    • Enables workflow-based filtering and reporting

    OSCAL export and import

    When the workflow configuration property is enabled, OSCAL export includes workflow and framework metadata.

    Export and import scenarios

    • Property off (export) → Property on (import): Imported packages default to the NIST workflow because no workflow data exists in the export
    • Property on (export) → Property off (import): Import succeeds but packages lack workflow functionality
    • Property on (both instances):
      • If the workflow exists in the import instance: Package uses that workflow
      • If the workflow doesn’t exist in the import instance: Package experience is broken and must be manually corrected
    Note:
    CAM doesn’t support importing packages with missing workflow configurations. You must create matching workflows in the target instance before importing.

    Assessment capabilities

    The Send Assessment button enables both classic assessments and risk assessments (when Advanced Risk Management is installed).

    Classic assessments

    Platform assessments that use assessment metric types. You must create or modify assessment templates where the table is set to Authorization Package.

    Risk assessments

    Risk Assessment Methodology (RAM) assessments that evaluate risks associated with packages and boundaries. Risk assessments appear in a separate related list on the package form.

    Note:
    CAM doesn’t ship assessment templates for authorization packages. You must create or modify existing templates for both assessment types.