Request control tailoring
Summary of Request control tailoring
Request control tailoring enables ServiceNow customers to modify baseline controls in an authorization package after the Select step without reverting the package to earlier workflow stages. This feature avoids resetting the entire control lifecycle and the need to reimplement or retest all controls, allowing incremental changes by applying only the differences (delta changes).
Control tailoring supports various control types: Baseline, Inherited, Hybrid, Fully Inherited, Not Applicable, Overlay. It is available for packages in the Implement step or later and can be initiated by CAM admins, system owners, ISSOs, and ISSMs.
Key Features
- Incremental Modifications: Add new controls or update existing ones without affecting controls that remain unchanged.
- Dual Panel Interface: Displays Current Records (existing package configuration) and Requested Records (proposed changes) side by side, helping users review current allocations while building modifications.
- Approval Workflow: Control tailoring requests are submitted for approval to the Authorizing Official (AO), who receives email notifications and reviews only the delta changes. The AO can approve, request additional information, or reassign the request. If more information is required, the request returns to the submitter for revision before resubmission.
- Control State Transitions: The system handles various control changes appropriately:
  - Additions create controls in Draft state.
  - Changing controls from Not Applicable to Applicable creates new controls; changing from Applicable to Not Applicable retires them.
  - Updates to hybrid controls adjust allocation types or configurations accordingly.
  - Overlay control modifications apply configured behaviors upon approval.
- Package Status During Approval: Proposed changes remain inactive until AO approval. Only one new control tailoring request can be pending per package at a time.
- Audit Trail: All control tailoring activities are logged in the authorization package work notes for traceability.
Key Outcomes
- Enables efficient, granular updates to authorization package controls without full lifecycle resets.
- Reduces the risk and effort associated with broad reimplementation or retesting when only minor control adjustments are needed.
- Ensures control changes are governed and approved through a clear workflow involving the AO.
- Maintains package integrity by keeping unaffected controls stable while accommodating necessary changes.
Control tailoring requests enable you to modify baseline controls for an authorization package after the Select step without reverting the package to earlier workflow steps.
Without control tailoring requests, modifying baseline controls after the Select step requires moving the package back to Select, which resets the control lifecycle for all controls in the package. This requires reimplementing and retesting all controls even when changes affect only a small subset. Control tailoring requests allow incremental modifications by applying only delta changes to the package.
Control tailoring requests let you add new controls or update existing control configurations while maintaining unaffected controls in their current state.
The following control types are supported:
- Baseline
- Inherited
- Hybrid
- Fully inherited
- Not applicable
- Overlay
CAM admins, system owners, ISSOs, and ISSMs can create control tailoring requests for packages in the Implement step or later. The request interface displays two panels: Current Records (left), showing the existing package configuration, and Requested Records (right), showing the proposed modifications. Review the current allocations as a reference while building the requested changes.
Approval workflow
After you submit a control tailoring request for approval, the system assigns it to the Authorizing Official (AO) configured for the authorization package. The AO receives an email notification. The AO reviews only the delta changes in the Requested Changes tab and can approve, request more information, or reassign to a different AO. If more information is needed, the request returns to the submitter for modifications before resubmission.
After approval, changes are applied to the requested controls. Only modified controls transition to new states while unchanged controls retain their current state. All control tailoring activities are recorded in the authorization package work notes.
Control state transitions
The control tailoring process manages several types of control changes:
When you add a baseline control to the package, the system creates the corresponding control in Draft state. When you change a baseline control from Not Applicable to Applicable, the system creates the control. When you change a baseline control from Applicable to Not Applicable, the system retires the existing control.
When you change a hybrid control to inherited or fully inherited, the system updates the existing control with the new allocation type. When you update the hybrid configuration for an existing hybrid control, the system updates the control requirements to reflect the new configuration.
When an overlay control modification in a control tailoring request is approved, the system applies the overlay's configured behavior and actions to the authorization package.
Package status during approval
While a control tailoring request is pending approval, the proposed changes don't take effect until the AO approves the request. After approval, the system applies the changes to baseline controls and updates related controls accordingly. Only one control tailoring request in New state is allowed per package at a time.