NIST CSF tables

Release version: Australia

Updated June 16, 2026

2 minutes to read

Summarize

Summarized using AI

Summary of NIST CSF tables

The NIST CSF tables in ServiceNow GRC provide structured data management to support cybersecurity risk management aligned with the NIST Cybersecurity Framework. These tables enable tracking of targets, activities, gaps, controls, risks, issues, action plans, and indicators to facilitate comprehensive cybersecurity governance and reporting.

Show full answer Show less

Key Tables and Their Purpose

Target [sngrctarget]: Central entity to represent and track attributes of cybersecurity targets across GRC applications and use-case content packs. Ensures unique entity references per target record.
NIST CSF Activity [snirmnistcsfnistcsfactivity]: Records cybersecurity activities relevant to each target, supporting gap analysis to identify gaps, non-compliant controls, risks, issues, failed indicators, and associated action plans.
Gaps [snirmnistcsfm2mpolicystatenistcsfact]: Tracks unimplemented control objectives as gaps. Supports detailed reporting and drill-down by associating gaps to targets.
Non-compliant Control [snirmnistcsfm2mcxontrolsnistcsfact]: Captures cybersecurity controls defined by the framework core that are implemented but non-compliant. Facilitates reporting and analysis linked to targets.
Risk [snirmnistcsfm2mrisksnistcsfactivities]: Associates risks with implemented controls for control objectives, enabling risk tracking and detailed insights per target.
Issue [snirmnistcsfm2missuesnistcsfact]: Tracks issues related to controls and associated risks for control objectives, supporting metric inclusion and target-based reporting.
Action Plan [snirmnistcsfm2mremediationnistcsfact]: Manages action plans (remediation tasks) created to address identified issues, linked to targets for effective remediation tracking.
Failed Indicators [snirmnistcsfm2mindicatorsnistcsfact]: Records failed indicators related to targets, controls, or risks, providing visibility into compliance failures for reporting.
Related Control Objectives [sncompliancem2mpolicystmtpolicystmt]: Supports associations between control objectives at the same hierarchical level, enhancing control objective relationship tracking beyond parent-child structures.

Practical Benefits for ServiceNow Customers

Enables comprehensive tracking and management of cybersecurity activities and compliance using NIST CSF-aligned data models.
Facilitates gap analysis, risk identification, and issue management within the ServiceNow GRC environment.
Supports detailed reporting and drill-down capabilities across cybersecurity controls, risks, and remediation efforts tied to organizational targets.
Improves visibility into non-compliance, failed indicators, and action plans, helping customers prioritize and manage cybersecurity improvements effectively.
Enhances control objective relationships, aiding in nuanced governance and compliance strategy development.

A few tables are impacted by the NIST CSF guidance.


Table	Purpose
Target [sn_grc_target]	Target is a core table of design to be shared component among the ServiceNow GRC application and GRC use-case content packs.Target is like entity in its purpose, but is used to track any attributes specific to use-case content packs. No two target records can reference the same entity at any time.
NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity]	NIST CSF Activity table is used to track cybersecurity activity relevant for a target. The activity also helps in performing gap analysis that identifies the gaps, non-complaint controls, risks, issues, failed indicators and action plans for a cybersecurity activity.
Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act]	Gaps table in NIST CSF is used to track control objectives that aren’t yet implemented as gaps. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Gaps to Targets.
Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act]	Non-compliant Control table in NIST CSF is used to track controls that are identified as non-compliant. Only cybersecurity control objectives as defined by the framework core which are implemented as controls and non-compliant are tracked. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Non-compliant Controls to Targets.
Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities]	Risk table in NIST CSF is used to track risks that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Risks to Targets.
Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act]	Issue table in NIST CSF is used to track issues that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. Issues of risks associated with these controls are also included in the metric. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Issues to Targets.
Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act]	Action Plan table in NIST CSF is used to track the action plans that are identified for the issues. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Action Plans (remediation tasks) to Targets.
Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act]	Failed indicators table in NIST CSF is used to track the failed indicators of the target and the control or risk. This table comes handy for reporting and drill down purposes. It's an m2m table that associates Failed Indicators to Targets.
Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt]	Related Control Objectives table in NIST CSF is used to track the associations between control objectives. In base implementation, parent and child control objectives are supported, but this table introduces a concept to relate the control objectives at the same level.