Import in OSCAL format

  • Release version: Australia
  • Updated March 12, 2026

    The CAM OSCAL import offers a playbook-style experience designed to streamline the integration of security control data.

    This guided process supports importing JSON files in the OSCAL (Open Security Controls Assessment Language) format for the Catalog, System Security Plan (SSP), Assessment Plan (AP), and Assessment Results (AR) models. From the OSCAL Import landing page, you can view a list of previously imported OSCAL files along with their current statuses. To start a new import, select New Import on the All OSCAL Imports landing page. The import process then guides you through the following structured stages:
    • Details: Enter the import details, such as the OSCAL model, source, and recipients for import status notifications.
    • Attachments: Upload the OSCAL-formatted files corresponding to the model selected in the Details tab.
      • For the Catalog OSCAL model, you must upload the catalog file to proceed with the import.
      • For the SSP OSCAL model, you must upload the following files:
        • Catalog
        • Profile
        • SSP
        • Overlay: You can upload multiple overlay files.
      • For the Assessment Plan (AP) OSCAL model, you must upload the following files:
        • Catalog
        • Profile
        • SSP
        • Assessment Plan: You can upload multiple AP files (one per engagement).
        • Overlay: You can upload multiple overlay files (optional).
        • POA&M: You can upload POA&M files (optional).
      • For the Assessment Results (AR) OSCAL model, you must upload the following files:
        • Catalog
        • Profile
        • SSP
        • Assessment Plan: The AP file linked to the AR being imported. You can upload multiple AP files.
        • Assessment Results: The AR file to import. You can upload multiple AR files.
        • Overlay: You can upload multiple overlay files (optional).
        • POA&M: You can upload multiple POA&M files (optional). POA&M items from these files are aggregated with the POA&M items already present in the AR file.
    • User and Group Mapping: Map users and groups from the OSCAL files to the corresponding ServiceNow users and groups in your instance. Each user entry shows the roles the user is listed as in the import — for example, Assigned To (Engagement), Owner (Control Test), or Assigned To (POA&M). This step applies to the SSP, AP, and AR OSCAL models.
    • Roles and Responsibilities: Assign users to specific roles for the imported files. These users will retain their roles throughout each step in the authorization package.
      Note:
      This tab applies when the POA&M, AR, SSP, or Assessment Plan (AP) OSCAL model is selected.
    • Preview and Override: Review the list of objects to be uploaded, along with the number of objects that will be created or skipped. Take appropriate actions such as importing, skipping, or overriding.
      Note:
      • The "CTR Assigned To" and "CTR Opened By" roles appear in the user mapping list for packages with associated control tailoring requests. CTR Opened By identifies the user recorded as the creator of the control tailoring request during import; CTR Assigned To identifies the user assigned to the control tailoring request during import. If no user is mapped to either role, the system defaults to the authorizing official configured for the authorization package.
      • For new packages, all SSP and AP-related objects (engagements, control tests, test plans, entity to engagement mappings) display as Create New. On import, all objects are created.
      • For existing packages, all SSP, AP, AR, and POA&M related objects display as Override by default when importing an AP or AR model. If you skip the package, all related objects are skipped automatically, including baseline controls, information type definitions, inherited controls, hybrid controls, engagements, test plans, control tests, assessment results, and entity to engagement mappings.
      • When importing multiple AP files, each file must have a unique UUID. If two AP files contain the same UUID, the import process fails and displays an error message.
      • For AR imports, if an engagement from the package already exists on the instance, you can choose to skip or override the existing engagement and its associated POA&M items.
      • When you override an existing authorization package during import, the system applies the imported data to the package as follows:
        • Overlays are overwritten with the imported values.
        • Control objectives from the imported source are created or overwritten.
        • Control tailoring requests from the imported SSP are created as new records associated with the overriding package.
    • The import process includes the following behavior:
      • The import process succeeds even when overlay files contain duplicate control objective references. Each overlay defines behavior and action rules for matching and distinct control objectives, and the system applies these rules to determine which overlay's configuration takes effect for each control objective.
      • The import now populates the following fields, if the values are present in the export file:
        • Status
        • Frequency
        • Weighting
        • Implementation statement
        • Activities

        This applies to controls created during the import of SSP, Assessment Plan, and Assessment Results models.

    • If the imported file contains control tailoring request data, the system creates a control tailoring request record as part of the import. The imported control tailoring request includes:

      • Requested changes
      • Overlay controls
      • Work notes (visible in the CTR record, marked as imported from OSCAL)
      • The Created by field, set to the user mapped to the "CTR Opened By" role during import (defaults to System Owner if not mapped)

      The control tailoring request record is visible in the authorization package after import.

    Using the CAM import OSCAL feature, you can perform the following:

    For more information on the OSCAL import error and control catalog, see the OSCAL Import [KB1794095] article in the Now Support Knowledge Base.