Configuration Compliance states

  • Release version: Washingtondc
  • Updated February 1, 2024

    With Configuration Compliance, you can see a state model to learn what the status of the remediation task is at any given time. The remediation task states control the test result states by precedence.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 | Terminology v14.9 onwards
    Test Result Group | Remediation Task
    Group Rules | Remediation Task Rules
    Policy | Test group

    Remediation Task States

    Remediation tasks have many possible states. Automatic transition is available from the Resolved state based on the next scan results. If all test results pass on the next scan, the group is closed. Otherwise, it transitions to the Under Investigation state. The system verifies this closed state, but it re-evaluates the group state if a test result is added to or deleted from the group. The work notes are updated to reflect the transition.

    The following figure shows how the state of a remediation task transitions from the Open state to the Closed state.

    Figure 1. Configuration Compliance state flow (prior to v15.0)
    Note:
    • Each group form contains Follow and Update buttons, which are standard for ServiceNow tasks.
    • Starting with v15.0 of Configuration Compliance, the following have been removed:
      • The Close button
      • The Resolution field in the Resolve modal

    The following table lists the Configuration Compliance states.

    Table 2. Configuration Compliance states
    State: Open
    Description: State upon creation.

    State: Under Investigation
    Description: Triggered by the Start Investigation button. From this state, you can:
    • Create a Change Request: For more information, see Create a change request in Configuration Compliance.
    • Request exception: Provide a reason and select a reopen date.
    • Delete: Confirm the deletion. Removes the remediation task.
    • Mark as false positive: Provide a reason and notes. Marks the remediation task as false positive.

    State: Deferred
    Description: Triggered by the Defer button. From this state, you can:
    • Reopen: Transition back to an Open state.
    • Delete: Confirm the deletion. Removes the group.
    Deferment information appears under the Defer/Close related tab. On the defer date, the group reopens for remediation.

    State: Awaiting Implementation
    Description: Triggered by the Awaiting Implementation button. From this state, you can:
    • Create a Security Incident: For more information, see Create a security incident.
    • Create a Change Request: For more information, see Create a change request in Configuration Compliance.
    • Resolve: In the Resolution notes, add the reason why you are resolving the Remediation Task. The state becomes Resolved. Notes appear under the Resolution related tab.
    • Delete: Confirm the deletion. Removes the remediation task.

    State: Resolved
    Description: Triggered from the Resolve button. From this state, you can:
    • Create a Security Incident: For more information, see Create a security incident.
    • Reopen: Transition back to an Open state.
    • Delete: Confirm the deletion. Removes the remediation task.
    Notes appear under the Notes related tab. Resolution information appears under the Resolution related tab. The notes are reflected in the Work notes of all the test results associated with the Remediation Task.

    State: Closed
    Description: Triggered from the Close button or Mark as false positive button. Starting from v14.12 of Configuration Compliance, you can close a remediation task by marking it as false positive. From this state, you can:
    • Reopen: Transition back to an Open state.
    • Delete: Confirm the deletion. Removes the group.
    Closure information appears under the Defer/Close related tab.

    • If the Remediation Task is marked as Closed or Fixed and if the test result added is not itself Closed or Fixed, the test result state does not change, and the remediation task state is changed to Open.
    • When you create a new remediation task or split a remediation task, the Reason and Until fields are reevaluated for new and old remediation tasks. When the state of all test results is Deferred, the values in the Reason and Until fields are rolled up to the remediation task.
      • If all the test results in a remediation task are deferred, and have the same Reason, then the remediation task is assigned the same Reason. Otherwise, the Reason field is changed to None.
      • The date in the Until field is updated with the closest until date of all the remediation tasks to which the test results belong.
      Note:
      This evaluation is done by the Rollup test result values to test result group and configuration test scheduled job, which runs every hour.
    • If the Last Seen date is later than the Resolution date for a resolved test result, then the test result is reopened. In a resolved Remediation Task, if at least one test result is reopened during ingestion, then the remediation task moves to the Under Investigation state.

    Test Result States

    The state of a remediation task also changes the state of its associated test results. This mechanism has two cases:
    Test results that belong to only one remediation task
    Results match the state of the remediation task with three exceptions:
    • If the remediation task changes its state to Closed and its resolution (substate) to Fixed, the item ignores that change and then falls back to the Open state.
    • If the remediation task changes its state to Closed and its resolution (substate) to Cancelled, the item ignores that change and then falls back to the Open state.
    • If the test result source status is Fixed (updated by a scan or import), then when the remediation task changes its state, the test result changes its state to Closed (Fixed) no matter what state the remediation task is in.
    Test results that belong to multiple remediation tasks
    Test results do not match the state of the remediation task automatically. Instead, each test result searches among all its associated groups to find the state with the highest precedence to apply. This is the order of precedence:
    Closed (substate: Result Invalid) > Deferred > Resolved > Awaiting Implementation > Under Investigation > Open
    Note:
    Closed (substate: Fixed) and Closed (substate: Cancelled) are two special cases.
    Note:
    Starting with v15.0 of Configuration Compliance, the Result Invalid substate has been deprecated.

    Remediation Task state examples

    For example:

    Each example lists the remediation task states, the resulting test result state, and the reason.

    Remediation task states:
    • Group A: Open > Under Investigation
    • Group B: Open
    Test result state: Under Investigation
    When Group A is Under Investigation and Group B is Open, the test result changes to Under Investigation, since after the search, between Group A and Group B, Group A has the state with the highest precedence.

    Remediation task states:
    • Group A: Under Investigation
    • Group B: Open > Under Investigation
    Test result state: Under Investigation
    When Group B is Under Investigation and Group A is Under Investigation, the test result stays as Under Investigation, since after the search, between Group A and Group B, they have the state with the same precedence.

    Remediation task states:
    • Group A: Under Investigation
    • Group B: Under Investigation > Awaiting Implementation
    Test result state: Awaiting Implementation
    When Group B is Awaiting Implementation and Group A is Under Investigation, the test result changes to Awaiting Implementation, since after the search, between Group A and Group B, Group B has the state with the highest precedence.

    Remediation task states:
    • Group A: Under Investigation > Deferred
    • Group B: Awaiting Implementation
    Test result state: Deferred
    When Group A is Deferred and Group B is Awaiting Implementation, the test result changes to Deferred, since after the search, between Group A and Group B, Group A has the state with the highest precedence.

    Remediation task states:
    • Group A: Deferred
    • Group B: Awaiting Implementation > Closed (Result Invalid)
    Test result state: Closed (Result Invalid) > Deferred
    When Group B is Closed and the resolution (substate) is Result Invalid, and Group A is Deferred, the test result changes to Closed (Result Invalid), since after the search, between Group A and Group B, Group B has the state with the highest precedence.

    Remediation task states:
    • Group A: Deferred
    • Group B: Closed (Result Invalid) > Open (via Reopen)
    Test result state: Deferred
    When Group B is re-opened and its state changes to Open, and Group A is Deferred, the test result changes to Deferred, since after the search, between Group A and Group B, Group A has the state with the highest precedence.

    Remediation task states:
    • Group A: Deferred
    • Group B: Awaiting Implementation > Closed (False Positive)
    Test result state: Closed (False Positive)
    When Group B is Closed and the resolution (substate) is False Positive and Group A is Deferred, the test result changes to Closed (False Positive), since after the search, between Group A and Group B, Group B has the state with the highest precedence.

    Table 3. Test result state special cases
    Remediation task states:
    • Group A: Under Investigation
    • Group B: Awaiting Implementation > Closed (Fixed or Cancelled)
    Test result state: Under Investigation
    When Group B is Closed (substate Fixed or substate Cancelled), and Group A is Under Investigation, the test result changes from Awaiting Implementation (previously, the highest precedence) to Under Investigation (currently, the highest precedence).

    Remediation task states:
    • Group A: any state
    • Group B: any state
    Test result state: If the test result source status is Fixed (updated by a scan or import), then when the remediation task changes its state, the test result changes its state to Closed (Fixed) no matter what states the other associated remediation tasks are in. The test result search for remediation task state does not occur.