Exploring Configuration Compliance
Summary of Exploring Configuration Compliance
The ServiceNow® Configuration Compliance application enables organizations to efficiently prioritize and remediate critical configuration-related security vulnerabilities across their IT environments. It leverages test results from third-party Secure Configuration Assessment (SCA) integrations to verify compliance with security or corporate policies, helping customers identify, prioritize, and remediate non-compliant configuration items. Configuration Compliance integrates tightly with the ServiceNow AI Platform® and Governance, Risk, and Compliance (GRC) application to unify and streamline vulnerability management, remediation, and reporting processes.
Key Features
- Integration with Third-Party SCAs: Automatically import policies, tests, and configuration scanning content from supported third-party SCA tools, enabling seamless assessment of configuration compliance.
- Correlation and Visibility: Correlate policies and test results to configuration items (assets) in the ServiceNow Configuration Management Database (CMDB) to identify vulnerabilities and verify compliance status.
- Unified Assessment and Remediation: Group configuration findings and route remediation tasks automatically based on specialist skillsets and responsibilities, streamlining collaboration between security, IT, and business teams.
- Intelligent Workflows and Change Management Integration: Enable smooth hand-offs and create pre-populated change requests directly from Configuration Compliance to facilitate remediation requiring additional resources.
- GRC Integration: Roll up configuration test results to corresponding GRC controls for comprehensive compliance and risk management.
- Dashboards and Metrics: Monitor remediation status with built-in dashboards displaying metrics related to remediation tasks, compliance tests, and policies.
- Role-Based Access: Support for roles such as sn_vulc.admin, sn_vulc.write, sn_vulc.remediation_owner, and sn_vulc.read to manage permissions and responsibilities within Configuration Compliance.
- Vulnerability Response Integration: When integrated with Qualys and Tenable Vulnerability Response, Configuration Compliance can leverage vulnerability data across multiple deployments within a single GRC instance.
Important Notes for Customers
- Terminology updates from version 14.9 rename key entities for clarity, such as "Test Result Group" becoming "Remediation Task Group."
- Customers upgrading to versions compatible with Unified Security Exposure Management (USEM) should select version 30.x or higher; otherwise, versions below 30.x should be used.
- Configuration Compliance is available by subscription through the ServiceNow® Store.
- Activation, setup, and configuration details are available in the product documentation to help get started.
Who Should Use Configuration Compliance
Configuration Compliance supports multiple roles involved in vulnerability and compliance management, including system administrators, vulnerability administrators and managers, vulnerability analysts, and compliance administrators. Its design facilitates collaboration across security, IT operations, and business process stakeholders to reduce risk and enhance security posture efficiently.
Use test results obtained from third-party Secure Configuration Assessment (SCA) integrations to verify compliance with security or corporate policies. Identify, prioritize, and remediate non-compliant configuration items.
| Terminology prior to v14.9 | Terminology v14.9 onwards |
|---|---|
| Test Result Group | Remediation Task |
| Group Rules | Remediation Task Rules |
| Policy | Test group |
What is Configuration Compliance
The ServiceNow® Configuration Compliance application enables you to prioritize and remediate the most critical configuration-related vulnerabilities in your environment quickly and efficiently. Configuration Compliance is available by subscription in the ServiceNow® Store.
Key features of Configuration Compliance
Use the Configuration Management Database (CMDB) in your ServiceNow AI Platform® to help you expose and fix your most critical configuration-related security vulnerabilities. Focus your remediation resources on activities with the greatest risk reduction. Streamline the remediation process across security, IT, and your business process stakeholders. The Configuration Compliance application includes the following key features:
- With supported third-party integrations, automatically import policies, tests, authoritative sources, and technologies. See Configuration Compliance integrations for more information about supported integrations.
- Correlate policies and tests to configuration items (assets) to identify configuration-related vulnerabilities and help you verify that your assets are in compliance with your policies and controls.
- Unify configuration assessment, assignment, and remediation across all of your assets.
- Configuration scanning content can be imported from leading Secure Configuration Assessment (SCA) ecosystem integration applications.
- Configuration findings (test failures) can be grouped and routed automatically based on remediation specialist skill sets and areas of responsibility. Intelligent workflows and tight integration with change management provide smooth task hand-offs between groups.
- When used with the ServiceNow Governance, Risk, and Compliance (GRC) application, configuration tests in Configuration Compliance can be rolled up to their corresponding GRC controls.
- With enhanced change management, create pre-populated change requests for IT directly from Configuration Compliance to help you with your remediation tasks that require additional resources.
- With dashboards, view remediation status metrics on remediation task, compliance test, and policy records.
Who uses Configuration Compliance
- System administrators
- Vulnerability administrators
- Vulnerability managers
- Vulnerability analysts
- Compliance administrators
- sn_vulc.admin — can read, write, delete
- sn_vulc.write — can read and write
- sn_vulc.remediation_owner — can read and update assigned records. Note: The sn_vulc.remediation_owner role is also automatically assigned when any user is assigned the itil role.
- sn_vulc.read — can read
Configuration Compliance and Security Operations
When the Qualys Vulnerability Integration and the Tenable Vulnerability Integration are installed, access to Vulnerability Response becomes available. You can have multiple deployments of these integrations. Data sourced from each deployment is identified and available in a single instance of GRC.
Available versions for Australia
| Release version | Release notes |
|---|---|
| If you intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), please select a version starting with 30.x when installing or upgrading. | Configuration Compliance release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. See Setting up, installing, and configuring the Configuration Compliance application for more information about activating the application. |
| If you do not intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), please select a version below 30.x when installing or upgrading. | |