Control requirement generation and upgrade steps
Summary of Control Requirement Generation and Upgrade Steps
This document outlines the process for generating control requirements and the upgrade steps associated with the Washington DC release of ServiceNow. It describes how enabling specific options in the control objective form triggers the automatic generation of controls and their requirements based on the state of the authorization package.
Key Features
- Automatic Control Generation: Enabling the "Creates controls automatically" and "Create control requirements" options initiates the generation of controls and control requirements when the authorization package transitions states.
- State-Dependent Generation: Control requirements are generated only if the control objective requirements are present and the generation flag is activated. If the flag is false, requirements will not be generated.
- Dynamic Updates: An update to a control objective requirement's description is reflected in the associated control requirement only if the control is in the Draft state.
- Manual Requirement Tagging: If control objective requirements are deleted, corresponding control requirements are marked as Manual. They can be unmarked when the control is in Draft state.
Key Outcomes
Upon upgrading to the Washington DC release, the following occurs:
- New fields are added to the Control form, including Authorization package and Control allocation, with values populated for existing CAM controls.
- The "Create control requirements" option is set to True by default for all NIST 800-53-revision 5 control objectives.
- Control requirements are generated for all existing controls in Draft state under NIST 800-53-revision 5 control objectives.
This ensures a streamlined approach to managing control requirements, enhancing operational efficiency within ServiceNow environments.
The Creates controls automatically and Create control requirements options in the control objective form, together with the state of the authorization package, are important for creating control requirements.
Control requirement generation logic
If you enable the Creates controls automatically and Create control requirements options in the control objective form, then the item generation flow is triggered automatically to create controls and control requirements, respectively. Depending on the state of the control, the generated control requirements' state changes.
If the Create control requirements option is selected when the authorization package moves from the Select to the Implement state, the controls are generated. At the same time, control requirements for the control objective requirements are also generated. Control requirements are generated only if the control objective requirements are present and the flag is true. If the control objective requirements are present but the flag is false, the control requirements are not generated.
If the flag was set to false when the control objective was created and the requirements weren't generated, you can still generate the control requirements by selecting the flag and saving the control objective record, provided the controls associated with this particular control objective have control objective requirements and the controls are Active and in the Draft state. If the controls are in any state other than Draft, control requirements are not generated. However, if, for example, the control was in the Monitor state and is moved back to the Draft state, control requirements are generated, provided the Create control requirements option is selected.
- New control objective requirements added
  - The same is the case when you add control objective requirements to a control objective using the New or Edit button in the Control objective requirements related list.
- Update
  - If you update the description of a control objective requirement, the description of the corresponding control requirement is updated, provided the control is in the Draft state. If the control is in any other state, the description is updated when the control moves back to the Draft state.
- Delete
  - If some of the control objective requirements of a control objective are removed, the corresponding control requirements of the control cannot be removed; instead, they are marked as Manual requirements. This is true for controls in any state. Later, if the control moves to the Draft state, you can remove the Manual tag from these requirements. On the other hand, if a new control is created after some of the control objective requirements are removed, the new control does not have the requirements that were removed, only the ones that still exist.
If the authorization package moves from the Implement to Select state, then all the associated controls of CAM are retired, and correspondingly all the requirements associated with them are also retired. All these actions are handled by item generation.
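The generation, update, delete and retire rules above can be exercised against a small model to see which changes are applied immediately and which wait for the Draft state. This is an added example in plain JavaScript, not ServiceNow code; the object shapes, the function names and the 'Retired' state label are assumptions made for illustration.

```javascript
// Model of the rules on this page. Hypothetical shapes:
//   objective: { createRequirements: boolean, requirements: Map(id -> description) }
//   control:   { active, state, requirements: Map(id -> {description, manual, retired}) }
function newControl(state = 'Draft') {
  return { active: true, state, requirements: new Map() };
}

// Re-evaluate one control against its control objective.
function syncControl(objective, control) {
  // Nothing is generated or updated unless the control is Active and in Draft.
  if (!control.active || control.state !== 'Draft') return control;
  for (const [id, description] of objective.requirements) {
    const req = control.requirements.get(id);
    if (req) {
      req.description = description;            // update rule: Draft only
    } else if (objective.createRequirements) {  // generation rule: flag must be true
      control.requirements.set(id, { description, manual: false, retired: false });
    }
  }
  return control;
}

// Moving a control back to Draft applies whatever was deferred.
function moveControl(objective, control, state) {
  control.state = state;
  return syncControl(objective, control);
}

// Delete rule (any control state): the control requirement is kept, marked Manual.
function removeObjectiveRequirement(objective, controls, id) {
  objective.requirements.delete(id);
  for (const control of controls) {
    const req = control.requirements.get(id);
    if (req) req.manual = true;
  }
}

// The Manual tag can be removed only while the control is in Draft.
function clearManualTag(control, id) {
  if (control.state !== 'Draft') throw new Error('control is not in Draft');
  control.requirements.get(id).manual = false;
}

// Package moves from Implement back to Select: controls and requirements retire.
function retireControl(control) {
  control.active = false;
  control.state = 'Retired'; // assumed state label
  for (const req of control.requirements.values()) req.retired = true;
  return control;
}
```

A control created after `removeObjectiveRequirement` starts with an empty map, so `syncControl` gives it only the requirements that still exist on the objective.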
Mandatory upgrade steps
- The Authorization package field and Control allocation field in the Control form are newly added. The values in these fields are populated for the existing CAM controls.
- For all NIST 800-53-revision 5 control objectives, the Create control requirements option is set to True by default in the Control objective form.
- The control requirements are created for all the existing controls, from NIST 800-53-revision 5 control objectives, which are in the Draft state.