Continuous Authorization and Monitoring release notes
The ServiceNow® Continuous Authorization and Monitoring (CAM) application provides a standardized approach to defining an authorization package and walking through the seven steps of the NIST Risk Management Framework (NIST RMF). CAM was enhanced and updated in the Xanadu release.
Continuous Authorization and Monitoring highlights for the Xanadu release
- Use the added features in the CAM Workspace to streamline your work in an end-to-end user experience.
- Export System Security Plan (SSP) files in the OSCAL format, which covers the Catalog, Profile, and SSP models.
- Use the lite roles introduced in CAM for lighter business operations.
- Group similar controls by control family to help identify and understand the controls.
See Continuous Authorization and Monitoring for more information.
New in the Xanadu release
- CAM Workspace
- Use the CAM Workspace for an end-to-end user experience. The Home page, the overview pages of the authorization boundary and the authorization package, the unified tasks page, and the dashboards help you capture information and give you better insight into the data that supports decision making. CAM Workspace includes exclusive features with which you can:
- Add related control objectives.
- View controls by family for a control objective, and report by family for NIST SP 800-53.
- Add attachments to assessment procedures and document notes.
- View all Plan of Actions and Milestones (POA&M) in a single pane.
- CAM supports the OSCAL format to export control-related information
- Export SSP files in the OSCAL format based on the SSP, Profile, Catalog, and Catalog overlay models. The generated export can be shared with other systems that consume OSCAL. OSCAL (Open Security Controls Assessment Language) is the NIST-developed format for representing control-based information in machine-readable form.
- CAM ATO artifacts
- Generate ATO artifacts from an authorization package in Microsoft Word format for the following reports:
- SSP
- Security Assessment Report (SAR)
- POA&M
- Enhancements in CAM user roles
- The existing user roles in the CAM application have been enhanced with the following privileges:
- Use the Information Owner (sn_irm_cont_auth.information_owner) role to view and update the information types of an authorization package.
- Use the Audit reader (sn_audit.reader) lite role to view audit-related entities, such as engagements.
- Create and manage issues as a system user.
Changed in this release
- Role changes for Continuous Authorization and Monitoring Workspace users
- Reader (sn_irm_cont_auth.reader), Authorization Official (sn_irm_cont_auth.authorization_official), and Executive Reader (sn_irm_cont_auth.executive_read) can now access Continuous Authorization and Monitoring Workspace.
- OSCAL Catalog model export
- When control-related information is exported as part of the Catalog model, the child control objectives of a control objective are mapped to the Control field, and its related control objectives are mapped to the Links field.
- Enhancements in CAM Workspace
- The following enhancements have been made in CAM Workspace:
- New pop-ups with additional capabilities are added to hybrid control creation.
- POA&Ms include all authorization package issues.
- The Family field and Family ID field are added to the Control objective page.
- The Notes field and Attachment field are added to the Assessment procedure page.
- The 360° View button is configured in all pages of CAM Workspace.
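The two OSCAL items above (the export of control information in the Catalog model, and the mapping of child control objectives to the Control field and related control objectives to the Links field) describe a structure that is easier to see than to read. The following is an added example, not ServiceNow's or the CAM application's own export code: it builds a catalog in the OSCAL JSON shape from a small constructed control-objective tree, nests children under `controls`, emits related objectives as `links` with `rel="related"`, and checks that every related link resolves to a control in the catalog. The objective identifiers, titles, the `oscal-version` string, and the function names are all constructed for illustration.

```python
"""Build an OSCAL-style catalog from a control-objective tree.

Added example, not ServiceNow code. Child control objectives become nested
entries in a control's "controls" array; related control objectives become
entries in its "links" array with rel="related". Input data is constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: a control-objective hierarchy shaped like a NIST
# SP 800-53 family. "children" are enhancements; "related" are
# cross-references to other control objectives.
SAMPLE_OBJECTIVES = {
    "ac-2": {"title": "Account Management", "family_id": "ac", "family": "Access Control",
             "children": ["ac-2.1", "ac-2.2"], "related": ["ac-3", "au-2"]},
    "ac-2.1": {"title": "Automated System Account Management", "family_id": "ac",
               "family": "Access Control", "children": [], "related": []},
    "ac-2.2": {"title": "Automated Temporary and Emergency Account Management",
               "family_id": "ac", "family": "Access Control", "children": [], "related": ["ac-2.1"]},
    "ac-3": {"title": "Access Enforcement", "family_id": "ac", "family": "Access Control",
             "children": [], "related": ["ac-2"]},
    "au-2": {"title": "Event Logging", "family_id": "au", "family": "Audit and Accountability",
             "children": [], "related": []},
}


def build_control(obj_id, objectives, _path=()):
    """Recursively map one control objective to an OSCAL control.

    Children are nested under "controls"; related objectives become "links"
    with rel="related" and an in-document fragment href. An objective that
    reappears on its own ancestor path is a cycle in the source data.
    """
    if obj_id in _path:
        raise ValueError(f"cycle in control-objective hierarchy at {obj_id}")
    obj = objectives[obj_id]
    control = {"id": obj_id, "title": obj["title"]}
    if obj["related"]:
        control["links"] = [{"href": f"#{rel}", "rel": "related"} for rel in obj["related"]]
    if obj["children"]:
        control["controls"] = [build_control(c, objectives, _path + (obj_id,))
                               for c in obj["children"]]
    return control


def build_catalog(objectives, title="Constructed catalog"):
    """Assemble an OSCAL catalog with one group per control family.

    Only root objectives (those not listed as another objective's child)
    become top-level controls, so nested children are not emitted twice.
    """
    child_ids = {c for o in objectives.values() for c in o["children"]}
    groups = {}
    for obj_id, obj in objectives.items():
        if obj_id in child_ids:
            continue
        grp = groups.setdefault(obj["family_id"], {
            "id": obj["family_id"], "class": "family", "title": obj["family"], "controls": []})
        grp["controls"].append(build_control(obj_id, objectives))
    return {"catalog": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": title,
                     "last-modified": datetime.now(timezone.utc).isoformat(),
                     "version": "1.0",
                     "oscal-version": "1.1.2"},  # illustrative version string
        "groups": list(groups.values()),
    }}


def index_controls(catalog):
    """Flatten nested controls into {id: control} for lookup and validation."""
    out = {}

    def walk(controls):
        for c in controls:
            out[c["id"]] = c
            walk(c.get("controls", []))

    for g in catalog["catalog"]["groups"]:
        walk(g["controls"])
    return out


def dangling_links(catalog):
    """Return (control_id, href) pairs whose related link has no target
    in the catalog; such links break consumers that resolve them."""
    idx = index_controls(catalog)
    return [(cid, link["href"])
            for cid, c in idx.items()
            for link in c.get("links", [])
            if link["rel"] == "related" and link["href"].lstrip("#") not in idx]


if __name__ == "__main__":
    cat = build_catalog(SAMPLE_OBJECTIVES)
    print(json.dumps(cat, indent=2))
    print("dangling links:", dangling_links(cat))
```

Running `dangling_links` on an export before sharing it is the check worth keeping: a related objective that was deleted or renamed in the source leaves a link that no other system can resolve.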
- CAM user role changes
- Defining roles and assigning privileges and permissions for approvals is critical to ensuring that each CAM user holds only the access their duties require. The user role changes are:
- The Information Owner (sn_irm_cont_auth.information_owner) role can also update information types of an authorization package, and the role also contains the Audit user (sn_audit.user) role in addition to the Reader (sn_irm_cont_auth.reader) role.
- The Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager) role can update the authorization package, and the role contains the Compliance user (sn_compliance.user) and Reader (sn_irm_cont_auth.reader) roles.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role can update the authorization package.
- The Reader (sn_irm_cont_auth.reader) role contains the Audit reader (sn_audit.reader) role.
- The System User (sn_irm_cont_auth.system_user) role contains the Audit user (sn_audit.user) role.
- The System Owner (sn_irm_cont_auth.system_owner) role also contains the Audit user (sn_audit.user) and Compliance user (sn_compliance.user) roles.
Removed in this release
- The Authorization Official (AO) (sn_irm_cont_auth.authorization_official) role no longer contains the sn_audit.user and sn_compliance.user roles. The AO role can only read and approve an authorization package.
- The Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer) role no longer contains the sn_audit.user role.
- The Reader (sn_irm_cont_auth.reader) role no longer contains the sn_audit.user role.
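Because ServiceNow roles contain other roles, the effective privileges of a user are the transitive closure of the containment relationships listed above, not just the roles named on the user record. The following is an added example, not ServiceNow code: it computes effective roles from a containment map transcribed from this release note (the same relationships an export of the `sys_user_role_contains` table would show) and flags any role that ends up holding a role it should not. The expectations encoded in `MUST_NOT_HOLD` are the reviewer's own reading of the changes above (the Authorization Official and the Reader no longer carry `sn_audit.user` or `sn_compliance.user`), and the function names are constructed.

```python
"""Effective-role check for CAM role containment.

Added example, not ServiceNow code. ROLE_CONTAINS is transcribed from the
release note's role changes; MUST_NOT_HOLD encodes the reviewer's
expectations so a role regression after an upgrade is caught.
"""

# Constructed containment map: role -> roles it directly contains, as an
# export of sys_user_role_contains would list them. Only relationships
# stated in the release note are included.
ROLE_CONTAINS = {
    "sn_irm_cont_auth.information_owner": ["sn_irm_cont_auth.reader", "sn_audit.user"],
    "sn_irm_cont_auth.info_system_sec_manager": ["sn_irm_cont_auth.reader", "sn_compliance.user"],
    "sn_irm_cont_auth.reader": ["sn_audit.reader"],
    "sn_irm_cont_auth.system_user": ["sn_audit.user"],
    "sn_irm_cont_auth.system_owner": ["sn_audit.user", "sn_compliance.user"],
    "sn_irm_cont_auth.info_system_sec_officer": [],
    "sn_irm_cont_auth.authorization_official": [],
}

# Reviewer's expectations after this release (assumption, not from the page):
# read/approve-only roles must not transitively gain audit or compliance
# write roles.
MUST_NOT_HOLD = {
    "sn_irm_cont_auth.authorization_official": {"sn_audit.user", "sn_compliance.user"},
    "sn_irm_cont_auth.reader": {"sn_audit.user"},
    "sn_irm_cont_auth.info_system_sec_officer": {"sn_audit.user"},
}


def effective_roles(role, contains):
    """Transitive closure of a role's contained roles (the role itself
    excluded). Uses an explicit visited set so a cyclic containment map
    cannot loop forever."""
    seen = set()
    stack = list(contains.get(role, []))
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(contains.get(r, []))
    seen.discard(role)
    return seen


def violations(contains, must_not_hold):
    """Return sorted (role, forbidden_role) pairs where a role transitively
    contains a role it is expected not to hold."""
    found = []
    for role, forbidden in must_not_hold.items():
        effective = effective_roles(role, contains)
        found.extend((role, f) for f in sorted(forbidden & effective))
    return sorted(found)


if __name__ == "__main__":
    for role in ROLE_CONTAINS:
        print(role, "->", sorted(effective_roles(role, ROLE_CONTAINS)))
    print("violations:", violations(ROLE_CONTAINS, MUST_NOT_HOLD))
```

The useful part of this check is the inheritance it makes visible: Information Owner receives `sn_audit.reader` only through `sn_irm_cont_auth.reader`, so re-adding `sn_audit.user` to the Reader role (the privilege removed in this release) would silently hand audit write access to every role that contains Reader.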
Activation information
Install Continuous Authorization and Monitoring by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.