Control requirement generation and upgrade steps

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Control requirement generation and upgrade steps

    This content explains how control requirements are automatically generated and managed within the authorization package lifecycle in the Yokohama release of ServiceNow. It details the logic for generating controls and control requirements, how changes to control objective requirements affect control requirements, and the impact of the authorization package states on these processes. It also outlines key upgrade steps introduced in this release to ensure smooth transition and enhanced control management.

    Show full answer Show less

    Control requirement generation logic

    • Enabling Creates controls automatically and Create control requirements options in the control objective form triggers automatic creation of controls and control requirements.
    • When the authorization package moves from Select to Implement state, controls and control requirements are generated if the Create control requirements option is enabled and control objective requirements exist.
    • If control objective requirements exist but the option is disabled during creation, control requirements can still be generated later by enabling the option and saving the control objective—this applies only if associated controls are Active and in Draft state.
    • Controls in states other than Draft do not generate control requirements unless moved back to Draft state with the option enabled.

    Managing control objective requirement changes

    • Adding new control objective requirements triggers generation of corresponding control requirements, subject to the same state and option conditions.
    • Updating a control objective requirement description updates the related control requirement description if the control is in Draft; otherwise, the update occurs when the control returns to Draft state.
    • Removing control objective requirements marks corresponding control requirements as Manual requirements (not deleted) regardless of control state; the manual tag can be removed if the control moves to Draft.
    • New controls created after removal of control objective requirements only include existing active requirements, excluding the removed ones.

    Authorization package state impact

    • Moving the authorization package from Implement to Select state retires all associated controls and their requirements.
    • These state transitions and associated item generation actions ensure accurate lifecycle management of controls and requirements.

    Required upgrade steps for Yokohama release

    • New fields Authorization package and Control allocation are added to the Control form; existing CAM controls are populated with values in these fields.
    • For all NIST 800-53 Revision 5 control objectives, the Create control requirements option is set to True by default.
    • Control requirements are generated for all existing controls in Draft state associated with these NIST 800-53 Revision 5 control objectives to align with new generation logic.

    The Creates controls automatically and Create control requirements options in the control objective form and the state of the authorization package are important to create control requirements.

    Control requirement generation logic

    If you enable the Creates controls automatically and Create control requirements options in the control objective form, then the item generation flow is triggered automatically to create controls and control requirements, respectively. Depending on the state of the control, the generated control requirements' state changes.

    If the Create control requirements option is selected when the authorization package moves from the Select to the Implement state, the controls are generated. At the same time, control requirements for the control objective requirements are also generated. Control requirements would be generated only if the control objective requirements are present and if the flag is true. If the control objective requirements are present but the flag is false, then the control requirements would not be generated.

    If while creating the control objective, the flag was set as false and the requirements weren’t generated, you can still generate the control requirements by selecting the flag and saving the control objective record, provided the controls associated with this particular control objective have control objective requirements, and the controls are Active and in the Draft state. If the controls are in any state other than Draft, then control requirements would not be generated. However, if, for example, the control was in the Monitor state and is moved back to Draft state, then control requirements would be generated provided the Create control requirements option is selected.

    New control objective requirements added
    The same is the case when you add control objective requirements to a control objective using New or Edit in the Control objective requirements related list.
    Update
    If you update the description of a control objective requirement, then the description of the corresponding control requirement is updated provided the control is in the Draft state. If the control is in any other state, then the description is updated when the control moves back to Draft state.
    Delete
    If a few of the control objective requirements of a control objective are removed, then correspondingly the control requirements of the control cannot be removed, instead they are marked as a Manual requirement. This condition is true for controls in any state. Later, if the control moves to Draft state, then you can remove the manual tag from these requirements. On the other hand, if a new control is created after some of the control objective requirements are removed, then the new control does not have the requirements that were removed but only the existing number.

    If the authorization package moves from the Implement to Select state, then all the associated controls of CAM are retired, and correspondingly all the requirements associated with them are also retired. All these actions are handled by item generation.

    Required upgrade steps

    The following actions happen when you upgrade to the Yokohama release:
    1. The Authorization package field and Control allocation field in the Control form are newly added. The values in these fields are populated for existing CAM controls.
    2. For all NIST 800-53-revision 5 control objectives, the Create control requirements option is set to True by default in the Control objective form.
    3. The control requirements are created for all the existing controls, from NIST 800-53-revision 5 control objectives, which are in the Draft state.