Impact of the compensating controls on risk score and expiration date
Summary of Impact of the compensating controls on risk score and expiration date
This document explains how compensating controls affect the risk score and expiration date of vulnerable items and remediation tasks in ServiceNow Vulnerability Response. It outlines the process for requesting and approving risk reduction, and details how these changes are reflected in risk scores and associated fields.
Impact on Risk Scores and Expiration Dates
- When a risk reduction request is approved, the risk score is adjusted to the highest risk score associated with the approved Desired value (risk rating) from the state change approval record.
- The Risk score field reflects the reduced risk score, while the original scanner-calculated risk score moves to the Original risk score field. This remains in effect until the Until date for risk reduction.
- During vulnerability ingestion, the calculated risk score may update the risk score and original risk score depending on comparisons with the compensating control’s risk score.
- When compensating controls expire on the Until date, the risk score reverts to the original higher risk rating.
Impact on Remediation Tasks and Vulnerable Items
- Compensating controls approved on remediation tasks apply to all associated vulnerable items (except Closed ones) with risk scores above the Desired value, reducing their risk scores accordingly.
- Newly ingested vulnerable items associated with remediation tasks that have approved compensating controls inherit the reduced risk rating automatically. Their SLA calculations are based on this reduced risk.
- The Until date for risk reduction on remediation tasks only rolls down to vulnerable items if no compensating control existed prior; otherwise, existing expiration dates on vulnerable items take precedence.
- Reapplying compensating controls on remediation tasks does not update the Until date for vulnerable items if they already have one.
Behavior When Vulnerable Items Change
- If a Configuration Item (CI) changes for a vulnerable item with compensating controls, the control continues to apply if the system property sn_sec_cmn.update_on_ci_change is true.
- If that property is false, the vulnerable item is closed, a new one is created, and the compensating control along with risk scores and expiration dates are transferred to the new item.
- When a vulnerable item is reopened by the scanner, any existing compensating controls remain applied.
Practical Implications for ServiceNow Customers
- Customers can effectively manage risk levels by requesting compensating controls that reduce risk scores and influence SLAs for remediation prioritization.
- The system ensures consistent application of compensating controls even as new vulnerabilities are added or existing items are updated.
- Expiration dates for risk reductions are carefully managed to ensure controls are valid and risk scores revert appropriately when controls expire.
- Understanding these mechanics helps customers maintain accurate risk scoring and remediation workflows aligned with their security policies.
As a Remediation Owner, you can request risk reduction for a host vulnerable item or remediation task, and a Vulnerability Manager or Analyst can approve these risk reduction requests.
For more information on requesting risk reduction and approving or rejecting those requests, see Request risk reduction for a vulnerable item or remediation task and Approve or reject requests in the Vulnerability Manager Workspace, respectively.
When a risk reduction request is approved, the risk score is reduced according to the Desired value (risk rating) in the state change approval (VCA#) record: the record is assigned the highest risk score of the desired risk rating. The following example shows how the Risk score and Original risk score are updated when compensating controls are applied. The default highest risk scores of the risk ratings are used in this example.
| Scenario | Risk rating | Risk score | Original risk score (Calculated risk score) |
|---|---|---|---|
| Data prior to v20.0 | 2 - High | 80 | The field is not available prior to v20.0. |
| After upgrading to v20.0 | 2 - High | 80 | Null |
| Calculated risk score changes to 90 during ingestion | 1 - Critical | 90 | Null |
| When you apply compensating controls | 3 - Medium | 69 | 90 |
| Calculated risk score changes to 70 during ingestion | 3 - Medium | 69 | 70 |
| Calculated risk score changes to 50 during ingestion | 3 - Medium | 50 | 50 |
| Calculated risk score changes to 80 during ingestion | 3 - Medium | 50 | 80 |
| When compensating controls expire on Until date for risk reduction | 2 - High | 80 | Null |
Impact of compensating controls on a remediation task
When your request for risk reduction is approved for a remediation task, the impact of compensating controls on its vulnerable items is as follows:
- The compensating controls applied on the remediation task are applied to its vulnerable items (other than those in the Closed state) whose risk score is greater than the risk score corresponding to the Desired value in the remediation task's state change approval, and the risk score of those vulnerable items is reduced according to the Desired value.
- When new vulnerable items are ingested and associated with a remediation task that already has an approved compensating control, the reduced risk rating is automatically inherited by the new vulnerable items. The risk score of the new vulnerable items is set to match the Desired value from the approved state change approval record, and the Original risk score field reflects the scanner-calculated value. This applies to all finding types across Vulnerability Response, Application Vulnerability Response, and Container Vulnerability Response.
- The SLA for newly ingested vulnerable items that inherit a compensating control from the remediation task is calculated based on the reduced risk level, not the original scanner-severity level.
- The Until date for risk reduction remains unchanged for the vulnerable items on which a compensating control is already applied. It is not updated with the Until date for risk reduction of the Remediation Task.
- The Until date for risk reduction is rolled down to the vulnerable items only when no compensating control was previously applied to any of them. If you apply compensating controls on the remediation task again, the Until date for risk reduction is not rolled down to the vulnerable items, because the existing Until date for risk reduction of the vulnerable items is given priority.
- When a new vulnerable item is added to a remediation task on which compensating controls are already applied, the compensating control is automatically applied to the new vulnerable item, and its risk score is reduced to match the Desired value from the approved state change approval record.
Impact of a compensating control on a vulnerable item
When your request for risk reduction is approved for a vulnerable item:
- Its new risk score displays in the Risk score field and the old risk score (calculated risk score) moves to the Original risk score field. This change holds until the date specified in the Until date for risk reduction field.
- When a vulnerable item already has compensating controls applied, during ingestion:
  - If the calculated risk score is greater than the Risk score, the Risk score remains the same and the Original risk score is updated with the calculated risk score.
  - If the calculated risk score is less than the Risk score, both the Risk score and the Original risk score are updated with the calculated risk score.
- If a Configuration Item (CI) is changed for a vulnerable item on which a compensating control is already applied:
  - By default, the sn_sec_cmn.update_on_ci_change system property is set to true and the CI is updated on the vulnerable item. The compensating control remains applicable to the vulnerable item.
  - If the sn_sec_cmn.update_on_ci_change system property is set to false, the vulnerable item is closed and a new vulnerable item is created. The compensating control applied to the old vulnerable item is applied to the new vulnerable item, and the Until date for risk reduction, Original risk score and Risk score remain the same.
- When a vulnerable item is reopened by the scanner and a compensating control is already applied on it, the same compensating control is applied after it is reopened.
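The following is an added example, not ServiceNow code, that models the Risk score and Original risk score transitions described in the ingestion rules above and in the table earlier on this page, so the rows can be replayed and checked. The rating bands and the in-memory item shape are assumptions for illustration (check your instance's configured risk rating ranges); Until dates are compared as ISO date strings.

```javascript
// Added example, not ServiceNow code: models the Risk score / Original risk score
// transitions this page describes. Rating bands are assumed defaults for illustration.
const RATING_BANDS = [
  { rating: '1 - Critical', min: 90, max: 100 },
  { rating: '2 - High', min: 70, max: 89 },
  { rating: '3 - Medium', min: 40, max: 69 },
  { rating: '4 - Low', min: 0, max: 39 },
];
const ratingFor = (s) => RATING_BANDS.find((b) => s >= b.min && s <= b.max).rating;
const maxFor = (r) => RATING_BANDS.find((b) => b.rating === r).max;

function createVulnerableItem(calculated) {
  return { riskScore: calculated, originalRiskScore: null, rating: ratingFor(calculated), control: null };
}

// Approved reduction: Risk score becomes the highest score of the Desired rating and the
// scanner value moves to Original risk score; items already at or below it are not reduced.
function applyCompensatingControl(vi, desiredRating, untilDate) {
  const reduced = maxFor(desiredRating);
  if (vi.riskScore > reduced) {
    vi.originalRiskScore = vi.riskScore;
    vi.riskScore = reduced;
    vi.rating = desiredRating;
  }
  vi.control = { desiredRating, untilDate }; // untilDate as 'YYYY-MM-DD' (assumption)
  return vi;
}

// Ingestion while a control is active: a higher calculated score only refreshes
// Original risk score; a lower one lowers both. Without a control, Risk score follows it.
function ingest(vi, calculated) {
  if (!vi.control) {
    vi.riskScore = calculated;
    vi.rating = ratingFor(calculated);
  } else if (calculated > vi.riskScore) {
    vi.originalRiskScore = calculated;
  } else {
    vi.riskScore = vi.originalRiskScore = calculated;
  }
  return vi;
}

// On the Until date the original (higher) score and its rating come back.
function expireControl(vi, today) {
  if (!vi.control || today < vi.control.untilDate) return vi;
  if (vi.originalRiskScore !== null) vi.riskScore = vi.originalRiskScore;
  Object.assign(vi, { originalRiskScore: null, rating: ratingFor(vi.riskScore), control: null });
  return vi;
}
```

Replaying the page's table (start at 80, ingest 90, apply a Medium control, ingest 70, 50 and 80, then expire) reproduces its rows step by step.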