The ServiceNow® Continuous Authorization and Monitoring (CAM) application helps governmental organizations, contractors, critical infrastructure entities, and other high-assurance organizations manage their compliance with cyber risk management frameworks.
With CAM, you can manage the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), Defense Federal Acquisition Regulation Supplement/NIST 800–171 (DFARS), FedRAMP, International Organization for Standardization (ISO) 31000, and high-maturity standards.
You can apply digital transformation across all stages of the risk management lifecycle to reduce manual work, improve collaboration across functional teams within the platform, and use the flexibility of the ServiceNow® platform to adapt the risk management system to your own processes. You can also achieve new levels of automation for the many tasks involved in managing authorization boundaries, impact assessments, system categorization, controls, audits, plans of action and milestones, artifacts, attestations, continuous monitoring, ongoing authorization, and more.
- Manage authorization boundaries with deep integration into CMDB.
- Manage and assign roles such as ISSO, ISSM, System Owner, Security Controls Assessors, Information Owner, and key stakeholders.
- Attach key artifacts, such as the data flow diagram and the network diagram.
- Perform impact analysis within the platform with automated system categorization.
- Automatically select baseline controls with selection overrides.
- Manage control overlays with individual control tailoring and reasons for control exceptions.
- Define and inherit common controls across authorization boundaries with full visibility of those controls, their owners, and current states.
- Automatically generate issues and findings based on automated or manual indicators, or attestations.
- Receive attestation responses and artifacts within the platform without resorting to email and spreadsheets.
- Use indicators to define acceptable or unacceptable data conditions for true continuous monitoring.
- Create assessment engagements and test plans, and issue assessment tasks to control assessors.
- Create and manage Plan of Action & Milestones (POA&Ms) and drive related work tasks and subtasks across functional teams without leaving the platform.
- Gain visibility into the work completion status and timeliness of POA&Ms in progress before they are overdue.
- Automatically generate System Security Plans (SSPs) from up-to-date ground truth.
- Continuously monitor the state of compliance and authorization of your programs and missions.
Fixes:
- Fixed security bugs.
- Resolved an issue with the visibility of the Vulnerable Item widget in the Overview tab when the security plugin is not installed.
- Resolved an Access Restricted error for the Packages Pending Approval widget in the CAM Dashboard and the AO Dashboard.
The following GRC applications must be installed and active:
- GRC: Policy and Compliance Management (com.sn_compliance)
- GRC: Risk Management (com.sn_risk)
- GRC: Audit Management (com.sn_audit)
When upgrading this application, ensure that all other installed GRC applications are also upgraded to the equivalent release version to maintain compatibility. For example, Continuous Authorization and Monitoring version 21.x is certified to work with the other GRC applications at version 21.x.