The ServiceNow® Continuous Authorization and Monitoring (CAM) application helps government agencies, contractors, critical infrastructure entities, and other high-assurance organizations manage compliance with cyber risk management frameworks.
CAM supports a broad range of frameworks and standards, including the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), NIST Cybersecurity Framework (CSF), Defense Federal Acquisition Regulation Supplement/NIST 800-171 (DFARS), FedRAMP, ISO 31000, and other high-maturity standards.
CAM streamlines the entire risk management lifecycle, reducing manual effort, improving collaboration across functional teams, and adapting to your organization's processes. The application also automates key tasks across authorization boundary management, impact assessments, system categorization, control implementation, audits, Plans of Action and Milestones (POA&Ms), artifact management, attestations, continuous monitoring, and ongoing authorization.
- Manage authorization boundaries with deep integration into the CMDB.
- Manage and assign roles such as ISSO, ISSM, System Owner, Security Control Assessors, Information Owner, and key stakeholders.
- Attach key artifacts, such as the data flow diagram and the network diagram.
- Perform impact analysis within the platform with automated system categorization.
- Automatically select baseline controls with selection overrides.
- Manage control overlays with individual control tailoring and reasons for control exceptions.
- Define and inherit common controls across authorization boundaries with full visibility of those controls, their owners, and current states.
- Automatically generate issues and findings based on automated or manual indicators, or attestations.
- Receive attestation responses and artifacts within the platform without resorting to email and spreadsheets.
- Use indicators to define acceptable or unacceptable data conditions for true continuous monitoring.
- Create assessment engagements and test plans, and issue assessment tasks to control assessors.
- Create and manage Plans of Action and Milestones (POA&Ms) and drive related work tasks and subtasks across functional teams without leaving the platform.
- Gain visibility into the work completion status and timeliness of POA&Ms in progress before they are overdue.
- Automatically generate System Security Plans (SSPs) with up-to-date ground truth.
- Continuously monitor the state of compliance and authorization of your programs and missions.
Changed
This release includes the following changes:
- CAM email notifications now include references to records in the workspace.
Fixed
This release resolves the following issues:
- Orphaned system elements not removed when an authorization boundary is deleted.
- CIA impact value columns not displaying in the Information Types popup.
- SSP HTML template reports displaying incorrect data for Rev 5 Authorization Packages.
The following GRC applications must be installed and active:
- GRC: Policy and Compliance Management (com.sn_compliance)
- GRC: Risk Management (com.sn_risk)
- GRC: Audit Management (com.sn_audit)
- Integrated Risk Management Professional (com.sn_irm_pro)
When upgrading this application, ensure that all other installed GRC applications are also upgraded to the equivalent release version to maintain compatibility. For example, Continuous Authorization and Monitoring version 21.x is certified to work with other GRC applications at version 21.x.