The ServiceNow® Continuous Authorization and Monitoring (CAM) application helps government agencies, contractors, and high-security organizations manage compliance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). It supports frameworks and standards including RMF and ISO 31000. CAM streamlines the entire risk management lifecycle, reducing manual effort, improving team collaboration, and supporting adaptation to organization-specific processes. The application automates key tasks, including authorization boundary management, impact assessments, system categorization, control implementation, audits, Plans of Action and Milestones (POA&Ms), artifact management, attestations, continuous monitoring, and ongoing authorization.
Persona-based workspaces support efficient management of your RMF program, with each workspace tailored to specific roles such as Authorization Official, Security Control Assessor, System Owner, System User, Information Owner, Information System Security Officer, Information System Security Manager, and CAM Admin.
Key features of Continuous Authorization and Monitoring (CAM):
- Homepage: A centralized landing page providing an at-a-glance overview of your CAM program and quick access to key tasks and records.
- Overview of Boundary: A summary view of authorization boundary details, including associated systems, controls, and compliance status.
- Overview of Package: A summary view of RMF package details, providing visibility into package status and associated records.
- Unified Tasks page: A single consolidated page for managing tasks across the RMF lifecycle.
- Contextual Pane: A side panel that displays contextual details for boundaries, packages, controls, and control objectives without navigating away from the current page.
- POA&M landing page: A dedicated page for creating, tracking, and managing Plans of Action and Milestones.
- 360-degree View: A comprehensive relational view that surfaces all associated records and dependencies for a selected item.
- Platform Analytics dashboards: Pre-built dashboards integrated with Platform Analytics for reporting and visualization across your RMF program.
- OSCAL import and export: Support for importing and exporting catalogs and System Security Plans (SSPs) in OSCAL format.
- ATO artifacts: Generation and management of Authorization to Operate documentation, including SSP, SAR, POA&M, SAP, ATO Letter, and Executive Summary.
- Word template reporting: Support for generating and exporting reports using Word templates.
New
This release introduces the following enhancements:
- Added support for importing and exporting the OSCAL Assessment Results (AR) model.
- Added package-level configuration to skip attestations for controls within a package.
- Implemented additional query range ACLs to enhance security.
- Added missing CAM-specific fields to OSCAL import and export.
Fixed
This release resolves the following issues:
- Multiple issues affecting OSCAL import and export.
- Pagination missing in the preview and override sections of OSCAL import.
- Vertical related list momentarily displaying a "No record available" message while loading.
- Category, Type, and Classification fields not enabled on the Control Objective related list.
The following Governance, Risk, and Compliance (GRC) applications must be installed and active:
- GRC: Continuous Authorization and Monitoring (com.sn_irm_cont_auth_monitor).
- GRC: Common Workspace Elements (com.sn_grc_workspace).
- ServiceNow IntegrationHub Action Step—Zip (com.glide.hub.action_step.zip) for OSCAL Export.
Permissions and roles:
- Role required to install the app: System Administrator (admin)
When you upgrade this application, make sure to upgrade any other installed GRC applications to the equivalent release version. For example, Continuous Authorization and Monitoring version 21.x is certified to work with other GRC applications at version 21.x.