NJP

10/28 Ask the Expert: Discover Continuous Authorization & Monitoring on cybersecurity risk: NIST RMF

Import · Oct 28, 2020 · video

thank you all for joining today and if you have any other questions after this recording please do put them on the community link that i'll be providing that way um our experts will always be able to come back and answer them okay with that let's go ahead and take it away thanks jorge all right thank you lisa all right so uh today we i'll be walking you through our new application continuous authorization and monitoring before i get started however let me just advance my slides here there we go there are a series of applications that are being released that were released in october um cam as we're calling it internally continuous authorization and monitoring was one that i was introduced in october but we do have a few others that came out features on existing applications and then we have a few other things coming out in november so that is what we're celebrating here um there are other series that you can take a look at so last week we started with business continuity management which is a new application that was released as part of the risk portfolio uh continuous authorization and monitoring uh heavily focusing on nist rmf is what we'll focus today but starting next week you can also take a look at existing functionality for advanced risk assessments for policy and compliance and internal audit i'll be back with you guys for vendor risk management and then in december we'll unveil the two new applications coming out in november first regulatory change management and um last operational resiliency so i hope you're able to join us and if you cannot then the recordings are available in the community and you can always access those all right so let's get started right into continuous authorization and monitoring right so this is an application that we built specifically to solve for nist rmf and so a lot of our customers are trying uh we're trying to do risk management governance and um we're heavily mandated by the federal government at least here in the united 
states to follow 837 853 more commonly known as nist risk management framework for cyber security compliance and so what we introduced in october is an application that is built on top of our grc applications and that is why we're still part of that risk or grc portfolio to walk you um as an end user from being able to scope and define as an authorization boundary or a system as it was previously known as walk you through the seven stages now that rmf has including some aspects of prepare all the way to monitor doing a lot of the things that rmf mandates that you should do before i go into the demo let's walk you through why first do why service now and then why grc right and so that's kind of what i'll take a couple minutes in explaining and then i will walk you through an end-to-end demo from starting to define an authorization boundary we'll walk it through the seven stages all the way to monitor so the first thing that we'll take a look at is when we are talking about an authorization package there's a lot of things that happen in the prepare step right there's things that i need to do to define the stakeholders i need to come up with a mission i need to come up with a risk monitoring strategy but an important aspect that we noticed was that when we talked to our customers they were using a visio diagram from three years ago to define their authorization boundary and so they kept approaching us servicenow because we already have all of that asset information through our cmdb right and through item item sorry we give you the automation of going out discovering all of your assets within your environment being able to tie them to business processes and so when you create an authorization boundary and service now it's as close to real time as you can possibly get because we're going after the source of record right the source of truth into exactly what is happening in your environment and so we're reducing the manual step which becomes a snapshot in time it reduces 
the ability to do continuous monitoring continuous diagnostics and monitoring whatever steps you leverage because we are actually going deep into the cmdb and pulling out those assets from there the where where this is complemented right is that through software asset management and hardware asset management uh same in him respectively you can now start tying business context around it right so it's great to know that you do have a bunch of servers but what does it mean right what do they do within your organization which services do they help support how are they performing over time and so the same idea of being able to define an authorization boundary tied to those missions or objectives and understand what they're being used for will help you in this prepare step right to gain that context that will then allow you to perform the remaining six steps of rmf and then finally if you read 837 one of the things that they talk about is being heavily embedded in the software development life cycle or sdlc right so with our devops capabilities that we have in servicenow you can now embed rmf early in the process so that it reduces cost it reduces some of the um you know kind of resource intensive steps of going in and implementing certain controls after the fact right so with these three capabilities we believe and it's part of the servicenow portfolio we believe that we can introduce better mechanisms to define the authorization boundary the second thing that we'll do is still part of the prepare step and it revolves around performing risk assessments right and this is um really why we're heavily so heavily embedded with our risk management suite of products because we can do certain things like a business impact assessment or business impact analysis or bia through our business new business continuity management application we can do things like doing an inherent versus residual risk assessment with risk management or we can have tailored very specific rmf type of 
assessments that help us understand what type of system i'm dealing with right and this is all part of risk management additionally just again if you read 837 they talk a little bit about supply chain risk right and so we have vendor risk management under our portfolio that you can also tie to better understand your authorization boundary to gain that business context and just have you uh give you better visibility into really what's happening with your environment i'm going to take a few minutes just to walk exactly what risk management is and it's going to take less than a minute but then we'll go back into the slides right so the first thing is when you look at what nist and this is in this slide it's not a service now slide what they call out as their enterprise risk management framework they have these you know different tasks or functions that an erm playbook has to do from identifying context all the way to monitoring and they this is how they see something like nist rmf fit into that erm playbook this is why we built rmf on top of risk management on top of policy and compliance because a lot of the things that we have to do from an rmf perspective are things that were needed capabilities of servicenow risk management of servicenow policy and compliance and so it made no sense to reinvent the wheel it made no sense to build something that was specific for rmf other than a wrapper in a process workflow that helps you drive and quarterback all of these different activities that need to happen but it's all built on top of existing functionality the idea here too is that because we have in risk management an erm playbook or erm capabilities we've introduced rmf capabilities and content that we can also help other customers solve for other types of regulations and requirements that they had to adhere to such as iso 31000 ombh123 or gao green book right so because we built the left hand side of this we've now built the right hand side of this it allows customers 
to build a risk management program that has more than one regulation embedded in it along those lines right our risk management portfolio our risk portfolio excuse me has been recognized by both forester and gartner we are the only vendor who is a leader in both and so you know again you know from a product perspective it just made perfect sense to be able to sit on top of those products rather than have to reinvent the wheel and do something that you know risk management was already doing if we go back uh to this view right so the second thing that we have to do is around control baselines and information types and control inheritance right so we use policy and compliance to create those controlled baselines uh we give you information types coming in from this 8 1 800 um sorry 160 version 2 we have capabilities around control inheritance controlled life cycle and when i go through the demo i'll be able to show you all of those things and finally once we get into the authorization and monitor steps this is where our capabilities are on for security operations right knowing where um a vulnerability vulnerability excuse me lives the context behind the vulnerability if it has an exploit if it affects c i or a what's the risk associated with that vulnerability and give you that level of visibility right today a lot of these processes happen manually a lot of these processes happening outside of technology there are a lot of silos where a bunch of this information is kept right and so with servicenow what we're trying to do is reduce those silos and bring in that work into the platform so that you can audit for it this can be better communication across all stakeholders and this is another example right there is a team that is doing vulnerabilities day in and day out they're doing scanning they're doing remediation around those scans by implementing patches by changing software versions etc and this is now visibility that you can have as a you know user of cam and 
vulnerability response alongside with that you can have things like security incidents and i'll show you what that looks like um but even things like changes happening on a software version or in a server incidents that are acquiring across your environment right they may not impact confidentiality and they may not impact integrity but you know there's three there's a third thing around availability right so we understand that if your systems were to go down it would actually have an impact on your business as a whole right because i'm sure that system helps support important business processes and that's where the availability comes into play right so we even think that having some of the very basic and you know kind of our bread and butter on service now around incident management can help inform really how the system is performing and what that risk rating is from an ongoing basis we of course have a variety of different other products in servicenow so you know we touched on a few really the left-hand side of this as servicenow continues to enrich their portfolio we'll be able to um enrich this continuous authorization management application in small right um and so that's really the few slides that i wanted to show i wanted to focus a lot of my time on the demo so i don't see any questions on the chat or in the q a please feel free to ask as many questions as you want i am closely monitoring this so i'll i'll stop the moment you see something or the moment that i see something so that i can answer that question in a timely fashion so let me go ahead and switch uh to my environment um this view here i just lost my mouse there for a second and so as part of continuous authorization and monitoring we've included a series of different roles and personas that come with the application if you look and read the documentation there's about like 30 or 50 different roles that they talk about but we've included the mature the main ones right and i'll show you what those 
are when you get into the boundary and package what i'm seeing now though is i am a system owner an so susan orwell in this case and i'm going to start by first defining my authorization boundary so these are the boundaries that i own or the systems that i own i'm going to go ahead and create a brand new one so i will call this my demo authorization boundary i'm going to give it a description and here i see some of the stakeholders associated with the authorization boundary right i still don't see the authorized and official i still don't see the iso and the ec and all these other personas because those are associated with the package itself right and we'll define them when we define the package we have an authorization boundary record here and we did that because a it's easier to monitor and track changes right so if there's new assets that are coming online it doesn't affect your package it affects your boundary and so it just gives us a lot more flexibility there if you are migrating your process from a legacy solution um or if you're even migrating from a manual uh solution right then and you've already kind of defined your diagrams in visio and lucidchart whatever technology you use we give you the ability to attach those here right so if you have a drawing of your boundary you can absolutely attach it as part of this record however the power of the platform and the power of this application is in defining your system elements and tying them specifically to those assets in your environment there's a couple ways that we can do this right the first is through a boundary filter and a boundary filter will allows us to essentially cast a wide net and add more than one system element at a time right so i'm going to quickly walk you through what that looks like so if i create a new boundary filter i am going to call this windows servers right so the expectation is that susan orwell owns a particular set of windows servers i'm going to go to that table here in service 
now and i can see that i have 52 records matching you create your filter condition and you can do certain things like you know my ip address ranges from you know x to i i can do things like the owner is equal to me in this case because you know we only have 52 things and it's just for demo purposes i'm just going to pick the ones that you know are essentially not retired or stolen that brings our records down to 43 and if i submit this boundary filter i notice that automatically those 43 system elements have been added to my list here i can do some cleanup right so as i said a boundary filter cast a wide net perhaps there's some windows servers here that are fall outside of my scope and so you know this load balancer in this example or anything in san diego right i know that is someone else owns those um i can go ahead and delete those from this list i'm not going to do that just for demo purposes but before i move on i i do want to clarify that you can create as many boundary filters as you want so in this case if susan owned both windows servers and linux servers she would be able to do so if the scope of ownership is not so much horizontal but more so vertical right so i own the windows servers i own the app servers i own the databases and i in fact i own the business process right so i own an entire process um from the business perspective all the way down to the it assets so i think of it more as a vertical boundary then i can also create those boundary filters to scope all of those out if you have very specific system elements in mind or specific assets in mind then you can bring those as well by the way while i show you this um you know i i know i keep harping on cmdb right which is you know actual asset information but you can bring in business processes you can bring in physical locations you can bring in um you know anything people anything that you have in in service now so in this case what i'm going to do is i'm going to go after my laptop which i've 
added here right so not only do i own windows servers i own the laptop which is i use to manage those uh windows servers right so as i go here i see that i have things on a filter but my apple macbook i did not add from a filter right which is why it's shown like this now before i move on to authorization packages um the thing and i see a question and i'll answer in just a few minutes is there is um a great value of doing this because as i said uh before we are um bringing in all of the affected assets from a vulnerability perspective right all the incidents and so if we tie in these physical assets at this stage here it's actually going to make our job easier is down the line um so let me go ahead and just answer a few questions here so the question is is this filter dynamic so that if new servers are added in the future they will be included in the system elements so as of today the filter is dynamic there is a manual job that runs and brings in those new system elements we have an application around regulatory change management that we're exploring to see if there needs to be a change management process around your boundary right so that if you know if maybe five new assets get added and come live that's fine but if your entire boundary changes right then maybe we need to reauthorize the whole entire thing so we are exploring on mechanisms of how of what processes we need to implement when these system elements start changing but as of today the filter is dynamic you can run a job and get the you know get the deltas but we want to make sure that as we continue to enhance this product that we show those deltas better and that maybe we come up with a review and approval process for those deltas the second question around brian is can you demonstrate a failure of an inherited control on your system boundary so yes but i'll get to that once i get to the authorization package so what i'm going to do now is i'm going to go ahead and create an authorization package 
here and so i will call this demo auth package um i can define an acronym and here as you can see i can tie it to a business process and here's where you also see some of the additional roles and personas that we have right so i need to define an authorizing official they're going to have a different visibility and different access as well as different dashboards and reports that are specific to their role i can define a security control assessor or a ska i can define an iso or multiple isos in this case i'll choose isabel and then i have information owners and systems users coming in from the authorization boundary the thing about service now is that if you have additional roles here like i said when you read the documentation there's about 25 to 30. a common one that i get here a lot is in the issy which is an information system security engineer you can absolutely configure it and add that particular role or persona to your process i'm going to go ahead and save it and we're still part of the prepare step right i need to i can define a system or purpose if there's things that you need to add here like ip ranges um you know anything that pertains to the way that you track and uh and the way that you define or need to document or describe a system you can add all of those here through a drag and drop mechanism you can also start doing some assessments here i'm going to show you how you can do a pta or privacy threshold analysis followed by a pia so if i answered any of these questions is yes um then i will be able to take a privacy impact assessment what i'm going to do is i'm going to answer all of these as now because i don't want to show you what um there's no sense of me showing you what to responding to an assessment but what i did want to show is the fact that we can absolutely perform any type of assessment if you want to do a pia you can do so if you want to do inherent versus residual you can do so in here in this case again we're just focusing on this 
privacy aspect of things now that i've done the prepare step and there's other things that live outside of this right when you define your business or vision of business processes your continuous monitoring strategy i'll show you kind of how that works a little bit but anything again anything else that you want to use to describe the system can be drag um configured and added to the form here what i'll do is i'll move to categorize and in the categorize step the main output of this is to derive the impact and the way that we do this in service now is a couple of ways right first you can do it manually but what we've done is we've include included a library of information types this comes from 80160 version 2. um with their respective cina right so i'm going to add that collection i'm going to add global trade and information system security right i can add one or multiple information types that this particular system processes stores interacts with and we've also brought in their respective cina coming in from nist and you know at this stage you can do some overriding right um self confidentiality i see low moderate high and low and what we do is we take the high water mark or the worst case scenario for each and then we also take the high water mark um for impact based on cina right so let's um let's spend a few minutes kind of walking through what that looks like right so first thing i can do is i can override global trade and i can say that in this particular instance and that's important to the node right global trade is high high high and if i create another package and i use global trade i would still see high high and high i can override this instance of global trade though so just by changing confidentiality to moderate does not mean that i change it for everyone else if i wanted to change it for everyone else then i would go into this information type library and if i had the right permissions then i could but i'm only modifying this particular instance 
and saying that in this case global trade is moderate and you'll see that our recommended switch to moderate i can also override the overall impact right then i can say well this is true right i am storing global trade but my impact is going to be moderate and this is my justification right and when i save this record you'll see that the impact of the package is actually moderate and so there's multiple ways that you can override it but you can always make that last determination to what your ultimate impact is going to be right in this case we're going to determine that it's moderate when you read the documentation there is an approval step between categorize and select because this impact field will help you determine which controls you need to implement and that comes from nist and so as i request approval here it gets sent out to a couple of stakeholders with email notifications the ism right but we've not defined one and the ao and so what i'm going to do now is i'm going to quickly impersonate an authorizing official and just very quickly approve this as well um just so that we can go through the rest of the demo i've approved it what i'm going to uh also do is i'm going to impersonate now an iso right so i impersonated as um a system owner now i'm going to impersonate and isso so as i go here i'm going to go into my authorization package which is the demo one and i'll be able to see that what we've done right based on this impact is we've automatically told you which controls nist stipulates you need to implement because of your moderate impact and we land here on the select face which um that perf which allows you to perform controlled tailoring and so i'll spend a couple more minutes here on control tailoring before i move on but first things is uh for the 262 controls that i have i'm able to do four things to it right the first is i can add additional controls i can add them by adding a control overlay so if i add here a privacy overlay then you know and 
it may be actually based on my pia results then i would have added additional controls that are tied to that overlay and those overlays we give customers the ability to create them to manage them to review them and finally approve them so that that control overlay can be an organizational overlay that is leveraged and used across the organization you can also add controls right so i can add these two you know controls i'll just pick the first two and i you know essentially enriched my list of controls than that that i now need to implement so that's the first thing that i can do which is add additional controls the second thing is i can mark things as not applicable excuse me i just took a little bit of water there so um what i what i need to do here or what i can do here is i can say well personal security policy and procedures because i own windows servers does not apply to me right this needs to belong to somebody else or um you know and and it goes hand in hand with control inheritance but let's just imagine for a second that i don't know who owns this control all i know is that i cannot add personnel security and policy and procedures right so first thing i'll say is this control is not applicable right and i can say okay i'll confirm and then we what we do is we move it to this bucket here of not applicable controls here i see my justification um so that later on it's easier for stakeholders to consume right so they're not having to go through all 263 controls and filter and see which ones come can wear deem non-applicable um it stays in this bucket throughout the life cycle of the entire package so that again it's easier to consume for other stakeholders so that's the second thing that i can do is i can mark certain controls that's not applicable then the third and fourth thing revolver on control inheritance so control inheritance and i think there was a question that was asked by someone is the idea that because i own windows servers and i get asked to 
have an alternate processing site or i get asked to have physical security controls or i get asked to have a fire suppression system those are things that i'm not going to own but i know are things that the facility owner is going to own right so the facility will be part of its own system and i know that i think i can inherit those controls but before i can inherit a control i need to create those controls as common controls right and that's kind of the third thing that you see here sorry the fourth thing but it's really the first step right so first thing that i'm going to do is i can say alternate processing site identification authentication and these functional properties of security controls and it's just the first study that i saw i'm going to go ahead and i'm going to create them as common controls we give you a confirmation message letting you know what that means and what happens now is that these uh you know common controls you're going to be the a provider a common control provider for them but they do not get added to the catalog until the package gets formally authorized so as i go into just a few minutes and showing you i want to inherit from my common control i won't see these three on the list because they've not been added to the catalog because the package has not been authorized so that's kind of the the third thing that i can do right if i am defined or i someone tells me that i need to be a common control provider then this is how i'll be able to look at the list of controls and perhaps it's all of them or perhaps it's just a subset of them right we give you that flexibility to choose exactly what that number is like then um the the thing that i can finally do is now that i do have some common controls i can inherit from common controls right so in this case i have this alternate worksite control that i'm you know being asked to implement i know that the facility that i sit in has already implemented that control and so now i am able to 
inherit the control so this is the control that i need to implement alternate worksite i'm inheriting from the same control coming in from nist but that is being performed at the data center level right the facility level i have bad demo data here to be to be quite honest um and so the question was around being able to demonstrate a failure of an inherited control uh this is where this status field would show you whether something is compliant or non-compliant so the owner of that common control is now responsible for ensuring the controller support is implemented and ensuring that the control is compliant and i can inherit the protection from that common control but i also inherit the compliance of that common control so if the warwick data center owner control is non-compliant then i am also non-compliant if i wanted to get additional details around how the control was implemented uh implementation steps etc i'll be able to click on the control here and get that visibility right but in this case you know the status is the more important thing which is again whether that control is compliant or non-compliant that pretty much sums up the four things that we can do around control tailoring just to briefly recap i can add mike thinks it's not applicable or do control inheritance either by defining myself as a common control provider or inheriting from a common control provider there is another approval step between select and implement so let's go ahead and walk through that and i think this one makes a lot of sense as well right because there's a lot of resources and time commitments that need to happen when you implement controls so before you go ahead and do that and spend the money and buy all those technologies and solutions gives you an ability to make sure that you do have the right scope of control selected and defined during your um tailoring phase so as i go into this um you'll see that we've now automatically move to the implement step what we also do is 
we create the controls automatically and so let's talk a little bit about you know the way that we do controls and control definition in service now right so what we were looking at before is baseline controls which is a control objective and a control objective is you know steps a through x on what needs to happen and what i need to do to make sure that i that i am compliant against that control but it is not a control instance right it's just a template that once it gets mapped to an actual entity or an actual asset or an object it gets created as a control instance so now i have this alternate processing site control instance which is the control template or control objective mapped to this particular boundary right so that's really the difference between baseline controls and the actual controls right these are the ones that i need to go ahead and implement these are the ones that i'll be able to audit and be able to say their whether they're compliant or non-compliant so um very briefly what i'll show you here is um this is one of those places where we've leveraged existing functionality coming in from policy and compliance very heavily right so the control will have its own life cycle the control will be able to be you know you'll be able to define implementation steps and more importantly once we get into that automation and and we you know walk you through maturity all of the automation that exists with policy and compliance right for instance you can automatically test your controls via indicators you can automatically create test plans by defining the test plan at the template level and you can automatically perform control tests again through those indicators and so all of these great functionality and features that allow you to introduce automation are existing as well as this continuous authorization monitoring product right so for instance in this alternate processing site your indicator might go out and say do i have a facility where you know um my 
this particular facility will go into if there was a disaster, right? So you can absolutely automate a lot of that process. But like I said, this is an out-of-the-box control from Policy and Compliance, and it's one of those places where we've leveraged the power of our GRC solution. I'm not going to show you what actually implementing a control looks like. Like I said, in some cases it's a process control where you need to define a process, and in others it's a technical control where you'd either need to configure something or buy some sort of technology to make sure that the control is implemented. So the expectation is you'll walk through your entire list of controls, you'll go ahead and implement all of those controls, and once you feel like you're at a good point and ready to go out and start assessing those controls, this is where you would click this button and we'll go into the Assess step of the RMF workflow.

To show you what assessments look like, I'm going to impersonate now a security control assessor, or SCA. And as I go into that package, what we have done is we have leveraged our internal audit capabilities with Audit Management to help the audit team or the assessors walk through this particular engagement from beginning to end. So as I click here, first I'll be able to invite additional auditors, I'll be able to add approvers to this process, I get automatically assigned to this, I have planned start and end dates and then actual fieldwork dates for all of the different activities that I perform. At the same time I can create an audit work paper, if that's a requirement that I have to perform. But what we do is we automatically scope out the engagement, right? These are the controls that I need to ensure were implemented correctly and are performing correctly. And then what we do is we automatically generate those audit tasks. I can see here I'm at 94%.
If I refresh, then I'm at 100%, right? We're automatically generating those 262 control test tasks. If I had test plans for any of my controls, then we would create those audit tasks, again automatically, by using the test plan as a template to make sure that those steps are being followed properly. And finally, as part of this Audit Management capability, and it goes in line with 800-53A, there may be controls where you need to perform a control test and an interview, or you can perform an interview instead of a control test, or you need to perform a walkthrough, right? So all of those capabilities allow you to do those things exactly right. Then you'll be able to mix and match, either based on 800-53A or on your own risk appetite and processes, how you're going to go out and assess all of these different controls.

So let me very quickly click on an audit task. Again, if I had control test plans I would see all of this automatically populated; I do not, and so for the sake of this I'm just going to mark this as ineffective. Here are my design results, right, that tell me this is ineffective because... And as I close this and walk through it, the one thing that is important to note is, if I go to the authorization package, then any time that one of those control tests fails it automatically gets generated here as a POA&M.

So let's walk through what a POA&M looks like. I'm going to go ahead and impersonate the ISSO one more time, and these POA&Ms can be done in parallel with the assessment, right? So Stephen is going through the entire assessment process, he's performing all the different things that he needs to perform, and then as Isabel I can come in here and look at the POA&Ms that are being generated from those control tests. So I can see that I have a control test failure on the Physical Access Control. I can assign this to someone else, right? So yes, I am the ISSO, but this is a
control that I know a system administrator needs to solve, or whatever the case may be; I can absolutely delegate that. I can mark activities and comments, and I can say, well, I'll give them 10 days to resolve this, and keep track of all these different things. Now, the important thing with a POA&M in ServiceNow is that you can choose to remediate the POA&M, and if I choose this one I'll see that a Milestones tab appeared, and it allows me to create one or multiple milestones, right? So milestone A has to do with following steps through B, the second milestone is about doing this, and they have their own timelines associated to them. I can have as many milestones as I want. But the second action that I can perform is I can accept this POA&M, right? And now I see an acceptance task being generated. Go ahead and save that, because we also introduced some automation here: we automatically create the acceptance task, the weakness description (I can put in my stuff), and then I have fields to enter the business justification, what the effect on the business is, and again here I will be able to set certain end dates if applicable. But this is how I'm able to complete my risk acceptance form: that yes, I'm aware that there is a weakness, yes, I'm aware that there's a vulnerability, whatever the case may be, but I choose to accept the risk. If I didn't choose to accept the risk, then I would have gone to remediate and I would have defined all of those different milestones, which are visible once we get to that time of authorizing the entire package. So the expectation here is, again, this work can be done in parallel, but the expectation is Stephen will go through that entire audit process, and the ISSO, the SO and any other stakeholders are looking at the POA&Ms being generated and then resolving those, again in parallel.

I do see a question. It says: Is Continuous Authorization and
Monitoring for cybersecurity risk considered an accelerator? It seems the product combines features of Policy and Compliance, Risk Management and the Audit Management module. So internally we are not considering it to be an accelerator; we are considering it to be an application. But as Akira pointed out correctly, it is built on top of Policy and Compliance, Risk Management and Audit Management. The reason why, as I said in the beginning, is because we didn't want to reinvent the wheel. Risk Management Framework, as the name implies, is just another risk management framework, and so we didn't want to deviate and start creating two different risk products. The other reason why we are calling it an application and not an accelerator is because we will continue to enhance this. An accelerator is typically something you build and, not that you forget about it, but you do very, very minor incremental updates to it. With CAM we are very focused on this, we are very invested in this, and we will continue to add additional functionality based on customer feedback. So I can tell you, for instance, that there's an appetite to integrate with something like a STIG, right, then being able to ingest that and be able to report on that; that's something that's in our roadmap and we will continue to enhance. And that is why we're calling it an application in its own right, despite the fact that yes, it borrows key pieces from other products.

As I go into the Authorize step, there are two steps to this now. I'll close out the demo in just a few minutes. The first thing is, it gives you a pre-authorization kind of process, right? So I'm done with my assessments, I'm done with my POA&Ms, I completed everything that I needed to do. The first thing that I can do is I can generate an SSP. So we have a template that we've modeled after the FedRAMP template, but it can be modeled after your own template, that allows you to generate that report. So it goes out, looks at all of the details
that we've filled out in both the authorization boundary and the authorization package, and then looks at how each control was implemented, some of the steps that were taken to implement that, and then what it's doing behind the scenes is generating a PDF file. It takes about a minute or so to complete, sometimes less than that, so if it doesn't complete in just another couple of seconds I'll pause it. Oh, there we go. So here it's created the SSP very quickly. I'm going to download it and open it just to show you what that looks like. Like I said, it's based on FedRAMP but can absolutely be configured, and then it has some names. The important thing on the FedRAMP one is Section 13, right, and that's what we've included as part of this: all the steps and the things that have occurred.

We do have another question, this time coming from YouTube, and it says: Is this really specific to RMF? I think it also applies to other regulatory frameworks. And yes, it does, right? I'll show this one again because I think it's a powerful one. A lot of the things that we're doing are within the flavor and within the scope of RMF, but it's really just enterprise risk management, and enterprise risk management done well. So I see RMF as being a very sophisticated and mature risk management framework, and so yeah, there are a lot of things that are specific to other regulatory frameworks. And that's, to Akira's point earlier, another reason why we're built on top of Risk Management: because RMF may not live in complete isolation from other risk management programs that you have internally. So yes, we are absolutely tackling other kinds of regulatory requirements as we are doing this.

So we just walked through the SSP. This is where, because we were able to tie in those assets, we now start gaining additional context. I do not have Incident Response in this particular demo environment; I do have change requests,
right, so I see all of the different changes that are applicable and are happening live in my environment and may affect availability. I see all of the different vulnerability items that are associated to those things that I've scoped out when we created the authorization boundary, and what we see here is a summary of those activities. And that did not let me refresh this; I wonder if it's something that I need to be aware of, but yeah, we would see a risk summary. I'm not sure why it's not showing here; I'll get to the bottom of that. But this is where we start seeing those vulnerabilities, and I also want to make sure that when we have these vulnerabilities we can automatically generate POA&Ms, right? So that's something that is also in our roadmap, and another feature which I think distinguishes us from being an application versus an accelerator.

I do see another question around ISO 31000: can we use it for ISO 31000 compliance? I don't think that you can do it completely out of the box with the things that we're seeing. I think with elements of RMF, with elements of our regular Risk Management application, which is literally just an ERM/ORM solution, you can solve for ISO 31000. But we are exploring mechanisms so that with this application, Continuous Authorization and Monitoring, we can tackle adjacent kinds of regulations. So that's something that, (a) I'll first write it down as feedback and something that we need to explore closer, and (b) something that is actually not on the roadmap, just based on that screenshot that you saw. But in the future what we want to do is add additional automation, right? So right now I see all of the vulnerabilities, but that POA&M creation is still manual. But our intent was first, let's solve this: let's bring the work into the platform, let's do all of that work in one platform by removing all of those silos,
and then this is when we can start enhancing it and adding AI/ML and just regular automation to the process to make the entire thing smoother. And that's really where I'll conclude the demo. If I had security incidents, and I had that module installed, I would have seen those, but this is really where the power of the platform comes into play: being able to tie all of these different things that are happening in different silos all under one platform.

So that really concludes the demonstration. I'd like to just make sure that you can visit servicenow.com/risk if you want to see additional functionality or get papers or anything like that. You can join our community; we closely monitor the community from a product perspective but also from an SME perspective, so that if you do have any questions or any pieces of feedback, the community is a great way to start that communication. And you can watch this and other Ask the Expert videos and webinars on YouTube. I will just hang out for a couple more minutes and see if there are any other questions that come up, but if not then I'd like to thank you very, very much for your time. Again, from a product perspective, feedback from customers, even questions from customers, allow us to make the product even better, so I appreciate your time and I appreciate your feedback.

I do see one question, and it says, around control testing tables: are those the same as Audit Management, or is the table just for CAM? No, control testing is the same tables as Audit. And so a couple of things you can do there: first, leverage indicators like you can with Policy and Compliance; you can leverage test plans like you can with Audit Management. And so all of the functionality that is being added to those products as we speak will also be able to be leveraged in CAM.

These are some great questions. Yeah, yeah. All right. And Akira likes the SSP PDF generator. Yeah, that's
something that was added to the platform. It'll continue to get enhanced, but it gives us a great starting place to build the SSP. We also want to think of ways and mechanisms to generate the SAR as well as the POA&M report, using FedRAMP as a template but easily configurable by customers.

Good, lively session. All right, well, thank you everybody. You can also find a previous... what did we do for the RMF? We did another one earlier, didn't we, just recently? No, we have other Ask the Experts on YouTube, but yeah, any information I think you can get on the community, on the YouTube channel or on our website. Oh, I think there was "A Platform Approach to Simplifying RMF"; I think that's a little bit right. All right, well, great. Well, thank you again for participating with us today, and we hope to catch you at our other Ask the Expert events that are coming soon. So with that, everybody gets a few minutes back into their day.

View original source

https://www.youtube.com/watch?v=98vqw85bl6I