10/1 Ask the Expert: Best Practices when implementing NIST RMF with Accenture Federal Services
Lisa (moderator): ...so we don't miss a beat. So I'll be posting all the links into the chat again, and if you have questions after we end today's live session, you're more than welcome to post your questions on that community link and share with your colleagues. Let's see, we've got some more people coming in; that's great. If you do have a question during the live session, please do use the chat or the Q&A in Zoom and we'll try to get it answered live for you. Okay, I think we're going to be taking the full hour, so let's go ahead and take it away. Thanks.

Matt Fisher: Awesome, thank you, Lisa. Good afternoon, good morning, good evening, wherever you are in the world. Thank you for taking time out of your day to join us. My name is Matt Fisher, and Manish, if we could just go back to that title slide, please. My name is Matt Fisher. I'm a security risk architect at ServiceNow; I represent our Security Operations and our risk and compliance (Integrated Risk Management) products within the DoD and the IC. Today on the call with me I have Khushboo Doshi, who comes from Accenture Federal Services' cyber practice, which is a very large practice (she's going to tell you a little bit more about that), as well as Will Coffey from their digital platforms practice, which really means the ServiceNow practice. Today we're kind of doing a joint announcement. We've been working on some solutions toward RMF, both from the ServiceNow side and from the Accenture side, and we wanted to discuss a little bit of what we have there and give AFS a chance to talk about it in a little bit more detail. Now, if you could go to the next slide, please.

I do have to do a little bit of housekeeping, since my portion of the presentation discusses some future-looking product, so we have to do the standard disclaimer. This is the safe harbor, and I think we're all used to seeing these. I'm going to discuss an application that is due to release within the next couple of weeks, but since it isn't released yet, it may or may not come to market; it may or may not look the same way or have the same functionality. I think we all understand that when we're talking about software. So with that, let's begin. Please, Manish. Thank you.

We have a very short agenda today. I'm just going to talk for a few slides about our newest application, Continuous Authorization and Monitoring, and from there I'm going to turn it over to Accenture Federal Services and let them talk about some of the challenges they've seen as experts in the space, living with customers on site: real challenges they've seen in RMF automation first hand, and how they approach their automation toward that, leveraging ServiceNow of course, but also everything they've built on top of that to build their solution, which they call the Cyber Assurance Integration Framework, or CAF. So, next, please. Thanks.

It's hard to do a presentation talking about ServiceNow's risk management capabilities without showing a slide like this. We're very proud of what we've accomplished. We are leading the market in so many different ways. To me, I just can't fathom that our one Integrated Risk Management solution is not only leading three separate Gartner Magic Quadrants, but we're also leading the Forrester Wave and other tools, and that's really a reflection of the investment we've made in the product internally. Next, please. Thanks.

This is really a reflection of the investment we've made in the product over the years. Way back in 2015 it was relatively new, but you can see that there's been this very strong growth. So every year not only do we invest in the development and add new capabilities to it, but we increase the investment, and every quarter, every release, we come out with more and more capabilities: capabilities that span vendor risk management, risk and KRI management, policy and control life cycles, business continuity, and now our newest application. Next slide: Continuous Authorization and Monitoring.

So this is the latest addition to ServiceNow risk management. Continuous Authorization and Monitoring really leverages other capabilities in the ServiceNow platform. ServiceNow gives us this incredible shared data model, almost a data lake if you will, and all these wonderful applications around it that make it very easy to build processes and drive work across functional units, and make it very easy to add in customized workflows and other unique capabilities. So we used what we had in the platform and built on top of that to really bring risk management directly applied to RMF. This is going to be a separate product; it's actually going to be included with Integrated Risk Management, so it's not a separate SKU or a separate acquisition, but it's a separate product designed specifically for RMF that handles the full life cycle, from categorizing your systems and dealing with information types and control overlays and control tailoring and inheritance, all the way to driving tasks for, say, security control assessors and driving life cycles around POA&Ms. Really the idea here is to not just present that control layer, and not just automate the active monitoring controls, but really capture all of the work that goes into RMF in a way that really only ServiceNow can do.

So with that, I'd like to turn it over to Accenture. The reason we have Accenture here is because they've been a key partner in all of this. Obviously you don't build an RMF solution in a vacuum; this isn't something where we just sent engineers off and they went and did it. We had a lot of help from partners and customers, and we engaged in really kind of a joint development process with Accenture, right to the point of engineers talking to product management and doing lots of previews. It's been a really wonderful joint venture of ours, and at the same time there's
limitations to what we can do as ServiceNow. We're a software manufacturer; we don't live on site with customers, we don't run programs, and so getting some of that insight from Accenture was very valuable to us. But they're also going to discuss some of the DoD-specific capabilities that they've built that really only they could build, that we wouldn't be able to. So with that I'd like to turn it over to Khushboo Doshi from the cyber practice to talk a little bit about how AFS works with ServiceNow and how they brought this to fruition. So, all yours.

Khushboo Doshi: Thank you so much, Matt. Hello, everyone. As Matt indicated, Will Coffey and I are here to present from the Accenture Federal Services side of the house. So again, welcome everyone, and we will now walk you through the journey we went through as an organization, in conjunction with ServiceNow, as we've implemented the NIST Risk Management Framework for many of our clients, including federal, DoD and IC clients. What you're seeing here on the slide right now is Accenture and ServiceNow's journey. The key things I actually want to highlight here are that we have 6,800 resources globally and 5,000 projects that we've delivered using ServiceNow integration with Accenture. Also I wanted to highlight that seven of the 42 ServiceNow Certified Master Architects in the world are with Accenture Federal. Next slide, please.

The other aspect I wanted to highlight is that this Risk Management Framework goes hand in hand with the work we do day in, day out with the cyber practice that we have. We have over 20 years of experience helping our clients secure their organization, we have 350-plus patents related to security worldwide, we support a multitude of clients, and we have over 5,000 security risks mitigated per year. Next slide, please.

So it was really important for all of us to understand what the key RMF challenges are that the industry is facing. A couple of the items that we've encountered, and I'm sure many of our customers are also wondering: I have a new product online; well, how much time is it actually going to take me to get through the ATO process? Is it going to be 12 months, 18 months, and in some cases even 24 months? So the lead time for current assessment and authorization efforts has been a huge concern for some of our clients. Outside of that, assessment and authorization activities are looked at as manual labor; in this case we have so much paperwork we have to do to bring products to the market. There are also several different reporting mechanisms we have to take into account: FISMA reporting, reporting for the GAO audits, several different compliance frameworks that we as an organization and many of our clients actually have to encounter. Overall, on an integrated front, we've seen multiple silos that our customers have had to come across, so how do we actually give them one overall solution for all the oversight mechanisms that are in place? And last but not least, people consider RMF a huge cost for compliance, but how can we actually make it a repeatable process for them? The other thing that I want to point out here, which we've been seeing in industry as well, is the concept of moving from traditional RMF processes to more of an ongoing authorization model. There have been many conversations across DoD about fast-track ATO, organizational risk tolerance, baseline; how do we actually pull it all together? Also, NIST came out with Revision 5 now. For the last several years everyone has been focusing on the NIST RMF framework Revision 4; there's also NIST 800-37 that has come out with Revision 2. But how do we actually incorporate all these ongoing security requirements? Next slide, please.

So that's where we came up: we understand our customers' problem, we understand what we have to do in terms of meeting all our regulation requirements, hence we came up with the Cyber Assurance Integration Framework. The key thing I want to highlight about Accenture's Cyber Assurance Integration Framework is that it integrates information assurance and DevSecOps automation to enable and accelerate our assessment and authorization processes. The top process here is that you have a touch-once, report-many solution, so we've built together an enterprise-wide single solution that will help you meet your compliance requirements. So one would ask, why are you actually even doing this? The time has gone when we think of ATO or A&A activities as an afterthought: we have built our environment, okay, now all I need to do is get into production, let's get our ATO. No, we need to think about security from the get-go. The thought process here is, let's take our security requirements and shift them to the left. This allows us to save time and cost, and it's also integrated as part of our system development life cycle. Again, we're not thinking through it from the perspective that we only need to develop security documentation; we need to actually protect and defend against the malicious threat activities and threat actors that actually take place. We wanted to provide a risk-based, proactive approach to meet all the security requirements and, last but not least, include automation as part of it. With all the solutions in the market today, how do we make that happen? How do we meet those RMF requirements? How do I get all my test results done? And that's where the Cyber Assurance Integration Framework comes into play. Next slide, please.

So I don't just want to talk about a framework here; we want to talk about where we've actually implemented this working with our clients. These are the real-time CAF results that you see. We've been able to implement CAF for many of our DoD and federal civilian clients. We've reduced the overall time to achieve an IL6 ATO by 50%. We've accelerated A&A package development as well as ATO approval by 75% migrating to an IL5 environment. Imagine, we're talking about 12 to 18 months; those days are gone. The thought process here is let's rock and roll and get through our ATO in a short time frame, but again without putting our security requirements at risk; we have to keep those in mind. We've also streamlined our overall A&A package development across many of our information systems within three months. Again, long gone are the days of 12 to 18 months; a short time frame. We've also worked across 21 financial systems and we've performed RMF gap analysis, reducing their overall testing time by over fifty percent. Next slide, please.

So what we've come up with, in addition to the Cyber Assurance Integration Framework, is our compliance automation. What you see here today, and on the slides more specifically, is the chatbot/RPA functionality that we've built in with the Cyber Assurance Integration Framework; we call it CAF Automation. So what does this do for us? It creates repeatable processes for us to meet our DevSecOps requirements as well as our continuous monitoring requirements. We're focused on continuous authorization, not a one-time "let's go through our ATO process every three years," but making sure that we're meeting our requirements on a continuous basis. Security validation: we provide ongoing proof that we have all our controls in place, and at the same time we're meeting and enhancing our security posture. Next slide, please.

So what does CAF Automation actually look like? The thought process here is that we'll have a single integrated view which will provide us an overall holistic view into the cyber assurance process: that our cyber assurance requirements are met, and FISCAM requirements for those who have to meet the FISCAM requirements as well. We use the intelligent automation platform to be able to do that. We use chatbot functionality to do our security categorization, control selection, even, for that matter, developing our test results. We also integrate with Tenable Nessus to get our STIG compliance reports together, to get our IAVA compliance reports together. What I also wanted to
highlight here, which you might be seeing on the slide, is that with the CAF Automation we've built in, we are able to integrate with ServiceNow. We can create a ticket in ServiceNow and it pre-populates the forms for you. The main highlight here is the API integration that we've built on top of that: we can integrate with eMASS, CSAM, Xacta to be able to provide that one-stop shop, that one central view to see where you stand, from how many vulnerabilities you have in your environment to how many controls you actually have implemented or what is out of compliance, and outside of that, where your main threat factors are. So with that I'm actually going to turn it over to Will Coffey, who's going to discuss further how we work very closely with ServiceNow to develop the overall CAF Automation and ServiceNow integration.

Will Coffey: Thanks, Khushboo, I appreciate that, and thanks, Matt, for the introduction earlier on. So my name is Will Coffey. I'm in our digital platforms practice. I focus on ServiceNow specifically; I'm focusing on the Security Operations and Integrated Risk Management portions of the ServiceNow platform. Of the 48 Certified Master Architects in the world, I'm one of them. So when we talk about where we're at in federal, our federal practice currently has two of those Certified Master Architects, and what that means is that we're looking at the overall capabilities of ServiceNow as a platform and being able to take the holistic views of those things and put them together. One of the things we've done is, with our CAF Automation and with our Integrated Risk Management capability on the platform, we looked to partner with ServiceNow so that we could create that industry best-practice-driven approach to automating and accelerating the ATO process, to help reduce the amount of time spent on things like generating the assessment and authorization package, managing that process through the RMF steps, and reducing the amount of time spent on manual tasks during the continuous monitoring phase, while making it easy to do the day-to-day work. Ultimately what we wanted to do is simplify the compliance of compliance. So what we've done is, we have built, in partnership with ServiceNow, helping them understand how the actual challenges within the industry with our clients, from real-world examples, can be solved using the ServiceNow platform. So they built the Continuous Authorization, or excuse me, Continuous Assessment and Monitoring capability on top of their IRM platform. What we did was we built an additive approach that has our CAF component with the ServiceNow capabilities, also built on top of CAM and IRM. So we've helped to accelerate the capabilities that you're getting from the Risk Management Framework piece by adding things like automation up front for information categorizations, aligning some of our national security system compliance pieces that align to NIST 800-59. We've added a portal component that helps with the UI/UX, a better user interface for defining what those initial information categorizations are. We've added a dashboard, we've added POA&Ms, we've helped try to make all of that automation that is typically a manual process up front be built into ServiceNow, so that we can accelerate that entire timeline and reduce the amount of time it takes to get through your A&A, get through your ATO, and the amount of time that you're spending on continuous monitoring. Next slide, please.

If we're looking at how we have taken CAF and how we've taken ServiceNow and built that into the overall process, we look at the intelligent automation that's provided by CAF, through things like the chatbot, that helps us populate those pieces of the ServiceNow puzzle that get us to steps one and two and six of the RMF process. The new CAM application that ServiceNow is bringing kind of builds into the middle, and what we're doing is blowing out some of those additional capabilities that ServiceNow has brought and adding more to it, so that simplification of the process overall allows you to have a more holistic end-to-end A&A process, ATO process, continuous monitoring process. What that really means is you don't have to worry about manually selecting controls. Once you do your system categorizations and your information types, it's going to define those things for you: it's going to define your confidentiality, it's going to define your integrity, it's going to define your availability, which will define your system impact, which will define your controls, and then you'll have the ability to add overlays on top of those, so that if you have additional controls or inherited controls from any other systems you can bring those in as well. That will then reduce the amount of time that you have to spend going through and defining: where are we overlapping, where are we overlaying, where are we inheriting, how are we assessing against these things, where are we able to assess our boundaries quickly and efficiently? The other piece that we're looking at is, when we're going through the accreditation process, how are we using workflow built within the ServiceNow platform to be able to drive that authorization? When we're looking at the existing manual processes and the way that people are doing it now, it's a lot of Excel spreadsheets that are driven by "hey, I need the ISSO or ISSM or AO to be able to review these things, I need to put together a report." Well, with ServiceNow and the dashboarding capability and all of the containment of that data within the assessment and authorization process in one record, we can see that consolidated view. We can see where things are at, we can see what the information types are, we can see what the risks are, we can see the attestations of the implementation of those controls into the environment, so that when the ISSO or ISSM or AO gets to review and approve what is being done, they don't have to look at it across a lot of different spreadsheets or different documents; they can see it in one place. And the other part of that is they can look at it along the way: they can see how things are progressing, they can see how the workflow is managing across all of the different areas of the RMF process. So it will significantly reduce, as Khushboo showed, the amount of time it takes to get through the process overall, which is a huge paradigm shift for our federal customers. And we know that sometimes the processes are different, sometimes the compliance systems that you have to use on the back end are different, so if you're using eMASS, if you're using CSAM or Xacta, whatever those things are going to be, the system works with all of those things. So looking across, if you're using DoD processes or if you're using DHS processes, it doesn't really matter to us, right? We want to make sure that everything that we've built is built in a way that integrates seamlessly with ServiceNow, integrates across the CAF capability, and then integrates into the federal overall environment for compliance and managing that compliance within the federal network. So we've taken a lot of our capabilities out of the platform overall to make sure that what we have defined, what we are defining, how we're driving the workflow, how we're going end to end on these things, is built in a way that really amplifies the capabilities of your platform overall, which just generally brings you more value to the process and to your platform leveraging, or platform use, excuse me. Next slide, please.

So the last part of what I want to talk about is, when we're looking at things like API integrations and API ingestions, those capabilities to be able to do configuration compliance, to be able to do vulnerability scanning and map those against the controls for the continuous monitoring piece, and for the easy export of the capability to the compliance platforms that exist; all of those things are coming together within
CAF, within CAM, and within the RMF accelerators that we've built on top of those within ServiceNow. It really does define the simplified end-to-end process for overall assessment and authorization, RMF definitions of the ATO process, and into your overall continuous monitoring. Next slide, please.

So I'm going to let Matt or Khushboo talk a little bit about this, but I really appreciate the opportunity to share with you. I know we have some information on the screen right now about some of the upcoming events, so I look forward to showing you; this will actually be a demonstration of the capabilities, but I won't steal Matt's thunder on this one, so I'll let him talk a little bit more about this.

Matt Fisher: On that, my thunder: this is going to be another joint one. So today's presentation was kind of the opener, the intro if you will. Our next presentation, on the 28th, is the deep dive, and that's where we're going to have ServiceNow product management and AFS developers go through and really do a step-by-step demo and get you deep into the application itself. So hey, Will, if you're good to go, why don't we open it up to questions and see what the audience is thinking right now? Absolutely. Teresa, Lisa, do we have any inbound questions?

Lisa: Not yet; we hope we get them soon. It says: "In order to review and validate the controls, the procedures and SOP are integrated and easy to monitor updates and version?"

Matt Fisher: Ah, okay. Well, do you want to talk a little bit about that?

Yeah, absolutely. So, Jose, to specifically answer your question, how do we go about reviewing and validating the controls procedures: we have the ability, especially with the CAF Automation piece that we've built in, to go ahead and put in the procedures, upload them, and compare them against the NIST test result requirements that we have to actually keep in mind. So what it does is, with the automation piece, we use OCR to review what the requirements are and compare them with the documents overall, and accordingly we can identify the control implementation statements, which will also help us build our System Security Plan, but at the same time also assess the results.

Matt Fisher: Yeah, and I can tell you from the ServiceNow side, when it comes to reviewing and validating controls, ServiceNow Integrated Risk Management does have a complete set of processes and life cycles around controls, which doesn't mean just knowing what the controls are and assigning them out to your people and processes and assets, but also means ensuring that the controls are tested on a regular basis, that they're continuously monitored in an automated fashion. So one of the things we do with that is we give you special functionality just for describing control tests and the ability to test the operation of a control in addition to the design, and report those results back in the platform. So unlike some environments that I think many of us have lived in in the past, where a lot of that information was shuffled around in spreadsheets and email and there's a lot of manual aggregation and normalization, it can all be contained in the platform for you. And the beautiful thing about that is it gives you perspective at the highest levels, so you can very easily see what your entire agency's risk is or what your entire agency's RMF compliance is, but you get that individual control fidelity, so it's very easy to drill down and look at, say, the result of a control test or the current compliance of a single control or a single risk against a single asset or a single process. So the capability is absolutely in there for you. And I did notice that Lisa just pasted a whole list of upcoming risk management events for everybody; that's wonderful. Some of these do span into other areas: there's vendor risk and I see business continuity, as well as the CAM and RMF session on the 28th.

And there is actually another question in there too, Matt. Yep, Teresa shared, asking if this is just focused on NIST RMF or is it focused on NIST CSF as well.

Matt Fisher: Ah, thank you for your sharp eyes. So I tell you what, Will: I'll approach it from the ServiceNow side and then you can talk to CAF a little bit. We did build the Continuous Authorization and Monitoring application in direct response to lots of federal customers who said, "hey, ServiceNow is awesome, we think this would be the ideal place to do RMF and we need help with that." So it was purpose-built for RMF. That doesn't mean it only applies to RMF, though. There are a lot of additional frameworks out there: there's CSF, there are some ISO standards, CMMC, there are new ones coming up all the time, and these are being adopted by much more than just the federal community we're used to. Certainly anyone who's been around for a while remembers DIACAP and FISMA and DITSCAP and so forth, but the US government made that investment in people and thought leadership and all of the footwork into going to and building this extremely mature framework. It is a very mature framework and it's very well thought out. It's not necessarily the easiest to implement and automate on the execution side of things, but it makes perfect sense as a framework, and a lot of organizations are turning to it now: regulated utilities, high-risk industries like financials, other governments, state and local governments, hospital systems are now recognizing the need for an extremely mature set of practices, an extremely mature framework, and they're looking at what the US government built and saying, "that's it, we're going to adopt that." So while CAM was built for RMF, it absolutely helps with any of those other frameworks as well. They're all very similar: determine the risk of the system (and there might be more or fewer steps involved in that), determine what controls we need to apply, and monitor those controls, and that's essentially what we're doing in CAM. Will, can you talk to CSF and CAF?

Will Coffey: I can. So I have some particular thoughts on this, and I know that Khushboo, I'm sure you do as well. When we were looking at how we can holistically address across the integrated risk management framework overall, especially within the ServiceNow platform, we looked at incorporating not only the IRM, slash GRC depending on how you want to talk about it, capabilities that ServiceNow provides, but the Security Operations capabilities that it also provides: things like your vulnerability management, your threat intelligence and your security incident response pieces that come into that. In particular, vulnerability management directly ties to the integrated risk management portion. And when we look at the Cybersecurity Framework and we talk about the Identify, Protect, Detect, Respond and Recover portions of it, that goes into the controls. So how are we leveraging something like Tenable or ACAS for configuration compliance and vulnerability management against specific controls in the subset that's defined for the authorization boundary that we're in, and taking that vulnerability management, tying it into detection and response as part of our continuous monitoring efforts, and then expanding that across both sections of not only RMF but CSF as well. So we do that, right? And when you're doing things like POA&Ms and you're doing things like vulnerability management in response to specific controls, identifying the attestations that are aligned to the response of those things, we wanted to make sure that we're looking at this from the most holistic point possible so we can provide the easiest management overall, because if you're only doing part of it, that's great, but it's still manual effort on the other side. So we want to bring that capability for automation that is built into the platform, and that intelligent automation that we have through the AI component, to both of them, right? So we're able to take a spreadsheet that once took four hours to complete and get it done in two minutes. We're able to take vulnerability mapping between controls that used to have to be done manually, and we're completing it automatically now. So all of those things do come together in one holistic (I hate this term because it's a super salesy term, but) single pane of glass, right? We talk about it that way. Khushboo, I know you've got some thoughts on that as well, so I'd like to give you the opportunity.

Khushboo Doshi: Yep, absolutely. Thanks, Will, and thank you, Matt. So the key things, when we're thinking through this, right: as Matt mentioned and Will mentioned, we're not just looking at the NIST Risk Management Framework; we are definitely looking at all the security compliance requirements that do exist today. So we've done an analysis of what it entails, and a good chunk of it has that basis of the NIST 800-53 controls. As I had indicated earlier, some agencies have the financial requirements that you have to meet, which is the FISCAM requirements, but what we did was we built a crosswalk to look through where the similarities are as well as where the gaps are, and hence we came up with CAF so we can truly meet all those requirements. If an agency has three regulatory requirements, how do we actually make that happen? So with the innovation factor that we've added, and as Will indicated, I mean, think about it, right: if I'm doing the SecOps, if I have the SecOps module integrated and I need to develop all my STIG compliance reports or my IAVA compliance reports or even an overall vulnerability management compliance report, if I can do that in minutes, that's so much more time that I can actually focus on the security mission at hand that I have for my organization. And with the chatbot/RPA functionality that we have, I mean, think about it, right: if I have to go through my security categorization process and it's taking me one to two weeks just to go through the security categorization with various stakeholders, if I can now do that in a matter of hours, get my categorization form completed and get it through the ATO approval process, that's a lot of time savings, and that's where we pull it all together using that intelligent automation platform.

I believe we have more questions.

Will Coffey: There are. I'm actually looking at the questions and answers right now; there are three in the Q&A section. I'm going to read the first one, and then I think the second two can be grouped together. But the first one is: how can we get our hands on CAF, how is it priced, and has it been used at clients already?

Khushboo Doshi: All right, I'm happy to answer that. So we do have our contact information listed toward the end of the slides, so if you are interested in knowing how it's going to be priced, definitely feel free to reach out to us and we can discuss further. Also, in terms of how you can get your hands on CAF, we can talk about next steps; our email address is listed, as you can see on the screen. In terms of has it been used at clients already: CAF processes absolutely have been used with our DoD and IC clients and several of our other federal clients, where we are implementing it live. If this question is more specific about whether CAF Automation has been implemented already, we are in the process of doing that today. So whoever asked that question, I hope I answered your question.

Will Coffey: That was perfect. It says it's from an anonymous attendee, so that's good. And then the second and third questions are related, but I'm going to read them both and then we can talk about it. I have a portion of the answer, and then, Khushboo, I'll let you speak to this as well. So the first part of it asks: can this be used for IL5 at this time? So the answer is yes and no. The answer is yes if you have a self-hosted or on-prem instantiation of ServiceNow that lives in an IL5 environment; you can do it there and you can use that, because right now ServiceNow and the Gov Community Cloud, the
gcc is il4 now i don't i think that there's some activity around bringing that to the next level but at this time it is il4 but you can use it if you have a self-hosted or on-prem instantiation of servicenow the second question is would multi-classified environments nipper zipper top secret etc require separate service now instances or can servicenow integrate the information into a single pane of glass now that's kind of that's that's a semi multifaceted answer right you would want to have multiple instances across the different domains just because you can't have nipper stuff nipper sipper jwix all on one platform i suppose you can if it's at the j weeks level right everything's going to flow up nothing's ever going to flow down but you can at the highest levels take the data do cross domain data sharing but it's really going to flow one direction which is up so you can flow your nipper up you can flow your zipper up into jwicks or whatever it's going to be and have that holistic view at the most secure level it wouldn't go down uh if you wanted to look at nipper data only you would have to be in the the unclass environment on the nippernet uh looking at it there so you can have that single pane of glass but it would have to be at the most classified levels so it can roll up but you would have to have multiple instantiations of service now across those those uh security domains uh but you know that's kind of that's architecturally the decision of however you want to put it together though i i hope that was from abel yeah matt kushboo do you guys have any questions on that i think some i think there's some variation in that as well right so you know servicenow is currently deployed in every classification domain you can think of and absolutely plenty of you know multi multi-domain environments i think it really starts falling down to kind of the enterprise architecture so you know servicenow itself doesn't necessarily need to connect to everything for instance if 
you want to bring vulnerability management data in and bring your egg has results in use servicenow to drive the remediation processes around that use that to feed your rmf you know if you have if you already have existing processes for say someone doing a network scan in in one domain or one enclave and then somehow getting that into your security center in acads right we just need to we just need to talk to that security center so in that case we wouldn't have to be present in that enclave ourselves but i think it does start boiling down to kind of agency enterprise architecture and specific use cases from my perspective thank you i agree i believe we have some more questions uh that teresa's posted in here so um i'll tackle those if well you're good with it as well go ahead yeah please how would you handle arma for existing systems that are already accredited and that's definitely something to think through right i mean we you know the whole thought process being okay you have to go through your ata process every three years that that's no longer the case with continuous authorization ongoing authorization and play what we do very specifically not only with uh caf automation but with also and matt please do answers from the servicenow perspective but i'll speak here on the calf automation side is we've built in those continuous monitoring requirements we have the list of controls identified that are prioritized we have our kanban knowledge base that you would essentially use to go ahead and see what the what your new accreditation requirements quote unquote are going to be um so if i am an existing system i've already gotten my accreditation now the main focus point is should i worry about it to just get my ato in the next three years that's not the thought process here we have those controls environment you can use the rpa uh chatbot rpa functionality and it has the lists of controls listed for you you'd respond to that we'd have our test results automated and 
then again if you're using emass or csam we can upload those test results in there as well um matt do you want to add from the cam perspective for existing systems i i completely agree i mean you know when i first started off as a as a government contractor you know our concept of security was do all your inspections then come back three years later obviously the rate of of technology has eclipsed that and the entire government now is is you know hopefully at or moving towards the concept of continuous monitoring so i view rmf really as kind of two major halves of the pie i view it as a lot of administrative effort um the control selection and categorization and there's certainly challenges to that but then there's that whole second half of continuous monitoring which is the technical challenge and this is where i hear a lot of struggle i hear a lot of c levels telling me that we just don't have visibility into the assets in the network that we need that we have trouble with the volume of data coming in from from the sensor layer from acads and other technologies and sims and then trying to correlate that all to risk and manage and assign thresholds and quantify it and that's really where servicenow excels the platform approach we take of having everything a shared data model essentially you know this literally a single database um and all these unique applications across so many different domains gives us really a very unfair advantage there so i brought up a cas a few minutes ago and i talked about bringing results in from acads and then running them through something like our vulnerability response product well that gives you a whole workflow for managing the vulnerability remediation cycle but because it is the same platform the same data model right it's you know we're able to take that and monitor that within cam and use that as a data feed for continuous monitoring as just one example and while that's possible to do with any technology with legacy 
technologies that typically involves a lot of custom integration work and then you have to bring in things like any sort of work automation right do we have a ticketing system some sort of work tracking system now we have to integrate with that and now we need our metrics and visualizations and that's another system right servicenow brings all that together in one platform so i think the kanban perspective of it is extremely valuable i think that's a very good question i think you would be very pleasantly surprised by what the capabilities are there i saw that we we also had a question from uh mike goodman um asking about uh slas between systems so um i don't know if it's something your team is prepared to discuss slas are a little bit outside of my personal expertise with cam yeah servicenow does have the ability to apply slas monitor performance again against activities and against the slas and i will say that servicenow has a very strong concept of systems depending on other systems so the second half of mike's question is you know i have an sla here but i depend on this other business service so at the very very core of servicenow is this thing called the cmdb the configuration management database which is essentially the mother of all asset databases right it has this wonderful schema that accounts for every every detail about an asset you can think of and any type of asset not just computers not just switches and routers but phones and ot and scada systems it can all be implemented in there and there's discovery that goes around that of course but one of the really big things about that cmdb is it is service aware so it not only knows everything about the configuration of that asset and maintains that central ground truth for the entire agency but it also understands how assets depend on other assets or are dependent upon not just the technical perspective the business service perspective so we have a concept of you know this is a windows server but this 
windows server is part of this analysis stack here which is part of this you know intel system here or weapons platform or this other major program and how it impacts those so while slas are kind of outside of my realm and i think as outside of the realm of the products we're talking about today we do have the capability to implement slas and monitor against them and we absolutely have a deep understanding of how systems depend on each other so i wouldn't be at all surprised to find out that we can absolutely show an sla dependency to get the to get the full answer on that with 100 confidence would have to turn into some other folks internally which i'd be glad to do for you if you want to ping me offline yeah and matt if i could just add to that real quick is you know i don't think we're addressing that right now in this in this capability that we're putting out i think it's something to pay attention to but in line with what matt is saying the other thing that servicenow brings to the table is the common services data model right so if you're looking at cs dam csdm and the implementation of csdm it does align those things for the sla capabilities right your business capabilities your business applications your information objects your application services your services your service offerings and everything that falls into those things which is a lot of stuff but there are ways to align the target systems and the service mapping of those systems to slas but the focus of what we're doing here is not necessarily overlapping those things but more how are we maintaining the compliance on top of those things but it's possible right the possibility is there to extend the capabilities of the platform to address those things yeah that's that's a good question and i'd be glad to follow up off offline and try to get the get some more details around that um we do have a couple more questions that came in uh cushvoo i think this one is is probably perfect for you or will how 
do you intend to meet basically it's revision five how do you intend to meet the nist rmf revision five requirements no uh definitely a wonderful question there so um nist version five actually was introduced uh to the public last week i know draft was already released so the final one came out if i recall correctly september 23rd we have already done our pre-analysis based on the draft version that had come out to meet uh the nist version five requirements uh we also have conducted a detailed gap analysis of where the differences are so in preparation for caf automation more specifically and again as we work through with servicenow hand in hand we did account for the revision five updates um so in the event if our agency that we're supporting once you meet those requirements we're prepared to actually address them as well awesome and then we got a really interesting question about essentially adapting this to devops so the question is the question is asking literally are you using flow designer how flexible can this be modified to integrate with devops so you know flow designer is a specific capability within servicenow it's basically a drag and drop gui a no code or maybe a little bit of code way of building complex workflows and automations and you can use it to automate actions within servicenow such as you know creating a ticket or changing the state of something but you can also use it to interact with systems outside of servicenow i've used flow designer to make rest calls out to other systems and bring data in and process things based on that so the cam application itself doesn't doesn't literally use flow designer it has it has the flows baked in but you can use flow designer on anything you want anywhere in service now very literally when you go build a flow with flow designer the first thing that asks is what you want to trigger and you know very often that trigger it might be a scheduled job or but typically it's based on changes or updates to a certain 
table i.e when a new security instant is is created that meets these conditions or you know an update over here that meets these conditions is built so you can definitely use flow for this now for devops specifically that's a great question devops is uh sweeping the nation it's a great move i was practicing software security way back in the day when it was really the realm of penetration testers and it's been remarkable watching it just move left so much and see so many capabilities in devops now devops as it comes to rmf is kind of a new challenge you still have all the requirements of rmf and all the security concerns but you need extreme agility there right as developers are building and code could maybe committing 100 times a day now we do have a dedicated devops product within servicenow that can help with that but what i'll say is that cam is capable of performing monitoring against any data in the servicenow system or any data that can be brought in right so if data exists in another system we need to bring that in for monitoring we can build a flow for that or we can use other techniques and then it can be continuously monitored via our indicators which are essentially little data robots that just look at all the tables and look for changes so tying that back to your rmf controls and risks is is certainly feasible there's always details like how you want issues directed back and you might have different risk thresholds for something in development i think determining those thresholds is is you know one of the key areas for for a lot of customers right what do we what standards do we really want to hold them to before a certain build can be released to the new gate and where do we want to do that do we want to do security testing before it passes the automated functional testing or afterwards so i think there's going to be a lot of flexibility in there but you can certainly use these applications and these processes to monitor what's going on in devops and 
men i actually wanted to address it from a caf automation perspective uh so from a calf automation and devops perspective caf is actually built on information and assurance and devsecops framework so we do account for shifting left of the security requirements it's included as part of the system development life cycle um from the get-go right so we do the uh we use agile processes to do the testing as it's actually being built as as the code is being developed we run the code scans we do the analysis and we also meet the rmf requirements from the get-go so you know as i had indicated um a little bit earlier during the during our webinar is no longer are we thinking of hto as a final activity right before going into production it is integrated from the beginning as it should be and as it was always intended that's excellent yep we have a few more questions uh i matt i think this one's for you is the cmdb schema extensible it is yep it absolutely is so you can you can take um existing portions of the schema that we've created and uh create new portions on it add and remove to it you can um and then of course the wonderful thing is you can build automation around that specific new schema and monitor for changes in the sort in fact um let me say this everything in servicenow is is extensible it is um if you've never done any real uh kind of you know power user work with it before it's an incredibly open transparent flexible platform to work with but that said i'm not the master architect we're very fortunate to have uh to have one of the 48 um well i'm going to start calling will uh one out of 48. like like star trek um one of 48. 
uh so will do you want to do you want to speak to that a little bit and how you can extend servicenow and talk about building on the platform yeah i mean i was going to answer it just the same way you did which is you know is the cmdb schema extensible absolutely yeah i mean and that's that is the basis of the platform your ability to extend um and use the the platform as it is to be able to create that flexibility for what you're trying to do or relate across the different data types that are in the system is one of the primary benefits of servicenow overall i mean when you're looking to when you're looking to bring more data to light uh or relate more data to do more things that that platform flexibility and that platform accessibility is really going to be one of the key things that drives all of that stuff so the ability to do that is absolutely there and it's definitely something that we take advantage of all the time because that allows us to to leverage the data that we need in the places that we need it to be able to execute the flows in the way that we want them to to support our customers missions so it's it's really the overall extensibility and flexibility of the platform is just you know it's really phenomenal so yeah it's one of those products where the more i work with it the more impressed i am yeah it does a lot there's a lot of stuff it does a lot but i appreciate how it makes things it does a lot but it does it in a way in a presentation that makes it very easy to understand and work with and what i love about it is if i'm building a capability for someone it does so much for me that all i have to worry about really is what i call the micro logic right which actually kind of goes into the last question we have one minute left uh i don't know if we want to wrap or get to it but you know can we explain what's truly automated and how can you meet the continuous monitoring requirements i would say um you know reach out to one of us because i'm happy 
that one join the next webinar and you'll see you'll see it uh but two if you have questions i'm happy to walk through with you i know koosh was happy to walk through with you matt's happy to walk through with you so reach out to one of us and uh you know we'll we'll be happy to talk through that in in more depth um so that's all i've got on that one yep and as indicated our contact information is listed so do not hesitate to reach out to us so matt with that we will we will turn it over to you and again thank you so much everyone for uh hearing us out today and we look forward to hearing from you today absolutely thank you everyone really appreciate your time and participation yeah thank you will and kishbu your your partnership on this has been very valuable and very important and very welcome and i appreciate your contributions here on the webinar today even so with that i really all i can say at this point is thank you so much um we're all living in some pretty crazy times um for those of us who are uh still kind of stuck working at home it's it's funny how at first that sounds like a benefit
https://www.youtube.com/watch?v=9je_EEU25w0