9/3 Ask the Expert: A Platform Approach to Simplifying RMF

Import · Sep 03, 2020 · video

...to take a moment to let everyone join in before we start today's event. I will be posting the recording of this event on the community in the chat window, so you're welcome to share it with your colleagues as well as to replay and watch, so that, you know, you can always post questions on the community after. I'll be repeating this a few times as we get more of our attendees in. So again, we welcome you all today. We're excited to have you here, especially on this holiday weekend. We'll be getting started in a moment; I have a few more attendees coming in. So I'm going to welcome everybody again, and I'll let you know that I'm posting the links in the chat window so it's available. That's where the recording will be. If you have questions, please use the Zoom chat and we will be answering them, I believe, at the end, so just keep that in mind when you are posing your questions. And we are at the top of the hour, so you know what I'm going to say one more time: welcome, everybody, and let's get started with today's Ask the Expert event. Thank you. Matthew, are you going to be introducing yourself today?

Yeah, outstanding. Good morning. I was going to let Jorge go first; he's really the star of the show. Good afternoon, everyone, and for some of you, good morning. Thank you for joining us. It is a holiday weekend; I'm flattered that you're spending your time with us, and hopefully today we'll learn a lot together and invigorate some new thought. My name is Matt Fisher. I'm a solution consultant; I'm responsible for our security and risk products in the DoD and IC. However, that's just my personal role. This presentation is not strictly for the DoD or the IC; this really would benefit anyone working in a governmental role, or even a regulated industry or a high-risk industry. And with me, the real star of the show, my partner Jorge Garcia. Jorge, do you want to introduce yourself?

Yeah, so I'm a product manager here at the Risk business unit at ServiceNow, and I am the product manager in charge of our RMF-specific application.

Awesome, thank you. So today we're going to be sharing some new stuff with everyone, including some actual live demos of something that is not in general release yet. So what this means is we have to do kind of the blanket safe harbor disclaimers, right? What we're talking about today are forward-looking statements based on our beliefs and assumptions. However, there's no guarantee that what you're going to see or what we discuss will be released to market, or released on time, or it may not include specific features and functionality. This is the nature of software; I think we're all used to that. But I just wanted to let you know that this is a preview and kind of an early sneak release.

So today we're talking about everybody's favorite subject, RMF. Actually, this will sound crazy, but in a lot of circles in Washington DC people actually get together and have beer and talk about RMF as a party subject. I'm not going to go into a lot of detail about what RMF is; I'm assuming that everyone on this call has way more expertise in RMF than I ever will. But I just want to point out a couple of key traits about it. According to NIST themselves, they say it's a very holistic and comprehensive risk management process, and it is certainly very holistic and comprehensive. It integrates RMF into the system development life cycle, which means that this isn't strictly a security activity that happens at the very end of something; this is something that needs to occur while the system is being built. And it provides processes and tasks; it certainly provides processes and tasks.

Now, when it comes to actually automating RMF and executing RMF, there are a lot of challenges. There are challenges in just understanding RMF; it takes a long time to really understand what it is. There are challenges in understanding all the spin-offs and the variations of it: there's CSF, there's the new CMMC, there are ISO standards. These things are all complex. They're very mature, but when it comes to actually automating them there seem to be a lot of legacy approaches out there. There are a lot of organizations that are using technologies that were built 10 to 15 years ago, purpose-built for the idea of managing complex control sets, which is great, and they served a really valuable function when they first came out. But what customers are telling us now is that as their organizations grow, as their needs to automate RMF grow, as RMF just becomes more serious and a bit more complex through the agency, these legacy approaches are creating challenges. There are technical challenges, and they're becoming these kind of isolated data islands of their own. We hear that a lot of them have very closed, proprietary architectures. I had a customer tell me that the product they were using doesn't even have external APIs that they can use to manage the product and automate more themselves, and that they're really just very focused on this technical, control-based work, and that they're very rigid. This creates challenges. We have customers who tell us that despite having these systems there's still way too much manual effort required in doing RMF right, that these systems don't allow them to incorporate enough of their process, and so their processes end up adapting to the software. And I've seen that myself in several cases, kind of personally. Unfortunately, in a lot of cases the business adapts the way they work to the software, which is wrong and backwards; the software should be adapting to how they work. And of course, trying to integrate these into the rest of the agency is very challenging.

When you think about RMF, the first thing for me that comes to mind is controls: controls, thousands and thousands of controls. But when you think about the different functional units, the different roles and different people who actually need to get involved in RMF, it's a lot more than just the OCISO, right? System owners and system admins and, you know, service management groups and operational management groups all need to be part of this, and when everyone has kind of siloed, fractured systems, trying to bring them all together at the scope of an agency is very hard. What this means is it takes them a long time to achieve value, they have increased sustainment costs, and just overall they're telling us they aren't getting the benefits they want. And if you're not able to practice RMF efficiently, unfortunately this usually means that the effectiveness goes down as well. When RMF is hard to do efficiently, the government just doesn't say "here, have more money," right? "Get more people, do more manual work." Unfortunately, this tends to drive security challenges and just kind of reduce the overall security benefit that you should be getting from these systems.

So from my perspective a new paradigm is needed for automating RMF. We need to kind of go beyond the concept of just managing controls and automating control mappings and get down to real work automation. And what I mean by this is not just automating the work of assigning controls, but all these tasks associated with the six different steps, right? All these customers telling us, "ah, 80 percent of our work is done manually outside of the platform, and then we're taking the results of this work, we're plugging it in," right? I'll make more of that: let the security folks do security stuff; let your sysadmins, your system owners, give them more time and ability to actually build securely, as opposed to the very tedious effort of doing all this manual work. And customers just deserve something that's very flexible, very configurable. Your software should be working to your most desired end-state processes, not the other way around. And you should also have really strong integrations with the rest of the business. RMF isn't just for the RMF folks; this is to benefit the entire agency, and this work requires lots of different functional units coming together, aligning and acting as one. And to benefit all of this, having that real-time ground truth is so essential. How many times have you tried to research a system for any purpose, whether it's to answer a data call or maybe you're working some sort of security issue, you're working a vulnerability or a security incident, you're trying to learn something about the system, and you go and you pull an artifact that was basically outdated the moment it was uploaded to a system, right? This old idea, remember three-year ATOs? This whole concept of a system only changing once every three years, that's gone, right? And so that means your system needs real ground truth across all these units, across the entire enterprise, and this will bring you the time to value and the lower sustainment costs that you deserve.

This is what we're doing in ServiceNow. ServiceNow is the platform of platforms. We deliver great experiences automating work across the entire enterprise, and when I say entire enterprise I don't just mean your IT enterprise; I mean your HR, your personnel, your finance management, your supply chain management. ServiceNow excels at, and was built from the ground up to, automate work, and we do that with a lot of really unique capabilities, one of which is that this platform delivers you all the capabilities for work automation. This platform was actually originally built years ago without applications on it. It was originally designed as a platform for people to build applications of their own on, and so we give you these capabilities that I refer to as the building blocks of automation. So we don't give you a dashboard; we give you a framework for dashboards to let you build any sort of dashboards you want. We give you a framework for reporting that makes it so easy to build reports: if you can build a chart in Excel, you can build a dashboard widget, a report, in ServiceNow without having to engage developers or technical staff. We give you frameworks for things like knowledge management, notifications, workflows, orchestrations, and then on top of that framework we built all of these applications. So we have applications for IT service management, going through and dealing with your change requests, your release management, your problems; IT operations management, giving that network and asset visibility and doing discovery, maintaining the health of these systems, dealing with inbound events from these systems; asset management, understanding what your software and your hardware assets are, what they contain, right? And we have things like security operations, where we bring SOAR, security orchestration, automation and response, to the ServiceNow platform so you can automate your security incidents, your vulnerability responses, right? So now you can automatically bring your vulnerabilities in from ACAS and automate the entire response process behind that. And we automate all of your risk management, but we do this all as part of a single platform. This is the beauty of it. We have all of these applications, each of which is crushing its own respective space. Our integrated risk management on ServiceNow literally has three or four Gartner Magic Quadrants to it now. We're leading so many different analyst spaces that we haven't figured out how to put them all on one slide yet. But you get all of this as a single platform built on these building blocks of automation. So what this means is it's extremely easy for us to automate more of the work of RMF, the work that right now so many agencies have to do outside of their platforms, have to do manually. We can automate more of that work; we can drive interaction between these business units so much easier, and without building a million different integrations, because this is the same platform, the same shared common data model underneath.

And on top of this we built our integrated risk management. I'll just give you a very quick walkthrough of this before I turn it over to Jorge. Within integrated risk management we're essentially allowing you to manage the entire policy and risk framework and control life cycle. What I mean by that is we make it very easy for you to manage multiple policies, any sort of policy, whether it's A-123, whether it's DoD 500.2, whether it's 800-53, or your own internal policies, and we make it very easy for you to manage the risks associated with them as well. We allow you to then assign these to different entities in lots of different flexible ways; there are a lot of different ways to slice and dice how these get assigned. But then the really big thing is we make continuous monitoring easy. We have these data indicators that you can point at other tables in ServiceNow and specify conditions and say, if the data matches these conditions, it's compliant or it isn't. We also make it very easy for you to send out attestations: "Do you solemnly swear or affirm that you've implemented these controls in accordance with standard etc.?" The same sort of things we do today, but you're probably doing it through a lot of different emails and spreadsheets right now. We do all this within the platform, and when we get these results in, whether it's 24/7 through an indicator or it's an attestation response, when there are problems we automatically generate the issues from there, we generate the remediation tasks, and we drive that complete chain of remediation. Now, this is a marquee product of ours, this concept of doing risk management, policy management, compliance on this wonderful platform that allows us to really automate the full scope of work around it. And we've put a lot of effort into this. You can see that our development efforts behind this just keep ramping; we just keep adding more and more resources to this product, and it just keeps growing. So what I'm going to do now is turn it over to the real star of the show. Jorge is going to talk about the continuous authorization and monitoring application we are building right now. It's due to release in October, and this is how we're addressing the need to automate more RMF. And Jorge, I see your screen is shared, so over to you.

All right, thanks, Matt. So yeah, as Matt just said, we are in the middle of building and finishing up our continuous authorization and monitoring, or CAM, application, which will allow customers like yourself to be able to walk through the entire RMF workflow from beginning to end, encompassing all 47 of the tasks that 800-37 stipulates have to be done as part of the seven steps, if you include Prepare, through when you create an authorization package. So what I will do is I will walk through slides and show a demo at the same time, so I'll be flicking back and forth a little bit, but hopefully you are able to stay with me.

So the first thing is the reason why we decided to build an RMF application in ServiceNow, and the opportunity that we saw, is that we have all of these great products and other applications that ServiceNow offers in its portfolio. So what I'll walk you through is how all of those things tie together and what we've done to ensure that, as you walk a package through its life cycle, we can leverage as much automation as part of the application as possible, but also leverage data points and work that has already been done outside of the risk management function as much as possible, right?

So that said, let's start with some of the main activities that have to be done. The first thing in the Prepare step is you have to define your system or authorization boundary, and that includes being able to scope out how data flows, how things are connected to each other, which ports are open. And for that we have these products in ServiceNow. The first one starts with IT operations management, which provides you visibility, discovery, service mapping, and essentially becomes your CMDB of all of the different configuration items: these are laptops, servers, computers, anything that is able to be discovered. But on top of that we provide capabilities to ensure that you can tie those to business processes, locations, facilities, so it's not just a CMDB dealing with configuration items and a true configuration management database, but rather your database of everything, right? So your IT infrastructure and your business infrastructure, and you start drawing relationships between the two to understand business context. Now, as your CMDB starts coming up, what we are doing on top of that is we have other applications in ServiceNow that allow you to manage that software, manage that hardware, and again start drawing those relationships to the business. Very quickly, just because I do want to get to the demo, we also have capabilities in DevOps so that you can start RMF as early in the process as possible. And so if you read 800-37, they actually map all of the different tasks that are part of 800-37 to specific stages of the software development life cycle, and the idea is that the earlier you can get started with RMF in the development of a particular application, the cheaper and the easier it's going to be to manage it and ensure that you're following that regulation. So all of these capabilities allow us to build an authorization boundary, tying ourselves to the CMDB, being able to consume that business context, those interrelationships and connections between those things.

So as I flip into the demo, and I said I was going to flip back and forth between product and slides a little bit, what I want to show you is I have here a demo record. I have an authorization package. I'm logged in as a system admin just because I want to be able to show you multiple things at once, but we do have all of the roles associated for the roles and responsibilities and all the stakeholders that 800-37 stipulates, the main ones at least. And so in this case, if I were to impersonate or log in as Orwell, then I would be the system owner of this package, right? But again, just because I want to flip back and forth and show you a few things, I'm here logged in as a system admin. So the first thing I'll do is I will go into the authorization boundary, and we'll see how all of these things tie together at the end. I have the ability to create filters that are tied to either CIs that are specific to a CMDB or anything else within a ServiceNow table, right? So again, it can be a facility, it can be a location, it can be a business process, and by creating one or more of these filters we can start generating our boundary, which we can also start tailoring. So if I had a server here that was not applicable I would be able to delete it, or if I had additional system elements that needed to be part of this boundary I can also add them. So this is all data that is already part of your CMDB. If I were to click on it, I would actually get a lot of the IT context behind this particular server, and I will show you that at the end, how we bring in all of those elements that we'll see throughout the demo today. I have capabilities to add diagrams, but really the bulk of the work is going to be driven through the authorization package, right? But again, the idea is that if we can leverage that existing data about what a boundary is, which elements belong to it, which servers, which firewalls, which endpoints, all of that information becomes crucial as I walk this package from beginning to end.

So as I go back to the slides, we've kind of created a boundary. I'm not showing you how to create it; I have one already created for this demo. But really all of this information becomes invaluable, and I'll show you again at the end how we make those connections. The second thing that you have to do, and it's big on the Prepare step, is you have to perform risk assessments, and for this we are relying heavily on our risk management portfolio: to be able to do business impact assessments or analysis using our business continuity management tool; whether you need to do an inherent versus residual risk assessment using risk management; whether you need to tie RMF to other parts, or other regulations or best practices that your organization follows, through policy and compliance, right? So there may be situations where RMF is a regulation that you follow but ISO 27001 is something that you strive to be compliant with, just from a best-practices perspective. We have the ability to tie to vendor risk, and again 800-37 talks about how by implementing RMF you're also helping mitigate your supply chain risk, and so tying it back to those vendors that give you a particular piece of software, or are part of your supply chain for a service that you provide to your customers, is also something that we provide. And the reason why we have tied ourselves very heavily to risk management is because RMF, as the name says, right, is just another framework that is used for risk management. It has its own things that are different from the way that we do enterprise risk or operational risk out in the private sector; it has this workflow associated with it that is particular to RMF. But at the core, or at the foundation, it has all of the elements that our risk management application has. And in fact NIST themselves, in this chart that comes from a NIST document, talk about this ERM playbook: having enterprise risk management capabilities to first understand the context, whether that's your IT context, your business context, and tying those things together, all the way down from identifying those risks to hopefully having KRIs, or key risk indicators, to monitor that. And so the ERM playbook here that you see on the left-hand side is out-of-the-box capability that our risk management application has, and what we're doing is we are solving with CAM specifically for RMF for this first phase, or this first approach. Again, the idea is that because of these seven steps that RMF abides by and concepts like authorization boundary and package, we can also help solve for RMF and all of the different things that we see here on this chart. And our goal within the Risk business unit is that by having our native risk management capabilities out of the box, and adding some of the nuances of RMF, we can start closing the gap and we can start solving for things like ISO 31000, OMB A-123 and other regulations that really live, I would say, in the middle of what is typically a plain-vanilla ERM and RMF. And so our end goal is to be able to solve for all of those things, and with CAM we believe that we have here all the things on the left, the things on the right, and our customers would be able to close the gap and solve for things in the middle. The second reason we decided to be part of, and very closely tied to, our risk management products is because our IRM portfolio happens to be a leader on both Gartner and Forrester, and in fact is the only vendor who was a leader in both, and so it just made a lot of sense for us to closely align to them and be able to leverage all of the functionality that they have already provided. Moving forward, we also use policy and compliance in our risk management applications when we talk about control baselines, information types, control inheritance, the life cycle of a control, the attestations of a control; again, all functionality that already lives and exists in risk management.

So what I'm going to do now is flip back to here. What I've done so far in this package is I've defined the roles and responsibilities, I've done a privacy threshold analysis or privacy impact assessment, I've gone through the trouble of categorizing my system based on the information types that the system handles or processes, and I've actually requested approval, right? So we're starting kind of in the middle of this. But what I'm going to do is approve this package as a system admin on behalf of the AO, and what we'll see is some of the automation that we've introduced. So let me reload the form. Let me wait a little bit longer and reload again, because what we are doing is, based on this impact of High, we automatically tell you which controls NIST specifies you need to assess based on that impact value, as well as, as you enter the Select step... right, so we were in Categorize, we requested approval, it got approved, we entered the Select step, and we see the baseline controls that we need to implement based on this impact. And now we have the ability to do control selection and control tailoring. So what I can do is add individual controls. Let's say that I want to add these additional two controls based on other attributes about this particular boundary; I can absolutely do so, and in fact I see that my list has grown to 345 based on the fact that I added those two. I can also mark certain controls as not applicable, so I can go ahead and say that this control does not need to be implemented, for whatever reason. We have a placeholder to enter justification; what we do is we move it into its own bucket of not-applicable controls and we also save the justification, so everything is kept for audit capabilities. An additional thing that we have is the ability to inherit from a common control as well as create a common control. It's a two-step process, where first someone gets defined, or told, that they're going to be a common control provider, and so they would actually say, "for emergency power, I will provide that to the entire facility; I'll go ahead and create that as a common control." You get warned, or told, or informed about what that means, and once a common control has been defined, then you'll have the ability to inherit from that common control. So that means that you'll be able to inherit the security that the control provides as well as its compliance status. I'm not going to go into too much detail there, but we have full control inheritance based on common control providers and a common control catalog.

What I'll do now is request approval. Let's imagine that I've gone through every single one of my baseline controls, I've done the tailoring phase, I've specified which controls need to be inherited, and now I need to move to the Implement step. So let me go ahead and reload the form here, and what you'll see is that because I requested an approval based on my Select step and the control tailoring phase, I get another approval here. I'm going to go ahead and just approve that for the sake of the demo and wait a few seconds here so that the workflow can move to Implement. And what you can see here is I've decided to essentially implement 344 controls; one of them was marked as not applicable. And what the system is now doing is automatically generating all of those control instances on our behalf. So for each control I'll have the capability to attest that the control has been implemented, review the control implementation steps, maybe modify or document or append additional implementation steps that needed to be taken to implement this control, and then start monitoring the control via indicators. So we have all of these capabilities from our native policy and compliance application that allow us to create controls and then track the control through completion.

Now, for the sake of this demo, again, we created this automatically, but let's imagine that I've gone ahead and I've implemented all of these controls and I'm ready to move to Assess. And so that means that a security control assessor will come in and will perform all of the necessary steps to ensure that the controls have been implemented as specified through the instructions. And so what we do here is we create an audit engagement, we assign it to the security control assessor, and we create the control test tasks so that the assessor can go in and review every single control that is in scope, in this case all 344. These audit tasks are automatically generated, and they would go in there, enter their findings, and enter whether the control has been implemented appropriately. Again, just for the sake of time, I will jump ahead a little bit and not really show you that true assessment.

But going back to those slides, this is where we are so far. So as I move ahead, as part of the assessment process I need to start generating POA&Ms, or issues, or findings, whatever you may want to call them. And we use those internal audit, or audit, capabilities for the assessor to go out and assess the control if it's a manual test. We have capabilities to create automated indicators that go out and test that control automatically and give you that either compliant/non-compliant or pass/fail result. And then the way that we do things as well is that for the POA&Ms we tie to our security operations applications. So we have things around security incident, kind of the SOAR application that Matt alluded to earlier, so any security incidents that have been opened and have an impact on our authorization package; and this ties back to that early phase, because we have all of that CMDB data, and a security incident impacts one or several CIs, and we have all of that context available to us. We may have vulnerabilities that are present on any of those system elements, or we can actually check in an automated fashion whether certain configurations have been turned on, right? So whether the password strength is as strict as we've actually specified it to be, as well as any other threat intel. So all of this information allows us to create the POA&Ms, enrich the POA&Ms, and actually start creating milestones in those applications to start solving them. So if I have a vulnerability, the POA&M will actually direct you to either patch the system or find some other way to mitigate that vulnerability. And finally, we also show you things around IT service management. This does not necessarily impact confidentiality or integrity, but it impacts availability. So if there's a blackout that is impacting your firewalls or any other system, if you see that there's an incident that is causing all of them to be offline, if you notice that a change request has an impact of shutting everything down, then we can provide all of that capability and all of that visibility into the final kind of risk summary that allows the organization not just to generate the POA&Ms, but gives context outside of just the risk function to make that final decision to authorize things and monitor things.

So what I'm going to do now is go into another record, one that has a little bit more of that context. And sorry, I need to go into this authorization package, my apologies. So as I click on this HR infrastructure system, I see all of the information that I've seen, but I also see this risk summary tab. The risk summary tab is showing me how many change requests have been opened on any of those system elements that were defined in the authorization boundary; the number of incidents, so again this impacts availability, and so things that I need to be aware of in order for my system to go through the authorize step, but also from a monitoring perspective. In this case I notice that I don't have any security incidents, but if I did have security incidents they would also show up in these related lists and be available as part of the risk summary as well. I have vulnerable items, and so this ties to vulnerabilities and those POA&Ms that can be driven off of that. And here I can also see the software that is installed, just to give me some additional context as to whether I need to patch certain things or whether there are any very dangerous vulnerabilities open in one of these patches. All of this information is shown here in the risk summary to give you kind of the aggregated score or view based on how they score things, right? So vulnerable items tend to score things in this quantitative value, and we show you that it's a 51 out of 100; these tend to be scored in a qualitative value, but we also show you that, for instance, for change requests there is a high score, so you may want to be aware of the fact that this may actually impact your authorization boundary.

And so just to close it out, we want to make sure that what we showed you is really just the left-hand side of all of the capability and things that ServiceNow is able to provide from a visibility perspective. ServiceNow continues to increase its portfolio and its offerings, and so there's a lot of insight and just context that we can gain as we walk through the RMF process, as we look to automate things, as we look to make risk-based decisions based on things that are actually happening. And because all of that work is being done in one platform and one system, we're able to better visualize that and tie those things together. So Matt, with that, I pass it on to you if you have any closing remarks.

No closing remarks yet. I want to thank you very much; that was awesome. There was a question that came in, I guess through YouTube Live. I don't know if you're ready to address this; I know the basic answer. Taylor is asking if records and fields are ABAC'd based on stakeholder roles, etc. So I know that we do have a lot of RMF-specific roles, such as the system owner, the ISSOs, the SCA, the AO, etc., and that there are certain access controls in place, but is that an area that you might be able to comment on a little bit more?

Sorry, I was on mute. So yeah, we do have access control on all of these roles, and based on the role that you have you're able to view
certain records so as a system owner i'm only able to view the records that i own say hey oh i'm able to view the records that i need to authorize and then based on those roles additionally there are things that i can or cannot do within a particular record so we have a concept of system users but a system user may only be assigned tasks or things to do and don't really have a say into defining the you know the information types or things like that unless they've been assigned to so all of these roles have access control in them thank you jorge and there's another question um does this app require subscription so uh servicenow is is subscription-based products this application continuous authorization monitoring will actually be included in irm professional and enterprise so there will not be a separate subscription required for this specific application it's being included in irm pro and enterprise any other comments you might want to make on that for you no i think you got it cool great questions they are um yeah so i mean we're very excited to to you know release this as part of iron pro and just add more value to it and you know if you aren't fully aware of irm yet i i encourage you to learn more about it it it really does help the entire enterprise today obviously we focused on continuous authorization and monitoring right cyber risk management rmf management but this same integrated risk management application is is being used for enterprise risk management it's being used for operational risk management hr risk management um you know it's built in a way that doesn't confine you to only one use case so what this means is you know we talked about how instead of just having kind of this you know a data island of rmf here and bringing into the platform the same integrated risk management can be extended so we think it really represents a huge amount of value for for the dollar um especially when you as you start moving other realms of compliance and risk 
management into it so all right great uh lisa are you seeing any more questions on youtube i'll check one more time i'm not saying them yet but um you know you can always post your questions on the link that i've provided in the chat uh this recording is there now well this live portion of it is and as soon as we end the broadcast it turns into on-demand so you can re-watch it and post questions and uh you know both jorge and matt will be there to answer more questions later if you if you want to come back um i did have one question from someone that's asked that the if the slides are available uh they can be available i don't know if youtube uh i'm i'm no youtube expert i don't know if youtube lets us upload files separately um but you know jorge and i and the rest of the servicenow team are certainly here to to support you and if you want to do a one-on-one and go into into more depth uh or if you just want the slides that you can distribute around your organization reach out to your sales team we'll get them to you either i can also attach them to that community link and yes generally now that we had certain users that were prompted for a password which is a new development it did was not uh it didn't happen to me two weeks ago when we did an event so it must be a new zoom security issue and so we'll make sure that we review our workflow um and and link when we do post it out so our apologies to those um with the password issues um [Music] all right i guess with that we're gonna end today any other questions that might be coming up i'm not seeing any right well we thank you all again and uh oh one last one one last one all right we're holding there we go is it is it a plug-in we have to activate uh jorge i'll leave that one to you is this this is going to be uh it is a plug or a store download it is a store download and it does have to be activated the same way that you would activate any other plugin and this is you know this is available not only for cloud 
customers but this is available on-prem as well all right then thank you again if you do have any other questions please do use that community link and then your other audience will be able to see your questions and our experts will be there to come back and answer and engage with you so we want to thank you again for joining us and we hope that you uh find some more community events that'll be coming up through not only the end of this month i bet october november have a great weekend everyone and uh see you all soon thank you all for sharing your time with us

View original source

https://www.youtube.com/watch?v=P7SL_MzNUGk