Cybersecurity risk: pressing problems facing global governments
All right, thank you all for joining us. We're very happy to be here to talk about cybersecurity risk as one of the pressing problems facing global governments. A couple of housekeeping tips before we get started: you are automatically placed on mute, although we want this to be interactive, so you'll notice at the very bottom of your screen you have a little Q&A button. Please enter your questions in the Q&A; we want to make this interactive and get your questions answered. The session is being recorded, and I will share in our chat a link to our on-demand webinar that you'll be able to watch, and have your co-workers watch, after this. At the very end we have a short survey that will pop up, so we appreciate you taking that so that we can come up with new ideas to present to you all.

Today we'll be talking about cybersecurity challenges. We're going to get into how ServiceNow can help, then driving customer success: how are our customers finding success with the solutions that we're offering them? And then finally a wrap-up. I am very pleased to be joined by my two colleagues. Brian Myers, can you introduce yourself?

Hi everyone, I'm Brian Myers. I run the risk and security practice for ServiceNow Federal and have been doing it for about four years. I'm joined by Todd Huber. Todd's my solution consultant. Todd?

Thank you, Brian. Todd Huber here. Like Brian said, I am his solution consultant. I've been with ServiceNow for just about three and a half years now, and prior to this I actually did RMF work as a practitioner with the government as a contractor. I spent 11 years doing DIACAP and RMF, so I'm very familiar with the use case and I'm looking forward to our session this afternoon.

And Todd is going to bring it to life for us with a live demo, so make sure you stick around to see the live demo. So, you know, we
did some research, and in a paper that we recently published there are four pressing problems that we really see facing global governments. This isn't just the North American and US governments, but also EMEA governments and the European Union. This is very common, and you'll find that this honestly isn't even just relegated to governments; these problems also touch on private business.

The first one is cyber threats, and we're going to be talking a lot more about that today. The second one, and we'll have a future webinar on this, is climate change, and how that is not only impacting the government's ability to help private organizations moderate their carbon emissions, but also touches on things like how you report on and manage food production when there are climate issues, and how you deal with threats to critical infrastructure from the climate. There are actually mirrored challenges that the government is trying to address around climate change.

Supply chain disruption is something that I think we all really lived through during the pandemic; we can remember back to getting plastic bottles, or getting the necessary equipment to be able to administer the COVID vaccinations. Supply chain issues can be a massive public health and security threat.

And then finally, artificial intelligence. This is honestly the topic of the year, I think, and artificial intelligence really touches the government in a couple of different ways: the government's own use of artificial intelligence, and how you put the guardrails around AI and its use; and then also, especially during an election year, how you deal with disinformation that is being created using AI. So a couple of challenges there, and we'll have webinars coming up over the next couple of months to address each of these, so hopefully you'll tune in and listen to the rest of the webinar series,
but right now we're going to talk a little bit about combating cyber threats. In our paper we discussed a couple of different areas of threat here. One of them is attacks on critical infrastructure, and that's really what we see as being the largest threat. There are a couple of different ways that organizations and governments are addressing this. The EU has NIS2, which is mandating the use of, and the ability to report on, critical infrastructure. In the United States we have a variety of regulations, one of them focused on energy and utilities, which is NERC, and the other one is NIST 800-53 and the other NIST standards, honestly.

The second area that we look at from cyber threats is attacks on physical assets. If you think about undersea cables: the internet, and the connectivity the internet provides, is critical from a government perspective. Any sort of disruption to the internet or to the undersea cables is going to be a significant threat to our ability to function as a nation, and also potentially to our national security.

And then finally, concerns over the use of internal technology sourced from adversarial countries. You see this in some of the Biden mandates about sourcing different components from different countries; you see it in new regulations that are being discussed around electric vehicles and the ability to purchase those from different countries. So there's a lot of discussion and concern about that.

But today we're going to focus on attacks on our critical infrastructure, and in particular we're going to focus on NIST 800-53. I know Brian and Todd, you gentlemen have a lot of discussions about this, so I want to turn it over to you, Brian, to tell us a little bit about what NIST 800-53 is, or NIST standards in general, and also get into some of the ways that ServiceNow can actually help.

Thanks, Teresa. Yeah, absolutely. So this is NIST 800-37, which brings in 800-53, 800-39,
800-160 and 800-18 into that big framework that is the NIST Risk Management Framework. There are seven steps to that, starting with Prepare and then going out to Categorize, all the way around that circle to monitoring controls, and that's really what Todd's going to show you later in the presentation. But the idea behind this is to merge compliance with risk. When Todd was doing this in the federal space, a lot of times you could choose: you can be secure or you can be compliant, but you don't have enough manpower to do both. The automation of ServiceNow allows us to really work towards getting compliance and security in the same ballpark and driving in that direction.

I wanted to show you how, first. We know that people are doing this today; they are looking inside of that circle, they've got everybody working, but they're working on different platforms, they're working on different pieces of data, things are getting lost and changed and not followed correctly, and there's no automation. So what ServiceNow does is really try to drive those manual processes into a really automated capability we call Continuous Authorization and Monitoring, or CAM; you'll hear Todd refer to it either way. It's everything around that lifecycle of collecting evidence, creating the documents, monitoring the controls and assessing risk, tracking POA&Ms, and then making those consolidated risk reports, and putting everyone on that same platform so everyone has the view that's important to them and can drive forward with the answers that they need, so that they can again be both compliant and secure at the same time.

So where do we sit inside of ServiceNow? ServiceNow is that flexible platform; we're in it. We've got that intuitive UX that you'll see today, a single data model, so we can use information from across the ServiceNow platform to do this NIST RMF
work, because we're in that single architecture with seamless integration. We are really driving towards making you more successful in meeting your missions, in doing all of those things across the top that are important to any organization, but specifically in the federal space. We use a lot of other pre-built workflows, whether they're customer workflows, employee workflows, finance and supply, or our tech workflows, to really drive forward into the digitization of government. To that we connect any system that the agency has available, so that we can pull that information in, not to become the system of record but to be the system of action for those workflows. We have the Impact team that provides insights and services so that they can move things forward.

Our risk and compliance, audit management, and resiliency, that's really what we're going to be talking about today; it kind of sits on top of all of this capability, because there's risk in all of those areas, there are compliance requirements, there are resiliency requirements, and NIST requires that of everyone. In our space, the federal space, we put our customers into the FedRAMP High GCC, Government Community Cloud. We've got a DoD IL5 capability as well for our DoD customers. So we offer all of this capability in a very secure environment.

CAM, continuous authorization and monitoring, really sits on top of a couple of things. Our IRM provides the basis of that. The first part of integrated risk management is the governance, risk and compliance piece: policy and compliance, risk, and audit management together form that GRC capability that Gartner has found we're in the leading quadrant for, and that Forrester has found we're leading in. To that we add third-party risk management as a separate capability, data privacy risk management, business continuity risk
management, all with the goal of getting to operational resilience: the ability to look past what you have today, to look past that security and compliance, and really move towards operational resilience. Continuous authorization and monitoring is a Store application on our platform; it sits in our Store and is available to IRM Professional users, but it is a capability that uses a lot of what we have in policy, risk and audit. Todd will show you that in a few seconds as I get through this. Really what we're doing is sitting on top of that highly capable platform, with that GRC overlay, putting a continuous authorization and monitoring capability in to do the seven steps across the NIST RMF. If for some reason you're using a GOTS product in the federal space, CSAM is a government-provided tool that doesn't have a good API; we can offer RPA to push that information back and forth. But we're pulling information, as I mentioned before, out of IT Service Management, Operations Management, Asset Management, SPM, SecOps, DevOps, wherever that information is in our platform, so that it can be easy to do those compliance jobs and make your environment more secure. And with that I'm going to turn it over to Todd so he can drive forward and show you things like our capabilities in dashboards and reporting.

Thank you, Brian. Please make sure you use the Q&A feature down below; we want to make sure we get your questions. Todd's going to be showing you some amazing stuff. If you have any thoughts, questions or comments, please go ahead and share them.

Yep, I'm going to try and keep my eye on the chat also, but if a question comes up, please feel free to ask. We'll try and get to the questions at the end if anything comes up in the chat that I miss. So we'll get started out here. We're going to start out with the authorization boundary, and once we talk
about how we can create and maintain boundaries in CAM, then we'll shift over into an authorization package. We'll take that package through the entire RMF process, step zero through step six, so all seven steps. We'll stop off at the assessment at step four to see how that can be completed, and then we will wrap up with generating ATO artifacts and continuous monitoring at the end.

Starting out here with the boundary, I kind of look at this form in three sections. The top third contains the attributes that are specific to the authorization boundary; the middle section contains the diagrams that will go into the SSP once generated; and the bottom third contains the nuts and bolts of the boundary, where the system elements can be found. It's important to note that the interface we're going to look at throughout the entire presentation is very configurable, and this is important especially with authorization boundaries, because metrics, data calls and reporting are a big part of RMF in the federal space. So you can add additional fields here to capture data points that you would like to add into your reporting requirements.

On to the boundary itself. Down here in the system elements list is whatever the information system is comprised of: on-prem or cloud, physical or virtual, networking devices, servers, workstations, whatever applications, whatever the information system is, this is where it will be defined. We can populate this two ways: click New and add system elements from the CMDB manually, or we can automate this process with boundary filters. I'm going to show one example of a boundary filter here, and this one is pretty simple, but you can get very complex with these, and you can use as many boundary filters as necessary to define your boundary. The way they work is that the filter is basically a scheduled job that will add and remove system elements from the boundary, and for the filter to
work, we just need to point it to the table where the data resides that we want to filter on. In this case we want to pull in all the Windows servers from the Windows Server table with a name that does not contain "load". When we select the table, the filter condition dropdown has the columns that are in the table that we selected; we can make the selection there and then build out the filter condition. If we want to use a subnet, for example, instead of using name we would select IP address, and then for the operator we can use "between" and set the top and bottom of the IP address range, and you'll be able to pull in any system elements that are added to the CMDB and contain an IP address within that range.

The scheduled jobs run every 24 hours. If the filter picks up a system element in the CMDB that matches that criteria and that system element is not already in the boundary, it will pull that system element into the boundary. If the system element is already in the boundary and the filter runs again and does not identify it, the filter will dynamically pull that system element out. Every 24 hours that happens, and that's very beneficial for two reasons. One, we see that as compliance, because your documentation will be up to date with an accurate boundary. Two is security, because when we get all the way to the end and we talk about continuous monitoring, we will run continuous monitoring indicators against the system elements in the boundary to measure for compliance, so it's important that we have an accurate boundary list.

The last important note here is that CAM does not do the work of populating the CMDB. It's not doing discovery, it's not identifying systems on the network or pulling in data from another CMDB; it's just accessing the data that's in the ServiceNow CMDB that's been
populated through ServiceNow tools or integrations with third-party tools.

Once we have the boundary established, we'll be able to create an authorization package. We already have one here, so we're going to transition over to the package that's in the Prepare step. It's the intention of NIST that the tasks performed during Prepare can be performed during any step in the RMF process, hence the zero designation. But one task that we will do up front, and not again throughout the subsequent steps, is selecting the version of 800-53 that we will use to apply controls to the package. We provide the controls for Rev 4 and Rev 5 out of the box. Once we've made that selection, we'll be able to further refine the roles and responsibilities here, and again these are configurable interfaces, so if you would like to add additional roles and responsibilities you could definitely add those columns to the table.

The last thing we'll address during Prepare is whether or not privacy data is present in the boundary. We have four questions here; this is the PTA that's defined by NIST, and if any of these privacy threshold analysis questions are answered yes, then CAM will designate the boundary as a privacy-sensitive system and it will generate a privacy impact assessment that we will need to assign to a respondent. We do provide a privacy impact assessment out of the box; however, we're aware that most of our customers have a PIA in place now that they would like to either replicate in the platform or achieve a desired state. That's easy to do with CAM, because the PIA is an assessment instance template that's comprised of these assessment instance questions. They're like questions in the question bank: you build them out ahead of time, you can apply weighting to them, and design some functionality in there that you would get outside of a PDF, so you could have dependent-type questions
where if you answer a question a certain way it'll open up additional questions, and you can really replicate what your existing PIA is, or get to that desired state. What it will look like from the end user's perspective: they'll get a notification, in platform, text message, email, however you do that, that they need to respond to an assessment. When they open it up, this is what the out-of-the-box one looks like. They can provide the narratives for all the questions, either save and come back later, or submit. Once the PIA has been submitted, the ISSO, or whoever is working the package, will be able to use that to help tailor controls during the Select step and then document controls during the Implement step.

So once we've wrapped up our tasks during Prepare, which are assign the control set to the package, define the roles and responsibilities, and then address privacy, we will be able to move on to the next step in the process, which is Categorize. This is a quick one; we'll go through this pretty fast so we can spend more time in the important areas of RMF. All of the information types that are defined in the NIST 800-60 special publication are found here in CAM. We click Edit, identify the information types that are present in the boundary, select them, and that will pull in the information types along with their corresponding confidentiality, integrity and availability levels, of which we are going to take the high-water mark. In this case it's Moderate, based on the information types selected, and that is what we will use to apply the recommended impact level for the package. If your internal policy permits deviating from that recommended impact level, you can, and a justification statement window will appear here that you'll need to fill out so the AO knows what they are reviewing when you push this package over for approval. To do that is a very easy process: we click Request Approval, and whoever is defined as the AO
or the AODR will get the notification that they need to review the package. This is where you have some configuration options. Whenever you click Request Approval at the three different steps during the process where we need to request approval, at that point the package will shift over into a read-only state, but there are options on whether or not you want to generate the controls here. Out of the box we will not generate the controls at this point; however, you can generate them based on configuration changes. We understand that the biggest hold-up in a lot of organizations is waiting for the approval, so to alleviate that problem becoming even bigger, we give you the option to create the controls so you can start to do your tailoring and start to do your implementation while you wait for the approval. Depending on what your internal policy is, you can configure CAM to do either of those options: either completely lock down the package to preserve the integrity for the AO, or just lock down the attributes that are editable and then continue to work the controls. So you have flexibility in terms of how you want to implement the RMF process with CAM.

Once we have the categorization set and we have the approval, and it has not been kicked back for rework, we're going to be able to move over to the next step of the process, which is Select. This is where we are going to apply overlays as well as do traditional control tailoring. Traditional control tailoring happens from the Baseline Controls related list at the bottom of the screen, and from here this is where we can mark our controls as not applicable, inherit controls (fully inherit from a common control provider, or partially inherit from a common control provider to create a hybrid), and even mark a control as common for other packages to inherit from. When it comes to N/A, we can do that in bulk, because there's nothing to tie the control back to; we just mark it not applicable and it will push those
controls over into the appropriate list. We can also do a subset: you can do select all, but you can also click the checkboxes to discriminate, so you can select which controls you want to mark as N/A. But when it comes to fully inherited or hybrid controls, we have to do those one at a time, because we need to link those back to the common control that they will be inheriting from. So we'll create a hybrid control here. We'll send AC-17 over to a hybrid control. To do that we will click the checkbox to identify that's the control that we want to create a hybrid for, click the button, and then the window will open up that gives us an option to decide which control requirements are being provided by the common control provider and which control requirements need to be implemented by the system we're currently working. In this case we'll just pick AC-17a as the requirement provided by the common control provider, and once that designation has been made, we can see the control has shifted over to the Hybrid Controls related list, and if we hit the down arrow we can see AC-17a is the control requirement being provided by that common control provider package. As we go through and continue to tailor all of our controls out, we will see the results of that here: any controls that we fully inherit will show up in this related list, anything that's hybrid, anything that's not applicable, and if we have any common controls we'll have another tab for that one as well.

The privacy overlays: technically, CAM is an accelerator for IRM, because it leverages existing IRM capabilities just skinned for the RMF use case, and I'm going to show an example of that right here with the privacy overlay. If we want to pull additional controls into a package, we will just leverage a policy object from Policy and Compliance, and then we will scope out these control objective
templates to the privacy overlay. I say control objective templates because these are the templates that will generate a control when we scope this template out to an entity like the authorization boundary. So we have the PT control family here, listed as all the different control objective templates assigned back to this policy overlay, and when we apply the overlay to the package, it will generate a control from each one of these control objectives in the list within the package itself. It's important to note here that there's no limitation on the policy overlays that you can create; you have complete control over that here in CAM. Unlike other RMF solutions, which give you set overlays that are static, and you either apply them or you don't, in CAM you have complete control over this. So if you need to do a high value asset, a cloud system, a major application, an email system, whatever type of overlay you would like to apply: you create the policy overlay record here, scope out the control objectives, which you can either create manually or pull in from a third-party content provider, apply this overlay to the package, and then you'll get those controls generated. Click back a couple of times to get back into the screen here.

So now, once we've completed all of our tailoring, we've applied the overlays that we need to apply, and we have done our baseline control tailoring from the Baseline Controls list here, we'll be ready to request approval once again and push the package over into the Implement step. Implement is where we're going to document the controls, and this is where we're going to see a lot of the strength and capability of ServiceNow really show itself, when it comes to collaborating between the ISSO and the system owner. Typically, when you're working a package, documenting controls can take a lot of time, not just on the initial package creation, when
you're doing the package for the first time, but then again, whether you're doing ongoing authorization or you're doing a full authorization every three years, getting out there and contacting the system owners can be challenging. There are a lot of moving parts: emails, tracking spreadsheets, meetings, calendar invites, tracking things in Outlook. There are a lot of manual parts to that, because assessors and auditors have freshness dates on implementation statements and artifacts and things like that, so we need to go out and update these controls. Where in the past that's a manual process, it has been automated here in ServiceNow. Across the top of the screen we have the chevrons that indicate where we are in the control's lifecycle. Attest is the important step here, because that's when an attestation will be sent out to the control owner to respond to, and the attestation itself has some smarts, some automation behind it. Let me open one up here and we can show that.

So here's our GRC attestation that's been sent out for this control. As opposed to doing this through spreadsheets and email, the system does this for you: it sends out the attestation to the control owner or the control-owning group to respond to. You can set the frequency for how often that happens, usually annually for controls in RMF, but if you'd like to do that more frequently you can. The way the attestation works is: is the control implemented, yes, no, or not applicable? If yes, upload an evidence attachment to show that the control is being fulfilled, and provide the implementation statement. If no, explain in an implementation statement why the control is not compliant. And if not applicable, why do you feel that the control should be non-compliant? If you answer yes, the control is compliant, then you can go about your business and continue to implement more controls; no
action is taken after that; the system sees that as self-reported compliance to that attestation. However, if the attestation is answered no, the system will see that as self-reported non-compliance, and then there's automation behind that: one, dynamically marking the control non-compliant with no user intervention, and two, opening up a POA&M, or an issue, also with no user intervention, to help the control owner get that control back into a compliant state. There's also a granular breakdown here of the control requirements as well. We can attest these at the granular level, or we can send an attestation out at the main, high control level; it's configurable both ways. If you want to get granular you can; if you want to get more basic and high level, you can do that as well. So again, the importance of that attestation is that it can be sent out. Here's the frequency tab; this one's been set to annually. When that attestation gets sent out to the control owner, they can take that assessment or that survey. Any yes answer marks the control compliant; any no answer, the system sees that as non-compliant, marks the control non-compliant, and opens up a POA&M.

Now, if this looks kind of clicky, it is. This is the most detailed, granular version of documenting a control. This isn't always necessary: in some organizations, or all organizations, you're going to have some controls that always fail and some controls that always pass. The last agency I was at, a very small civilian agency, like 350 employees, didn't have much money; they never had the resources for an alternate site for disaster recovery. That's just a control that's going to fail in every single package across the entire agency. Those kinds of controls you can group together, attest to them in bulk, do some bulk processing to cut down the manual work, and then the controls that you know will always pass you can
bulk attest to as well, and then use the process that we just saw to work the delta in the middle, to document those controls that need the additional information. Once we have documented all the controls in the package, we'll be able to move over to the next step in the process, which is Assess. Now we are going to switch over and actually see this from the perspective of a security control assessor, so we're going to log in now as Stephen Cruz Alba, who is our assessor, and then we're going to open up this package and see how we can perform the assessment.

Let's get back into our assessment here. When we get to step four in the process, the system will dynamically create an assessment engagement. Earlier we saw how Policy and Compliance was leveraged to do an overlay, and now we're leveraging the assessment engagement from the Audit Management solution. If you're familiar with ServiceNow Audit Management, this is what an assessment engagement looks like; there are only some slight differences here for the RMF use case. Across the top of the screen we see the workflow steps; right now we're in Validate and Plan. The first step here, scope: the system does that dynamically when we get to step four. It will create the assessment engagement and scope it out to the entity, which is the authorization boundary, and by doing that it will pull in all the controls associated with that boundary along with all the test plans from 800-53A, and it will generate the control tests that need to be performed. In the middle of the screen here, we'll just run through these tabs; we're doing pretty good on time. The schedule: that's the planned and actual start and end dates for the overall engagement as well as the fieldwork. The results: when we've completed our assessment, we'll be able to grade the assessment and provide that opinion statement here. We're going to see how we can generate a
SAR when we look at the ATO artifacts. But here's the Activity tab. I like to call this out during audit because this is a place where the different assessors can collaborate in a single location, outside of Teams or Skype or Outlook or any other place; this is a single collaboration location here. And you can track the expenses and resources if necessary. As far as testing controls, let's get down to one here that's in progress. We'll pick on AC-2 again. In the out-of-the-box offering for Audit we have operational tests and design tests. We deviate from that methodology here in CAM because we're not testing the design of the controls; they come from the government, they come from the National Institute of Standards and Technology. We're not assessing the design that they provided us with, just the operational effectiveness of how the control is implemented. The assessment procedures in 800-53A are all listed here: examine, interview, and test. All those different activities, as they're performed, can be documented here in the Activities related list.

The evidence request, selfishly, is my favorite thing in all of IRM, because it eliminates a challenge that on paper should be easy but just finds a way to be difficult. When it comes time for the assessment, the auditor, the assessor, will always hand out the document request list spreadsheet, or the provided-by-customer spreadsheet, and inevitably everyone has a different version, we all have different color codes for what means what in the rows, and then who's going to provide what and who's going to research what. It's just something that finds a way to be hard. We've eliminated all that in ServiceNow with the evidence requests. So as we're testing the control here, we're looking at AC-2, and as the assessor needs some additional documentation to test the control, they can create a new evidence request or add to an existing one, link this back to an audit (this
is for an internal audit), give a short description (we need files to test), and then we can give this person until Friday to respond. Assign this to a user or a group: this is what I need to test your control. Whoever this is assigned out to will get the notification, in platform, email, text message, again, however you do notifications. They'll be able to access the request, upload the evidence, and the assessor will be able to access that record and continue to test the control.

During testing of the control, the assessment procedures list here is a granular breakdown of all the different "determine if" statements and the different requirements to implement the control. In ServiceNow you're innocent until proven guilty: the control test is marked effective unless any of these different control test requirements are marked as ineffective. If we mark any of these as ineffective, when we roll back up to the top of the screen we'll see that the control test has been marked ineffective overall. This provides a granular breakdown of which one of those "determine if" statements is not compliant. The last thing we'll see here for control testing is the observation, and this is where we're able to document what was seen during the control testing and even do the initial draft of the corrective action plan. In ServiceNow the corrective action plan and the POA&M record are part of the same record; they're not separate. This is where that initial corrective action plan will be drafted out and pulled over into the control test issue. So let's get back into the main control test here, and we'll take a look at some POA&Ms. As we go through and perform that control testing, no organization's perfect; everybody has POA&Ms. This is what that looks like here, and we'll jump to one that's in the Response state. So here's the workflow across the top of the screen. The
important step here is Respond, because that's going to determine which different types of tasks are generated to help close this POA&M out. We have the recommendation; if a corrective action plan was drafted out, it will be pulled into this record. We can see the issue source right here. It's also important to note that we do not want to send you to work for the Department of Redundancy Department. We don't want to have POA&M explosion and have you continue to work the same POA&M multiple times. Depending on the POA&M source, it will update existing POA&M records. So if you have a control test failure, or if you have an attestation failure in place and then you have a control test failure on top of that, the system will not open up an additional POA&M; it will append additional information to that existing POA&M to stop that POA&M explosion. In this case we've analyzed the POA&M and now we need to make a response step here. In this case we'll just go ahead and click Accept, that we're going to accept this one out, and when that happens the system will dynamically generate acceptance tasks. You'll also be able to create these ad hoc to make sure that they get closed out. We still have the concept of milestones, so if implementing new software like ServiceNow is what you need to do to close out a POA&M, you can still have your procurement milestone, your contract award, kickoff meeting, half-point meeting, wrap-up meeting at the end of implementation. You can still have those kinds of milestones, but the acceptance tasks are what will be assigned out to folks that will help us drive this POA&M through to closure.

As we finish testing all of our controls and generate our SAR at the end of the assessment, then we'll be able to move on to the next step in the process, which is Authorize, and this is where we will request that final ATO approval. To do that we're going to want to
generate some reports, and in this case we already have one generated to save time, but we do provide the document template capability here to build out any type of ATO artifact necessary for the ATO package. In this case we have the SSP that we provide out of the box. The way this template works is we point the template to a table; in this case the SSP is pointed to the authorization package table. Once we've made that selection, the variables box on the right-hand side of the screen shows up, and this is how we populate data out into the report. Here's an example of a variable: authorization boundary name. To pull these variables in we just click the button, and that will put that data point in the report where you want it to be, and then it will dynamically populate that based on the data that's in the table. So this is how we build out the SSP right here. If you want to build out the POA&M report, you point this to the issue table; the SAR at the assessment engagement table; the SAP at the assessment engagement table; the risk assessment report at the risk table; and so on and so forth. The same process can be used for any ATO artifact. The template builder has been enhanced in recent releases: we have the header and footer that you can add in, the different page numbers, table of contents. We're not competing with Word, but we definitely have the capabilities here to put together a strong ATO artifact. Let's see some examples here. Also in the report here are some of the variables and how they pull in the data. So here's authorization boundary name, here's the acronym, is it a privacy-sensitive system; so the work we did back in the Prepare step here, the results of our FIPS 199 from the categorization we did at step zero. When we go back into the package here and we open up the SSP that was generated in PDF
here, we can see the program Hasty Labor; that's the name of the authorization package. You scroll down, see the name of the package, see the acronym, yes it's a privacy-sensitive system, here are the impact levels or the different information types that we selected. And again, this is a template, so you can take what we provide out of the box, completely blow it away, add in your own SSP template or your own ATO artifact template, modify what we have, whatever works best for you. So back over into the ATO package here, we're going to click that one button to generate the reports. Based on all the templates that have been assigned to the package, it will generate the different artifacts. Here we have the ATO letter, or the SSP, that has been generated, and then the Authorization tab in the middle of the screen. This is where we'll be able to upload those artifacts and see the information on the authorization that was provided.

So once we get that ATO, that's going to take us to the Monitor step in the process, and this is another area where CAM really shows the power of the platform, so to speak, with ServiceNow. The approach that CAM takes, what makes it different from those other RMF solutions that have been on the market for a while, the different GOTS and COTS products that I used over my 11 years, is the platform approach taken by ServiceNow. The other RMF tools are static solutions, point solutions that don't really integrate well with other tools, and even if they do, you still need third-party tools and utilities to help make those integrations more effective. But ServiceNow CAM is installed on the ServiceNow platform, with full access to all the data in the ServiceNow CMDB, and the more data you have in there, the better. The Risk Summary tab here contains a lot of good information that could have an impact on the ATO or the package, including the number of change requests, incidents,
security incidents, vulnerable items. And because we have an accurate authorization boundary (and we're going to rewind now all the way back to the beginning of our conversation, when I said this authorization boundary is the foundation for continuous monitoring; we update this every 24 hours to make sure you have an accurate boundary, and this is the reason for that), when we show the change requests, these are filtered down based on the hardware list, based on what's in the boundary, so we're only showing the change requests for what's relevant, and incidents for what's relevant. We have the hard count here for the number of those records that exist, as well as the average risk score for those records that are open. In addition to those hard counts we have the actual records down at the bottom of the screen in the related list, so as long as everybody has the appropriate permissions, they can see these different records and take action where needed. This is also a place where you can build out automation on top of this. With change requests, for example, if we have a major application package and we have an ATO on version 12, and somebody submits a change request to go to version 14, no more ATO, right? The ATO's on version 12, not 14. That's going to be a problem that might slip through the cracks, but that's something an assessor will never miss. With Flow Designer you can build out workflows to notify system owners and ISSOs when certain conditions, like a change request that could impact the ATO, exist. The flows work on triggers and actions: triggers can be when a record is created or updated, or based on a time trigger, something like that, and then the actions are the if-then statement: if this happens, then do this. So there's a lot of automation that can be built into this to assist with your top-down look into the risk posture of the package. So this is one way that we're
going to be able to monitor the package for risk. The other way we're going to do this is with continuous monitoring indicators. I have two that are open here now: we have a basic indicator, which looks at data in the ServiceNow CMDB, as well as a few manual indicators that just kick off workflows and generate records to substantiate that work is being done. In this case we have an indicator that's monitoring RA-5, the vulnerability scanning control, and this has been pointed back to our web server boundary. Because this is a basic indicator, it's going to look at data that's in the ServiceNow CMDB. This is our 19-02 indicator, so it's going to look for critical vulnerable items older than 15 days. The Supporting Data tab here is where we identify the table where the data resides that we want to monitor; we're talking vulnerability, so the vulnerable item table. The indicator is going to look through the supporting data fields in that table, and the basic criteria that the indicator is going to look for is: if it finds a vulnerability that's in some state of being open, it's older than 15 days, and it has a risk rating of critical. We're going to run this one on a daily basis; you're probably scanning every 72 hours for CDM anyway. And then we can see the results that the indicator ran in this tab here, the most recent time and the time prior to that, and any time the indicator runs you'll have a historical record down here at the bottom of the list. And again, ServiceNow is a big relational database; it's just records in a table in the database, so if you want to create reports like trending information on indicator results, you can show the passed and failed indicators based on a period of time. So to see the impact this failed indicator had on the control, we have to go to the control itself and open this one up. This control, even though it's in a
draft state, when it opens up in a second we'll see the status is non-compliant here, and the reason for that, back to the connective tissue, back to the part of the platform we just came from, is that indicator: critical vulnerable items older than 15 days, 19-02. The far-right column shows Last Result Passed is false, meaning that the indicator failed. So here's a workflow in ServiceNow: the trigger was the failed indicator, and the action was to make the control non-compliant dynamically, with no user intervention, and dynamically open up a POA&M and assign that back to Susan, who's our control owner. So that's how we do automated continuous monitoring based on information that's in the CMDB.

But we can also do manual indicators, any time somebody actually has to touch the keyboard or put their eyes on the screen. AU-6, for example: here we have three requirements. The first one is to review your system logs at a defined period of time and look for suspicious activity; the second is to report findings to certain roles and personnel; and the third is to update the policy, or update the monitoring, based on policy changes. So we have two indicator templates assigned back to this one, AU-6a and AU-6c. The first one is a manual indicator, and this is going to generate a record and kick off a workflow any time somebody actually has to touch the keyboard. So, manual indicator: the description field up here shows that we have a bracket, the organizationally defined parameter. RMF is nice, right? They tell us that we have to do something, but not how often; they give us the flexibility as to how we're going to implement this control. So for this one we're going to review it every quarter, and we're going to look for inappropriate or unusual activity. The schedule: we're going to run this on a quarterly basis, and we'll be able to see every time that this indicator has run at the bottom of
the screen, and all of the indicators that have been generated from this template that are monitoring controls in different packages, and we can see their statuses, which ones have failed, and additional information. When these indicators trigger and they get sent out, now we're going to switch over and see this from the perspective of Susan Orwell. Susan is the control owner, and she has an indicator task that was sent back to her for AU-6a. She needs to perform her upload, upload her comments, give her result here (yes, it was passed), put in additional comments, and attach an attachment here with the paper clip at the top of the screen to show that that's happening. This is beneficial because no assessor is going to take your word for it that you're doing this work; you have to show them and substantiate that this work is happening. The manual indicators are a great way to substantiate and show that that work is happening.

So, indicators: we just saw two of them. You have a basic indicator that looks at data in the ServiceNow CMDB, and a manual indicator that kicks off workflows and generates records, and you can have an indicator for any control in the RMF library. Usually the controls that have a verb in the title, anything that says review, something like that, you can definitely create indicators for. You can monitor policies for compliance, to make sure whether or not they're in date or if they've been updated on time and reviewed. So there's no limit. If we look at RA-5 again, you can have an indicator for lows that are older than 365 days, one for moderates older than six months, one for highs older than 30 days, and one for criticals older than 15. So it's very flexible. When we say digital continuous monitoring, that's what we mean.

The last thing I'll show here is the CAM overview dashboard. We provide five tabs out of the box to track the RMF process: authorization boundary,
packages, baseline controls, POA&Ms, and assessment activities. These reports that we provide out of the box, you can modify them, blow them away if they're not providing data you like, and you can create new reports if you would like. If you can work Excel or PowerPoint, then you have all the technical capabilities you need to build out reports in ServiceNow. So that's a pretty good rundown. We've gone through a lot, and before I kick it back over to Teresa we'll just do a quick recap. We started out with an authorization boundary and showed how those boundaries can be created and maintained with filters. Then we jumped into an authorization package and took that package all the way through the RMF process, steps zero through six, stopped and did an assessment at step four, showed how we can generate the ATO artifacts and attach them to the package, and then did some continuous monitoring at the end and monitoring with reports. So I have no voice; I'm going to send it back here to Teresa and see if there are any questions or comments at this time.

Yeah, actually Brian was kind enough to answer a really good question that I think would be good for you to answer live also, because I'm sure a lot of other people have this question. If a boundary element is also an entity, does NIST 800 impact overall compliance of the entity?

No. CAM is working at the system level, and it's not going to have an impact on that individual system element. Those system elements are pulled in through filters and they're related to the authorization boundary, but they're not necessarily connected, so to speak, so there won't be an impact to that individual system element out of the box.

Perfect. But there is a relationship, right? It's an entity, and then we group those entities. The CIs are entities, we group those into a boundary entity, and that's really what CAM is looking at.

Yeah, and we can get a little off the rails with
semantics here with entities and such. They can be entities that they pull into the boundary, but in CAM's eyes they're system elements that are part of the boundary. It's not necessarily that true IRM entity scoping, but they are entities that are included in the boundary.

Fabulous. Well, thank you both very, very much. That was an amazing presentation and incredible demo. I put in the chat the link to the playlist that you'll be able to view on demand after the fact, but please visit us at the CAM website, join us for more community webinars, or just for conversation on the community. We really do appreciate and enjoy getting to know our customers, and the sharing between customers, which is really important. The playlist is currently in the chat, and of course there's also a registration link to see more webinars, which we hope you join us for. Thank you very, very much. Again, thank you Brian, thank you Todd, thank you everybody else on the phone, or on our Zoom call, and for those who are going to be joining us later, we're glad that you've been joining us. Thank you all.

Great, thanks Teresa, and if you're working with a federal customer please don't hesitate to reach out to Todd or myself.

Wonderful. Thanks, folks.
https://www.youtube.com/watch?v=xGdCFHfK87U