You can download and import citations from a Unified Compliance Framework (UCF)
In UCF terminology, a citation record is referred to as an instance of guidance
Each guidance instance has a unique reference number attached to it that groups one or more
instances into a citation
. When you import a UCF authority document into the GRC
application, the system lists them by their reference numbers. UCF citations are imported into
the Authoritative Source Content [grc_authoritative_src_content] table and can have duplicate
reference numbers. For a description of fields in the Citation form not related to a UCF
import, see Creating
. For details about importing citations, see UCF authority document import process
Warning: Fields imported from UCF are read-only, and their values should be protected for data
continuity and accuracy. Do not customize fields to
allow UCF data to be edited. Use the Additional information field to
display any additional details or specifications for this UCF entity that are unique to your
organization, while preserving the original citation from UCF.
Table 1. UCF fields in a citation form
||UCF reference number for this citation. Duplicate reference numbers are
possible in UCF data.
||Not used for UCF citations
||Source of the data for this citation. UCF is the source
of all citations imported from UCF authority documents.
||Internal unique UCF identifier of the citation guidance for this
||Version of the UCF authority document that is the source file for this
citation. Previous versions of this citation are listed in the Other
versions related list.
||Type of citation created. This is an optional field and is not used for any
processing. You can use the value in this field in reports or to query for records
of a specific type.
||Name of the UCF authority document for this citation. When you import UCF
authority documents, the system completes this field with the appropriate authority
||Indicates if this citation is relevant to your organization. By default, this
check box is selected and has a value of True. Clear this
check box to mark this citation as not pertinent to your organization and to prevent
it from appearing in compliance reporting. Components marked as not
pertinent are unavailable for the calculated links that
enable results to rollup for any GRC hierarchy.
||[Read-only] Version number for previous versions of this citation. This value
is a simple integer that is incremented by the system each time the UCF citation is
updated. This number is not the same as the UCF Source
version. The Version field is hidden when the
current version of the record is displayed. You can view all available versions by
selecting records from the Other Versions related list. For
more information, see GRC citations imported from UCF
||[Read-only] The citation imported as UCF Citation Guidance. Since multiple UCF
citation records can have the same reference number, this string identifies this
||Information of any type that is pertinent to this citation This field is not
used for any processing.
UCF citation versions
The ServiceNow system
creates a new version of the citation each time a new UCF authority document is imported
into GRC. When a new version is created, the system adds the previous version to the
Other versions related list in the Control form. These records are
used for reference only and provide a history of how each previous version of the UCF
citation was used. New control tests run against the current control version only. Only the
latest versions of citations appear in lists.
Deactivating and Deleting citations
You cannot delete a GRC record that has a linked dependency to another GRC record. The
Delete button appears in records and record lists, but only
deactivates the entity rather than removing it from the system. Deactivation
clears the Pertinent check box in the record, which removes any links
to other GRC entities. By default, deactivated records are filtered out of related lists.
Manually created GRC records with no linked dependencies can be completely deleted from the
system. UCF records imported into GRC tables can only be deactivated. Only users with the
admin role can deactivate or delete GRC records.