UCF authority document update process

You can update the UCF documents you use in GRC manually or configure the system to do it automatically whenever a new UCF version is available.

By default, GRC downloads the most recent version of the UCF authority documents, which are updated quarterly. The ServiceNow system places these files in staging tables until they are imported into GRC. When you import a new document version, these entities are updated:

  • Authority documents
  • Citations
  • Controls
GRC observes these general rules when importing updated documents from UCF:
  • If UCF authority documents or citations are updated, both entities are imported into GRC and versioned.
  • If only the UCF controls are updated, then only the controls are versioned. In this case, a new link is created between the updated control and the existing citation that uses it.
  • Older versions of updated controls are automatically deactivated and do not appear in lists of controls.

The control test definitions, policies, and risks that use these updated entities are reset to use the latest version. Any control test instances tied to a control from the previous version remain linked to that control. You must generate new control test instances based on the latest UCF version. The system deactivates all previous versions of an imported UCF document and retains them in their respective GRC tables.

Figure 1. Automatic updates to UCF links

Changes to these UCF authority document fields trigger versioning in GRC.

Table 1. Authority document fields
UCF Field GRC Field
ucf_ad_common_name name
ucf_ad_id source_id
ucf_ad_version source_version
ucf_ad_date_modified source_last_modified
ucf_ad_release_version source_release_version
ucf_ad_url url
Table 2. Citation fields
UCF Fields GRC Fields
ucf_citation reference
ucf_citation_guidance key_areas
ucf_citation_id source_id
ucf_citation_date_modified source_last_modified
ucf_citation_release_version source_release_version
Table 3. Control fields
UCF Fields GRC Fields
ucf_ce_control_title name
ucf_ce_control_statement description
ucf_ce_id source_id
ucf_ce_date_modified source_last_modified
ucf_ce_release_version source_release_version