Version history for the Security Operations Configuration Compliance application on the ServiceNow Store.

Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

Version history

Version 15.3.4 - June 2025
Fixed: The scheduled job Rollup test result values to remediation task and configuration test will check the status of the previous background job before starting a new one.
Version 15.3.3 - May 2025
  • New:
    • You can now configure advanced questionnaires as part of the exception management process using Smart Assessment. This improvement allows remediation owners to provide detailed context for exception requests and enables approvers to configure conditional questions to gather the right information needed for informed decision-making.
    • If a questionnaire is marked as mandatory, the test results or remediation tasks remain in the 'Open' state until the questionnaire is completed and submitted. If the questionnaire is incomplete, the state change approval record is saved as 'Draft'. Only after completing the questionnaire can the user submit the exception request, which will then move the test result or remediation task to the 'In Review' state.
  • Fixed:
    • The creation of duplicate jobs for auto-close rules.
    • When the deferral period for remediation tasks expires, the test result state does not revert to Open from Passed.
Version 15.2.6 - March 2025
Fixed: An issue where the Request Extension functionality in version 25.0.4 in the Classic UI. The feature is now working as expected.
Version 15.2.5 - February 2025
  • New: Introduced the ability to manually create Remediation Tasks (RTs) in the List View of Vulnerability Manager and IT Remediation Workspaces.
  • Fixed:
    • The 'sn_sec_cmn.risk_score_changes_add_worknote' system property has been introduced. When enabled, it populates the updated risk score calculation details in the work notes.
    • A Remediation owner can now add work notes for the test results assigned to them.
    • Resolved state management issues: The UI actions and validations in the Remediation Task form now align consistently with the current state.
    • Now, a Remediation Owner can open and view the Vulnerability Entry records in the IT Remediation Workspace without a 403 error.
    • An intermittent issue related to dates on the Request Exception modal, which was preventing the submission, has now been fixed.
    • The issue where a rejection in the State Change Approval (Exception Request) incorrectly marked the rejected approval record as 'No Longer Required' has been resolved.
    • Now, the Impacted CIs widget on the Home page of the IT Remediation Workspace is displayed properly.
Version 15.1.6 - December 2024
  • Changed: When you select the Request Extension button to extend an exception rule, you have the option to extend both the deferred until date' and the exception rule valid to' date.
  • Fixed: Tags added to the test results are displayed in the workspace list view if a tag is associated with it, and the Tags column is included in the list view.
Version 15.1.5 - November 2024
  • New:
    • Granular Role-based access control: Enhanced the role management in Vulnerability Manager Workspace (for watch topics and lists) and IT Remediation Workspace (for lists). This enables precise access control and configuration tailored to specific user roles. CC Analysts can now create watch topics.
    • Workspace search: Efficiently search using the record numbers and open the records in either the Vulnerability Manager Workspace or IT Remediation Workspace, depending on your assigned role.
    • Navigating to Workspaces from the All menu: If the 'sn_vul_cmn_ws.navigate_to_workspace' system property is enabled, selecting predefined filter links in the Configuration Compliance module from the 'All' menu will automatically open these links in the Vulnerability Manager Workspace and IT Remediation Workspace based on your role.
    • Remediation target configuration: The Remediation target rules can now be configured in such a way that the remediation target is calculated based on the Last Opened' date, offering more flexibility in tracking the remediation progress.
    • Customizable Age calculation: The Age and Age Closed calculations of a test result can now be customized so that they are calculated from a choice of available date fields. That is, you can now select any of the available date fields such as last found, created, etc. with reference to which the Age and Age Closed values must be calculated. For more information on how to configure these age calculations, refer to the KB1703270 KB article.
    • Refresh the Saved Filter visualizations: You can now refresh the visualizations for saved filters on the Vulnerability Manager Workspace Home page either once or daily. Additionally, you can manually update these visualizations on demand to reflect the latest data.
    • Performance enhancement in the Workspaces: The glide.ui.list.seismic.omit.count' system property allows you to deactivate the record/row count display on the lists in the Vulnerability Manager Workspace and IT Remediation Workspace, optimizing performance for large datasets.
    • You can now reevaluate the exception rules for a set of selected test results directly in the Vulnerability Manager Workspace instead of reevaluating these rules for all records in the classic UI.
    • A new Properties module has been added to the navigation menu under the Administration section. This module enables direct modification of the flag values, offering a user-friendly method to manage and update system properties directly from the interface.
    • Qualys Test Group/Policy reference from a Test Result and Test: By enabling a system property, the Test Group/Policy can be populated on a Test/Control and can be referenced from Test Result by dot walking to the Test. For additional guidance and prerequisites, see Qualys integration with Configuration Compliance and KB1644268 KB article.
  • Fixed:
    • Fixed the date-format issue for Test Result's Until and Resolution dates.
    • The issue with log messages stating "Cannot read property 'assignment_group' from null" after executing the Qualys PC Results Primary integration has been fixed.
Version 15.0.1 - September 2024
Fixed: Test results in the "Deferred" state in remediation tasks will reopen after the remediation task's deferral time expires.
Version 15.0.0 - August 2024
  • New:
    • You can enable or disable the import of test results for a Qualys test group in the Vulnerability Manager Workspace.
    • The % Test Result Compliance column in the Tests table displays the percentage of test results that are compliant with a test.
    • The % Test Result Compliance column in the Test Groups table displays the percentage of test results that are compliant with all the tests of a test group.
    • Every test is mapped with its test group for Microsoft Defender for Cloud Integration and Tenable integration.
    • Added new columns in the Test Results table to support metrics calculation in parity with Vulnerability Response application.
    • Starting with v23.0 of Vulnerability Response, you can now evaluate the assignments, remediation target dates, remediation tasks, and risk scores for specific test results in the Vulnerability Manager Workspace, instead of reapplying the rules for all test results in the classic UI.
    • The Risk Score is now calculated for passed test results also.
  • Changed:
    • The Close button has been removed for a remediation task.
    • When you resolve a remediation task, the resolution notes reflects in the work notes of all its test results.
  • Fixed:
    • Improvements to policy audits in the Security Posture Control application ensure that retired assets are not evaluated by activated policies. If the state of an asset transitions in test result and remediation tasks from Retired back to Active, it is included in the next policy evaluation.
    • Renamed the Policies list to Test Groups in the Vulnerability Manager Workspace to maintain consistency with the classic UI.
    • The Test Result Compliance percentage of a Configuration Item (CI) is now shown on its respective Discovered Item.
Version 14.12.4 - May 2024
  • New:
    • In the Vulnerability Manager and IT Remediation Workspaces, mark a Remediation Task as false positive with approval workflow.
    • In the Vulnerability Manager and IT Remediation Workspaces, mark a subset of Test Results as false positive, by automatically creating a new Remediation Task with the selected Test Results and submitting for approval.
    • Edit activated policies, save changes, publish, and exit edit mode with UI actions on policy records in the Security Posture Control application. Versions are tracked and version numbers are displayed on policy records and their related test results in Configuration Compliance.
    • If you publish a new version of a policy or delete a policy in the Security Posture Control application, you have the option to close its existing related test results (findings). Test result and remediation task states transition in accordance with the state transition processes of the Configuration Compliance application.
  • Changed: Remediation Target can be calculated from the Last Pass Date. When last pass date is empty, the remediation target is calculated from Created Date.
Version 14.11.2 - February 2024
  • New:
    • List modules from the navigation menu to open in the Vulnerability Manager workspace home page with auto-selection of the corresponding saved filter with enhanced user experience.
    • Address security gaps in your enterprise environments detected through the Security Posture Control application and automatically prioritize, assign, and resolve them with the Configuration Compliance application workflow. The Security Posture Control application requires a separate subscription.
  • Changed: Changes in the Test result and Remediation Task form for the workspace -Added the state details, updated reference links for configuration test, UI sections and Tab Title.
  • Fixed:
    • Fixed rename changes from test result group to remediation task for upgrade customers to version 14.9
    • Resolution will not be cleared when we reopen the test results.
    • Fixed date functions in OOTB client scripts when we use a hyphen as the separator.
    • Risk rating of the test result changing to none when the test result marked as fixed.
    • Fixed remediation target date time issue when the timezone is changed.
Version 14.10.2 - November 2023
New: A deferred remediation task moves to its original state when the exception due date reaches the target date. As a remediation owner, you can now request extension for a deferred remediation task by clicking Request Extension.
Version 14.9.3 - October 2023 (Vancouver)
Fixed: Remediation Status on a test result will be set upon AutoClose.
Version 14.9.2 - August 2023 (Vancouver)
  • New:
    • The Last Pass field is captured for the Test Results.
    • Implemented split task, request exception and create change for configuration compliance remediation tasks in the workspaces.
  • Changed:
    • Test Result Group has been renamed to Remediation Task.
    • When the configuration item associated with a discovered item changes, the configuration item on the passed test results associated with the discovered item also changes now.
  • Fixed: Deferral Date and Deferred by fields will be populated when a Remediation task is deferred.
Version 14.8.6 - June 2023
Fixed: For Advanced Risk Rule Calculators, the resulting risk score information in the sample scenarios was being populated with incomplete information. This issue has been fixed. The resulting risk score information is now correctly populated.
Version 14.8.3 - May 2023
  • New: Introduced OOB table cleaner records on the test results and test result groups.
  • Fixed: Integration processes were timing out after one hour, even if the import queue entry was still being processed. As a result, the integration run status was being updated as 'Error'. Starting from V14.8.2, timestamps (heartbeats) are sent periodically to indicate that the queue is alive and processing valid data.
Version 14.7.5 - March 2023
  • Changed: The system property 'auto_defer_test_result_in_active_exception_window' is now set to 'false' by default.
  • Fixed: The Unassign button on test result groups was not working earlier. This has been fixed.
Version 14.7.3 - February 2023
  • New:
    • Added support for workspace for Configuration Compliance
    • Added configuration for risk score to risk rating mapping
    • Reduced dependency of Configuration Compliance on Vulnerability Response (VR). For native Cloud Security Posture Management (CSPM), VR is not required.
  • Changed: The 'Policy' table is renamed to Test Group.
Version 14.5.4 - November 2022
  • New: Two new Qualys Integrations for importing test results to Configuration Complaince with new sets of Qualys APIs: Qualys PCRS Policy Host Integration and Qualys PCRS Test Results Integration. You might see better performance with the new APIs.
  • Changed:
    • You might see performance improvements when running Assignment Rules and Remediation Target Rules.
    • For Test Result Groups (TRGs) created from group rules, group rules are automatically reapplied when assignment rules are reapplied.
    • On a test result record, choose a date in the data field to calculate the remediation target for resolution. The remediation target is based on the date you select.
Version 14.3.5 - August 2022
  • New:
    • With the Unassign UI action, remediation owners can remove their assignment from records that they determine are not their responsibility. The Unassign feature is available on Test result group (TRG) records. The Unassign UI action clears the Assigned to and Assignment group fields and sends notifications to admins in a daily digest that records are not assigned. Records updated with this feature are displayed on the Unassigned module for Configuration Compliance. A daily scheduled job counts the records that are updated and aggregates them by the assignment rules that initially assigned them. You can use the counts that are displayed for each assignment rule to help you monitor how effective your assignment rules are.
    • Track the number of times a test result or a test result group is deferred in the Multiple deferrals module. A scheduled job, set deferral counts, runs daily to post counts for records that are deferred more than once in the Deferral count column in the Multiple deferrals module for Configuration Compliance.
Version 14.0.1 - May 2022
New: Automatically close test results related to retired CIs: You can automatically close test results associated with retired configuration items. If the Configuration Management Database (CMDB) changes the life cycle stage status of the configuration item to retired, you can choose to automatically close the associated test results. Enable the system property sn_vulc.auto_close_test_results_linked_to_retired_CIs to auto-close TRs that are associated with retired CIs.
Version 13.1.1 - March 2022
  • New:
    • With the Auto-Close test results module, reduce the number of stale, failed test results in your environment.
    • Use the flow designer instead of the workflow to approve exception requests for exception management, exception rules, and false positive management.
    • Use exception rules to automatically defer new and existing test results that can't be remediated or deferred immediately.
    • Use the Exception Management module to create a questionnaire to add to the exception request. This questionnaire provides a better understanding of the reason for requesting the exception.
    • For Risk Calculators in Configuration Compliance generate risk scores by providing custom fields and weights to suit your requirement.
Version 13.0.0 - February 2022
No new features or updates are included with this version. This version ensures that features from the last release are compatible with the San Diego family release.
Version 12.2.1 - October 2021
New: Verify that your assets are in compliance with your policies and controls with imports from the Tenable.io product. The Tenable.io product in the Tenable Vulnerability Integration imports policies, controls (test results), and configuration tests for processing in the Configuration Compliance application.
Version 12.1.3 - June 2021
  • New: The integration run record displays metrics and the duration of each stage of a run.
  • Changed:
    • Modifications to support the newly updated background job framework that ensures that jobs are executed in a resource-optimized manner.
    • Modifed the scope of the events that are generated after an integration run is completed so they are compatible with any third-party scanner.
  • Fixed:
    • Performance issues with reapplying assignment rules and group rules.
    • The Remediation target rule field is populated as expected.
Version 12.0.1 - February 2021
The following list highlights the new features and updates to the application. For more details about these new features and updates, see the ServiceNow Store release notes and Configuration Compliance release notes links for your family release in the Supporting Links section on this page.
Version 11.1.5 - November 2020
  • New:
    • With remediation target rules, define the expected time frames for remediating test results and send status notifications to users and groups.
    • Request to defer the remediation of test results or test result groups for a specified period. Request, review, and approve exception requests with an approval workflow consistent with Vulnerability Response.
    • Use IRE to create new CIs in the CMDB when an existing CI cannot be matched with an imported host from third-party vulnerability assessment products.
Version 11.0.0 - October 2020
New: Version 11.0.0 certified for Orlando and Paris.
Version 10.3.3 - June 2020
  • New:
    • Recertified for version 10.3.3.
    • Risk rollup calculators have been added. View the most current risk scores and risk ratings on configuration tests and test result groups.
Version 10.0.0 - March 2020
New: Recertified for Orlando.
Version 9.0.1 - November 2019
  • New:
    • Added Test Result Group Rules
    • Added Assignment Rules
    • Added remediation owner role (contained in the itil role)
Version 8.0.9 - July 2019
Configuration Compliance exposes configuration-related security vulnerabilities of highest impact to business operations. It streamlines the remediation process across frequently-isolated information security, IT operations, and business process stakeholders.