Categories

Categories organize tickets by the type of work being performed. Every ticket in the platform is assigned a category that describes what the work involves, from routine engineering tasks to compliance-specific activities like continuous monitoring reviews and security assessments.


Category Structure

Categories use a hierarchical structure with parent and child levels, separated by the > character. For example:

  • Continuous Monitoring (parent)
    • Continuous Monitoring > Flaw Remediation (child)
    • Continuous Monitoring > Vulnerability Scanning (child)
    • Continuous Monitoring > Vulnerability > Operating System (grandchild)

This hierarchy allows tickets to be categorized at the level of detail that makes sense for the work. A ticket can be categorized broadly (e.g., "Continuous Monitoring") or specifically (e.g., "Continuous Monitoring > Vulnerability > Web Application") depending on the context.


ITSM Categories

A number of categories cover standard ITSM operational work. These are straightforward and follow common service management conventions:

  • Engineering - configuration, deployment, development, design, maintenance, planning, and testing activities
  • Service requests - general operational fulfillment tracked through their respective ticket types

These categories don't carry compliance control mappings and are used for day-to-day operational work that doesn't need to be tied to a specific framework requirement.


Compliance-Mapped Categories

Many categories are directly mapped to compliance controls across multiple frameworks. When a ticket is assigned one of these categories, the platform automatically associates it with the relevant controls, making it possible to trace operational work back to specific compliance requirements.

Each compliance-mapped category can carry mappings to:

  • CMMC Level 2 practices and assessment objectives
  • FedRAMP Moderate controls (NIST SP 800-53)
  • FedRAMP High controls
  • FedRAMP 20x Key Security Indicators (KSIs)

This means that when an agent categorizes a ticket as "Continuous Monitoring > Flaw Remediation," the platform knows which CMMC practices, FedRAMP controls, and 20x KSIs that work supports, without the agent needing to manually tag each one.

Category Domains

The compliance-mapped categories are organized into the following domains:

Continuous Monitoring

The largest category domain, covering all recurring security review and validation activities. Includes subcategories for vulnerability scanning (by scan type: OS, web application, container, database, code), flaw remediation, misconfiguration review, access reviews, audit log reviews, baseline configuration checks, boundary protection, POA&M management, security functionality verification, and the full continuous monitoring package deliverables.

Mapped to controls across the AU (Audit), CA (Assessment), CM (Configuration Management), RA (Risk Assessment), SI (System & Information Integrity), and SC (System & Communications Protection) families.

Access Management

Covers the full user access lifecycle from a categorization perspective: account creation, modification, termination, disabling, access recertification, MFA, and privileged account management.

Mapped to the AC (Access Control) and IA (Identification & Authentication) control families.

Alerts and Incidents

Categorizes security and operational alerts by type. Organized into three tiers:

  • Security - unauthorized access, malware, phishing, data exfiltration, denial of service, suspicious activity, policy violations, integrity violations, unauthorized changes, unauthorized software, audit log failures
  • Availability - system outages, backup failures, resource exhaustion, automation errors, system errors, security functionality failures
  • Performance - high resource usage, disk full, network latency

Mapped to controls across the IR (Incident Response), AU (Audit), CM (Configuration Management), CP (Contingency Planning), and SI (System & Information Integrity) families.

Security Incident

Categorizes confirmed security incidents by type: credential compromise, malware, misconfiguration, phishing, suspicious activity, vulnerability exploitation, and incident reporting.

Mapped to the IR (Incident Response) and RA (Risk Assessment) control families.

Documentation

Covers the creation and maintenance of key compliance documents: System Security Plan (SSP), Incident Response Plan (IRP), Information System Contingency Plan (ISCP), Configuration Management Plan (CMP), Authorization Boundary Diagrams (ABD), Data Flow Diagrams (DFD), Controls Responsibility Matrix (CRM), and information security policies and procedures.

Mapped to the PL (Planning), CA (Assessment), CM (Configuration Management), CP (Contingency Planning), and IR (Incident Response) control families.

Training

Covers security awareness training, security training, contingency training, incident response training, and training records management.

Mapped to the AT (Awareness & Training) control family, plus contingency and incident response training requirements.

Security Assessment

Covers assessment planning, risk assessments, documentation reviews, interviews, and data requests as part of formal security assessments.

Mapped to the CA (Assessment) and RA (Risk Assessment) control families.

Personnel Security

Covers personnel screening, access agreements, position categorization reviews, and physical access controls including authorization reviews, device inventory, key changes, and access log reviews.

Mapped to the PS (Personnel Security) and PE (Physical & Environmental Protection) control families.

Penetration Testing

Covers penetration tests and red team exercises.

Mapped to CA-8 (Penetration Testing).

Testing

Covers IT contingency plan testing and incident response testing.

Mapped to CP-04 (Contingency Plan Testing) and IR-03 (Incident Response Testing).


How Control Mappings Are Used

The control mappings on categories serve several purposes within the platform:

  • Audit trail - when a ticket is categorized, the associated controls are recorded, creating a traceable link between operational work and compliance requirements
  • Reporting - the compliance and reporting areas can aggregate work by control, showing what activities have been performed against each requirement
  • Evidence - completed tickets with compliance-mapped categories serve as evidence that the organization is actively addressing specific control requirements
  • Continuous monitoring - the ConMon workflow uses categories to ensure each review cycle covers the required control areas
  • Automated control tagging - the GRC-ITSM automation pipeline (powered by n8n) includes workflows that automatically apply control mappings to tickets based on their category. When an issue, vulnerability deviation, or other compliance-relevant ticket is categorized, these workflows read the category's mapped controls and tag the ticket with the corresponding FedRAMP controls, CMMC practices, and FedRAMP 20x KSIs. This means agents don't need to manually look up and apply control references; the automation handles it as part of the ticket lifecycle
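
The category lookup and per-control evidence roll-up described above, as an added example in JavaScript (the language of n8n Code nodes); it is not the platform's own workflow code. CA-8, CP-04 and IR-03 are the mappings stated on this page; the table shape, child category names, ticket fields, and the rule that a child without its own mapping inherits its nearest ancestor's are assumptions.

```javascript
// Constructed table. CA-8, CP-04 and IR-03 are the mappings stated on this page;
// the table shape and child category names are assumptions for illustration.
const CATEGORY_CONTROLS = {
  "Penetration Testing": ["CA-8"],
  "Testing": ["CP-04", "IR-03"],
  "Engineering": [], // ITSM category: configured, but carries no control mapping
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split "Parent > Child > Grandchild" into trimmed levels; reject empty levels.
function parseCategory(path) {
  const levels = String(path).split(">").map((s) => s.trim());
  if (levels.some((s) => s === "")) throw new Error(`malformed category: "${path}"`);
  return levels;
}

// Controls of the most specific configured level, or null if no level is
// configured (assumption: a child without its own mapping inherits its parent's).
function resolveControls(path, table = CATEGORY_CONTROLS) {
  const levels = parseCategory(path);
  for (let n = levels.length; n > 0; n--) {
    const key = levels.slice(0, n).join(" > ");
    if (has(table, key)) return table[key];
  }
  return null;
}

// Roll closed tickets up by control; report required controls with no evidence
// and tickets whose category is not configured (they would otherwise go untagged).
function coverageReport(tickets, required, table = CATEGORY_CONTROLS) {
  const evidence = {};
  const unknown = [];
  for (const t of tickets) {
    const controls = resolveControls(t.category, table);
    if (controls === null) { unknown.push(t.id); continue; }
    if (t.status !== "closed") continue;
    for (const c of controls) (evidence[c] = evidence[c] || []).push(t.id);
  }
  return { evidence, unknown, gaps: required.filter((c) => !has(evidence, c)) };
}

// Constructed sample tickets (ids, statuses and child names are made up).
const SAMPLE_TICKETS = [
  { id: "T-1", category: "Penetration Testing > Red Team Exercise", status: "closed" },
  { id: "T-2", category: "Testing", status: "open" },
  { id: "T-3", category: "Engineering > Deployment", status: "closed" },
  { id: "T-4", category: "Pentration Testing", status: "closed" }, // misspelled
];
console.log(coverageReport(SAMPLE_TICKETS, ["CA-8", "CP-04", "IR-03"]));
```

Returning null for an unconfigured category, as distinct from the empty list of a configured ITSM category, keeps a misspelled category from silently dropping a ticket out of the evidence trail.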

Categories are configured and maintained by administrators under Configuration > Tickets > Categories. For related configuration details, see: