Data Request¶
Quick Summary
Tracks the collection of evidence and artifacts for the purpose of proving adherence to control requirements. Data requests can be created manually or on a schedule, and fulfilled by people or automations, supporting evidence collection across all compliance frameworks including FedRAMP, FedRAMP 20x, and CMMC.
The Data Request ticket type is the primary mechanism for collecting compliance evidence within the GRC-ITSM platform. Each data request represents a specific ask for an artifact or piece of evidence that demonstrates the organization is meeting a particular control requirement. This is the bridge between compliance obligations and the tangible proof that those obligations are being met.
How Data Requests Work¶
Data requests can originate in two ways:
| Creation Method | Description |
|---|---|
| Manual | An agent or compliance lead creates a data request when evidence is needed, such as during an annual assessment, a spot check, or in response to an auditor's request |
| Scheduled | Data requests are generated automatically on a recurring schedule to ensure evidence is collected at the cadence required by the applicable framework (monthly, quarterly, or annually depending on the control) |
Once created, a data request is assigned to the person or team responsible for producing the evidence. Fulfillment can be:
- Manual - a person gathers and attaches the evidence (screenshots, exports, configuration files, policy documents, etc.)
- Automated - an integration or workflow automatically collects and submits the evidence on behalf of the organization
This combination of scheduled creation and automated fulfillment enables a continuous evidence collection pipeline: data requests fire on a cadence, automations collect the artifacts, and the completed tickets provide a timestamped, auditable record of compliance.
Evidence & Artifacts¶
Data request tickets serve as the evidence repository for the artifacts they collect. Completed data requests, with their attached evidence, timestamps, and fulfillment records, become the audit-ready proof that the organization reviewed or demonstrated a control at a specific point in time.
Common evidence types include:
- Configuration exports and screenshots demonstrating security baselines
- Access review completion records
- Scan results and vulnerability reports
- Policy and procedure attestations
- Log review summaries
- Training completion records
Framework Coverage¶
Data requests are framework-agnostic by design. The same evidence collection mechanism works across all compliance programs the organization participates in:
| Framework | How Data Requests Support It |
|---|---|
| FedRAMP Rev5 | Collects artifacts mapped to NIST SP 800-53 controls as part of continuous monitoring and annual assessment evidence packages |
| FedRAMP 20x | Supports the continuous, outcome-based evidence model where organizations demonstrate ongoing adherence to Key Security Indicators (KSIs) rather than point-in-time snapshots |
| CMMC | Gathers practice-level evidence for assessment readiness across CMMC Level 1 through Level 3 |
| NIST SP 800-171 | Collects evidence mapped to CUI protection requirements for organizations handling controlled unclassified information |
Relationship to Scheduled Tickets¶
Data requests pair naturally with the platform's scheduled tickets capability. Administrators can configure recurring data requests that automatically generate at the intervals required by each control, ensuring evidence collection doesn't depend on someone remembering to initiate it. This is particularly valuable for continuous monitoring programs where evidence must be produced on a regular cadence to maintain authorization.