Unified Compliance Framework Common Controls Hub

This integration with the Unified Compliance Framework (UCF) helps organizations focus on a strategic plan to comply with multiple regulatory bodies using the same team, tools, and funding. It allows Archer customers to easily pull information from UCF and insert it into Archer. This provides consistent mapping between authoritative documents, citations, and common controls.

The Unified Compliance Framework (UCF) Common Controls Hub Integration is an offering provided through the Archer Exchange to enhance your existing Archer implementation. The Archer Exchange provides offerings to expand the use of Archer solutions into new business processes and address specific industry, geographic, regulatory, or technical requirements.

Release notes

| Release Version | Published Date | Notes |
|---|---|---|
| Archer 6.13 P1 | July 2024 | Re-signed JavaScript file |
| Archer 6.13 P1 | November 2023 (Second update) | Resolved issue with data feed 05 not completing correctly due to change in UCF Citation application App ID number |
| Archer 6.13 P1 | November 2023 | • Licensing Updates: Users are required to provide their own license for accessing • Design Updates: Incorporate UCF data into Archer use cases when relevant, instead of relying solely on on-demand applications. • ODA Requirement Updates: Requires 1 ODA rather than 5. |
| Archer 6.5 | November 2022 | Archer has removed the old xmldom library. JS file has been updated to use @xmldom/xmldom library. Support for the older version xmldom library is removed. Please ensure you update your JavaScript Transporter Data Feeds using the code described in this blog: https://www.archerirm.community/t5/roadmap-blogs/data-feed-manager-javascript-transporter-scripts-require-update/ba-p/683320 |
| Archer 6.5 | February 2021 | Re-signed expired JS file and repackaged |
| Archer 6.5 | February 2019 | Initial Release |

Overview of UCF Common Controls Hub Integration

The Unified Compliance Framework (UCF) is an independent initiative to map IT controls across international regulations, standards, and best practices. The UCF harmonizes terms and controls against the backdrop of a master hierarchical list. This allows your organization to focus on a strategic plan (which resources should be applied, when and where) to comply with multiple regulatory bodies using the same team, tools, and funding. 

A fundamental starting point is to identify rules, regulations, and industry best practices, which must be included in an organization's compliance portfolio. Parsing the citations within those authoritative sources that contain control objectives and mapping those objectives to organizational controls are the next steps. With those components in place, an organization has a solid foundation to drive audit, risk assessment, asset prioritization, and a host of other activities to support compliance operations.

Key features and benefits

With the UCF Common Controls Hub Integration, you will be able to:

  • Conveniently overlay organizational control structures with most major authority documents. 

  • Create composite controls lists by defining simple "acceptance lists" of all relevant controls from selected authorities. 

  • Clarify conflicts between overlapping authority documents.

Prerequisites (ODA and system requirements)

The following table lists the components and prerequisites for UCF Common Controls Hub Integration.

| Components | Prerequisites |
|---|---|
| Archer Solution Area(s) | Archer Regulatory & Corporate Compliance Management |
| Archer Use Case(s) | Archer Policy Program Management |
| Archer Applications | • Control Standards • Authoritative Sources |
| Use Custom Application | UCF Citations |
| Requires OnDemand License | One (1) On Demand Application (ODA) is required. |
| Archer Requirements | Archer 6.13 P1 and later |
| Partner/Vendor Requirements | Valid UCF Common Controls Hub License is required. UCF Patent Information: • U.S. Patent No. 8,661,059 • U.S. Patent No. 9,009,197 • U.S. Patent Application No. 13/952,212 • U.S. Patent Application No. 62/150,237 • U.S. Patent Application No. 13/723,018 |

Compatible Use Cases and Applications - Related Applications

| Application | Use Case | Primary Purpose of the Relationship |
|---|---|---|
| Control Standards | Policy Program Management (Regulatory & Corporate Compliance) | Storage of UCF Common Controls |
| Authoritative Sources | Policy Program Management (Regulatory & Corporate Compliance) | Storage of UCF Authority Documents |

Compatible Use Cases and Applications - Impacted Use Cases

  • Policy Program Management Use Case

Compatible Use Cases and Applications - Impacted Fields

| Archer Application | Archer Target Field | (Partner/Vendor Name) Source Field |
|---|---|---|
| Authoritative Sources | Date Authority Document Added to UCF | date_added |
| Authoritative Sources | Source Description | description |
| Authoritative Sources | Source Name | common_name |
| Authoritative Sources | UCF AD Genealogy | genealogy |
| Authoritative Sources | UCF AD ID | id |
| Authoritative Sources | UCF AD Type | type |
| Authoritative Sources | UCF Authority Document Version | published_version |
| Authoritative Sources | UCF Category | parent_category |
| Authoritative Sources | UCF Common Name | common_name |
| Authoritative Sources | UCF Date Authority Document Last Modified | date_modified |
| Authoritative Sources | UCF Deprecated By | deprecated_by |
| Authoritative Sources | UCF Deprecation Notes | deprecation_notes |
| Authoritative Sources | UCF Description | description |
| Authoritative Sources | UCF Issuer Effective Date | effective_date |
| Authoritative Sources | UCF Issuer Release Date | release_date |
| Authoritative Sources | UCF Language | language |
| Authoritative Sources | UCF Originator | originator |
| Authoritative Sources | UCF Published Name | published_name |
| Authoritative Sources | UCF Reference URL | url |
| Control Standards | Date Control Added to UCF | date_added |
| Control Standards | Standard ID | id |
| Control Standards | Standard Name | name |
| Control Standards | Statement | name |
| Control Standards | UCF Control Classification | classification |
| Control Standards | UCF Control Genealogy | genealogy |
| Control Standards | UCF Control ID | id |
| Control Standards | UCF Control Sort ID | sort_id |
| Control Standards | UCF Control Type | type |
| Control Standards | UCF Date Control Last Modified | date_modified |
| Control Standards | UCF Deprecated By | deprecated_by |
| Control Standards | UCF Deprecation Notes | deprecation_notes |
| Control Standards | UCF Impact Zone | impact_zone |
| Control Standards | UCF Language | language |
| UCF Citations | Citation | reference |
| UCF Citations | Citation Guidance | guidance |
| UCF Citations | Citation ID | id |
| UCF Citations | Date Citation Added to UCF | date_added |
| UCF Citations | Date Citation Last Modified | date_modified |
| UCF Citations | Deprecated By | deprecated_by |
| UCF Citations | Deprecation Notes | deprecation_notes |
| UCF Citations | Language | language |

Additional resources

The following additional resources are available for this offering:

UCF Common Controls Hub components

Architecture diagram

The following diagram shows the relationship between the applications in the UCF Common Controls Hub integration.

[Diagram: relationship between the applications in the UCF Common Controls Hub integration]

Applications

The UCF Citations application contains the UCF citations, which are the specific references within an Authority Document that contain control statements.

A UCF citation includes the specific location of the control within the Authority Document, a summary of what the Authority Document mandates, and a link to the harmonized UCF control.

Every citation is mapped to a single Control Standard, and individual citations may reference multiple locations within an Authority Document (some Authority Documents specify redundant controls). Authority Document information is stored in Authoritative Sources.

Personas and Access Roles

The UCF User function accesses information stored in the UCF Citations application to run searches and generate reports.

Installing UCF Common Controls Hub Integration

Complete the following tasks to install the offering.

  1. Prepare for the installation.

    1. Ensure that your Archer system is Archer Platform version 6.13 P1 or later.

    2. Obtain the Data Dictionary for the ODA by contacting your Archer Account Representative. The Data Dictionary contains the configuration information for the offering.

    3. Read and understand "Packaging Data" in the Archer Platform Help.

  2. Install the package. Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. For more information, see Installing the Package.

  3. Set up the data feeds. You must import and schedule each use case data feed that you want to use. See Setting Up Data Feeds.

  4. Test the installation according to your company standards and procedures, to ensure that the use case works with your existing processes.

Installing the package

Task 1: Back up your database

There is no undo function for package installation. Packaging is a powerful feature that can make significant changes to an instance. Archer strongly recommends that you back up the instance database before installing a package. This process enables a full restoration if necessary.

An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. You must manually delete new objects created by the package installation.

Task 2: Import the package

  1. From the menu bar, click Admin menu > Application Builder > Install Packages.

  2. In the Available Packages section, click Import.

  3. Click Add New. Select the package file that you want to import.

  4. Click OK.

The Available Packages section displays the package file and is ready for installation.

Task 3: Map objects in the package

Important: This step is required only if you are upgrading to a later version of this offering.

  1. From the menu bar, click Admin menu > Application Builder > Install Packages.

  2. In the Available Packages section, select the package you want to map.

  3. In the Actions column, click Analyze for that package.

The analyzer runs and examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instances and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source).

Note: This process can take several minutes or more, especially if the package is large, and may time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings set to less than 60 minutes.

  4. When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance. The objects are divided into tabs, depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-forms, or Questionnaires.

On each tab of the Advanced Mapping Page, review the icons next to each object to determine which objects you must map manually.

| Icon | Name | Description |
|---|---|---|
| A red exclamation point icon. | Awaiting Mapping Review | Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping all the objects. This icon is for informational purposes only. |
| A green checkmark icon. | Mapping Completed | Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping. |
| A grey icon of an i character. | Do Not Map | Indicates that the object does not exist in the target instance, or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping and must be remedied manually. |
| A blue backwards arrow icon. | Undo | Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map. |

  5. For each object that requires remediation, do one of the following:

    • To map each item individually, on the Target column, select the object in the target instance to which you want to map the source object. If an object is new or if you do not want to map an object, select Do Not Map from the drop-down list.
      Ensure that you map all objects to their lowest level. When objects have a child or related objects, the parent object provides a drill-down link. You must map child objects before parent objects. For more details, see "Mapping Parent/Child Objects" in the Archer Platform Help.

    • To automatically map all objects in a tab that have different system IDs but the same object name as an object in the target instance, do the following:

      1. In the toolbar, click Auto Map.

      2. Select an option for mapping objects by name.

        • Ignore case - match objects with similar names regardless of the case of the characters in the object names.

        • Ignore spaces - match objects with similar names regardless of whether spaces exist in the object names.

      3. Click OK. The Confirmation dialog box opens with the total number of mappings performed. These mappings have not been committed to the database yet and can be modified in the Advanced Package Mapping page.

      4. Click OK. To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map. (To undo the mapping settings for any individual object, in the Actions column, click Undo.)
        When all objects are mapped, the Checkmark icon is displayed in the tab title. The Missing objects icon is displayed next to the object to indicate that the object will not be mapped.

  6. Verify that all other objects are mapped correctly.

  7. (Optional) To save your mapping settings so that you can resume working later, see "Importing and Exporting Mapping Settings" in the Archer Platform Help.

  8. Once you have reviewed and mapped all objects, click Execute.

  9. Select I understand the implications of performing this operation and click OK.

The Advanced Package Mapping process updates the system IDs of the objects in the target instance as defined on the Advanced Package Mapping page. When the mapping is complete, the Import and Install Packages page is displayed.

Important: Advanced Package Mapping modifies the system IDs in the target instance. Update any Data Feeds and Web Service APIs that use these objects with the new system IDs.

Task 4: Install the package

All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. The Log Messages section provides a list of conditions that may cause objects not to be installed. The Package Installation Log section displays a log entry.

  1. From the menu bar, click Admin menu > Application Builder > Install Packages.

  2. In the Available Packages section, locate the package file that you want to install, and click Install.

  3. In the Selected Components section, click the Lookup button to open the Package Selector window.

    • To select all components, select the top-level checkbox.

    • To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install.

Note: Items in the package that do not match an existing item in the target instance are selected by default.

  4. Under the Install Method drop-down menu, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list.

Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package.

  5. To deactivate target fields and data-driven events that are not in the package, in the Post-Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install.

  6. Click Install.

  7. Click OK.

Task 5: Review the package installation log

  1. From the menu bar, click Admin menu > Application Builder > Install Packages.

  2. In the Package Installation Log tab, click the package that you want to view.

  3. In the Package Installation Log page, in the Object Details section, click View All Errors.

    Note: To view individual logs, in the Errors column of the log you want to view, click the Failures link or Warnings link. Clicking View All Errors, Failures, or Warnings opens the specific errors on a different page.

  4. Click the Export icon to export the log file.

  5. Click Close.

Configuring the UCF Common Controls Hub Integration

Before you begin 

This section provides instructions for configuring the data feeds for the offering. This document is not intended to suggest optimum installation or configuration.

This document assumes that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators must have access to the product documentation for all products involved to install the required components.

The Unified Compliance Framework offering must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true prior to proceeding. 

Note: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Professional Services for assistance.

UCF Common Controls Hub configuration

  1. Log in to the Common Controls Hub at https://cch.commoncontrolshub.com.

  2. Click Workspace.

  3. Select Show Selected Documents in a Hierarchy.

  4. In the Authority Documents section, search for the authority documents that you want to move to Archer.

  5. Click on the document that you want to add to your list. The documents are displayed in your list of selected documents.

  6. Repeat steps 4 and 5 for each authority document that you want added to Archer.

  7. Click Save List.

  8. Name your list (no spaces) and check the Share this List check box. You will use this name later while generating the UCF content for Archer.

Create API key In UCF Common Controls Hub

This API key is used to configure the solution in “Data Feed Configuration”. Refer to the UCF documentation on https://support.commoncontrolshub.com/. 

Setting Up Data Feeds

The following data feeds are used as part of the UCF integration process. All data feeds must be configured.

Import the data feeds in the following order:

  • 02 UCF Populate Control Standards JS Feed is a JavaScript transporter data feed that fetches data from https://api.unifiedcompliance.com/cch-ad-list/<list>/tracked-controls/details and creates and updates the records in the Control Standards application.

  • 03 UCF Update Control Standards is an Archer-to-Archer data feed that marks non-UCF Control Standards records.

  • 04 UCF Populate Citations JS Data Feed is a JavaScript transporter data feed that fetches data from https://api.unifiedcompliance.com/authority-document/ID/citations and creates and updates the records in the UCF Citations application. 

  • 05 UCF Relate Authoritative Sources to Control Standards is an Archer-to-Archer data feed that relates UCF Authoritative Sources records to UCF Control Standards records.

There are four data feeds available for the Unified Compliance Framework solution. All data feeds must be configured.

Import the data feeds in the following order:

  1. 01 UCF Populate Authoritative Sources JS Data Feed

  2. 02 UCF Populate Control Standards JS Feed

  3. 03 UCF Update Control Standards

  4. 04 UCF Populate Citations JS Data Feed

  5. 05 UCF Relate Authoritative Sources to Control Standards

After setting up the data feeds, you can schedule 01 UCF Populate Authoritative Sources JS Data Feed to run as needed.  All other data feeds run in reference to the first data feed.

Configure the JavaScript Transporter Settings

Before you upload a JavaScript file, you must configure JavaScript Transporter settings in the Archer Control Panel.

  1. On the General tab, go to the JavaScript Transporter section.

    1. Open the Archer Control Panel.

    2. Go to Instance Management and select All Instances.

    3. Select the instance.

    4. On the General tab, go to the JavaScript Transporter section.

  2. In the Max Memory Limit field, set the value to 2048 MB (2 GB).

  3. In the Script Timeout field, set the value to 120 minutes (2 hours).

  4. (Optional) If you want to allow only digitally signed JavaScript files in the data feed, enable Require Signature.

    1. In the JavaScript Transporter Settings section, enable Require Signature. A new cell appears in the Signing Certificate Thumbprints section.

    2. Double-click an empty cell in the Signing Certificate Thumbprints section.

    3. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.

      Note: For information on how to obtain digital thumbprints, see Obtaining Digital Thumbprints.

      Important: If you enable Require Signature and specify no thumbprints, no JavaScript files will be accepted by the system.

    4. (Optional) If you want to add additional thumbprint sources, repeat steps b-c for each thumbprint.

  5. On the toolbar, click Save.

Obtaining Digital Thumbprints

When running JavaScript data feeds, you can configure the system to allow only digitally signed JavaScript files from trusted sources.

For a certificate to be trusted, all the certificates in the chain, including the Root CA Certificate and Intermediate CA certificates, must be trusted on both the Web Server and Services Server machines.

Obtaining a Certificate Thumbprint

  1. On the Archer Control Panel environment, open the Manage Computer Certificates program.

    1. Click Start.

    2. Type: certificate

    3. From the search results, click Manage computer certificates.

  2. Ensure that your trusted source certificates are in the Certificates sub-folder of the Trusted Root Certification Authorities folder.

  3. In the Certificates sub-folder, double-click the certificate whose thumbprint you want to obtain.

  4. Verify that the certificate is trusted.

    1. In the Certificate window, click the Certification Path tab.

    2. Ensure that the Certificate Status window displays the following message: This certificate is OK.

      If the Certificate Status window displays something different, follow the on-screen instructions.

  5. Obtain the trusted certificate thumbprint.

    1. In the Certificate window, click the Details tab.

    2. Select the Thumbprint field.

The certificate's digital thumbprint appears in the window.
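The same lookup done from PowerShell instead of the Certificates console, as an added example that is not part of the Archer documentation: it lists the store contents and, for a thumbprint you intend to enter in the Archer Control Panel, strips copy-and-paste debris and reports whether the certificate is in Trusted Root Certification Authorities and whether its chain builds. The function names and the sample thumbprint are constructed for illustration; run it on both the Web Server and the Services Server.

```powershell
# Added example, not Archer code. Reads the local machine certificate store only.

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: drops spaces, colons and invisible Unicode marks
    # (for example U+200E) that can be picked up when copying from the
    # Thumbprint field of the Certificate window.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        # A Windows certificate thumbprint is the SHA-1 hash of the certificate: 40 hex characters.
        throw "Expected a 40-character thumbprint, got $($hex.Length) hex characters."
    }
    $hex
}

function Get-StoreCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Cert:\LocalMachine\Root is the Trusted Root Certification Authorities store.
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $wanted = ConvertTo-NormalizedThumbprint $Thumbprint
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1

    if (-not $cert) {
        return [pscustomobject]@{
            Thumbprint  = $wanted
            Found       = $false
            Subject     = $null
            NotAfter    = $null
            ChainValid  = $false
            ChainStatus = 'certificate not present in store'
        }
    }

    # Build the chain with the default policy. On a server without outbound
    # access the revocation check can fail and is reported in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $valid  = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    finally {
        $chain.Dispose()
    }

    [pscustomobject]@{
        Thumbprint  = $wanted
        Found       = $true
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        ChainValid  = $valid
        ChainStatus = $status   # empty when the chain built without errors
    }
}

# 1. List what is in the store, soonest expiry first.
Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Sort-Object NotAfter |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 2. Check a thumbprint before entering it in Signing Certificate Thumbprints.
#    Constructed sample value: a leading invisible mark plus spaced hex pairs.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
Get-StoreCertificateStatus -Thumbprint $pasted | Format-List
```

A result with Found set to False on either server means a signed JavaScript file from that source will not chain to a trusted certificate there.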

Set Up the UCF Authoritative Sources Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel.

  1. Go to the Manage Data Feeds page.

  2. In the Manage Data Feeds section, click 01 UCF Populate Authoritative Sources JS Data Feed.

  3. In the General Information section, in the Status field, select Active.

  4. Click the Transport tab.

  5. In the Transport Configuration section:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the signed_ucf_api_complete.js file.

    4. Click Open.

    5. From the Upload JavaScript File dialog, click OK.

  6. In the Custom Parameters section, enter key values.

    The following table describes the value for each key in Custom Parameters.

| Key | Value |
|---|---|
| apikey | [Valid value] |
| listName | [Valid value] |
| adurl | https://api.unifiedcompliance.com/cch-ad-list/<list>/authority-documents |
| dataSource | adocs |

Note: The listed values are in place by default. They can be configured to suit your environment. If a proxy server is needed, add the parameter “proxy” with the address in the form http://url:port/

  7. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  8. Verify that key field values are not missing from the data feed setup window.

  9. Click Save.

Set Up the UCF Control Standards Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel.

  1. Go to the Manage Data Feeds page.

  2. In the Manage Data Feeds section, click 02 UCF Populate Control Standards JS Feed.

  3. In the General Information section, in the Status field, select Active.

  4. Click the Transport tab.

  5. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the signed_ucf_api_complete.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  6. In the Custom Parameters section, enter key values.

    The following table describes the value to enter for each key in Custom Parameters.

| Key | Value |
|---|---|
| apikey | [Valid value] |
| listName | [Valid value] |
| adurl | https://api.unifiedcompliance.com/cch-ad-list/<list>/authority-documents |
| trcurl | https://api.unifiedcompliance.com/cch-ad-list/<list>/tracked-controls/details |
| dataSource | Control |

Note: The listed values are in place by default. They can be configured to suit your environment.

  7. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  8. Verify that key field values are not missing from the data feed setup window.

  9. Click Save.

Set Up the Control Standards Update Feed

  1. Go to the Manage Data Feeds page.

  2. In the Manage Data Feeds section, click 03 UCF Control Standards Update.

  3. In the General Information section, in the Status field, select Active.

  4. Click the Transport tab.

  5. In the Transport Configuration section, complete the following:

    1. Enter the URL.

    2. Confirm the Report ID and Report Name.

    3. Enter the User Name and Password.

    4. Enter the Instance name.

  6. In the Data Map section, verify key value is set to Tracking ID.

  7. Click Save.

Set Up the UCF Citations Data Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel.

  1. Go to the Manage Data Feeds page.

  2. In the Manage Data Feeds section, click 04 UCF Populate Citations JS Data Feed.

  3. In the General Information section, in the Status field, select Active.

  4. Click the Transport tab.

  5. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the signed_ucf_api_complete.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  6. In the Custom Parameters section, enter key values.

    The following table describes the value to enter for each key in Custom Parameters.

| Key | Value |
|---|---|
| apikey | [Valid value] |
| listName | [Valid value] |
| adurl | https://api.unifiedcompliance.com/cch-ad-list/<list>/authority-documents |
| dataSource | citations |

Note: The listed values are in place by default. They can be configured to suit your environment.

  7. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  8. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

      The following table describes token values to verify.

| Token | Value |
|---|---|
| LastRunTime | (Populated by Data feed) |
| CrossReferencesMode | LinkOnly |
| RelatedReferencesMode | LinkOnly |
| BatchContentSave | 1000 |

Note: For more information about tokens, see "Data Feed Tokens" in the Archer Platform Help.

  9. Verify that key field values are not missing from the data feed setup window.

  10. Click Save.

Set Up the Relate Authoritative Sources to Control Standards

  1. Go to the Manage Data Feeds page.

  2. In the Manage Data Feeds section, click 05 UCF Relate Authoritative Sources to Control Standards.

  3. In the General Information section, in the Status field, select Active.

  4. Click the Transport tab.

  5. In the Transport Configuration section, complete the following:

    1. Enter the URL.

    2. Confirm the Report ID and Report Name.

    3. Enter the User Name and Password.

    4. Enter the Instance name.

  6. In the Data Map section, verify Control Standards key value is set to Tracking ID and Authoritative Sources is set to Source Tracking ID.

  7. Click Save.

User Permissions for UCF Common Controls Hub

Users must be added to the UCF: Users group to view the solution and the UCF Citations application.  All UCF information in Authoritative Sources, Control Standards, and UCF Citations is read-only.

Certification environment

Date Tested: July 2024

| Product Name | Version Information | Operating System |
|---|---|---|
| Archer | 6.13 P1 | Virtual Appliance |
| UCF CCH | NA | NA |