ROH 6.32.0.2 Release

Release Overview

Release Name: ROH Beta Hotfix Release

Release Type: Hotfix

Release Number: 6.32.0.2

Purpose

RegScale Orchestration Hub (ROH) enables organizations to automate the import and export of data between RegScale and external systems through configurable integrations and commands.

This beta release is intended for early adopters and validation of core orchestration capabilities. Functionality, supported integrations, and performance characteristics may change before General Availability (GA). This minor release delivers reliability, usability, and maintenance improvements for early adopters, summarized below.

What's Fixed

  • Ingesting Qualys data with complex filters: Jobs that ingest data from Qualys will now ingest data correctly when users configure the job to include or exclude assets based by combining multiple asset group names and tags.
  • Synchronizing Jira issues with RegScale tasks: Jobs will now correctly ingest Jira issues with rich content and custom metadata fields to properly sync with tasks in their RegScale instance.

Maintenance and Updates

  • Routine dependency and security updates across backend components.

[6.37.39] - 2026-07-15

Added

  • eMASS API hardware and software baseline sync commands to pull asset inventory from eMASS, create or update RegScale assets, and push new assets back to eMASS
  • Stakeholder records now expose the v2 address fields (type, city, stateProvince, postalCode, country) so callers can supply structured address data on create and update
  • CAC/PIV smart card (PKCS#11) authentication for regscale emass_api register, enabling mTLS with an on-card private key that never leaves the device

Changed

  • Airflow container image now built on a FIPS 140-3 compliant base

Fixed

  • Airflow container no longer ships a Starlette version affected by high-severity security advisories
  • Jira Data Center issue sync now records an error for the affected issue and continues instead of aborting the whole batch when Jira returns an unexpected error while updating or closing one issue
  • File uploads through the API (such as checklist import) no longer fail with an HTTP 415 error caused by an incorrect JSON content type on multipart requests
  • Jira task sync no longer crashes when a Jira issue has no priority assigned; such issues now use the default due-date timeline instead of aborting the entire sync
  • Jira sync now renders rich-text (ADF) issue descriptions to plain text so tasks and issues sync successfully instead of being rejected with an empty request body
  • CSAM system security plan import now creates plans successfully instead of failing when the source identifier is numeric
  • CSAM control implementation import now retrieves control statements correctly instead of failing on the report query endpoint
  • CSAM front matter import now maps the Sub-Organization field correctly
  • AWS Security Hub, EC2, and ECR issue imports now post successfully to the batch endpoint instead of being silently rejected and retried one issue at a time, making those syncs faster and quieter
  • Scanner-imported issues now link to their assets in the Related Assets view instead of remaining unlinked
  • Wiz issue titles no longer repeat the CVE identifier (for example "CVE-2024-30105: CVE-2024-30105")
  • Wiz issue remediation guidance no longer reads "Update to version None" and now uses the rule's remediation instructions
  • Wiz issue last-seen date is now populated from the scan time instead of being left empty
  • Wiz synchronization now refreshes its access token during long-running syncs instead of failing partway through when the token expires
  • Wiz synchronization now reports a clear "not configured" error when the Wiz client ID or secret is left at its placeholder value instead of returning an opaque authentication failure
  • Security patches for bundled Python dependencies
  • FedRAMP SSP party imports no longer fail to create stakeholders when the OSCAL party has an address but no country, by populating structured address fields (with country) when available and otherwise sending no address fields
  • StakeHolder model field validator that converts None to empty string for nullable text fields now actually runs, so callers passing explicit None values get coerced to "" as documented
  • eMASS SLCM workbook import now retries failed control implementation updates through the bulk /batchUpdate endpoint instead of a manual single-record fallback
  • Jira Data Center sync commands now honor the configured TLS verification setting instead of always verifying certificates unless the CLI flag was passed
  • Jira Data Center CSV import no longer drops the first row's key when the export file starts with a UTF-8 byte-order mark, and XML import no longer crashes on a non-numeric attachment size
  • Jira Data Center sync now reports a clear configuration error for a non-numeric page size or timeout instead of crashing, and quote characters in project keys or task titles no longer break the generated Jira query
  • Jira Data Center sync no longer stops after the first page of results when the server enforces a smaller page size, so all matching issues are imported

[6.31.1.5] 07-15-2026

Known Limitations and Important Information

This release is a hotfix that is only applicable to the 6.31.1.x releases. If your current version is equal to or greater than the 6.32.0.0 release DO NOT APPLY this hotfix.

Enhancements

POA&M Custom Rules

Added support for configurable custom rules for Plans of Action and Milestones (POA&Ms), providing organizations with greater flexibility to tailor POA&M management to their internal processes and compliance requirements.

Automated Cyber Reportable Risk Flagging

Enhanced automation for POA&Ms and milestones by automatically setting the Cyber Reportable Risk flag based on configured workflows, helping ensure reportable risks are consistently identified and tracked.

Improved Test Result Export Labels

Updated the eMASS test result exports to include the [r5] prefix on applicable controls, providing clearer identification of NIST SP 800-53 Revision 5 content.

Updated CIA Value Color Scheme

Refined the visual presentation of Confidentiality, Integrity, and Availability (CIA) values by introducing an updated color scheme for Low impact ratings, improving readability and consistency across the platform.

Hardware and Software Export Improvements

Improved hardware and software inventory exports by eliminating duplicate component assets, resulting in cleaner and more accurate exported data.


Fixes

Vulnerability Status Board Asset Counts

Resolved an issue where the Vulnerability Status Board always displayed zero affected assets, ensuring accurate asset counts are presented.

Issue Milestone Persistence

Fixed a problem that could cause milestones created on issues to disappear after creation. Milestones are now retained correctly.

FedRAMP POA&M Export Asset Completeness

Resolved an issue where FedRAMP POA&M exports could omit associated assets. Exports now include the complete set of related assets.

Over Time Dashboard Stability

Fixed an issue where the Over Time dashboard reset the selected time period when switching tabs and could display stale data from a previously viewed SSP. The selected timeframe and displayed data now remain accurate throughout navigation.

Scan History Ordering

Corrected the ordering of entries on the Scan History tab so scan history is displayed in the expected chronological order.

CIS/CRM Import Status Mapping

Resolved an issue affecting CIS/CRM imports where setting controls could incorrectly populate the Other Status field. Imported status values are now mapped correctly.

Security Fixes

Updated HTML-to-PDF Conversion Engine Dependencies

Resolved multiple security vulnerabilities affecting the HTML-to-PDF conversion component used for document and report exports. The underlying third-party dependencies were updated to address several critical and high-severity security issues in the legacy rendering engine. This update strengthens the security of PDF generation while maintaining existing export functionality.

Customer impact: Improved security for document and report export capabilities with no expected changes to the end-user experience.

Updated OpenAPI/Swagger Dependencies

Updated the OpenAPI and Swagger components used to generate REST API documentation to remediate a high-severity security vulnerability in a transitive dependency. This enhancement improves the security posture of the API documentation framework while preserving compatibility with existing API documentation and developer workflows.

Customer impact: Enhanced security for API documentation generation with no expected changes to published APIs or the Swagger user experience.

[6.37.6] - 2026-07-11

Changed

  • Security patches for Airflow container dependencies

Fixed

  • FedRAMP DRF import now sends the evidence attachments column to RegScale (the field was silently dropped from the payload), and False Positive rows missing an evidence description or evidence attachments are reported in the import report instead of failing with repeated API errors
  • FedRAMP CIS/CRM import no longer overwrites a control part's implementation statement with customer responsibility text, preserving the existing statement while still updating customer and cloud responsibility fields
  • Wiz vulnerability, end-of-life, and issue synchronization now correctly scope to the selected Wiz project instead of returning findings from every project in the tenant
  • Wiz vulnerability and issue scans now cache results per project and filter so syncing different projects no longer overwrite each other's cached data
  • Wiz synchronization no longer closes findings as resolved when a query fails partway through fetching results, preventing open findings from being incorrectly marked closed after a transient Wiz API error
  • Compliance control assessment synchronization no longer creates duplicate assessments when a transient error prevents loading existing assessments, and now keys deduplication off a wider set of date fields

[6.32.1.1] 07-09-2026

Fixes

  • Enabled SemanticMapping feature as default for installations.

  • Hide the AI provider selection when bring-your-own-LLM is disabled

[6.32.1.0] 07-08-2026

Enhancements

  • Added support for PIV card authentication architecture

    • Introduced foundational platform enhancements to support environments that require Personal Identity Verification (PIV) card authentication, improving readiness for organizations with advanced identity and access management requirements.
  • Introduced a feature-flagged Issue Workflow

    • Added a new configurable Issue Workflow, modeled after the existing Security Plan approval process. This provides organizations with greater flexibility to define and manage issue review and approval lifecycles before broad availability.
  • Improved Workbench Preview Visibility

    • The Workbench preview now correctly displays counts for assigned and owned workflow steps, providing users with an accurate summary of pending workflow activities directly from the preview experience. This aligns Workbench behavior with other modules for a more consistent user experience.
  • Expanded form capabilities

    • Delivered additional form enhancements to improve flexibility and support evolving data collection requirements across the platform.
  • Improved backend scalability

    • Optimized child record counting operations by consolidating multiple database queries into a single aggregated request, improving performance when viewing complex data structures.
  • Improved accessibility

    • Enhanced Form Builder accessibility by improving label association to better meet WCAG 2.5.3 (Label in Name) requirements.
    • Increased color contrast for dashboard elements in dark mode to provide a more accessible experience for all users.

Fixes

  • Fixed an intermittent issue where creating child Issues from Controls was not consistently available.

  • Resolved intermittent failures when creating Control Implementations caused by database operations during save processing.

  • Fixed an issue that prevented questionnaire reviewers from successfully submitting completed reviews.

  • Corrected navigation issues caused by Custom Tab system names containing special characters, restoring reliable navigation and deep-link behavior.

  • Fixed inconsistent email information displayed on User cards within the Email Log.

  • Improved the stability of RegML AI services under heavy load, reducing service interruptions experienced by Author, Auditor, Explainer, and Evidence Mapping capabilities.

  • Fixed an issue where duplicating fields in Form Builder could bypass the maximum field limit for a section.

  • Corrected tenant cause retrieval logic to properly determine Global Administrator permissions using role-based authorization rather than username matching.

  • Updated API create endpoints to return the appropriate view models instead of raw database entities, improving API consistency.

  • Hardened SubModuleForm write operations by enforcing module permissions, strengthening service-layer validation, and improving overall reliability.

  • Fixed an issue where Interconnection records created beneath Security Plans were not correctly maintaining parent relationships.

  • Resolved an issue where advanced Issue searches using the Equals operator against the Comments field returned no matching results.

  • Fixed a that could occur when generating required-only DOCX exports for CMMC and DOE Security Plans using Export Builder.

  • Resolved errors that could occur when applying templates to Security Plans.

  • Fixed an issue that prevented users from entering values into date fields in certain forms.

  • Fixed an issue where the Workbench preview did not display counts for Workflow Steps Assigned and Workflow Steps Owned, even though other module counts were shown correctly. Workflow step counts are now calculated and displayed as expected.

Release Overview

Release Name: ROH Beta Hotfix Release

Release Type: Hotfix

Release Number: 6.32.0.1

Purpose

RegScale Orchestration Hub (ROH) enables organizations to automate the import and export of data between RegScale and external systems through configurable integrations and commands.

This beta release is intended for early adopters and validation of core orchestration capabilities. Functionality, supported integrations, and performance characteristics may change before General Availability (GA). This minor release delivers reliability, usability, and maintenance improvements for early adopters, summarized below.

What's Fixed

  • Ingesting Qualys data with filters: Jobs that ingest data from Qualys will now ingest data correctly when users configure the job to include or exclude assets based upon specific tags.

Maintenance and Updates

  • Updated the bundled RegScale user interface with the latest fixes and refinements.
  • Routine dependency and security updates across backend components.
  • Expanded automated end-to-end and regression test coverage, including checks that guard against duplicated records during data ingestion.

[6.32.0.0] 06-28-2026

Important Release Disclaimer

RegScale version 6.32.0.0 introduces a new and improved UI navigation experience.

Customers may choose to remain on the legacy UI; however, most new features and improvements are available only in the new UI.

Some bug fixes apply to both UI patterns, but not all enhancements are backward compatible.

To learn more about UI changes, refer to the transition guide:
RegScale v6.32 UI Transition Guide


Enhancements

AI Settings (Early Access)

  • Introduced a new RegML adapter allowing customers to connect RegML to their preferred LLM
  • Supports both cloud-hosted and on-prem LLM configurations
  • Enables secure use of AI capabilities while maintaining compliance controls
  • Early access feature — contact your account team to enable

Cause Codes

  • Added import/export capability for Cause Codes
  • Enables standardized categorization of issues across the organization
  • Improves issue tracking and reporting consistency

Compliance Settings Enhancements

  • New framework-based UI tailoring capabilities:

    • Hide irrelevant forms, tabs, fields, and exports per framework
  • Support for multi-framework selection

  • Dynamic UI updates when switching frameworks


Facilities & Organizations

  • Export and import JSON templates for:

    • Facilities
    • Organizations
  • Enables bulk onboarding and system-wide configuration of dropdown data sources


Catalog Enhancements

  • Catalog controls now support direct associations to:

    • Evidence types
    • Risk records
  • Enables cross-system reuse of catalog relationships

Evidence & Risk Linking

  • Added Evidence and Risk views within:

    • CRI Catalog
    • SCF Catalog
  • Users can now manage:

    • Suggested evidence artifacts per control
    • Risk register entries tied to controls

Catalog Importer Improvements

  • Performance improvements for large catalog imports
  • Progressive ingestion with real-time progress indicator
  • Pre-import visual preview of catalog contents

Compliance Explorer

Framework Network Graph

  • Visual graph of framework relationships
  • Interactive control mapping visualization

Mapping Explorer

  • Compare control mappings between any two frameworks
  • View equivalencies and relationships

Gap Assessment

  • Identify coverage gaps between frameworks
  • Switch mapping standards dynamically

Continuous Controls Monitoring Dashboard

Aggregate View

  • Unified compliance posture across all Security Plans
  • Risk plot highlights outliers

Attestation

  • RMF onboarding progress tracking
  • Filter by system, component, or organization

Assurance

  • Control assessment status (pass/fail/validity)

Remediation

  • Identify high-priority risks and vulnerabilities
  • Assign issues directly from dashboard
  • Supports KEV-based filtering and ATO status updates

Risk View

  • Risk cost analysis tool
  • Track mitigation burndown trends

Control Implementations

Kanban View

  • Control workflow visualization:

    • Draft → Pending Approval → Approved → Rejected → Re-Approval Required
  • Filtering by control family or owner

  • Search across all controls

Bulk Editor (Excel-Style)

  • Multi-select editing for:

    • Owner
    • Status
    • Responsibility
    • Source
    • Inheritability

Approval Workflow Automation

  • New workflow trigger capability
  • Automatically initiate approvals on control changes
  • Full audit trail in control timeline

Evidence Locker Dashboard

System-Level Views

  • View all evidence by:

    • Security Plan
    • Component
  • Includes status, owner, control mapping, and due dates

Control-Level Views

  • Search evidence by control
  • Consolidated evidence tracking per control

Drill-Down Enhancements

  • Access files, links, and mappings directly from records

Bulk Editor

  • Edit:

    • Owner
    • Due date
    • Approver
    • Status
    • Frequency

Evidence Module Enhancements

Evidence Versioning

  • Full file version history tracking

  • Download and review historical evidence uploads

  • Available at:

    • Evidence record level
    • System/component level

Multi-Framework Support

RegScale now supports:

  • Secure Control Framework (SCF)
  • Cyber Risk Institute (CRI)

Key Capabilities

  • Import SCF and CRI control profiles
  • Framework-specific evidence and risk mappings
  • Unified cross-framework compliance analysis

Framework Highlights

CRI

  • Financial services regulatory mapping (FFIEC, NYDFS, OCC, etc.)
  • Domain-based control structure

SCF

  • Unified control framework across 250+ regulations
  • Pre-mapped evidence types per domain
  • Can act as a bridge framework across compliance programs

🧭 Map Across Frameworks Workspace

  • Unified compliance posture across frameworks
  • Gap assessment for regulatory coverage
  • Cross-framework scorecard view

Navigation Enhancements

  • Replaced top/right panel navigation with unified left-side navigation

  • Faster access to dashboards and modules

  • Consolidated form toolbar actions

  • Centralized view of:

    • Tasks
    • Work items
    • Active processes

SSP Creation Wizard

  • Single-flow SSP creation experience:

    1. Name security plan
    2. Select compliance profile
    3. Choose catalog
    4. Select threat model (optional)
    5. Review summary
    6. Real-time provisioning progress

Optional Enhancements

  • FIPS 199 categorization
  • Control inheritance
  • Component association
  • AI Author (RegML SSP drafting)

Consolidated Issues View

  • Unified issue tracking per Security Plan

  • Supports:

    • Owner tracking
    • Facility-based issue aggregation
    • Milestone planning
    • Open task visibility

Workflow Designer Enhancements

Triggers

  • Auto-trigger workflows on:

    • Create
    • Update
    • Status change
  • Automates task assignment and process initiation

Digital Signature

  • Add digital signature step to workflows
  • Supports approval and audit requirements

Notes

  • Some features are new UI only
  • Legacy UI does not receive all enhancements
  • AI Settings is early access and requires enablement

Purpose

RegScale Orchestration Hub (ROH) enables organizations to automate the import and export of data between RegScale and external systems through configurable integrations and commands.

This beta release is intended for early adopters and validation of core orchestration capabilities. Functionality, supported integrations, and performance characteristics may change before General Availability (GA). This minor release delivers reliability, usability, and maintenance improvements for early adopters, summarized below.

What's Fixed

  • Reliable recovery of long-running and split jobs during deployments. Jobs interrupted when a background worker restarts during a routine deployment — including large jobs that ROH splits into parallel batches — are no longer incorrectly marked as failed. They now resume automatically and finish on their own merits, so in-progress work is preserved.
  • Accurate "Pending" job status. The Jobs list and API now report a queued job as Pending rather than Running, and the Pending state now displays a clearly visible, color-coded badge consistent with the other job statuses.
  • API documentation now renders in the browser. The interactive API documentation (Swagger UI) previously appeared blank because required page assets were blocked by ROH's strict security policy. Those assets are now served directly by ROH, so the documentation renders correctly with no reduction in security posture.
  • Correct version and build information. The ROH user interface and API now report the actual deployed release version and build details instead of placeholder values. A dedicated version endpoint exposes this build metadata to aid support and troubleshooting.

Maintenance and Updates

  • Updated the bundled RegScale user interface with the latest fixes and refinements.
  • Routine dependency and security updates across backend components.
  • Expanded automated end-to-end and regression test coverage, including checks that guard against duplicated records during data ingestion.

Enhancements

  • Expanded STIG Synchronization Support

    • Added support for synchronizing Wiz STIG checks through the XCCDF Benchmark workflow, providing a more streamlined integration experience.
  • Export Pre-flight Validation

    • Introduced pre-flight validation for eMASS exports to identify potential issues for eMASS required fields before document generation begins, reducing failed export attempts.
  • SLCM Import Support

    • Added support for importing System Life Cycle Management (SLCM) data through the CLI to simplify onboarding and migration workflows.
  • Enhanced eMASS Export Templates

    • Updated eMASS export templates with the latest supported versions as of 06/23/2026.
    • Removed legacy highlights and comments carried over from previous template versions to produce cleaner exports.
  • New Audit & Assessment Experience

    • Introduced an updated Audit and Assessment user interface with improved navigation and usability.
  • Export Performance Improvements

    • Optimized export processing to improve performance and responsiveness, particularly for larger datasets.
  • Improved Data Import Reliability

    • Enhanced CLI import processing to better detect existing users during POA&M imports.
    • Improved handling of custom field mappings during eMASS CLI imports.
  • Improved Vulnerability Processing

    • Enhanced server-side processing to use vulnerability-specific security check data when generating Issues, improving the accuracy of imported findings.

Fixes

  • Fixed an issue where conditional visibility rules for Special Type Description fields did not evaluate correctly.

  • Removed obsoleted required fields that could unnecessarily block user workflows.

  • Resolved an issue that could produce corrupted export files when documents contained empty tables.

  • Fixed an issue where asset manufacturers were not retained during batch asset creation or update operations.

  • Corrected navigation behavior in Lightning Assessments, including improvements to tab scrolling.

  • Improved currency field formatting by limiting input width for better usability.

  • Removed the default Major Application value from System Type where it was incorrectly applied for DoD workflows.

  • Fixed display issues where Cloud-related fields appeared even when the associated functionality was not enabled.

  • Disabled the Move To action for sub-module fields where the operation is not supported.

  • Resolved an issue that could cause assessment milestones to appear incorrectly in POA&M exports.

  • Fixed an issue preventing users from creating new Issue records under certain conditions.

  • Corrected the Asset Issue dialog so open Issues are displayed as expected.

  • Removed the Assessment Result field from Assessment records where it should not be displayed for DoD workflows.

  • Fixed processing logic so disabled fields that cannot be modified are no longer unnecessarily evaluated.

  • Corrected an issue where eMASS Test Result exports did not populate associated test data.

  • Addressed multiple user interface improvements and navigation inconsistencies throughout the application.

  • Implemented a variety of additional stability, reliability, and usability improvements across the platform.