Changelog

[6.32.0] - 2026-03-18

Changed

  • Upgraded Apache Airflow from 3.1.6 to 3.1.7 to address security vulnerabilities
  • Compliance integrations now auto-detect framework mismatches and crosswalk controls between frameworks (e.g., NIST source to SOC2 SSP)
  • Compliance integrations now skip issue creation for controls that have no matching implementation in the SSP

Added

  • Cross-framework control matching in compliance base class for all integrations (Wiz, CrowdStrike, AWS, GCP, etc.)
  • Framework auto-detection utility with confidence threshold for SSP and source data

Fixed

  • Evidence Model method no longer crashes with a 500 error when called without filter parameters; empty parameters now return all records
  • Wiz compliance evidence is now correctly mapped to SSP controls via crosswalk when frameworks differ
  • Wiz compliance no longer runs redundant control status updates that duplicated base class logic
  • Control matcher now handles generic/custom catalog types (e.g., HITRUST) by falling back to case-insensitive direct matching when no specific framework handler matches

[6.31.0] - 2026-03-16

Changed

  • CrowdStrike compliance sync now supports all 7 frameworks (NIST, CSF, SOC2, CMMC, ISO, CIS, OWASP) via option
  • CrowdStrike compliance sync now uses SSP compliance settings for proper status mapping (FedRAMP, DoD, NIST)
  • CrowdStrike compliance sync auto-detects framework from the SSP's security profile using the framework handler registry
  • CrowdStrike integration refactored into modular package structure for improved maintainability
  • CrowdStrike SDK reuses authenticated sessions across bulk operations for improved performance
  • CrowdStrike compliance notes are now HTML-escaped before rendering
  • Consolidated Qualys Airflow DAGs into a single DAG with user-configurable options for VMDR, WAS, Container Security, and Total Cloud services

Added

  • CrowdStrike command to export prevention policy configurations as audit evidence
  • CrowdStrike command to generate comprehensive SOC2 evidence packages (host inventory, policies, alerts)
  • CrowdStrike evidence auto-links to matching control implementations using compliance mapping data with cross-framework support (NIST, SOC2, CSF, CMMC)
  • CrowdStrike vulnerability sync from Spotlight API with severity and CVE mapping
  • CrowdStrike asset sync from Hosts API with platform detection and device inventory
  • CrowdStrike compliance sync supports Full and Partial control implementation levels
  • Cross-framework mapping utility to automatically translate compliance controls between NIST, CSF, SOC2, CMMC, ISO, and CIS
  • CSF (Cybersecurity Framework) handler for control ID detection and parsing

Fixed

  • CrowdStrike FalconPy 1.6.0 deprecated API compatibility (Incidents, Intel, UserManagement)
  • CrowdStrike SDK authentication validation and SSL verify configuration support
  • CrowdStrike compliance sync no longer requires catalog lookup, reads control implementations directly from SSP
  • Entra ID evidence collection no longer fails to upload when PIM licensing (AadPremiumLicenseRequired) is unavailable; successfully collected evidence now uploads to the RegScale SSP regardless of downstream licensing errors (REG-20943)
  • Fixed OOM crash in Qualys Total Cloud import caused by swallowing instead of re-raising it, which caused to loop infinitely accumulating values
  • Fixed unclosed Rich markup tag in CLI disclaimer ( → ) that could cause rendering artifacts

[6.29.2.0] - 2026-03-13

Changes

  • Added notifications for Access Requests to improve visibility for administrators.
  • Introduced Request Access link to streamline user onboarding.
  • Implemented Cross-BU reporting capabilities.
  • Added endpoint to return available exports for all modules.
  • Added RBAC endpoint to add or remove group permissions from a record in AppBuilder.
  • Added support for enabling modules during tenant creation.
  • Migrated module enablement seeding from to module configuration files.
  • Updated RegScale AI routing to leverage v1 primitives instead of calling models directly.
  • Implemented prompt access pattern (), response contracts, and telemetry usage for RegML integration with the RegScale app.
  • Marked legacy Export Builder exports as DEPRECATED.
  • Removed NGRX Store from the application.
  • Added New Threat Models functionality.
  • Introduced New Risk creation option on Capability Risks tab.

Fixes

Access Requests & User Access

  • Fixed issue where new user access requests were not handled correctly.
  • Fixed issue where users could not approve access requests from Setup > Users.
  • Fixed issue where access requests disappeared after refreshing the page.
  • Fixed issue where users were incorrectly redirected to the App Store page to request access after upgrade.
  • Fixed issue preventing users from being added to the tenant admin list.

Performance & API

  • Improved performance of the Request Access API, which previously took ~50 seconds to respond.
  • Fixed query failures when was not set.
  • Fixed Policy Generator timeout issues due to insufficient async polling attempts with v1 query.

Security & RBAC

  • Fixed multiple role-based access control issues, including:

    • Users with CR access able to update Assessment Plans
    • Users with CR access able to delete Assessment Plans
    • Users with CRU access able to delete Threats
    • IssueScreener and IssueUser roles not receiving Issue Screening access

UI / UX

  • Fixed Browse Applications grid spacing issues on lower screen widths.
  • Fixed Login banner intermittently not appearing.
  • Fixed App Management > Group back button navigating incorrectly to General instead of Groups.
  • Fixed Create New buttons appearing in Cross-App mode where creation should not be allowed.
  • Fixed Bulk Editor appearing in Cross-App mode.
  • Fixed Component > Bulk Actions appearing in Cross-App mode.
  • Fixed Add Mappings appearing in Cross-App mode.
  • Fixed Multiple field not disabled on Questionnaire while in Cross-App mode.
  • Fixed Create New appearing in Component > Score Card > Manage Risk when not permitted.
  • Fixed Create New Risk appearing incorrectly in certain contexts.
  • Fixed Mini Subsystem buttons missing in UI.
  • Fixed Tags dropdown opening behind modal in Mini Subsystem files.

Data Integrity

  • Fixed issue where file attachment (paperclip) created records with incorrect parent ID/module.
  • Fixed issue allowing access to Request records after deletion.
  • Fixed issue where Threat Model owner field changed unexpectedly on creation.

Export Builder

  • Fixed Export Builder preview errors when viewing export files.
  • Fixed Export Builder XLSX functionality regressions introduced in 6.29.1.

RegML / AI Features

  • Fixed Response Automation not returning responses.
  • Fixed AI Generator progress status bar not updating correctly.
  • Fixed AI Generator cost savings showing when run by app users or admins.
  • Fixed RegML features returning 403 errors.

AppBuilder / Controls

  • Fixed Control Builder Primary Responsible Role not setting correctly (422 error).
  • Fixed Control Implementations loading slowly.
  • Fixed Tasks Advanced Search not working.

System / Environment

  • Fixed email functionality not enabling correctly.

Reporting

  • Fixed issue where Reports failed to load in Cross-App view with a 400 console error.
  • Fixed issue where Tenant Admins could not create new reports in Cross-App view.

Vulnerabilities & Security

  • Fixed vulnerability in mop-up functionality.
  • Fixed error loading vulnerability data.

Implementation Limitations and Known Issues in this Release

This note is for everyone to be aware of any updates for SSO that involve our government customers.
With the .NET 10 upgrade that was part of our 6.29.X release, there is no leniency in the verification of the login URL for SSO. There are now two Azure URLs. Previously either could be used; they both return the same data indicating the .com URL. If the customer is not GCC High, their validation is actually in the commercial (.com) endpoint, not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.

Other

  • To avoid unexpected timeouts and being logged out of the application, set the session timeout value greater than the browser inactivity value. Session timeout is being enforced prior to inactivity. There is currently no warning to the end user before being automatically logged out of the application.

  • In order to delete an Interconnection, the user must have both Update and Delete permissions.

[6.30.1.0] - 2026-03-12

Changed

  • Updated error_and_exit to show where it was called from

Fixed

  • Scanner integrations now correctly assign assets to components when using
  • FedRAMP POAM Import:
    • No longer crashes with an illegal hardware instruction on CPUs that lack AVX2 support; pandas is used automatically as a fallback
    • Correctly falls back to the default POAM ID column when a custom value is not present on a given sheet
    • AttributeError failures when POAM IDs are stored as integers in the spreadsheet
    • Incorrect column numbers in various warning messages
  • unit and integration tests package import issue
  • ci build-info updates

[6.29.1.2] - 2026-03-10


Fixes

  • Export Builder
    • Fixed an issue that was preventing control enhancements from populating for FedRAMP Appendix A.

Known Limitations and Issues

This note is for everyone to be aware of any updates for SSO that involve our government customers.

With the .NET 10 upgrade that was part of our 6.29.X release, there is no leniency in the verification of the login URL for SSO. There are now two Azure URLs. Previously either could be used; they both return the same data indicating the .com URL. If the customer is not GCC High, their validation is actually in the commercial (.com) endpoint, not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.

[6.29.1.1] - 2026-03-09


Fixes

  • Control Implementation

    • Fixed an issue where the More Tools → New Assessment option was missing.
    • Resolved a problem where the Create New button did not function for non-tenant administrators.
  • Export Builder

    • Corrected an issue in the Seeded Labs export where certain tables contained missing or misaligned data.
  • FedRAMP SSP Export

    • Fixed a failure preventing FedRAMP SSP exports from completing successfully.

Known Limitations and Issues

This note is for everyone to be aware of any updates for SSO that involve our government customers.

With the .NET 10 upgrade that was part of our 6.29.X release, there is no leniency in the verification of the login URL for SSO. There are now two Azure URLs. Previously either could be used; they both return the same data indicating the .com URL. If the customer is not GCC High, their validation is actually in the commercial (.com) endpoint, not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.

[6.29.26.1] - 2026-03-09

Fixed

  • Key value pairs being overridden from the default template when running in Automation Manager jobs

[6.29.26.0] - 2026-03-09

Added

  • Wiz compliance_report command:
    • creation of evidence records in RegScale: uploads the CSV compliance report, maps it to the SSP, and maps it to each control that has compliance data via the control lookup cache
    • flags (enabled by default) which follows the same pattern as GCP SCC compliance evidence attachment

[6.29.25.0] - 2026-03-06

Added

  • ISO 27001:2013-to-2022 cross-edition control mapping for AWS Audit Manager compliance sync (REG-20509)
  • Evidence record creation for SSM () and CloudTrail () integrations, matching the Audit Manager pattern

Changed

  • BREAKING CHANGE: All AWS integrations now default to creating Evidence records instead of SSP-level file attachments. This makes evidence visible in the RegScale Evidence module. To restore the previous behavior, pass (for SSM, CloudTrail, CloudWatch, S3) or (for GuardDuty, IAM, KMS, Org, Config).

Fixed

  • Microsoft Defender crash on when member objects have inconsistent list field types (e.g. empty vs populated )
  • AWS Config compliance evidence upload: CLI now builds ConfigEvidenceConfig/ConfigFilterConfig objects instead of passing individual kwargs that were silently discarded
  • Evidence file upload: cast parent_id to str in multipart form data to prevent httpx encoding failures, and surface the actual exception instead of a generic "File upload failed" message
  • Issue asset-identifier updates: truncate assetIdentifier to 500 chars to avoid API rejections when findings reference many resources
  • Incorrect domain being set when running in Automation Manager
  • Compliance reports with multiple controls not mapping to Control Implementations during command

[6.29.1.0] - 2026-03-04


Overview

This release represents a major evolution of Export Builder, including:

  • Full Excel export framework
  • Sub-templating architecture
  • Advanced filtering capabilities
  • Large-scale FedRAMP and program conversions
  • Significant service refactoring and architectural alignment
  • Expanded test coverage and stability improvements

New Functionality

Excel (.XLSX / .XLSM) Export Support

  • Added support for .XLSX and .XLSM export types in Export Builder.
  • Added formula preservation for statistical and computed fields.
  • Added support for Excel text-based date formats.
  • Added worksheet switching in XLSX mapping tab with autosave.
  • Added data filtering for:
    • Repeating Excel rows
    • Repeating table row elements

DOCX Enhancements

  • Support for RTF data type field mapping.
  • Added sub-template document generation support.
  • Added autosave when switching between mapping pages.
  • Added export capability for data filters when exporting field mappings.
  • Added ability to insert multiple images in template via file store tagging.
  • Improved style preservation in source template.
  • Improved TOC generation reliability.
  • Added ability to "clone" standard OOTB templates for customization.

Extended Export Builder Data Services

  • Refactored ExportBuilderService into logical alignments with RegScale architecture.
  • Added Deviations data to Export Builder data service.
  • Added Linked/Mapped Component data for Security Plans.
  • Extended data services to return linked control components.
  • Added export/import support for field mappings (JSON).

FedRAMP, DOE, CMMC, and Program Conversions

Converted the following exports to the new Export Builder framework:

  • FedRAMP SSP (Rev 5)
  • FedRAMP SAP
  • FedRAMP SAR
  • FedRAMP CIS/CRM Workbook
  • FedRAMP Appendix Q (Cryptography)
  • FedRAMP Separation of Duties Matrix (SOD)
  • DOE SSP
  • BNL SAP
  • BNL SAR
  • CMMC SSP Report
  • Labs SSP
  • Tailored SSP

Additional enhancements:

  • Support for Master Assessment selection when generating SAP/SAR

Changes

  • Removed the word “Template” from Export Builder titles and output file names.
  • Improved automapping accuracy and speed in field tagging.
  • Added export capability for data filters in field mapping exports.
  • Improved filtering behavior in data services.

Fixes

  • Fixed “No mappings” message not spanning full UI width.
  • Fixed export field mapper paging issue after service refactor.
  • Fixed filter options not copying in export configurations.
  • Fixed various UI issues in Export Builder.
  • Fixed importing export mappings causing field loss.
  • Fixed automapping incorrect tag associations.
  • Fixed filter tag replacement bug.
  • Fixed repeating data sets failing in sub-templates.
  • Fixed repeating template tables duplicating first row.
  • Fixed filtering of References data not persisting.
  • Fixed sub-template repeating datasets malfunction.
  • Fixed exception on empty DOCX template upload.
  • Fixed exceptions during export template upload.
  • Fixed 500 error when selecting Security Plan module.
  • Fixed Export Builder seeding failure during post-startup.
  • Fixed Export Builder SOD output file generation failure.
  • Fixed list of Table of Figures causing TOC generation failure.
  • Fixed incorrect image replacement during generation.
  • Fixed SafelyUpdateParagraphText generation errors.
  • Fixed Export Builder not handling documents without tags.
  • Fixed inconsistent TOC generation.
  • Fixed PersonExportModel (Lead Assessor) not populating.
  • Fixed DILs not populating in SSP export.
  • Fixed POCs not populating in SSP export.
  • Fixed duplicate SOD figure header in SSP Rev 5.
  • Removed incorrect content from SSP Rev5 and FedRAMP SAR.
  • Fixed parameter replacement in Tailored SSP requirements.
  • Fixed no connection between Ports/Protocols and Cryptography data.
  • Fixed FR SSP multi-document tagging diagram issue.