CHANGELOG

[6.16.1.3] - 2025-03-25

Fixed

Reverted version update of graphing library that caused inconsistent rendering
Additional style changes on padding between elements

[6.16.1.2] - 2025-03-23

Fixed

General styling updates

Changed

Upgraded Angular

CHANGELOG

[6.16.1.1] - 2025-03-19

Fixed

Task Date Due works correctly

[6.16.1.0] - 2025-03-18

Added

Security logging

Changed

Performance improvements

Fixed

Task Date Due works correctly

[6.16.0.0] - 2025-03-14

Added

Risk Rollup Status Board
Compliance Hygiene Status Board
RegML SSP Author (Feature Flagged)
RegML Cost Savings Calculator (Feature Flagged)
Option to validate exports in OSCAL XML export model
OSCAL exports for Security Profiles and Catalogs
External mapping support for OSCAL catalog export
SPRS weights into the CMMC 2 Catalog

Changed

Moved IAM and Scorecards to tabbed navigation
Paging on the Asset List for a Vulnerability
Delete confirmation modal
AI Editors to Kanban Tasks
Enhanced Catalog printing
Adjusted viewing zones to better accommodate Parts
Toggle to adjust the font size of tiles
Role is first card on the Control Implementation module

Fixed

Resolved RegML TypeError console error
CVE information in Vulnerability Detail works correctly
Generate password follows password security policies
Questionnaire module assignment works correctly
Lines of Inquiry Files Mini-Subsystem saves correctly
Server-side timestamps are in UTC
Comment dates render correctly
Set default SortId for Security Controls
"Not Applicable" selection within Control Settings works correctly
Continuous Monitoring test creation works correctly
SaaS auto-issued temporary passwords for new users work correctly
Task closed date can be modified
Evidence frequency changes correctly change the Next Update Due Date field
Assessment results can be changed

Security

Applied routine dependency upgrades to enhance security and stability

[6.15.2.0] - 2025-03-12

Changed

RegML Extractor file upload uses standard file input
Improved RegML Extractor experience

Fixed

"Extract All" option restored in RegML Extractor
Custom fields work correctly after upgrade.

[6.15.1.0] - 2025-03-11

Added

"Copy Link" button for easier access to Questionnaire Self-Assign URL
Validation messages for invalid LOI Assessments
Warning message displayed on the page if a record could not be deleted due to dependencies

Changed

Platform Deviation Form evidence attachments now return to a rich text field
Make user wait to download another catalog when one is already being added to RegScale
"Catalogues - Control Framework Gap Report" renamed to "Control Framework Gap Report (RegScale)"
"Catalogues - UCF Control Overlap Report" renamed to "Control Framework Gap Report (UCF)"

Removed

Import Profile button on a Security Profile record
New Profile button on the Security Plan Builder

Fixed

Evidence Owner field is set correctly for evidence workflows
Evidence collection mapping system displays the control ID and the parent ID
Uploading files to a Kanban task works as expected
DOE SSP export works as expected
FedRAMP Appendix A export works as expected
FedRAMP Deviation Request export works as expected
FedRAMP Inventory export works as expected
FedRAMP POAMs export works as expected
FedRAMP SSP export works as expected, including Tables 7.1, 8.1, 10.1, and Inventory discrepancies
Control test plan creation displays validation warnings for missing information
Leveraged Authorization field on a security plan can be unset
Previous and next navigation buttons in the Control Builder load the correct control information
Advanced search works correctly when searching by organization membership or facility
Advanced search works correctly for fields with multi-select dropdowns
Kanban tasks can be due on the current date
Selecting a control for a questionnaire question works as expected
Built-in reports appear correctly in on-prem instances
Evidence module can be accessed with the following roles: SecurityPlanUser, AssessmentUser, SupplyChainUser
Lines of Inquiry test results of "Not Applicable" are excluded from the compliant calculation
Lines of Inquiry validation messages are displayed
Lines of Inquiry gauge colors are no longer hardcoded
Dropdown lists render correctly in dark mode
Duplicate dropdown values removed from Assets and other modules
Sorting by date or user in GridView works correctly
White space bug preventing full scrolling fixed
Swagger loads correctly in all environments
File uploads in Subsystem Kanban no longer disappear on refresh
Tailored Export evidence on Controls is correctly represented
Tailored Export missing data location issue addressed
Control Implementation status updates correctly and does not cache on first save
Incident and Threat addition in Risks functions as expected
Change Record - Outages Start and End Dates save correctly

Security

Routine hardening and patching

[6.15.0.0] - 2025-03-09

Added

Report Builder
- Support for pie charts and line charts
- Done button on the preview step which returns the user to the report list view
- My Organization option when filtering by organization
- Ability to sort reports by column in view mode and on dashboards
- Ability to delete a report

Changed

Report Builder: report names must be unique

Removed

Report Builder: ID-based fields for facility, organization, and user

Fixed

Report Builder
- Drill-in functionality for charts grouped by organization, facility, or user works as expected
- Custom system labels render correctly

[6.14.2.1] - 2025-03-06

Fixed

Upgrade to .NET 9

[6.14.2.0] - 2025-03-03

Added

PUT /api/compliance/migrate/ to support migrating existing security plans (including controls and parts) to a new compliance setting
FedRAMP Exports support the FedRAMP Compliance Setting
Pass and fail scanner integration fields added to Compliance Settings

Changed

FedRAMP exports align with the FedRAMP compliance settings
POST /api/securityplans will use the default compliance settings when a compliance setting is not defined in the request
Navigating to /dashboard redirects users to /my-dashboard

Fixed

Save buttons work as expected when using the control builder on a security plan record
Compliance Setting APIs no longer return data recursively
Components inheritance works as expected

[6.14.1.0] - 2025-02-25

Removed

Validation for Basis for Adjustment for an issue in a deviation summary (handled in the deviation utility)

Fixed

Compliance setting values are unique
Available Information Types and Selected Types tab for a security plan's categorization section render correctly
Custom fields marked as "Not Required" save correctly
Navigation panel
- Deleting records updates the panel entries with the new record count
- Clicking links only updates parts of the page that have new information
- Item counts do not include soft-deleted records
Navigating between different security plans shows the expected data
Module selection on the News Feed works correctly
Deviation Summary tab fields for an issue are readonly
CVSS Score field on the Vulnerabilities tab for a security plan displays correctly
Data Entry fields have single scrollbar
Compliance Settings migration works correctly
Migrated fields display correctly
Clicking the RegScale logo returns user to their default homepage
Changes module respect ITIL Force Changes Through Workflow setting
CVSS Score displays correctly in CVE List
Custom fields work correctly on Exceptions form

[6.14.0.0] - 2025-02-20

Added

RegML
- Functionality for exposing vectorized supporting documentation to AI language models
- Extractor
  - Ability to export RegML Extractor results to Excel
  - WYSIWYG editor and AI-supported pop-out text editor when reviewing resulting recommended statements
Dashboard Manager - Build and Share Your Own Dashboards
- List of dashboards with the ability to add new dashboards and edit, preview, and delete existing dashboards
- Ability to share dashboards with a group
- Tabs to search/filter by widget, reports, or module
- Ability to favorite a dashboard
- Fully integrated with Report Builder
Questionnaires and workflows
- Questionnaires tab available across most RegScale modules
- Ability to assign a reviewer at the module level
Streamlined Group Management
- Users with GeneralUser, Maintainer, or Manager roles can create and manage groups (located in the user profile menu)
- Add and manage groups without the need for administrator support
Links subsystem has file share (e.g., OneDrive) URL support and works with Evidence Locker
Audit Info option under a record's More Tools menu to display additional audit information (date created, date last updated, UUID, created by, and last updated by)
Description field available in Kanban for tasks
Workflow History tab on workflow records
Warning about unsaved changes in both the Classifications and Data subsystems

Changed

RegML
- Extractor
  - User interface updated to be more consistent with the rest of the application
  - Faster response times
  - Workflow failures (such as from missing environment variables) are handled gracefully
  - Auto-generates control level statements
  - Allows for discretely saving or discarding generated statements
- Chatbot
  - Improved efficiency and robustness of integration with the AI language model
- Author
  - Generating suggested implementation statements is now in the More Actions menu of the Control Implementation page
  - Improved consistency of results
  - Improved efficiency and robustness of integration with AI the language model
- Explainer
  - Translating complex control requirements into simple, accessible language is now in the More Actions menu of the Control Implementation page which is more easily accessible
Admin and configuration
- Utilization admin panel
  - User can specify a reporting date range
  - Access Logs tab contains email address and admin status
- Evidence Locker workflows can be enabled/disabled (Admin > Modules and Features)
- Improved toggle for enablement in the Organization Manager
UI and layout enhancements
- Improved styling via a "more options" style menu
  - Lines of Inquiry checklist view on an assessment
  - Continuous Monitoring Controls in Scope list
- Condensed layout and improved iconography for the Files subsystem
- Improved tab look and feel throughout the application
- Improved readability for issue status workflow progress steps
- Streamlined layout for the Fix Issues tab scorecard on a security plan
- Tile scorecard layout for the Utilization admin panel
- Smaller screen support
  - Auto-calculate button changed to an icon button in the Control Builder
  - Improved Kanban layout
- Improved look and feel for lightning assessments
- Assessment tab for a control implementation uses a tabbed layout for increased readability
Performance and optimization
- Optimized database access for improved performance
- Improved catalog filtering performance
- Simplified API models to improve application and Swagger performance
- Control Scorecard loads significantly faster
- Improved performance for quick search in list views across the application
- Export list now loads nearly instantly
Subsystems
- Files subsystem: improved readability/contrast for JSON/XML/YAML preview mode
- Added validation for file types to the Data subsystem
Business impact analysis has instructions and more helpful validation errors
Risk assessment
- Financial Modeling step updates/runs automatically once enough information has been provided
- Trend Analysis field is not required for completion
- Target Risk field moved to the top of the form
- Improved overall flow and click path
- Treatments, Controls, and Issues are available on the Risk Scorecard

Removed

Dashboards
- Dashboards tab on the Issues module list view (widgets are now available in the Dashboard Manager)
- CISO Dashboard workspace (can be recreated and better customized using the Dashboard Manager)
Risk
- Risk record Inherent Risk and Business Impact Assessment tabs (part of the risk assessment wizard)
- Publish Results button for risk assessments (performed automatically by advancing to the next step)
- Pie charts from the risk scorecard
- Risk Score Details tab from the supply chain status board
From column on the user admin page that shows email activity
Schemas section of Swagger page

Fixed

Navigation and UI
- Relationships subsystem entries correctly navigate to the related records in other modules
- Assessment tab for a control implementation renders correctly
- Navigating through controls in the Control Builder clears the search field
- YAML preview pane in the Data subsystem renders correctly
- Issues tab on the Mitigations section for a risk's scorecard renders correctly
Fields and validation
- Date validation logic for Assessment, Change, and Exception records works as expected
- Risk Assessment form validation errors match the field names used on the form
- Exception records can have a submission date from a previous year
- Audit data is set correctly for custom fields
- Applying a threat model to a component creates risk records with an inherent risk that's explicitly undefined
- When creating a new risk, inherent properties (e.g., probability, frequency, impact) are hidden until initial risk assessment is performed
Evidence Locker
- Only the Evidence Approver role can approve evidence
- Evidence Owner and Evidence Approver cannot be the same user
- Links within Evidence Locker records correctly map to a control
- Rejecting evidence correctly sets the evidence record status
User roles
- Modules menu only displays options that are available based on the user's role(s)
- Maintainer can...
  - Create new categorization engine records
  - View security control records
- IssueScreener can view causal analysis and issues records
- ProgramUser can access the Programs, Capabilities, and Questionnaires modules
Risk assessment and controls
- Advanced search for Annual Loss Expectancy (ALE) in the Risks module works correctly
- Performing a risk assessment properly sets the Initial Risk Assessment and Next Assessment Date fields and updates the risk trend
- Not Applicable scorecard tile in the Attest to Controls scorecard for a security plan filters as expected
- Control Status by Owner widget works as expected
- Control implementation options for parts render correctly
- Lightning assessment view for a control implementation with parts renders correctly
Causal analysis step for issue screening works as expected
Adding steps to a workflow template works as expected
Tasks created within a record regardless of the source (e.g., Kanban subsystem, issue screening, risk assessment, child record) all roll up into the same place
api/assessments/complianceTrendsByParent works correctly
eMASS Hardware Software List export option shows the correct file extension
Questionnaire import process completes as expected

Security

Security patching and API hardening

[6.13.0.0] - 2025-02-10

Added

Compliance settings (see the Compliance Settings admin panel)
- Preconfigured implementation statuses and control origin selections
  - RegScale default
  - FedRAMP
  - PCI
- Ability to associate a wayfinder and/or profile(s) to a compliance setting
Compliance rollup (see the Compliance Settings admin panel)
- Ability to associate one or more compliance settings to a single customizable value
- Ability to map a compliance setting value to a performance status color

Changed

Control implementations with parts have an aggregate status (i.e., the combination of their parts' statuses)
Creating a new security plan prompts the user to select a compliance setting as well as an optional wayfinder and profile
CISO dashboard supports compliance settings and rollup colors
Performance statuses (see the Theming admin panel) support configurable colors and icons

[6.12.0.0] - 2025-02-07

Added

Report Builder
- Bar chart type
  - Aggregation by field count (as well as sum and average for numeric values)
  - Drill-in functionality for a given bar
- Grouping by a single field
- Date picker for date filters
- Support for organizations and facilities
- Date filter: Within the Next number of days
Ability to add bar chart report widgets on My Dashboard
Report subscriptions (email) based on frequency (daily, weekly, monthly, quarterly)

Changed

Report Builder
- Drop-down selections are sorted alphabetically
- Date fields render only the date portion (i.e., without the time portion)

Removed

Date Between filter for dates (accomplished by using two filters: Date Before, Date After)

Fixed

Report Builder
- Fields that support rich-text render as plain text in the report
- Control field (in the Control Implementations module) displays the control's name
- Grouping and aggregation settings display correctly when editing the configuration for an existing custom report
- Filter operators work as expected
My Dashboard renders correctly

[6.11.3.0] - 2025-02-06

Added

Customer-specific customizations for SAR and SAP exports
Templated exports
- /api/ExportOrchestration/GetList to return the list of export records
- Ability to replace data in tables with non-repeating data
- Ability to preserve text formatting of placeholders and paragraphs with sections
FedRAMP Appendix M support for multiple IP addresses in Column C

Changed

Improved logging for templated export generation

Fixed

eMASS CYBERSAFE export
- Shows correct success message
- eMASS ID derived from system field
Date validation logic (i.e., approval, submitted, expiration) for Exception records works as expected
Global admin has correct creation date for initial seeding
Data for several Assessments and Control Implementation webhooks is populated as expected

[6.11.2.1] - 2025-02-01

Fixed

Auth token expiration works as expected
Startup process ensures form field names, tab names, and dropdown choices are unique

[6.11.2.0] - 2025-01-29

Added

eMASS POA&M export: support for handling issues that impact multiple control implementations

Changed

GET api/issues/{intId} includes a list of related control implementations

Fixed

Inherited tile on the Control Status scorecard of a security plan shows the correct count
Issues of a control implementation have the expected parent/child relationship
Security controls in the eMASS POA&M export have a .1 suffix
PUT api/issues/batchUpdate correctly accounts for related control implementations

[6.11.1.0] - 2025-01-24

Changed

Security plan Expiration Date is now called Authorization Termination Date

Fixed

Navigating away from the Lines of Inquiry tab on an assessment prompts the user only if there are unsaved changes
User avatar renders as expected after logging in
Control mappings appear in the Mappings tab of a security control after using the Control Transformer tool
SAR export (Rev4 and Rev5) references the correct data for deviations
Dashboard widget titles appear correctly in dark mode
Drill-down works as expected for the Security Plan Status Board (Aggregate View)
A user can log in after a successful password reset
Data subsystem works as expected when switching between records
Navigating to the Control Implementations module displays the list view as expected
Labs SSP export contains the expected content
Clicking the logo in the upper left corner navigates to the user's preferred home page
Tailored SSP export
- Fonts are consistent
- Implementation statement and responsibilities honor inherited controls
Regulations tab of a requirement record displays as expected
Tenant creation view supports dark mode
Creating a new security plan from the Security Plan Status Board works correctly
Security plan scorecards update correctly when navigating to other security plans
Outage window fields save correctly on a change record

Security

Routine dependency upgrades
Stronger restrictions around password reset and rotation frequency

[6.11.0.1] - 2025-01-21

Changed

RegML Extractor
- Progress is shown via a single progress bar
- Next actions are more clearly defined once processing has completed

Fixed

RegML Extractor uses batch processing for increased responsiveness
Lines of inquiry work as expected
Assessment tab on a control implementation renders correctly

[6.11.0.0] - 2025-01-17

Added

Left panel that gives users the ability to use a Wayfinder in context, easily access the Workbench, and see the full data structure of the parent record
Right panel that lists all of the tabs and utilities for the current record
Form Builder (via a new admin panel) that provides the ability to add/edit fields and configure the form layout

Removed

Wayfinder modal (replaced by the new left panel)
Form tabs (replaced by the new right panel)
Metadata, Custom Fields, and Custom System Labels admin panels (replaced by the new Form Builder admin panel)

[6.10.0.0] - 2025-01-13

Added

/api/SecurityControls/get/{id} has an option to resolve security control parameter values
Ability to forward history events to the syslog to support third-party monitoring
RegML Auditor (in a security plan's Assess Controls workspace)
- Completeness checks by control
- Quality checks by control with explanations
- Ability to auto-generate issues for controls below the completeness or quality thresholds
- Auto-generated audit / assessment record
Security plan Assess Controls workspace
- Scorecard filters for completeness/grade
- Excel export of the audit report
- Audits view that lists audits and their statuses
AI Assistant text editor modal for text area fields throughout the app
- Ability to create new or refine existing text content
- Visualization of what refinements the AI Assistant made and the ability to undo them
Assessment print view: summary statement, tests, lines of inquiry, colored status badges
Assessment form: Compliance Score field
Issues can have child issues
Catalogs available to install
- Cybersecurity Maturity Model Certification (CMMC) 2.0
- Nuclear Regulatory Commission (NRC) 5.71
Preview of assessment results as the last step of a lightning assessment
Busy indicator that displays while the issues scorecard is loading
Assessment preview (last and next) for a control implementation
Compliance History over Time chart on the Assessment tab of a control implementation
Lines of inquiry on an assessment: Toggle between Data Collection and Audit Results view
Ability to remove a control from a scheduled audit
Inherent Risk Score column on the Risks module list view

Changed

Input fields for control implementation parts support rich text format
Controls can be added to an existing continuous monitoring (CONMON) scheduled assessment
Request Evidence button on a lightning assessment moved next to existing buttons (Comments, Files, Links)
Improved performance for features that can be enabled/disabled
Completing the business impact assessment (BIA) auto-publishes the assessment
More Info button in the classification subsystem replaced with a smaller icon

Removed

Audit section on the Continuous Monitoring tab for a security plan (moved to the Assess Controls workspace)
RegML Explainer feature toggle (replaced by the broader RegML feature toggle)

Fixed

Tests grid and Conduct Assessment button appear after starting a lightning assessment
Security Profiles module is available for the GeneralUser role
Security Controls and Categorization modules are available for the Maintainer role
Create New button for each module is only available if the user role is not ReadOnly
AI features are only available when the RegML - Enable AI for the RegScale Platform feature is enabled
Batch-updating assessments (API) correctly updates the parent control or requirement
Count of assessments due soon matches in the Workbench and the dashboard widget
New Risk Assessment option under More Tools is only available for risk records
Threat model print view displays the Print and Back buttons
Audit progress report displays correctly when the start and finish date are the same
Mini-subsystems (Links, Files, Comments) for evidence on a control display contents correctly
Lightning assessment test information updates as expected when there are multiple tests
Reverting a time travel record works as expected
Assessment form loads correctly
Publishing a risk assessment sets the current risk to the new high water mark
Lines of inquiry
- Type is required
- Manually creating lines of inquiry works as expected
- Scorecard tiles show the correct counts
- Date types save correctly
- Assessments with lines of inquiry can be deleted
- Validation errors display (when needed) and prevent further progress until addressed
Header for the modal shown from classification subsystem records has the correct color contrast
Finalize Risk Assessment button works as expected
Questionnaire instance webhook payload includes parent ID and parent module fields
Risk models load consistently
Financial Modeling section of a risk assessment is available only if the Financial Risk Modeling feature toggle is enabled
Date field values on forms match before and after each reload/save

Security

Reduced visibility to account management APIs
Increased logging for unauthorized access

[6.9.8.0] - 2025-01-07

Changed

eMASS PPSM export
- Updated to the latest version required by eMASS
- Enhanced error logging

Removed

Footer link to deprecated RegScale University

Fixed

eMASS exports
- SLCM export content is generated as expected
  - Control test plans
  - Values in columns C, H, K, and L
- PPSM and USN PPSM exports have unique filenames
- USN PPSM has numbers preceding the name of the boundary being crossed
- .xlsm files are generated correctly
- Hardware/Software (HW/SW) export includes the SSP's child assets

[6.9.7.0] - 2025-01-06

Fixed

Filters work correctly on the Issues/POAMs tab of a security plan

[6.9.6.0] - 2024-12-31

Added

Ability to assign an existing questionnaire to an asset

[6.9.5.1] - 2024-12-17

Added

60-second timeout on the APIs page (Swagger)

Fixed

Questionnaires sent to recipients without a RegScale account can be saved and submitted

[6.9.5.0] - 2024-12-16

Changed

FedRAMP POA&M Export includes point of contact (column H) information if available
Illegal filesystem characters (<>:/\|?*";) are removed from export names

Fixed

Filter operators in Report Builder match the type of data being filtered

[6.9.4.0] - 2024-12-13

Added

Ability to update an existing SBOM record via the API PUT /api/sbom/{id}
Ability for an unparented issue to have a parent asset assigned
Fully qualified domain name (FDQN) field is available for software assets
Relative date filter (i.e., within the last N days) when building reports

Changed

Vendor Name is a required field if a POA&M issue has a vendor dependency
When creating a deviation for an issue where the types are either Risk Adjustments or OR & RA...
- Adjusted risk cannot be more than one level above/below the original risk
- Requested risk adjustment cannot be the same as the severity level
In the Automation Manager, selecting a job for an integration displays only the keys required to perform that job

Fixed

Continuous monitoring link in a security plan's wayfinder works correctly
Questionnaires: File Access question type supports marking a question as answered once the user uploads a file
api/deviations/getAllBySecurityPlan/{sspId}/{includeDrNumber} returns the correct response
FedRAMP POAMs export's Supporting Documents column matches the FedRAMP Deviation Request export's List of Evidence Attachments column
FedRAMP Deviation Request export's columns A and B are populated correctly
Issues/POAMs tab on a security plan shows issues that belong to assets tied to the SSP
Custom date fields can be marked as required
Unset custom fields render correctly for records
Navigating to child records works as expected

Security

Dependency updates

[6.9.3.0] - 2024-12-10

Added

Risk
- More ways to conduct a risk assessment
  - Button below a risk's scorecard
  - Option in the More Tools menu
- Risk visualizations
  - Trend chart of annual loss expectancy (ALE) of a risk over time
  - Spider charts of inherent and current risk
- Ability for risks to have child issues
- Endpoints
  - Business impact assessment by risk and type (api/business-impact-assessments/getAllRiskAndType/{intRiskId}/{strType})
  - Risks by threat scenario (/api/threatScenarios/getAllRisksByScenario/{intScenarioId})
  - Risk rollup data for a threat model (/api/threatModels/riskRollup/{intThreatModelId})
- Risk Assessment Wizard
  - Header with back button and information about previous assessment
  - Ability to view threat scenario information (if the risk is based on a threat model)
  - Issues tab for the Review Controls section
  - Business Impact Assessment section
  - Current Risk section
  - Trends & Impacts section scorecard
Threat model
- Risk rollup table, including drilldowns and Excel export
- Print view
Administration
- Scoped roles for service accounts
- Database usage statistics
  - /api/logging/getSqlStorageStats (limited to Administrators)
  - SQL Storage tab on the Utilization admin panel
- Ability to unlock administrator accounts that were locked because of inactivity (limited to Global Admin)

Changed

Risk
- Date Closed is required when a risk's status is Cancelled
- Risk scorecard and visualizations use the term inherent rather than current
- Heatmap on the risk scorecard shows the highest score in the top-right corner
- Risk Assessment Wizard sections
  - Review Controls section of a risk assessment uses the term Actions rather than Preventative Actions
  - Improved layout for Status Update section
  - Utilization admin panel uses a tabbed layout
Administration
- Email Test button is hidden on the Email admin panel if email is disabled
- Time Travel functionality can be enabled/disabled (enabled by default)
- Selecting a different admin panel scrolls to the top of the screen

Removed

Requirements tab on control implementations (duplicate of the Control Builder tab)
My Workbench workspace
- My Activity tab (duplicate of activity icon in the header)
- Profile panel (duplicate of user menu in the header)

Fixed

api/securityplans/megaAPI/{indId} returns control implementation responsibility
api/authentication/changePassword returns correct reponse for invalid requests
Warning notifications are shown when email is disabled
- Emailing a questionnaire
- Creating a new user
Control implementations
- Tabs show as expected
- Justification for Exclusion field works as expected
- Responsibility field shows correctly
- Planned Implementation Date and Steps to Implement are required if the status is Planned
Risk records created from a risk assessment can be deleted
Risks Remediated scorecard tile for an asset displays the correct format
Print view displays correctly for catalogs
Evidence Locker correctly maps evidence when there are multiple controls
Default session length values are set correctly
Tabs in the My Workbench workspace display as expected
Expiration Date in service accounts grid view is formatted correctly
Test descriptions on a security control's Test Plan grid support HTML content

Security

Email and print events captured in the History subsystem
Passwords cannot be reset for inactive accounts
Visibility to some account endpoints restricted

[6.9.2.0] - 2024-12-10

Added

Questionnaire export includes rules, descriptions, and instructions
eMASS ID field added to an asset's Basic Info tab

Changed

eMASS Hardware/Software export matches the new format required for later import

[6.9.1.0] - 2024-12-03

Added

Support for the CRI (Cyber Risk Institute) Profile v2.0
Ability for security controls to have external mappings
- Support for catalog import and export
- Listing of external mappings on the Control Builder
Map Across Frameworks workspace on a security plan
- Chart to show the status of controls across frameworks
- Chart to show percent compliant by framework
- Grid of controls that are not fully implemented to help prioritize high impact areas
Large modal window for editing text-based Control Builder fields

Changed

Control Builder
- Evidence Summary section shows the counts of comments, files, and links
- Tiles can be collapsed/expanded
- Roles is the first tile
- Control title truncated to the control ID if the title is lengthy
- Updated labels for role-based fields
- Clearer user experience for saving a part for reuse

Removed

Auto-save functionality when editing control settings and parts in the Control Builder

Fixed

RegML Extractor instructions have consistent formatting
Validation error message appears when required control settings are missing in the Control Builder

Security

Implemented refresh tokens
Added concurrent session limits
Enhanced logging

[6.9.0.3] - 2024-11-27

Fixed

Improved performance
- Module grid views
- Issues/POAMs tab for SSPs
View button on dashboard widgets that display user-centric lists (e.g., My Tasks Due Soon) navigates correctly

[6.9.0.2] - 2024-11-19

Changed

Change record's Date Change Approved and Date Work Completed are set automatically via workflow

Fixed

Default change record status is Draft

[6.9.0.1] - 2024-11-18

Note: Starting 2024-11-18 versions will use the Major.Feature.Minor.Hotfix format.

Fixed

Users with GeneralUser role can create a security plan

[6.9.0] - 2024-11-17

Added

Support for templated exports in Microsoft Word format
Quick filters (open, all, recently added, recently closed) when viewing a security plan's issues
POST /api/regml/query endpoint
Gantt chart on the scorecards' Fix Issues workspace for security plans, components, and policies
Change record statuses (assess, schedule, implement, review)
Ability to make status fields readonly so that they are only changed via workflows

Changed

List of vulnerability scans for a security plan is sorted by scan date (descending)
Files subsystem is initially sorted by date uploaded (newest to oldest)

Fixed

Policy editor
- Changes save as expected
- Busy indicator deactivates when operations complete
Deviation Summary tab for issues displays correctly
GET /issues/getAllByParent/{id} returns an empty list if there are no child issues
JSON Preview tab works correctly in the Data subsystem
ProgramUser role has correct module access
Searching for issues by parent module works as expected
List of vulnerability scans for a security plan contains the correct number of entries
Gantt chart on a security plan's Issues/POAMs tab uses the first detected date as the start date
Querying assets via GraphQL works as expected
Grid views
- Columns better accommodate long text
- Pagination, row count, and sorting work correctly

[6.8.0] - 2024-11-14

Added

Soft-delete support for primary record types

Fixed

Webhooks event data payloads work correctly
Data from triggered webhooks is populated as expected
Addressed technical debt areas such as data models and unused functionality
Various link routes navigate to the correct from
Evidence files can be previewed in the Evidence Locker and when mapped to a control
Search functionality for components that show file uploads works as expected
Policy option can be de-selected on a control implementation record
Viewing a lineage record on a security plan navigates to the correct profile
Assets can be unlinked from a component
Tailored SSP export honors rich-text formatting
Files subsystem upload functionality works as expected

Security

Routine dependency upgrades

[6.7.0] - 2024-11-11

Added

Ability to add user reports as widgets on My Dashboard

Changed

My Dashboard
- Enhanced usability when rearranging widgets
- Custom labeling is honored
Report Builder
- Editing a custom report navigates to the report builder screen
- Certain fields are marked as required before saving

Fixed

System reports show in the reports list when no user reports exist
All modules are supported for creating custom reports

[6.6.1] - 2024-11-06

Fixed

Red Hat UBI container contains the expected catalogs
Question responses save correctly for questionnaires assigned via the process of self-assigning to a non-RegScale user (i.e., authenticated by access code)

[6.6.0] - 2024-11-06

Changed

Control implementation statements are displayed from inherited controls within the auto-calculated control implementation summary

Fixed

Standardized button labels for grid views
Labs SSP export document is populated correctly
FedRAMP SSP export
- Placeholder is provided for the user to insert an Appendix Q reference
- Table K.1 populates correctly
Links within questionnaires work as expected
Due Date for Next Update is auto-calculated after creating an evidence record
Asset SBOM copy and export/download operations work correctly

[6.5.1] - 2024-11-04

Fixed

Control parts appear as expected in the control builder

[6.5.0] - 2024-11-02

Added

Deviation Summary tab for issues that displays relevant information from a deviation request
- Deviation Rationale
- Known Exploitable Vulnerability
- False Positive?
- Operational Requirements?
- Auto-Approved
- Adjusted Risk Rating
- Risk Adjustment?
- Basis for Adjustment

[6.4.0] - 2024-11-01

Changed

CCIs are hidden from the control parts view for a given control
eMASS POA&M export is updated to reflect the most recent format

[6.3.0] - 2024-10-31

Added

Support for Wiz commands
- wiz vulnerabilities
- wiz add_report_evidence
- wiz attach_sbom
Sampling methodology field for lines of inquiry
Lightning Assessment
- Evidence tab that lists associated files and provides file previews
- Navigator dropdown that allows the user to select a control to assess
Assess Controls workspace for the security plan dashboard
- Tiles to show assessment status counts
- Predefined filters (e.g., assessment status, due next 30 days)
- Search by control ID or title
Continuous monitoring (CONMON)
- View Evidence option for CONMON records
- Busy spinner while the progress report is loading
- File preview capability for Deliverables tab
- Clickable control titles for the Controls In Scope progress report

Changed

Automation Manager
- When viewing previously run jobs, the secrets are hidden by default
- Available badge shows the number of total integrations rather than number of integrated products
- "DAG", a term specific to the implementation, is replaced with "job"
- Page load time improved
Return button on the Lightning Assessment tool navigates to previous page in the workflow
Improved usability for the workspaces on a policy's scorecard view
Status and owner fields are adjacent on the requirement record form

Fixed

Automation Manager
- UCF integration appears as expected
- Jobs names can contain spaces
- Fetch Names button for the Tenable integration allows selection of an SSP for a parameter
- Running jobs appear as expected
- Job parameters match the CLI job parameters
- Performance is improved
Lightning Assessment content fully displays on the page
All required fields for creating a new requirement show a red asterisk
Control titles render correctly in the Collect Evidence workspace for a policy's scorecard

[6.2.0] - 2024-10-29

Changed

Improved styling for menu slide-outs on form tabs and user input controls
Addressed technical debt around color theming

Fixed

Switching between list view and dashboard view for Security Plans works correctly
User avatar appears in the header
Dark mode legibility works as expected
- Security plan dashboards
- Input fields in the Links subsystem
User's API token is set correctly after logging in
Warning prompt is shown if the user has unsaved input when creating a line of inquiry
Scan history and scan results charts have matching color schemes

[6.1.0] - 2024-10-28

Added

Report builder (Phase 1) that allows users to build and view reports for one level of data (i.e., a single module)

Changed

Browser inactivity timeout is configurable from the Security Policies admin panel
Improved performance when loading large lists of security controls or control implementations

[6.0.0] - 2024-10-22

Changed

Major version release to 6.0.0

Added/Updated

Advanced Workflow Automation Manager
New User Experience
Streamlined Workflows
Enhanced, compliance-trained AI
450+ integrations
Wayfinders, predefined, step by step guide for most common tasks

[5.82.1] - 2024-10-14

Fixed

File Access question type for questionnaires works as expected

[5.82.0] - 2024-10-14

Added

Ability to assign a specific questionnaire to a RegScale user from the Questionnaires tab on a Security Plan, Project, Program, Supply Chain, Capability, and Policy
Questionnaire responses (when tied to a specific control implementation) show on that control implementation
Submitting a questionnaire assigned from an SSP saves the questions and answers in the Properties subsystem to that SSP (API support only)

Fixed

Deviation requests require a Requested Risk Rating only if the Deviation Type is Risk Adjustment or Exception Request.
Auto-approved? field for POA&M issues only supports Yes or No values
Setting the security profile for a questionnaire works as expected

[5.81.0] - 2024-10-13

Changed

eMASS export auto-populated fields
- eMASS ID (SAP/SAR and SCF)
- Lab Environment Testing (SAP/SAR)

Fixed

eMASS-specific fields are hidden if the eMASS Fields setting (Modules and Features admin panel) is disabled

Security

Package/dependency updates

[5.80.0] - 2024-10-10

Changed

Questionnaire rules textbox displays more lines/rows

Fixed

Dropdown selections are unique
FedRAMP Deviation Request export contains the CSP name, system name, impact level, and submission date
Editing a categorization works as expected
Workflow created after uploading evidence to the Evidence Locker functions correctly
Saving an advanced search as a report works as expected
Readability improved for the RegML Extractor results form
Overall CIA categorization is dynamically updated to reflect the highest watermark value of the selected information types, including when a lower watermarked information type is chosen to override

[5.79.0] - 2024-10-10

Added

Initial API support for creating and updating export configurations for Excel-based templated exports

[5.78.1] - 2024-10-08

Fixed

eMASS SLCM report exports successfully

[5.78.0] - 2024-10-03

Added

Questionnaires
- Ability to link one or more security controls to a question
- Ability to resolve comments on a response; resolution is also shown on the Feedback tab
- Badge (reviewer side) that indicates questionnaire status
- Access code within the assignment email body
- Ability to delete a comment

Changed

Scoring columns are hidden if a given questionnaire doesn't have scoring enabled
Increased spacing between the page header and the list view header/content

Fixed

Page header for reports and questionnaire module fonts are consistent with the rest of the application
Electronic signature images for questionnaires render correctly in the Feedback tab
Selections for Inherent Probability/Frequency and Inherent Impact/Consequence/Severity appear correctly

[5.77.0] - 2024-10-02

Added

Column mappings for the eMASS SLCM export
Column mappings for the eMASS SAP/SAR export
Support for Criticality in eMASS SLCM export

Changed

eMASS CYBERSAFE export uses questionnaire data from the Files subsystem

Fixed

eMASS SLCM export shows custom fields as expected
eMASS SCF export displays the Info Type Identifier correctly

[5.76.1] - 2024-10-01

Fixed

Large white-label images are resized to 300x50 px

[5.76.0] - 2024-09-28

Added

Description column on the Controls tab for a risk record
Questionnaires
- Multi-factor authentication (MFA) support for questionnaire login
- Analytics tiles on the Scoring tab for a response
- Ability to email an assignee to request updates
- Ability for an assignee to only see questions/responses deemed unsatisfactory on a reopened questionnaire
- Overall percentage score/grade on Scoring tab

Changed

Questionnaires
- Questionnaire input form page
  - Consolidated layout
  - Submit button added at the bottom of the page
  - Submit button is always available even if the form isn't complete
- Response view is streamlined via tabs (Feedback, Scoring, Response)
- Login page uses the new design
- Back button on the response view navigates to the Responses list
- Assignment view is redesigned
- Bulk assignment option shows instructions
- Assignees can re-open questionnaires
- Rejecting a questionnaire also emails the assignee
Comments subsystem uses the new design
Improved design for assigning mitigating controls during a risk assessment

Fixed

Questionnaires
- Assignee name shows on the input form page if they are a RegScale user
- Feedback column works as expected on the Scoring tab
- QuestionnaireUser role works correctly
- Updating the title works as expected
- Show/hide question rules work as expected
- Submitting a questionnaire sets the state correctly
- Sending feedback via email to external users works as expected
- Access code check trims whitespace before validation
- Multi-answer question types are scored correctly
- Scoring row is hidden if the maximum score is zero
Time Travel subsystem correctly includes the most recent change
Managing Risk workspace on a security plan's scorecard has a list of risks that scrolls correctly
Inherent and Current Risk Scoring utilize the override values defined in the Advanced configuration of the Risk Configuration model
Risk matrix tooltips show current information after updating titles and guidance
Risk assessment
- Business impact assessment displays correct risk titles
- Updated business impact assessment values carry through to the final step of the risk assessment
- Mitigating controls are unique

Security

Improved logging around questionnaire access
Questionnaire access code is not shown in cleartext on the Responses view (replaced by Copy button)

[5.75.0] - 2024-09-28

Added

/api/deviation/getAllBySecurityPlan/{sspId}/{includeDrNumber:bool?}
Hour and minute resolution for Timeline subsystem entries
"Risk Accepted" status for security controls

Changed

Updated styling
- Dropdown menus
  - Modules
  - Workspaces
  - Status Boards
  - User Profile
  - Notifications
- Menu and header section
- Classification banner
- Page frame and header for all status boards
Dropdown menus are sorted alphabetically

Fixed

Calendar button color on date picker matches the UI theme
Links the Links subsystem navigate as expected
RegML Extractor results for objectives include the name of the parent control
ReadOnly user has access to Catalogues, Categorization Engines, and Security Controls modules
Areas render correctly in dark mode
- Navigation visualizer tab
- SSP Utilities tab icons
Set My Home Page at Login fields appears as expected on the user profile screen
Pending status is accurate for several dropdowns in the Issues module
Metadata values for each tenant load only when they are marked as active
Long module names (i.e., when customized) are truncated with an ellipsis

[5.74.0] - 2024-09-20

Added

OSCAL XML
- Ability to export with multiple implementation statuses and control origins
- Support (on import and export) for OtherId field from catalogs and security controls

Changed

SSPs can have multiple selections for implementation status and control origin

Removed

Support for OSCAL v1.0.4

[5.73.0] - 2024-09-19

Added

Informative alert that scheduled questionnaires are sent at 2am

Changed

Tailored SSP export also includes any evidence mapped via the Evidence Locker
FedRAMP Rev5 SSP (Word document) Table 11.1 refers the reader to a separate appendix

Removed

Validation rule that requires current risk score to be equal or greater to the target risk score

Fixed

Questionnaire template upload process is more resilient with regard to section numbers
My Activity section on the Identity & Access Management admin panel correctly shows a user's activity
Scheduling continuous monitoring for an SSP from a UCF catalog works as expected
RegML Extractor
- Process successfully runs to completion
- Results show control descriptions for controls without objectives
- Edits to control statements generated by the RegML Extractor save correctly
Inline parameter references display correctly in the Control Implementation form
Exports
- CMMC SSP export includes implementation statement and implementation status as expected
- eMASS export options are disabled when viewing a component
- eMASS SLCM export generates correctly
- FedRAMP Test Case Procedures export is enabled when viewing an SSP
Control Implementation list display performance improved
Navigational arrows for controls in an SSP work as expected
Visualization/charts in the History subsystem render correctly for each event type
Cancelling from the delete confirmation alert immediately returns the user to the page

Security

Routine package/dependency updates

[5.72.0] - 2024-09-18

Added

Ability to make an existing RegScale file accessible for download to a questionnaire responder/assignee
Ability to add tags to properties that enables users to categorize or mark properties as needed

Changed

SSP export satisfies the recommendations per SP 800-18 Rev1 (Guide for Developing Security Plans for Federal Information Systems)

Fixed

DOE SSP export Table 3 (Security Categorization of Management and Support Information) shows the correct information types, their CIA values, high watermarks, and information system categorization

[5.71.1] - 2024-09-12

Fixed

Risk Adjustment? value in the FedRAMP Rev5 POAM export works correctly
Inactive account cleanup task is scheduled to run daily at 3AM

[5.71.0] - 2024-09-11

Added

API endpoints
- POST /api/systemRoles/batchCreate to create multiple system roles
- POST /api/assessments/batchRecurringPreview/ to preview recurring assessments that would be created
Risk and compliance hygiene
- Ability to select a risk model in the Risk Assessment Wizard
- Ability to add a control in a risk assessment
- Spider chart for business impact assessment on the Risk Scorecard
- Ability to build and run financial models in the Risk Assessment Wizard
- Transfer as a risk strategy option
Software Bill of Materials (SBOM) is available at the component and SSP level
Description field for threat scenarios
RegML license acknowledgement prompt when enabling RegML from the Modules and Features admin panel
User interface enhancements (e.g., layout, style, typography)
Lines of inquiry for an assessment
- Citation and Line Type columns for grid view
- Support for collecting data based for various data types
Admin panel (and My Dashboard) widgets
- Error count by month
- User logins by month
- Activity by month
Risk assessments are enabled for programs and capabilities
Recurring questionnaire scheduling

Changed

Increased resiliency around missing data for catalogs list and update functionality
Each line of inquiry for an assessment can have its own attachment
Continuous monitoring Progress Report tiles can be selected to filter the list view based on the selected tile
FIPS Impact Level, Strategic Tier, and Contract Type are now optional fields on a supply chain record
Updated the Risk Assessment Wizard to work with Bring Your Own Risk Matrix feature
Default tests (if they exist) load automatically for a control implementation test plan
Lines of inquiry without the scoring flag set are ignored in the scorecard
When navigating to an audit in the CONMON view of a SSP, the progress report is the default
Yellow and other dark colors for informational alerts are softened to a lighter gray and use a different icon
Risk scorecard: trend lines are above heat maps
Redesigned Control Builder
- Always shows control
- Uses custom system labels
- Has more prominent progress visualization
- Provides clickable steps
- Fields auto-save after moving to another field
News Feed layout and styling are more cohesive

Removed

Transformer capability when printing a security plan
Risk Status Board
Default probabilities and default impact fields from Threat Scenarios
Inherent risk step from the Risk Assessment Wizard
Toggle to switch between previous and new forms layouts
FedRAMP Rev4 exports

Fixed

Export availability conditions work as expected
Control Builder
- Only shows fields marked as visible in the Custom System Labels admin panel
- Progress panel is updated as items are defined
New tenant setup Storylane works as expected
Continuous monitoring assessment records save successfully after being edited
Names of export format options display correctly
Importing a policy template and saving parameter defaults works as expected
Labeling and descriptions in the Project Builder match the functionality shown
PDF and Office document previews in the Files subsystem display correctly
Lines of inquiry
- List view shows titles without HTML tags
- Adding a new entry resets previous text input
- Planned Finish and Actual Finish can be the same date
Risk
- Annual loss expectancy (from a risk's Financial Modeling tab) appears correctly in the Risk Workspace scorecard
- Ad hoc lines of inquiry for an assessment display in the right-hand panel
- Risk treatment titles are required
- Risk status label renders correctly
Inactive user deactivation job runs correctly
Global admin account is excluded from account inactivity deactivation rules
Lightning Assessment
- Assessment Result, Differences, and Risk Model are required fields
- Implementation & Evidence section values are correctly mapped
Classification subsystem grouping works correctly if there is no family defined
Sorting catalogs by Catalog Date works correctly
Exception records can have the same value for Date Approved, Expiration Date, and Date Submitted
Recurring assessments work as expected
Service Level Agreement field is required for a workflow template
Custom systems label list displays as expected
New user login works correctly
Controls for the default control assessment schedule match the default assessment schedule set at the SSP
Assigning an embedded Wayfinder to an SSP works as expected
Deleting a risk configuration from the admin panel works correctly
Audit log entries for comments and links are created as expected
Programs and capabilities can be deleted if they have child records
Policy editor parameter editing works as expected
GeneralUser role has access to Categorization Engines and Security Controls modules
Milestone dates on programs update and display correctly
FedRAMP Rev5 Risk Exposure export is based off issues
Multiple consistency issues with New Forms

Security

Applied routine framework and package updates
Improved server-side model validation
Tightened role authorization for some APIs

[5.70.5] - 2024-09-10

Added

Risk Adjustment? field to the issues form to support POA&M export
IntegrationFindingId on issue records to support CLI integration (API only)

Fixed

Email settings are available if the RegScale instance is not hosted by RegScale (i.e., regscale.somecompany.com)
Exports correctly represent assets linked or related to other records
- eMASS Hardware/Software List
- FedRAMP Rev5 Inventory Workbook
Components shared by multiple SSPs display and export as expected

[5.70.4] - 2024-09-06

Fixed

Functionality (e.g., POA&M/issues export, Gantt chart view of POA&Ms/issues) that involves issue records correctly accounts for lineage (i.e., issues being child records of various other records such as security plans or components)
Efficiency of determining available exports is improved
FedRAMP Rev5 inventory report generates as expected

[5.70.3] - 2024-08-30

Added

Improvements to the FedRAMP Deviation Request export
- Evidence list
- Other Identifier field to track FedRAMP DR numbers of imported deviation requests

Fixed

FedRAMP Deviation Request export
- Null dates are handled correctly
- Mappings of Deviation Request calculator values for Availability, Confidentiality, Integrity, Attack Vector, Remediation Level, and Initial Risk Rating are correct

[5.70.2] - 2024-08-29

Security

Applied security updates to components

[5.70.1] - 2024-08-26

Fixed

FedRAMP Rev 5 POA&M export shows closed POA&Ms and expected values in columns A, E, F, H, J, U, and V
POST /api/data/ returns the ID of the created data record

[5.70.0] - 2024-08-21

Removed

NIST 800-60 identifier for Associated Information Type column in Section 6 of the tailored SSP export
Action column in the Related User Information table for groups on the My Profile admin panel
General access to GET api/securityplans/exportFedRAMPPoams/{intId}/{version} as it's not needed as part of the public API

Fixed

Deep links in a Wayfinder correctly place the input focus on the desired form field
Catalog category dropdown has unique entries
Fields in advanced search for catalogs have unique entries
A validation warning appears (Ports and Protocols tab for an SSP) if the start port is greater than the end port
GET api/securityplans/export/{intId} returns a 404 response if the given ID cannot be found
PUT /api/files/renameDuplicateFileName/{parentId}/{parentModule} generates a display name if its previous value was empty or null
RegML Chatbot icon appears correctly
FedRAMP POA&M export completes for large numbers of POA&Ms
Job to check for inactive accounts runs as expected
All action tiles in the upper right of the CISO dashboard appear correctly
Program record and capability record (JSON) exports work as expected
Dashboards link above list views is disabled if there are no dashboards to view
List of vulnerabilities under an SSP only shows open vulnerabilities
Updated control parameter values appear correctly in the FedRAMP Rev 5 Appendix A and OSCAL XML (SSP) exports

[5.69.0] - 2024-08-21

Changed

Menu items for data entry, subsystems, and utilities for a given record's form are sorted alphabetically
Grid views where it's possible to create new records show a Create New button

Fixed

Numerous fixes (e.g., validation, consistency, console errors) for new forms
Descriptions for parts of a security control do not contain HTML tags
Files (subsystem) list refreshes after an upload finishes
New programs created under the Supported Programs tab for a capability are correctly linked to that capability
User avatars (i.e., generic avatar, user initials, photo) display consistently in grid views
Risk financial modeling shows the correct number of decimal places for financial values

[5.68.0] - 2024-08-17

Added

Support for API endpoint versions (both directly and in Swagger)
Control Framework Gap Report that explains how a current framework satisfies other frameworks within RegScale

[5.67.0] - 2024-08-09

Added

Automation Manager provides the ability to...
- View logs of executed jobs
- View the configuration used to trigger a job

Changed

Webhooks and Message Queue are listed separately in the Automation Manager

Fixed

Automation Manager
- SAML integration tile shows as expected
- Job names can only contain alphanumeric characters, periods, underscores, tildes, colons, plus signs, and hyphens
- Available integration tiles render correctly
Catalog list displays correctly even if UCF authentication fails

[5.66.0] - 2024-07-30

Added

Ability to check for and apply updates to installed UCF catalogs, which includes a update preview report

[5.65.0] - 2024-07-30

Added

Ability to disable Certificate Revocation List (CRL) checks in MailKit

Changed

FedRAMP POA&M export has default column values and handles missing data
FedRAMP Rev 5 SSP Appendix A includes the full control implementation statement
CMMC SSP Report export lists requirements alphabetically
Webhook calls are non-blocking to improve performance

Fixed

Excluding Metadata Fields option for exporting a catalog works correctly
Category field for a catalog can be edited
Other ID field for a catalog is not a required field
Exports work correctly:
- Tailored SSP export
- FedRAMP exports
- Deviation Request export
- CMMC SSP Report export
- OSCAL POA&M (XML) export
Built-in catalogs and catalogs from the RegScale website work as expected:
- NIST 800-82 Rev 2 overlay (moderate)
- SOC 2 Version 2020.3
- CSA Cloud Controls Matrix (CCM) Version 3.0.1
Creating a vulnerability mapping via the API works correctly
Vulnerability scan results rollup/chart shows correct results
Email configuration fields appear as expected in the Setup admin panel

[5.64.0] - 2024-07-25

Added

Vulnerability mapping API endpoints
- GET /api/vulnerabilityMappings/findByVulnerability/{vulnerabilityId}
- GET /api/vulnerabilityMappings/findByAsset/{assetId}
- GET /api/vulnerabilityMappings/findByIssue/{issueId}
eMASS exports
- Several fields and validation rules in the PPSM export
- Updates to the SCF export

Fixed

Questionnaires
- RegScale users with the GeneralUser role can access assigned questionnaires
- Non-RegScale users are not required to authenticate before accessing assigned questionnaires
- Assignment by email works as expected
API for updating a vulnerability correctly handles null values
DADMSId field for an asset record saves successfully
API for creating a security plan does not require the DITPRID to be defined

[5.63.0] - 2024-07-23

Added

Vulnerability lists on security plan and asset forms now have a...
- Column that lists how many assets are impacted
- Drilldown view to show impacted assets for a given CVE
- Details link to an external site that provides more details about a given CVE
Create POA&M button on vulnerabilities detail form
Support for currencies other than USD (configurable per tenant)
Automation Manager: ability to copy the Airflow token to the clipboard before the token is hidden

Changed

Automation Manager
- Fields for specifying a security plan are drop-down lists with security plan titles
- Keys and Secrets screen shows which keys are required for jobs
- List of integrations is dynamically generated based on available jobs
- Keys for a given integration that have no defined secret/value show as blank

Fixed

Sorting by a given column on the vulnerabilities grid view for a security plan works correctly
Automation Manager external documentation links work as expected

[5.62.0] - 2024-07-23

Added

Feature flag for having New Forms be the default view

Fixed

Multiple issues with New Forms

[5.61.0] - 2024-07-19

Added

Support for inactive account deactivation
- Setting on the Security Policy Configuration admin panel
- Warning email sent in advance of user deactivation
- Users are deactivated if they exceed inactivity limit

Changed

Security

Strengthened existing security measures

[5.60.0] - 2024-07-15

Added

StateRAMP Moderate catalog
FedRAMP Low Appendix A export
Ability to export Other ID fields in catalog export

Removed

OSCAL JSON exports

Fixed

Webhooks
- Asset status webhook triggers when updated
- Casual Analysis status webhook triggers when updated
- Removed duplicates in webhook list
- Questionnaire deletion webhook triggers when updated
- Incident status webhook response includes current and previous severity
- Default control assessment field is included in webhook responses
- Facility and Organization fields are included in webhook responses
Generating policy template export works as expected
Assessment mapping in FedRAMP Test Case Procedure Workbook works as expected
Licensed user count does not include disabled users
Last evidence update is included in Evidence export
Requirements section of CMMC SSP export works as expected
FedRAMP POAM export includes all issues
Resolved issue with being unable to enable RegML in specific environments
Inherent risk calculates as expected
Security Controls breadcrumb navigation works correctly

[5.59.0] - 2024-07-03

Added

Ability to remove questionnaire assignments
Filtering controls on the SSP Scorecard that have a specific status (e.g., Not Implemented)

Changed

Control Builder supports custom labeling
Deviations utility for issues uses the page's main save button to save changes
Button for creating a child record is only available on records that support child records

Removed

FedRAMP SAP and SAR export options at the security plan (SSP) level
RegML button from the catalog form

Fixed

Multiple issues addressed in new forms functionality
Vulnerability ID field for issues is editable
Assessment by Status card on the Assess Program dashboard shows the correct record count
FedRAMP CIS/CRM export generates into the Files subsystem as expected
Editing the last assessment for a control implementation works correctly
DADMS ID field for assets works as expected
Access control inheritance for an SSP's security controls works correctly
Creating capabilities under a program works as expected
Viewing records in the Data subsystem works correctly

[5.58.2] - 2024-07-01

Fixed

Webhook fires correctly when assessment results are modified

[5.58.1] - 2024-06-28

Changed

Quality Assurer selection moved to a more appropriate location for the issue screen process
Causal analysis limited to a single causal record following a rejection by the screener

[5.58.0] - 2024-06-28

Added

Dashboard widgets
- Control status by family
- Control maturity by family
- Control maturity by SSP
- Control last assessment result by SSP
Continuous Monitoring (ConMon)
- List of deliverables
- Ability to load deliverables based on FedRAMP categorization
- Ability to upload deliverables
Explanation field for causal analysis records
Prompt to auto-close an assessment if the last line of inquiry is complete
Feature flag for financial marketing data entry tab for risks (Enterprise only)

Changed

Lines of Inquiry manual entry form resets after creation, making it easier to manually add multiple entries
Save button moved to the top of lines of inquiry entry form
Workflows only require comments for rejection
Risk scorecard displays current risk before target risk
Required fields for issue records are grouped together
Risk treatment control description field is a WYSIWYG editor

Fixed

Deleting a widget from the dashboard works as expected
Certain dates must be the current date or earlier
- Issue first detected
- Issue completed
- Assessment actual finish
- Causal analysis completed
- Task completed
Risk scorecard labels are aligned correctly
Back button works as expected after creating a Kanban task
Unsaved changes notification appears correctly for line of inquiry form
Quality assurer field displays when selected
Setting the inherent risk updates the risk scorecard correctly
Canceling the creation of a new risk treatment works as expected
Selecting a control for a risk treatment dismisses the selection modal

[5.57.2] - 2024-06-21

Fixed

Catalog import process only removes existing controls that aren't present in the new catalog

[5.57.1] - 2024-06-21

Fixed

Risk Scorecard for a risk updates after a risk assessment is finalized
Inherent risk score updates correctly
UCF tab for catalog import is only available if the UCF API key is populated

[5.57.0] - 2024-06-17

Added

Deviation Request export for FedRAMP

[5.56.0] - 2024-06-16

Added

Build your own dashboards, including widgets for
- Systems for highest annual loss expectancy
- My risk assessments due soon
- My issues due soon
- My tasks due soon
- My evidence due soon
Evidence Locker workflow
Asset by Component view for an SSP
Ability to set default landing page per user
Rollup reporting for vulnerabilities and CVE in the Security Plans module

Fixed

Issue lifecycle prompts work as expected
API /api/authentication/validateToken works correctly in IIS
My History API performance improved through pagination
Links subsystem
- Editing works as expected
- Links can be deleted
"Job Title" field for a user is available via GraphQL
API for getting groups by user and users by group works correctly
Lines of inquiry render correctly on an assessment plan
Control Builder works correctly if a control's user has been archived
SSP implementation objectives must be unique
SSP parameters must be unique

Security

Routine updates applied to packages

[5.55.0] - 2024-06-14

Added

Catalog registry to provide catalog state
Ability to update an existing catalog
- Update report of what elements will be added, deleted, or updated
- Archival of existing catalog before applying updates
Ability to import UCF authority documents (catalogs) and associated controls

Removed

Integrated catalogs feature flag

Fixed

Security control references are imported when loading a catalog
Catalog IDs must be valid when working with security controls via the API
Control identifiers must be unique within the same catalog
Creating a new record from the workbench works as expected
Webhooks for both capabilities and programs fire as expected
Tailored SSP export includes correct field values
Functional roles can be deleted
SSP scorecard renders correctly
eMASS SCF export produces results that can be successfully imported into the eMASS system

[5.54.0] - 2024-06-13

Added

Integrations listed in the Automation Manager (AlienVault, Azure Active Directory, Azure Intune, CrowdStrike, Qualys, Salesforce, Sicura)

[5.53.0] - 2024-06-11

Added

"Description of How Information Type is Contained in System" field on Available Information Types data entry tab for an SSP

Changed

List of control instances for the Evidence Mapping System is alphabetized
SBOM export (JSON) for an asset is pretty-printed

Fixed

eMASS SCF export guards against invalid users
eMASS SCF export description fields are populated correctly
Risk configuration updates propogate correctly
eMASS SLCM export option only appears if all data exists to generate the report
Export option availability works correctly when and SSP has no assets
.xlsm file type is supported for SSP exports
Ports and protocols boundaries for an SSP display as expected

[5.52.0] - 2024-06-10

Added

Ability to create a new child issue from within the Issues tab on an SSP record

Changed

Issues tab is always displayed for an SSP

Fixed

Login banner appears after logging in
New forms
- Evidence collection workspace displays correctly
- Step navigation works as expected for the Control Builder
- Forms for creating a new capability, program, risk, issue, component, or asset records only shows relevant tabs
- Organization field for a capabilities record populates correctly
- Tags can be added to RegScale-generated files in the Files subsystem
- Security Profiles chart view renders all charts as expected
- Creating a security control that is a child of a catalog works correctly
- All parts for a control implementation save as expected
- Creating a new risk record works correctly
- Security profile record validation works as expected
- Creation of new threat scenario and component records works correctly
- Files subsystem refreshes the view after an export is generated
- Navigating to a new-record URL when logged out navigates to the login page
- Mappings and Control Implementation tabs for an evidence record display correctly
- Deletion of an evidence record works as expected
- Implementing Roles can be deleted from a security control
- Validation for Status field when creating a new SSP works correctly
- Text for the export modal renders correctly in default and dark themes
- Objective options for a control can be archived
- Required field section of the new form cockpit shows the expand/collapse icon

[5.51.0] - 2024-06-07

Added

Security Categorization Form (SCF) export
eMASS System Level Continuous Monitoring (SLCM) Implementation Plan export

[5.50.0] - 2024-06-06

Added

Endpoint to get all scan history records by parent filtered by date

Fixed

Component mapping APIs work as expected
Unsaved-changes check for Questionnaires works as expected
Control implementations support soft-deleted controls
Assessment Methods tab in the eMASS SAP/SAR export contains correct data
Categorization tab (new forms) on an SSP displays correctly
Inherited controls appear as Implemented in the SSP XML export
RegML Extractor correctly lists the controls a policy satisfies
FedRAMP Rev 5 SSP export's Leveraged Authorization section is correctly formatted

[5.49.3] - 2024-05-30

Changed

List of system roles for an SSP automatically updates when a role is added, updated, or deleted
Alert shown if assigning an external user to a system role on an SSP when there are no stakeholders in the subsystem

Removed

Issues from the SSP scorecard

Fixed

SSP scorecards
- Status icons show for inherited controls
- Correct status shown even if multiple SSPs inherit from the same profile
- Planned or In Remediation tile displays correctly in new forms design
Exported documents do not contain a watermark
Creating and saving a new workflow works as expected
RegML chatbot feature restored that supports providing content from ReadMe and FedRAMP's website
System roles created during an SSP import can be deleted
Saving duplicate implementation objectives is prevented

[5.49.2] - 2024-05-23

Fixed

Control Builder (Build Mode for a control implementation) works as expected
Control Builder for one SSP only updates control implementations for that SSP even if other SSPs imported the same controls

[5.49.1] - 2024-05-23

Added

Back button on the security controls options view for when there are no objectives
New endpoint POST /api/implementationObjectives/deleteDuplicates to remove duplicate implementation objectives

Fixed

Improved validation to prevent the creation of duplicate implementation objectives and parameters
Control owner name in the Control Builder defaults to "Unknown" if the owner could not be found

[5.49.0] - 2024-05-23

Added

Toggle for legacy and new forms design (shown on the record view/edit form)
Ability to "deep link" to a specific form tab or form field; this feature is also used for Wayfinders
Preventative Actions section on the Controls tab for a risk record

Changed

Increased web accessibility with expanded keyboard navigation and screen reader support
Tools for a given form moved to a new context menu dropdown for new forms design
New features from the past several releases work correctly with the new forms design
RBAC renamed to Security in the context menu dropdown
Improved action button UI for the Files subsystem
Added spacing to multi-select checkboxes
Improved styling and UI for Wayfinders

Deprecated

Feature flag for new forms design

Fixed

Several minor defects in the new forms system have been corrected
Email Configuration settings save as expected
Enabling modules and features in the Admin panel works as expected
Newly created links in the Links subsystems section of an SSP save as expected
Record security modal window renders correctly
Resetting custom fields works as expected
Continuous monitoring exports generate correctly
Tabs containing required fields for creating a new SSP are visible
Exports generated to the Files subsystem appear as expected
Correct hash type (MD5 or SHA-256) badges appear next to file names in the Files subsystem
Help icon for a module's scorecard view directs the user to the documentation
Creation and viewing of SSPs and security controls are no longer blocked by the progress spinner
Recurrence Wizard is configured to handle recurrences for assessments
Deleting a causal analysis record navigates the user back to the list view
White buttons have a drop-shadow so they're easier to see on a white background
Utility modal windows load correctly

[5.48.0] - 2024-05-22

Added

New endpoint GET /api/access/GetLevels/ that determines a user's access (i.e., None, Read, Update) to given entities
RegML learning and output can be performed over related documents for the current module
RegML chatbot (Reggie) can be asked questions based on RegScale's ReadMe site and FedRAMP's website; responses include links to those information sources

Fixed

Reggie fails gracefully if there are issues with storage or search

[5.47.0] - 2024-05-17

Added

Parameter guidance is imported from OSCAL-based catalogs and displayed when users are populating parameters

Fixed

Group permissions for child records are correctly inherited from parent records
Updating catalog records works as expected
Batch creation of issues correctly links parent record ID
User retrieval APIs have the correct required fields
Security Plan Users can view Evidence Locker records
Workflow Approvers can approve workflow steps
Viewing a workflow step from the Notifications panel works as expected
Tenant list appears when the global admin logs in
ID field is available in advanced search for both Programs and Capabilities modules
Sort ID fields within catalogs are imported and used for listing security controls in that order

Security

Global admin account has more restricted access
Safeguards for account unlock function increased

[5.46.0] - 2024-05-17

Added

OSCAL XML exports for Rev 5
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)

Changed

Updated OSCAL XML SSP, SAP, SAR and POAM exports to include all required information to pass NIST OSCAL CLI validations
Made additional updates to OSCAL XML SSP, SAP, SAR and POAM exports such that they validate correctly for file conformance, as well as the majority of FedRAMP Schematron validation requirements
Creating and updating issues via the API support providing the Control ID

Fixed

FedRAMP Rev 5 OSCAL XML SSP, SAP, SAR and POAM exports
- Back matter section does not include a non-displayable character
- Embedded base64-encoded images and other encoded characters are not included in the SSP XML export for description fields
Control implementation options update API's validation check for duplicates works as expected
SSPs can be saved without defining confidentiality, integrity, availability, and overall categorization

[5.45.0] - 2024-05-14

Added

Web accessibility features for the Notifications menu

Changed

Most exports are generated directly to the Files subsystem rather than via browser download
Security control ID is listed in the Evidence Mapping System

Removed

"View" button from system-level file tags in the File Tag Manager (Admin page)

Fixed

Exports
- Categorization must be specified before the FedRAMP Test Case Procedure export option is enabled
- FedRAMP POA&M Export (OSCAL JSON) functionality works as expected
- FedRAMP POA&M Export (Excel) accounts for Rev 5 Configuration Findings
- Default control parameters are passed to the control implementation such that they appear as expected in an export
- Column P (SSP Implementation Differential?) in FedRAMP Test Case Procedures export is blank if there is no differential
- FedRAMP Integrated Inventory Workbook (Appendix M) export matches the template format
API
- POST and PUT for /api/securityplans return a 400 status when required fields are missing or invalid field data is provided
- POST and PUT for /api/profiles return a 400 status when required fields are missing
- Documentation for POST and PUT for /api/issues matches API behavior
- Swagger page section for GET /api/customFieldsData/{id}/{moduleID} works as expected
Minor UI corrections (e.g., typos, button content alignment, and tooltip text)
"View" buttons support right-clicking (i.e., provide an option to open in a new browser tab)
Compliance Visualizer modal is horizontally centered
"% Complete" field labels for projects and tasks are customizable
Child issues for a security plan that are designated as POA&Ms save as expected
Metadata seeding (Admin page) works as expected
Username fields populate correctly on page refresh
Security control inheritance completes as expected
Creating a standalone questionnaire from an existing questionnaire saves as expected
Security plan scorecard shows the correct number of icons (with correct statuses) for each part of a given security control
Advanced search fields for Assets are unique
Control implementation part option edit modal is populated once opened
Control implementation status remains set correctly after clicking "Auto-Score Overall Implementation"
Catalogs can be edited by any user that has the appropriate permissions
Copying a security control record works as expected

Security

Removed an unsupported library

[5.44.0] - 2024-05-13

Added

Two-way encryption for SAML single sign-on (SSO)

Fixed

Ports and protocols that are either directly or indirectly related to an SSP are included in the FedRAMP Rev 5 SSP export
Child and grandchild risks, issues, and assessments work correctly at the SSP level

[5.43.0] - 2024-05-09

Added

Workflows
- Fields for SLA, duration (auto-calculated)
- Workflow SLA Performance report

Changed

Default parameter type in the Control Builder is "string"

Removed

Module selector from the Workflow

Fixed

Workflows
- Clicking "Back" only alerts the user if there are unsaved changes
- Steps are sorted correctly
- Approval interface works as expected
- Module column in the workflow list populates correctly
- Assignments for owners and assignees appear correctly in users' notifications
- Workflow initiation and completion send email notifications
- Workflow slider list has higher visual contrast
Workspace dropdown links render correctly in dark mode
RegML response notifications have higher visual contrast

[5.42.0] - 2024-05-04

Added

Cryptography tab on the security plan form to support FedRAMP Appendix Q export and cross-linking with Ports and Protocols tab
Classification Configuration admin panel
- Family, identifier, and load fields
- Search capability
- Ability to export and import configurations
Details modal for information types on an security plan's Categorization tab
Ability to search/filter Classification subsystem items by family and identifier
External Services tab to show existing interconnects and allow adding new interconnects
Control Builder
- Ability to remove an implementation option
- Ability to link a control to a policy
- Additional Save button at the top of the Parts viewer
Questionnaire tab on program form

Changed

Security Plan form
- Names of fields and their "required" status on the Leveraged Authorization tab
- Cloud Info tab renamed to System Information
- System Owner, ISSM, ISSO, and AO moved to System Information tab
- "Required" fields for Ports and Protocols
- Classification fields moved to System Information tab
- Classification subsystem is visible when viewing the Categorization tab
- Bulk Editor on the Scorecard tab supports changing the Inheritable? field
- Categorization tab and Categorization subsystem have the UI for selecting information types
Control Builder
- Responsible field renamed to Control Origin
- Levels for control implementation parts are auto-generated if they remain blank
My Activity list has a more consistent and compact appearance

Deprecated

Control Context Viewer; functionality is available via View Mode on the Requirements tab for a control implementation record

Removed

FedRAMP tab on the Control Implementation form
Key Dates tab on the Security Plan form

Fixed

Leveraged Authorization dropdown in the Control Builder works as expected
System Owner dropdown excludes service accounts

[5.41.0] - 2024-05-01

Added

Automation Manager -- a new, centralized hub for configuring integrations and automations

[5.40.0] - 2024-04-30

Added

Link to SAML documentation on its configuration panel
Caching of frequently used tenant and configuration operations to improve application performance over time
API endpoints to upload and delete Wayfinders
API endpoint to get all assets by parent

Changed

Save button on an Admin panel only saves settings for the active page
Password rotation frequency and session length settings have defined upper limits
Wayfinder selection dropdown is dynamically generated to support new Wayfinders being added

Fixed

Save functionality for Modules and Features configuration page works as expected
Back button on SAML Configuration modal works as expected
SAML single sign-on redirect works as expected
Catalog Importer works as expected
GET /api/config/indexLogs works as expected
Reset Child Record Permissions button on a security plan set associated asset group access with the same access as the security plan
Observations and Gaps columns on the Tests tab for an assessment exclude HTML tags
RegML Extractor produces control objectives that include the name of the parent control
Batch creation and update set record group access based on the parent record's access level
Greater/less than or equal to operators in questionnaire rules work as expected

[5.39.0] - 2024-04-25

Added

Control bulk editor -- shows everything on a single screen and allows reassigning owners in bulk
Programs and Capabilities modules -- provide the ability to capture core processes and report on enterprise risk
Control Builder Wizard -- streamlines the writing of control implementations via a guided experience
File tagging -- gives the ability to organize and identify certain types of attachments
Tenant export/import -- allows admins the ability to save and restore settings
Classification subsystem
- Search bar
- Adjustable C/I/A values with adjustment rationale
Webhooks for security control creation, link creation, and comment creation
Managing Risk workspace for the SSP scorecard
- Risk Control Self-Assessment (RCSA)
- Analytics rollup
Additional fields for Risk Treatments and Risk Assessments
Count of risk treatments column for the Risks list view
Ability to track due date slippage for tasks in the Kanban system
Password rotation frequency configuration and enforcement

Changed

Improved performance on batch operations (e.g., creation) and general query operations
Updated validation for implementation option APIs
FedRAMP tab values for a control implementation are set automatically based on how Parts are implemented
Classification subsystem has a tabbed interface
Improved description of the Builder utility for supply chain records
Primary system role has a more prominent location on the Implementing Role tab for a control implementation
Notification performance is optimized
Group Manager admin panel shows the number of members for each group
Risk records
- Residual Risk now called Current Risk
- Input fields for Threat Scenario tab fields support rich-text formatting
- Added new fields for Threat Scenario tab
- Validation rules relaxed for Inherent Probability, Inherent Consequence, Target Risk Score, and Inherent Risk score
Improved performance for Compliance Visualizer
Threat Model validation rules relaxed for Default Probability and Default Impact
Threat scenarios are linked to risk created using the Risk Assessment Wizard via a threat model
Improved image rendering performance

Deprecated

Integrations that are now managed by the Automation Panel via the CLI
- Jira
- ServiceNow

Removed

Title column from the My Activity graph drilldown in the Workbench
Risk recommendation field

Fixed

Classification fields on the SSP categorization tab have the correct labels
Dismissing notifications for workflows works as expected
Classification subsystem displays the selected classifications of the SSP and the justification that was previously defined
SSP export option availability works as expected based on the SSP's child records
Parts and Parameters tabs are visible in the scorecard view of an SSP
Risk treatments associated with a risk are displayed in the Risk Assessment Wizard
Requirements records display as expected
Questionnaires created via API can be edited in the application as expected
RegML icon is only used for AI-related features
SSP scorecard filter for Planned or In Remediation works as expected
Profile importer progress indicator message is more informative
Wayfinder modal close button and Workspaces dropdown option appear correctly in both default and dark themes
Control implementation IDs in the SSP scorecard render correctly
Page footer
- Sandbox link points to the correct URL
- License edition shows correctly after login
- Copyright year is the current year
Notification metadata is logged
Risks can be deleted if they have child records from an assessment

Security

Stronger hashing mechanism for Time Travel entries
Hardened page caching rules
Stricter GraphQL role-based access control
Password reuse prevented

[5.38.0] - 2024-04-12

Added

Wayfinders support links to content outside the RegScale platform
Overall categorization (via Categorizion subsystem) values can be adjusted with justifications to support the eMASS Security Classification Form (SCF)
Users can self-assign questionnaires using single sign-on (SSO)

Changed

Vulnerability scan results for an asset are shown by scan date
eMASS export options for a security plan are generally available (i.e., no longer in Beta)

Fixed

Responsibility field on the Control Implementation tab for security plans is customizable
Security controls can be copied for the same parent catalog
Email icon is available in the top toolbar
Hiding Control Implementations fields via the Custom System Labels feature works as expected
Unsaved data alerts only appear when leaving the current page
FedRAMP Rev5 SSP exports use items on the References tab
- Appendix B refers to Acroynm items
- Appendix C refers to Policy and Procedure items
- Appendix D refers to User Guide items
Updating issues in batch via PUT /api/issues/batchUpdate works as expected
Actions involving catalogs (and their subparts such as controls) take into account whether or not records are archived
Newly added users are immediately available as questionnaire owners
Issue screening marks records as screened
eMASS exports
- Hardware Software
  - Includes assets at both the SSP and component level
  - Includes FDQN as the device name (if specified); otherwise, the asset name is used
- PPSM includes POC phone number if defined; otherwise, the cell is highlighted
- POAM export is available if any issues marked as POA&M exist at any level within the security plan
Various fixes to support test automation

Security

Routine updates to packages/modules

[5.37.1] - 2024-04-10

Fixed

Changes to tenant settings are limited to the specified settings within that tenant

[5.37.0] - 2024-04-09

Added

Ability to set and enforce a session inactivity timeout

Changed

Improved FedRAMP Rev5 OSCAL exports
Catalogs, security controls, and categorization engines support soft-delete (i.e., archival)

Fixed

NIST 800-53 Rev5 security profiles

[5.36.1] - 2024-03-29

Fixed

Lightning Assessment test navigator dropdown shows all available tests, and test information changes appropriately when toggling between tests
eMASS Hardware Software List Export (.xlsx) is available when an asset is in a security plan at any level (i.e., security plan, component) with only the minimum fields completed
eMASS PPSM Export correctly shows the system owner phone number so long as it's defined in at least one of the phone number fields for that user

Security

Critical security patches

[5.36.0] - 2024-03-29

Added

Questionnaires
- Ability to grade and score questionnaires using the rules system
- Rule for enabling/disabling score display on the responder's view
- Validation messages for when rule conditions are invalid
Further enhancements and improvements for Forms Redesign (BETA)

Fixed

Questionnaires
- Save operation works correctly if no rules exist
- Import of a questionnaire (Excel) with multiple lines for single-answer questions works correctly
- Imports where sections are not correctly defined yield default sections

[5.35.0] - 2024-03-19

Added

Initial implementation of the RegML chatbot (Reggie)
Security Impact Assessment field on Change Request records

Changed

FedRAMP Rev 5 Appendix A export...
- Lists all implementing roles for each control
- Orders parts under security controls and parts in alphabetical order
FedRAMP Rev 5 Inventory export...
- Saves to the Files subsystem
- Includes assets directly linked to the SSP
FedRAMP Rev 5 SSP export labels single parts of security controls correctly
eMASS Ports and Protocols (PPSM) export works when any asset in the SSP or components in the SSP have assets that define ports and protocols

Fixed

Activity tab of the News Feed workspace works as expected
Save issues/errors for a new SSP record keep the user on the current form
Warning alerts are shown if a user tries to navigate away from unsaved changes on a/an...
- Existing Risk record form
- New Profile record form
RegML icon/button appears consistently when the feature is enabled
Advanced Search works as expected
Reloading questionnaires and profiles works as expected
Adding privacy records under an SSP works as expected
Questionnaire import and export work as expected

[5.34.2] - 2024-03-15

Fixed

Files subsystem and Evidence Locker store contents correctly

[5.34.1] - 2024-03-14

Fixed

Fixed issue validation rule with due dates
Default tenant color theme is set correctly

[5.34.0] - 2024-03-14

Added

Ability to create implementing roles from the Control Implementation form
eMASS Hardware Software export is generated directly into the Files subsystem
Deviation management system (in the Issues module as a utility)
Common Vulnerability Scoring System (CVSS) as part of the deviation management system
API to look up a vulnerability from NIST National Vulnerability Database (NVD) via /api/vulnerability/lookupCVE/{cveId}
White labeling support (i.e., custom logos) via tenant configuration in the Setup panel
Ability to choose small or large RegScale page footer size via the tenant configuration in the Setup panel
Email templating via the notifications configuration in the Setup panel
New filters for assessment status in the Evidence Workspace
Ability to resend an access token for a user via the User Management System
Reports
- Issue by Security Plan and Deviation Status
- Evidence Freshness Report

Changed

Tailored SSP export pulls control type from the Responsibility field in the control implementation
Evidence Locker system now integrated with the Evidence workspace
Evidence Workspace can launch Lightning Assessments
Google Authenticator setup sends a user access token via e-mail that can be used to unlock a QR code in the RegScale app
File upload progress bar auto-closes once the upload is complete

Removed

Automation panel from the Setup page; now located in the User menu

Fixed

Details from inherited controls from a different SSP appear in the SSP export
Leveraged authorizations for an SSP save as expected
Responsible roles populate correctly for all controls in the FedRAMP Rev 5 SSP Appendix A export
Drilldown appears when clicking on the My Activity chart in the Workbench
eMASS POA&M export
- POA&M comments appear as expected
- Each device has its own line in the Devices Affected cell
- Multiple milestones are listed chronologically on their own lines in the Milestone with Completion Dates cell
Tenants with no defined risk matrix will have a standard matrix created automatically
Search functionality in the Evidence workspace for an SSP scorecard works as expected
Issues form loads without console errors
Password generation functionality on the New User setup form updates password criteria validation

Security

Updated packages for Angular, NgRx, Kendo, and other supporting packages
New user workflow generates separate emails for username and temporary password
Ability to disable password distribution via email (in Security Policies in the Setup panel)
Changed password cannot be the same as the previous password

[5.33.0] - 2024-03-06

Added

Wayfinder
- Saving progress
- Ability to enable/disable via the Modules and Features Configuration screen

Changed

Wayfinder task buttons show only if there are activities to complete
New security controls have a default control type of Stand-Alone
Security controls created via catalog import have a default control type of Stand-Alone
Exported catalog fields use empty strings to represent null values
Hierarchy of facilities within the selection drop-down shows as expanded by default

Deprecated

Removed

Service accounts no longer receive emails, as those inboxes are often unattended
Questionnaires module link from the User menu

Fixed

Wayfinder
- Completed activity count updates correctly when tasks are marked as completed or incomplete
- Each SSP has its own Wayfinder
NIST 800-53 Rev 4 catalog import completes as expected
New security control records show as public
New security control record form saves properly with non-required fields
Security Controls tab for a catalog shows the control ID in the list view
Navigating to the Security Controls tab on the new catalog form does not prompt the user about unsaved changes
Chart view for Security Profiles renders correctly
Exported date fields for Change records from the API and the web app both match
GraphQL token link appears correctly upon dashboard refresh
Risk treatments and mitigating control implementations both carry over during a risk assessment review
Creating a child security control for a catalog works as expected
Analyzing Risk task on a lightning assessment works as expected

Security

[5.32.0] - 2024-02-28

Added

NIST CSF 2.0 catalog

Changed

eMASS Export Support
- DITPR ID field added to security plan records
- Network Approval and Last Date Allowed fields have DADMS prefix
- DADMS Last Date Allowed field loads correctly after form refresh
- Acronyms in the software inventory are not highlighted if they are defined
- PPSM export is available when Ports and Protocols exist on the security plan
- Devices Affected cell contents are delimited by line breaks
- Ports and Protocols tab on the Security Plan form supports selecting one or more listed boundaries
- Added verification of system owner before generating export
Bug Fixes
- Drilldown modal for the Events chart under the Activity tab of the Newsfeed lists corresponding events
- Importing the FedRAMP Rev 5 High Baseline bundled catalog imports the correct revision
- Workflow emails are no longer sent to unattended service account inboxes (i.e., admin@admin.com)

[5.31.0] - 2024-02-23

Added

Evidence in the Evidence Locker can be mapped to multiple controls in the same component(s) or security plan(s)
Evidence Locker record View button supports browser right-click context menus

Changed

Policy scorecard no longer shows compliance score percentage
Commas for checkbox-type questionnaire questions are disallowed (replaced by spaces)
Bug Fixes
- Tasks dashboard graph shows correct y-axis label (status)
- Navigating lines of inquiry on an assessment only prompts to save if there are unsaved changes
- Components module link visibility is correctly controlled via the Modules and Features setup screen
- After reviewing and finalizing a risk assessment, the user is redirected to the Risks tab for the newly created risk
- Empty/incomplete profiles cannot be created
- Date Closed field is not required for Risks that are not Closed or Cancelled
- RegML Auditor modal has correct title
- Supply Chain records with a CAGE code display correctly
- API PUT /api/securityplans/{id} gives the correct response if the approval date is after the expiration date
- Threat model export option displays correctly
- Threat model export process works as designed
- API GET /api/accounts/getRolesByUser/{strUser} returns the correct response if the user does not exist
- Purhcase Date and End of Life Date fields for assets respect local time
- API GET /api/securityPlans/getList returns a smaller, more efficient set of data
- When creating a new risk assessment, the default probability, consequence, and mitigation scores are 1
- Evidence record export process works as designed
- Catalog export works as designed
- Automation Manager loading spinner is deactivated once the page has loaded
- Asset record date pickers work as designed

[5.30.0] - 2024-02-13

Added

Option to filter issues that are Closed and Cancelled for the Issues by Component and Issues by Security Plan reports
Implementing Roles data for the MegaAPI call for an SSP
Ability to import catalogs that are deployed with the application
Automation Panel
- Ability to view/set keys
- Consolidated all automation functions into the automation panel
RegML: Control parameters are now properly seen, formatted, and handled by the RegML Extractor

Changed

Workbench - removed non-actionable items (i.e., have a defined due date, some action to be performed)
Forms redesign (BETA) updated to new grid views
Catalog import and export logic occurs on the backend (server) rather than the client
Redesigned the UI for the Implementing Roles tab on the Control Implementations form
Angular performance improvements (fewer unneeded look-ups)
Bug fixes:
- Avatars load correctly
- PUT /api/SecurityControls/{id} returns a 404 if the security control's ID is not found
- Software list in eMASS export no longer shows duplicates
- GET /api/SecurityControls/findByUniqueID/{securityControlId}/{catalogId} Swagger docs updated to reflect 204 response
- User can create child records of different module types from Creation Wizard
- Addressed issue where user dropdown may sometimes be empty on initial page load
- Validation message for "Default Assessment Days" field on components and security plan forms is correct
- Updated tooltips for OSCAL exports to be more helpful as to why an export isn't available
- Continuous Monitoring tab on the Security Plans form correctly loads assessment data
- User can create a new assessment from the Continuous Monitoring tab on the Security Plans form
- Issue Screening utility is only available if that feature is enabled in the Modules and Features admin panel
- Evidence Locker record form populates the list of mapped records correctly
- Component Status Board correctly shows all status types for POA&Ms
- Assess Risks utility for Security Plans produces no errors when reviewing and finalizing
- SAML authentication redirects to the origin rather than host
- New assessments can be saved successfully when the assessment result is set
- Collecting Evidence workspace on a security plan's scorecard correctly displays controls
- Module names appear correctly in dropdowns

[5.29.0] - 2024-02-09

Added

Automation Platform: Can schedule automation jobs directly from the RegScale Admin panel
SBOM: Added a download button
Workspaces: Improved the evidence workspace and analytics
Feature flag for Automation portal
BETA: Forms Redesign now optionally available
BETA: List of available catalogs and installation status (display only; non-functional)
Several new fields to support the eMASS Hardware/Software Export

Changed

Automation:
- Required secrets are now checked before and during scheduling a job
- Fixed bug where required parameters weren't displaying correctly
Removed SignalR from the application
Performance:
- Optimized loading of nearly every Angular page on the client side to speed up RegScale page loading
- Improved performance of query selecting Time Travel subsystem data
Catalog import page has a toggle to support future upload types
Re-enabled AppInsights for the Angular app
POAM export (column F is auto-fit, Column AC displays N/A instead of being blank)
Tech debt:
- Refactored the control objectives controller and business logic to match current conventions/standards
- Refactored the control parameters controller and business logic to match current conventions/standards
- Refactored the control test plans controller and business logic to match current conventions/standards
- Refactored the CCIs controller and business logic to match current conventions/standards
- Risk Matrix uses NgRx to retrieve and update colors and matrix data
Catalog UUID is also returned as part of the /api/catalogues/getList endpoint
Bug fixes:
- Role deletion button appears correctly on the Implementing Roles tab for a control implementation
- Supply Chain Status Board status label is named correctly
- Addressed issues on form rendering with custom data labels
- API for getting all security controls by catalog returns the expected list
- Fixed copy button on SBOM
- User sees a warning about a missing (deleted/archived) parent security control for an implementation
- Security controls can be deleted without showing errors
- /api/profiles/applyProfile correctly respects tenant separation and has improved input validation
- Questionnaire response completion progress displays correctly on the Responses tab
- Pagination on the Questionnaire Responses tab works correctly
- Security controls can be added at the same time a new policy is being created
- File uploads for an Evidence Locker record can be deleted via the Files Subsystem on that record
- Removed "routerLinks" on application navigation system to avoid duplicate page requests
- Validation of and clearer Swagger documentation about the Originator property for catalog creation and update
- Tailored SSP export (section 3 control tables) has correct formatting
- Enabled modules are listed correctly in the Modules dropdown after logging in
- Risk matrix colors are correctly set on each new creation of risk matrix
- Threat Model events are available in the event topics list
- Reset Password email links are correctly formed
- Supported export file types are retrieved from the tenant configuration service
- Email service uses the correct domain
- Color theme is correctly set on login
- Outage dates/times on change records work as expected when accounting for local time
- Integrations images display with correct aspect ratios
- Manager is a required field when creating Organizations
- Policies with templates display properly

[5.28.4] - 2024-01-27

Added

Changed

Bug Fix: Addressed issue with form rendering from Custom System Labels

[5.28.3] - 2024-01-26

Added

Single Sign On (SSO) login button for a Questionnaire instance

Changed

[5.28.2] - 2024-01-24

Added

Changed

Bug Fix:
- Addressed issue with creating child records on a catalog
- New record forms no longer generate 404 (not found) errors
- SSP export options are disabled (with explanation tooltips) if there is insufficient information to generate a given export
- Changes made in the Risk Configuration setup screen are reflected when displaying a risk record afterward

[5.28.1] - 2024-01-19

Added

Changed

Performance: Optimized loading of nearly every Angular page on client side to speed up the RegScale page loading
Bug fixes:
- When loading a form with tabs, the first non-hidden tab is selected
Syncfusion license key is deployed properly so that no watermark text appears on exports
Restored missing module and fixed seeding file so that Custom System Labels works correctly
SSP exports save to the Files subsystem as expected
New record forms no longer generate 404 (not found) errors

[5.28.0] - 2024-01-17

Added

Wayfinder
- Ability to manually mark activities as complete
- Tracker display (per stage) of how many activities are complete vs. incomplete
- Dropdown to select a preconfigured Wayfinder to use
Feature flag support for integrated catalogs
Support for future catalog workflows (ability to create, read, and update download URL and default name values)
Questionnaire API to create and return questionnaire instances for a given questionnaire

Changed

Performance:
- Consolidated caching functions into a single client side store in NgRx
- Optimized form and list view loading code
- Optimized caching updates/refresh/deletes for improved performance
- Removed unused cache items from NgRx to reduce memory pressure
Tech debt: Standardized naming of Wayfinder for the Angular app
Moved catalog update button behind the integrated catalogs feature flag
Questionnaire instance creation API supports setting a specific due date
Bug fixes:
- Control implementation view (Requirements tab) shows all content when scrolling
- Pagination for Questionnaires list view works as expected
- Questionnaire export works as expected for all question types
- Addressed bug with loading Lightning Assessments

[5.27.2] - 2024-01-12

Added

Security Controls tab is now available on the Catalog form

Changed

Bug Fixes:
- Improved styling and input for security control test plans
- Default test results now load properly in Lightning Assessments
- Components tab on Assets is visible to the General User role
- QuestionnaireInstances API for getting an instance by ID returns the correct results
- Collecting Evidence workspace for SSP scorecards appears correctly in dark mode
- Controls on Policy scorecards render properly
- Setting a risk as Closed makes the Date Closed field required

[5.27.1] - 2024-01-11

Added

Bring Your Own Risk Matrix Feature including defining the number of levels for Consequence/Probability, descriptions for each level, custom scoring, and ability to define custom colors and color ranges for matrix visualization
Annual Loss Expectancy added to the Risk Scorecard
FIPS Categorization - Categorization is no longer a required set of fields to create a SSP. Instead, you use the classification subsystem to pick your information types. There is a new engine that auto-calculates "system high" and then lets you override. Once you have picked all of your types, you can save the categorization which will update the SSP. The SSP fields are made read only.
BREAKING CHANGES: If running IIS, will need to update the .NET Runtime to version 8 before upgrading to this version
New Control Navigation: Replaced control strip with inline navigation in the Control Context Viewer
File Subsystem: PDFs can now be previewed inside of RegScale like images
Control Freshness - Assessment Frequency
- Can now set a default number of days by which controls must be assessed on a security plan
- Can now set a default number of days by which controls must be assessed on a component
- Control implementations now track assessment frequency desired and use it to auto-set the next assessment due date
- Builders updated to auto-set assessment frequency based on the parent security control or component
- Control Context Viewer now lets users view and set the desired assessment frequency for a given control (overriding the default at SSP level)
- Assessing a control auto-sets the next assessment due date for the control based on the desired assessment frequency
Initial stages of the Wayfinder tool for SSPs (feature-flagged)
Questionnaires: Instructions field content now included at the top of questionnaire assignment email to support instructions/introduction for that questionnaire

Changed

Performance Enhancements:
- Risk matrix now pulls from cache in NGRX
- Organization and Facility picklists on forms now pulls from cache in NGRX
Upgraded core platform technologies:
- Angular from Version 15 -> 17
- Node.js from Version 16 -> 20
- Telerik from Version 13 -> 14
- NgRx from Version 14 -> 17
- .NET Core from Version 7 -> 8
- Various NuGet package upgrades and security patching
Packaging: Removed eCharts and all NPM-related dependencies from the project
Removed heatmap visualization from the Status Boards (replaced by per Family view on the Scorecard)
Swagger REST APIs now default to collapsed to provide a more concise list by object
Issues API endpoint to remove a quality assurer
Assessment Result module has custom labeling support
Automatic creation of issues from assessment results also populates description, facility ID, org ID, date first detected, activities observed, and recommended actions
Assets API endpoints to create and update assets in batches
Relaxed validation on new risks to streamline data entry
eMASS Ports and Protocols export:
- POC fields are now highlighted with a comment on how to populate these fields when System Owner isn't selected
- Optimized data fetching during export
- Added logic to fetch ports and protocols of child assets for the security plan
Tech debt: Refactored the catalogs controller and business logic to match current conventions/standards
Performance:
- Refactored Asset APIs to dramatically improve query performance
- Added list view saved reports to client side caching to eliminate server side calls
Quality Improvements:
- Refactored the Catalogs controller and business logic to match current conventions/standards
- Refactored the Security Controls controller and business logic to match current conventions/standards
Lightning assessments can now be edited
Exports: Conditionally show and hide SSP and related exports based on completing the categorization step
Bug Fixes:
- Corrected validation issue on the assessment POST API
- Addressed edge case issues with event driven notifications
- DOE SSP export has templated system security manager, highlights missing data, supports image tagging system, and uses correct categorization
- Issue process flow supports removing a quality assurer
- Threat Scenarios tab no longer shows until the Threat Model is saved
- Admin and service accounts are no longer available as choices in user dropdown menus
- Corrected formatting issues with Error Log table in the Admin panel
- Submit for Screening button for Issues works as expected
- Outage window start/end dates for Changes use local time
- Lightning Assessments: now correctly set initial status of the assessment to "In Progress" v/s "Draft"
- Lightning Assessments: addressed bug where duplicate assessments could be scheduled under some circumstances
- Addressed edge case issue with some status items not displaying correctly in list view
- Fixed intermittent failure on event webhook for Incident severity change

[5.26.1] - 2023-12-22

Added

Changes - added ability to track testing information for a change

Changed

Bug Fixes:
- Workbench and News Feed now properly show/hide based on configuration settings
- Fixed issue with the Asset Mapping API endpoint
- New Threats Models form cockpit correctly shows which required fields have values
Questionnaire response Excel export formats cells with top vertical alignment
Catalogs module
- List view shows new information to support UCF
- Detail view shows new information to support UCF
- Import functionality accounts for new information to support UCF
Performance: Uses front-end caching to reduce the number of API calls to the api/email/getDomain endpoint

[5.26.0] - 2023-12-20

Added

Re-imagined Scorecard for visualizing control status
Evidence Workspace added to Scorecard
Workflows use custom data labels
File Subsystem now supports a preview mode for images

Changed

Questionnaire status stepper was removed
Code quality: Cleaner separation of RegML Explainer modal component and the accompanying service
Performance: Replaced database calls for tenant and configuration data with NgRx caching
Bug fixes
- Rejecting a submitted questionnaire instance shows a toast notification
- Questionnaire title heading updates after making changes to the title and saving
- Questionnaire response export (Excel) cells have word wrap enabled
- Export buttons for the questionnaire responses list are always visible
- RegML Extractor works with "flat" control implementation statements
- Progress spinner disables after a new tenant has been created
- "Upload Enabled" flag on questionnaire questions is supported for import and export
- Added validation when loading facilities on forms

[5.25.0] - 2023-12-13

Added

Re-imagined Scorecard for visualizing control status
Progress bar for completing control parts on a Control Implementation
Progress bar for completing control parameters on a Control Implementation
Button for auto-scoring a control implementation based on its parts
SicuraId field to ScanHistory to support Sicura integration
Financial Modeling for Risk
New control implementation parts status: "Alternative Implementation"
Server-side guards against deleting files within a module that originated from the Evidence Locker
Accounts API endpoint to get the list of inactive users for the current tenant
Control Tests: Now add the ability to provide default text per test to help prompt assessors during the lightning assessment
"Other identifier" for issue records
"Task Type" for task records
API endpoint for Accounts to get all delegate users for a given user
Performance: Optimized loading of tenant and license configuration information using NgRx; reduced backend calls
Infrastructure: Resiliency for cache access (missing username, case sensitivity)

Changed

Questionnaire response export format includes historical responses
Single workflow step rejection cancels subsequent steps
Deleting files from the Files Subsystem is only supported in the Evidence Locker module
Removed beta tags from the following:
- SSP exports: FedRAMP Rev5, CMMC, More options
- Setup: Custom System Labels, Events & Webhooks
Bug fixes
- Questionnaire instance endpoint getAllByParent returns 404 if the parent questionnaire doesn't exist
- Event topic list in Event and Webhook Configuration Management populates correctly
- Import button is available for Security Profiles
- Workspaces now longer show in menu for the Global Admin account
- My Activity now longer shows in menu for the Global Admin account
- Copying an existing Continuous Monitoring Assessment works as designed
- Risk Strategy is a required field when creating a new Risk
- Custom labeling support for the Asset Mapping tab on the Component form
- Implemented paging, sorting, and filtering to Asset Mapping list view
- Time remaining (e.g., days overdue, days due) on Issues uses correct heading levels and colors
- Custom validation is limited to that field's module
- Child issues for an assessment are only created if one doesn't already exist
- Parent cause codes for causal analysis must have a value before being assigned
- Manual Detection ID field for Issue records saves as expected
- Dropdown menus have unique values on the Threats Scenarios tab for a Threat record
Migrated README.md reference sections into separate files and updated docs on how to run locally via localdev

[5.24.1] - 2023-11-28

Added

Changed

Bug Fixes:
- Prevent saving multiple duplicate tenants through rapid clicking
- Control Origination checkbox fixes
  - Inherited from pre-existing FedRAMP Authorization option
  - FedRAMP Tab prioritizing
- Security Plan delete now performs a NULL check
- Control Implementations: Planned Implementation Date and Steps to Implement are only required if the status is Planned
- Catalog count no longer includes archived controls
- Supply Chains module name is correct

[5.24.0] - 2023-11-27

Added

Type of Service field on the Basic Info tab for Interconnections
Tenable Nessus ID and Burp ID for Issues (Integration tab)
Support for using a shared database server and shared storage account
API endpoint to get all questionnaire instances for a given questionnaire
Enterprise Risk
- Threat Model module
- Ability to generate a library of threat scenarios for a given threat model
- Risk Assessment Wizard on organizer now loads based on selected threat model

Changed

Status boards use custom data labels
Workbench uses custom data labels
Swagger: Brought documentation for the Time Travel endpoints up to standard
Error logging for questionnaire submission
Type of Service column populated in FedRAMP SSP export (Table 7.1)
Questionnaire list view by default sorts by ID (descending)
Minor updates to FedRAMP Rev5 CIS/CRM export
Tech Debt: Asset service read operations implement cleaner role-based access control
Version bumps for GraphQL packages (Hot Chocolate and Strawberry Shake)
Bug Fixes:
- Improved validation for bulk questionnaire assignment via Excel workbook upload
- Questionnaire option (e.g., multiple choice) text that has commas exports correctly
- For Issues, moved the Salesforce Case # field to the Case Management section under the Integration tab
- Risk field values and required fields function and save as expected
- Record selection dropdown when assigning questionnaires to a module appears correctly in dark mode
- Workspaces dropdown appears correctly in dark mode
- Asset PUT and POST APIs properly check for missing and whitespace-only fields
- Appendix A contains implementation statement overrides if present
- FedRAMP XML export logic properly handles a file with an empty filename in the attachments

[5.23.1] - 2023-11-14

Added

Independent scroll to assessment Lines of Inquiry
Using assessment workflow system now locks down form fields so they cannot be directly edited

Changed

Bug Fixes:
- Converted token date check to UTC time
- Added more helpful error message for exports that use the Files subsystem in the case where a specific file type (e.g., .xml) is not enabled for the RegScale instance
- Entering questionnaire prompt data no longer produces console errors
- Added dirty form checks in the questionnaire builder
- Validation for MAC addresses on assets works correctly
- Validation for URLs works correctly
- Export logic updated to ensure the export button is responsive
- RegML features will not be enabled if the user chooses to cancel the enable action

[5.23.0] - 2023-11-12

Added

Home page (dashboard) uses custom data labels
Support for feature flags
Ability to hide tabs and fields in forms via the Custom System Labels panel
Infrastructure for automated UI testing with Playwright
Record creation wizard uses custom data labels
Questionnaire response scoring
Improved User Profile to better display readonly fields for LDAP/SSO users
Mapping of discrepancy fields in the SAR export
Refresh button to Issue Status page to force update of lifecycle and workflow actions
Questionnaire instances can have assigned reviewers
Enterprise Risk
- Added Progress to Risk Scorecard
- During a risk assessment, risk assessment auto-calculates and defaults (user can still over-ride)
- Inherent Risk score now displays in the Risk Assessment table
- Consolidated treatments, preventive actions, and related controls into a single tab on the risk screen

Changed

FedRAMP Appendix A export prioritizes information on the FedRAMP tab for a control implementation
Infrastructure: Feature flag source is more explicit when running standalone vs. SaaS
Inline view of questionnaire responses works correctly for all question types
Security: Patching NPM vulnerabilities
Bug fixes
- FedRAMP and eMASS exports do not contain encoded HTML characters (e.g., &)
- FedRAMP Rev 5 SSP export does not contain HTML tags
- FedRAMP Rev 5 SSP export does not have redundant placeholder text in Appendix E
- Updating an existing Change record no longer produces console errors
- RegML Extractor status bar shows completion even if errors occur
- When selecting a facility that has sub-facilities for an Issue, a sub-facility must be chosen
- Questionnaires module uses custom data labels correctly
- Resetting custom data labels correctly sets visible and editable states for labels
- Icons for Threats module corrected
- RegML Extractor supports PDFs with up to 100 pages
- General system description is available in the FedRAMP Rev 5 SSP export
- Can now create custom security controls properly using the record creation wizard
- Workflow for submitting an Issue for screening works as expected
- Added guard for an edge case concerning OSCAL export file creation
- New-form pages for Security Controls and Control Implementations are inaccessible via URL
- For OSCAL XML export of an SSP, the system-id and identifier-type URLs are correct whether or not a FedRAMP ID# is provided
- Questions in the questionnaire builder cannot be moved to a different section without a prompt
- Assigning a manager workflow now uses the correct Angular route
- Questionnaires cannot be resubmitted unless the questionnaire instance is reopened
- Profile import (file selection) process works as expected
- Validation for required signature question types in Questionnaires works as expected
- Questionnaire user registration shows the correct message about minimum password length
- Comment fields for questionnaire review are only visible when the Feedback toggle is set
- Dropdown tree controls (e.g., facility selection) can be cleared of their selection
- Child tasks appear correctly in the crumbcake nav and Compliance Visualizer
- Custom fields for the Profiles, Categorization, Questionnaires, and Control Implementations modules update as expected

[5.22.0] - 2023-10-31

Added

Changed

Completion indicator for the required Status field works correctly for new components
Creating questionnaires via an Excel worksheet correctly uses the "Required" column
Improved readability of long answer fields in questionnaires for dark mode
Process flow visual for Issues in the Status tab works correctly in dark mode
Count of files in the Files subsystem for Control Implementations and Security Plans is correct
Workspaces dropdown is only available if user is logged in
More consistent user experience when creating relationships for a record
Crumbcake navigation uses custom data labels
Kanban subsystem works correctly with custom data labels

[5.21.0] - 2023-10-27

Added

New Fields
- Other Identifier - added to the assessments and issues modules
- Org Code and External Identifier can now be assigned to an organization
- Risk Categorization added to Components
- Added Original Planned Finish date field to assessments (used for calculating date changes over time)
New API endpoints (to support Nessus integration)
- Batch creation of assets
- Batch creation of vulnerabilities
Questionnaire owners can make a questionnaire public so that users can self-assign to new responses/instances
Utility: Due Date Extension - allows you to request and approve date extensions
Workflow
- Implemented Close and Re-Open Issue Actions
- Workflow approval screen now shows information on any associated actions tied to the workflow
- Ability to create workflows for a specific manager or user
Security
- Added ability to set and enforce max password retries and lockout period

Changed

Refactored module metadata seeding procedure to make it simpler
Replaced checkboxes on the Hardware Info tab in the Assets form with dropdowns (Yes/No/blank)
Advanced Search for Asset records supports fields whose options are Yes/No/blank
Questionnaire responses export includes email addresses for recipients that aren't RegScale users
Action to show dashboards for questionnaires and questionnaire responses removed until proper dashboards are available
Optimized field mapping for FedRAMP rev4 & rev5 excel exports
Bug Fixes
- Evidence Locker: Evidence is linked to controls when mapping to controls
- Dismissing a workflow in the Notifications area leaves the workflow active in the Workbench
- Canceling license update now properly resets the form
- Control implementation forms render correctly
- Updated Assigned Instances function works for questionnaires assigned to non-RegScale users
- RegML icon only appears once on the Control Implementation form
- FedRAMP Rev 5 Appendix A export contains the correct implementation status, control origination, and solution implementation details
- Notification appears when a user reopens a questionnaire response instance
- Reordering questions within sections and between sections works correctly
- Required custom fields for new record forms display correctly after saving
- Advanced search works correctly with custom data labels
- FedRAMP R5 Inventory Fixes:
  - Correctly maps Function (Column X) for hardware and software assets
  - Added asset.Manufacturer to Make/Model Column (Column M)
  - Hardware Assets with Software Inventory will be now have their software inventory mapped to the correct rows
- Required custom fields appear in the new-form cockpit
- Airflow DAG triggers work as expected
- Removed erroneous warning about custom fields being unavailable
- Workflow instance changes properly trigger webhooks
- Adjusted the save functionality in the questionnaire builder to prevent data loss
- Removed placeholder text in the FedRAMP Rev 5 SSP export (Table 3.1)
- Removed instruction boxes from the FedRAMP Rev 5 SSP export
- Removed duplicate alert when no manager is assigned for a user in the workflow system

[5.20.2] - 2023-10-18

Added

Changed

Custom Data Labeling
- Updated warning prompt for reset to be clearer
UX
- Banner colors now match US Government classification standards
- Admin panel now listed in alphabetical order
Bug Fixes
- Questionnaire assignee email address shows in the Responses list
- Questionnaire assignment via Excel workbook upload works as expected

[5.20.1] - 2023-10-18

Added

Changed

Hot Fix: Addressed issue with seeding on startup of container

[5.20.0] - 2023-10-18

Added

Ability to reset all custom data labels in the Admin panel
APIs
- Programmatically delete custom fields
- Retrieve workflow actions for a given parent record ID and module
- Pull all available metadata for a given module
Facilities now support a hierarchy structure similar to the organization hierarchy
FedRAMP
- Fields for Rev 5 SAP/SAR exports
- Rev 5 Inventory Export for Security Plans with Assets
- Lightning Assessment now auto-calculates Risk Exposure based on FedRAMP formula
Logging
- Error logging to the database via Serilog
- Default level is Error and a scheduled task will remove entries older than 14 days every night at 1 and 3 am (limited to 5k records per run)
RegML:
- Extractor to RegML Tools on a System Security Plan, allowing the automatic extraction of implementation statements from user-uploaded PDFs
- Auditor can use control objectives or control implementation statements
- Auditor shows links to open a control in a separate window
Tasks: Description and results fields
Unified Compliance Framework (UCF)
- Added integration to the Admin panel
Web accessibility
- Support for 200% zoom
- Right-click support for top navigation menu dropdowns

Changed

Architecture:
- Refactored how files are handled for standalone and SaaS versions
- Refactored and cleaned up APIs for Master Assessments
Custom Data Labeling
- Support for changing field labels and basic module metadata
- Driven by the database rather than JSON files
Custom Fields: Now allowed on tasks
Email service refactor, with support for OAuth
Evidence Locker
- Mapping evidence to Security Plans
- Improved mapping experience
- Display of all records mapped to an Evidence Locker record
- Ability to start Evidence Locker mapping from the Utilities widget
- Ability to navigate to Evidence Locker directly from a Security Plan
FedRAMP exports: In Rev 4 and Rev 5, images and narratives are split for Authorization Boundary, Network Diagram, and Data Flow Diagram
Gantt Chart: Security plans now show draft issues to work better with the Lightning Assessment system
Issue Screening:
- Removed analysis step
- Default certain checkboxes to reduce clicks in the screening process
Risk: Status Board now displays the Target and Residual Risk Scores from the new risk assessment engine
Questionnaires
- Added back-end structure for scoring questionnaire instances
- Enhanced response Excel export readability and usability
- Owner receives an email when a questionnaire response is submitted
Performance: Refactored all picklist module calls to use the new form service
Risk Assessment: Multiple UX improvements based on customer feedback
Security
- Can now only delete records if user is an Administrator or the user who created the record
- LDAP now records the last login date for the user
- SSO new user now records the last login date for the user when thin provisioning
- Deletion of records no longer cascade-deletes the audit logs or Time Travel records to provide improved forensic analysis
- Fixed various access control restrictions for consistency across roles
User experience
- Improved child record creation experience
- Removed gradients on CISO Home Page
Wiz CI/CD scan integration support
Bug Fixes
- Accessing questionnaire instances produces no errors whether or not the user is logged into RegScale
- Fixed error when uploading SBOM during release publish
- Addressed issue with reseeding metadata
- Variable casing corrected so that module data loads correctly
- Evidence Locker: View and Delete buttons on mapped controls align correctly
- Adding a new assessment under Continuous Monitoring for a component brings up the new assessment form
- Module data seeding works correctly through both the application UI and the Swagger interface
- Severity Level by Date Identified chart in Issues module renders correctly
- Schedule recurrence options for questionnaire assignment renders properly in dark mode
- Dropdown to select number of rows for Supply Chain board works as designed
- Raised events are no longer case-sensitive
- Control origination checkboxes for FedRAMP Rev 4 or Rev 5 SSP exports match the RegScale SSP
- New assessment form loads correctly
- GraphQL code generator utility correctly accounts for the new Angular file structure
- RegML Extractor GraphQL queries are adjusted to address overfetching
- Master assessments dropdown selections are properly seeded on app startup
- Added input validation when updating an asset record
- RegML Controls Author uses the company name for the tenant
- Module data is correctly seeded on initial database creation
- RegML Extractor input is limited to 25 pages
- Vulnerability drilldown modal for assets displays correctly
- Questionnaires can be submitted for recipients that aren't RegScale users (i.e., only have an access code)
- Questionnaire section index changes correctly update assigned instances
- Viewing catalogs no longer produces console errors
- Generated export files correctly appear in the Files subsystem
- Webhook events for deletions fire for archival as well
- Webhook events for modifications fire as expected
- Status board row-count selector works correctly
- Change Management bar charts have tooltips and the drilldown modals render correctly
- Issues By Identification chart shows the N/A title where needed
- When adding a new record via the Compliance Visualizer, the modal now dismisses properly
- Addressed several issues with GraphQL queries
- Addressed issue with redirect after login for SSO
- Addressed issue with importing some catalogs
- Drilldowns for Exceptions dashboards display correct titles
- Reset All Custom Labels works as expected
- Fixed edge case issue with Lightning Assessment progress calculation
- Subheaders that use custom data labeling render correctly
- For interconnections, the external fully qualified domain name saves as expected
- For components, if the status is "Other" the explanation field is marked as required
- Fixed input validation checks that were being corrupted from dynamic loading
- Lightning assessments now load properly from the Scorecard

[5.19.0] - 2023-10-03

Added

Risk: Improved initial risk scoring UI and functionality
Risk: Added risk treatment effectiveness and direct link back to control implementations
Risk: Added business impact to the risk assessment wizard
Risk: Risk assessments now allow you to evaluate the effectiveness of each risk treatment

Changed

Bug Fix: Properly show/hide links on the footer based on login status
Bug Fix: Risk Scorecard now shows N/A for difference and residual risk if risk assessment has not yet been conducted
Bug Fix: Questionnaire can be assigned without errors to a RegScale user
Questionnaires: Progress feedback is shown when bulk-assigning questionnaires
Bug Fix: Only asked questions are considered in the percent complete for a questionnaire instance
Bug Fix: api/metadata/reseed correctly loads the seed file content
Bug Fix: Removed Controls by Type options for the policy scorecard view
Web accessibility: single-page application structure, dashboard percentages, alternate text for status icons and logos
Bug Fix: Software inventory is displayed in the tailored SSP if software is within a hardware asset
UX: Reorganized data entry form for Supply Chain to be more efficient
Bug Fix: Addressed issues with Lightning Assessments on Supply Chain records
UX: Scorecard now redirects to new lightning assessment form versus opening in a slider

[5.18.2] - 2023-09-29

Added

Field for Assets under the Integrations tab: Sicura

Changed

Bug Fix: Record addition, modification, and deletion events trigger properly
Bug Fix: Addressed edge case where a user could bypass the login banner

[5.18.1] - 2023-09-29

Added

Security: Added support for OAuth authentication for email security

Changed

Policies: Parameters are now only required if the status is "Active"
Removed CQRS from Assets module
Added Assets Service to handle all business rules for the Assets controller and corrected Swagger documentation
UX: Addressed spacing issues on password toggle
Bug Fix: New risks created via the Risk Assessment Wizard do not require a target risk score

[5.18.0] - 2023-09-27

Added

Components: Added external ID field and API for ease of integrating with outside tools/data
FedRAMP: Added fields to support FedRAMP Rev 5 requirements for Leveraged Authorizations
FedRAMP: Expanded interconnect module to support FedRAMP Rev 5 requirements
FedRAMP: Added fields to support Risk Exposure Template export in Rev 5
Lightning Assessment: Now shows parts and parameters on the left side view
Lightning Assessment: Now shows the parent security control on the left side view
Lightning Assessment: Left and right side are now independently scrollable
Lightning Assessment: Now allows incremental progress (can save 1 control at a time)
Lightning Assessment: Now allows editing assessments
Lightning Assessment: Allows you to flag an issue as reportable and will auto-generate an issue
Questionnaire Security: Added access control for both internal and external users
Ability to export POA&MS from a Security Plan as FedRAMP Rev 5 Risk Exposure Excel workbook
UX: Added persistent footer to the application
Workflow: Added options for assigning workflows and building new ones using the subsystem
Workflow: Added ability to assign and create workflows directly to a manager
Issue Screening: Added quick action buttons to create Causal Analysis records
UX: Workbench is now the default landing page
FedRAMP Rev 5 SSP Appendix A export in Word format
FedRAMP Rev 5 CIS export in Excel
FedRAMP Rev 5 Test Case Procedure export in Excel at Security Plan level and Continuous Monitoring level
Continuous Monitoring tab now has a "Create New" button
Issues: new fields for manual issue detection
Web accessibility attributes for the RegScale logo, notifications area, and page landmark regions
Questionnaire question file upload support
Workflow: Added a new API for creating custom workflows programmatically

Changed

Performance: Optimized page loads for RegScale forms
UX: Change list view fields for Privacy Impact Assessments
UX: Consolidated dashboards into the List View system of modules
UX: Removed sidebar from left side of the screen
Performance: Improved indexing on Components
Performance: Improved query speed when retrieving a Security Control or Control Implementation
Context Viewer: Now shows the part description when creating a new option and auto-closes once option is completed
Enhancement: Catalog error messages now persist on the page when uploading
Bug Fix: Removed duplicate FedRAMP tab on Control Implementations
Bug Fix: Risk scorecard now renders properly
Added logic to ReadMe.io version update during release pipeline to parse the version from the environment first, then defaults to version # in package.json
Bug Fix: Addressed issue where Control Context Viewer always returned to Parts when editing Parameters
Bug Fix: Addressed you are already logged in bug when redirected to login page
Bug Fix: Addressed various issues with maintaining questionnaire state
Print: FedRAMP fields added to control implementation printable form
Bug Fix: Global admin redirect now works properly
Bug Fix: Editing tasks in the Kanban subsystem does not result in console errors
Bug Fix: Ports and Protocols table is present in the FedRAMP SSP (Rev 4 and Rev 5) export
Bug Fix: Supply Chain contract owner dropdown does not contain duplicated usernames
Bug Fix: Issue ID is returned as part of the api.issues.create event
Bug Fix: Login banner must be acknowledged before using the application after login
Security: Patching NPM vulnerabilities
Updated the executive summary text for the FedRAMP SSP Rev 4 templates (Moderate and High)
Bug Fix: Catalogue export as OSCAL JSON uses correct encoding
Added 'deprecated' label for FedRAMP Rev 4 SSP and continuous monitoring exports
Bug Fix: Leveraged authorizations appear in FedRAMP SSP export
Questionnaire: Process questionnaire rules when dropdown answer changes
Bug Fix: Validation in the policy form and policy template now apply together
Bug Fix: Automation panel only shows DAG execution date-time
Bug Fix: The api/Organizations/getList endpoint correctly displays organization managers and manager IDs
Bug Fix: Saving a new questionnaire presents a single toast notification
Bug Fix: Editing a questionnaire QUID doesn't automatically move the cursor to the end of the QUID
Questionnaire instance comparison export (Excel) format is now one instance per row
Questionnaire rich text editor control styling matches the rest of the application
Updated SSP's MegaAPI result to include an asset's list of software inventories
Bug Fix: Addressed issue with updating a Task within the Event system
Lines of Inquiry: Now warns you if navigating forward or back without saving

[5.17.1] - 2023-09-13

Added

UX: Can now create a new profile from the Builder Wizard

Changed

Bug Fix: Custom fields dropdown list addresses issue with adding new items
Bug Fix: Addressed SSO login issue for thin provisioning and logging in new SSO users
Bug Fix: Addressed issue with launching Security Profile importer
UX: Replaced Digital Signature with Electronic Signature labels

[5.17.0] - 2023-09-12

Added

Questionnaire: Add execution constraint to rules to limit when certain rules are executed

Changed

Cause Code Admin Panel for Causal Analysis
Sonarqube integration for issues
Updated CSP Name for FedRAMP Test Case Procedures export to use CSP Organization Name from the Preparation tab of the Security Plan
Questionnaire: Allow various Action Functions to accept list of questions to change
Questionnaire: Make Action Functions resilient to updating question (quid) that does not exist
Questionnaire: Update rules of open instances when updating open instances
Support: Improved logging for toasts to assist with testing and debugging

[5.16.3] - 2023-09-11

Added

Ability to dynamically set fields to read-only based on record state
List Views: Added ability to create a child record from the list view
Security: Hardened JWT timeout checks for all Angular routes
Reports: Improved FedRAMP export of the Risk Exposure Report
Workflow: Now supports management approvals
Workflow: Added functional role assignments
Workflow: Added action system
Workflow: Added comments, files, and links to the workflow record viewer

Changed

UX: Catalog importer moved to the list view next to the "New" button
UX: Improved formatting of the print screen
Bug Fix: Removed FedRAMP tab from SSP
Bug Fix: Added FedRAMP tab to control implementations
Bug Fix: Navigation system not showing titles as links
Bug Fix: Addressed error on Group retrieval
UX: Improved formatting of the user list in the Admin panel
Bug Fix: Manage risk visualization on home page updated
Bug Fix: Issue screening now pulls the correct comments, files, and links

[5.16.2] - 2023-09-08

Added

FedRAMP: Added risk fields to POA&M to support the Risk Exposure Template export
Metadata: Added reseeding option to the Admin panel (accommodates new changes over time to picklist)
Automation: Support for scheduling, pausing, and checking status of Airflow jobs
RegML: Added license confirmation box allowing all SaaS customers to opt-in to AI/ML capabilities in RegScale
Ability to export FedRAMP POAMs for Rev 5

Changed

Enhancement: Refactored seed metadata method to be consistent across the application
Bug Fix: Added SQL check to skip some specialized indexing for unsupported SQL Server versions
Bug Fix: User activation API returns 400 when the request is empty
Accessibility: Added more keyboard-based navigation and alternative text content
Bug Fix: Required field count and completion percentage for new records works correctly
Bug Fix: After making a change on a control implementation record, when navigating away and choosing "Cancel" no navigation occurs

[5.16.1] - 2023-09-07

Added

Changed

Bug Fix: CONMON display fix for progress report
Bug Fix: Addressed issues looking up Security Plans on controls list view
Performance: Database index tuning based on Azure recommendations
Performance: Multiple query optimizations for fetching control implementations
Performance: Refactored Navigation system query to be more performant
Bug Fix: Addressed issue where subsystems would sometimes not show for a control implementation with related evidence
Bug Fix: Setting a new task as Closed updates the percent complete to 100%
Bug Fix: Phone number fields on questionnaires require a valid phone number before saving
Bug Fix: Security Control Implementations list view Control ID sorting matches other Control ID sorting in the application

[5.16.0] - 2023-09-06

Added

FedRAMP: POAMs now export as OSCAL
FedRAMP: Added XML Export for OSCAL SSPs
Security: All event logging is now performed server side
Performance: Optimized the subsystem count query to be more performant
Issue Status: Can now manage the full lifecycle with status gates and workflows
Flag to dynamically set fields to readonly based on workflow

Changed

Bug Fix: Added fix for multiple quick clicks of the login button
Tech Debt: Forms now centrally driven by a single config (pre-requisite for enabling custom data labels in the future)
Explanation for Other than Operational Status field is only required for FedRAMP SSPs now
OAuth: Fixed login issue to improve Okta support
Security: Now record date a user was deactivated
508 Compliance - added scope attribute to table headers
DEPRECATED API: Removed all GetAll endpoints, now requires using filter methods or paging in GraphQL to avoid performance impacts
Bug Fix: New Requirements form tab names match the cockpit section names
Bug Fix: Added missing fields for advanced search in questionnaire
Bug Fix: Counts in Risk by Trend chart on the main dashboard match the number of records in the drilldown modal
Bug Fix: Moving a slider no longer reloads a tab's data
Bug Fix: Changing a security plan's status updates the form to trigger validation rules
Bug Fix: Scorecards, Status Boards, and Gantt charts now use the same query
Bug Fix: System roles pulldown now provides a "blank" user since it is no longer required
Bug Fix: Addressed many role-based authorization queries based on specialized roles
UX: Fixed minor rendering issue with search bar on Status Boards
UX: Added line breaks to Implementation Part statements
UX: Fixed issue with comments tab sometimes rendering off screen in Lightning Assessments
Bug Fix: Control Implementations and Requirements now require a parent ID and parent Module
Bug Fix: Addressed issues with Security Plan not printing controls in Community Edition
UX: Group manager now displays the group ID in the list
Error Logs - now supports a back button
Tech Debt - removed legacy SecurityPlanId field from Control Implementations
Bug Fix: Changed questionnaire Rules field back from RichText to TextArea
Made event topics more consistent
Bug Fix: Source OSCAL URL field saves correctly when creating a new catalogue
Removed event manager columns pertaining to Active status and updated list filtering
Saving after adding a new questionnaire section works as expected when reloading the page
Questionnaire: email question type supports validation before proceeding
Questionnaire: Renders properly if the questionnaire only has instructional questions

[5.15.4] - 2023-08-31

Added

Questionnaire: Export one or more responses to a single Excel worksheet
Accessibility: Additional support for tab-key navigation, aria labels for icons
Data Subsystem - Code Mirror added for editing raw XML and JSON in the platform
FedRAMP: POAMs now export as OSCAL
FedRAMP: SSPs now export as OSCAL
FedRAMP: Added new fields to stakeholder system and flag to set if Individual or an Organization
FedRAMP: Can now add external stakeholders to a system role assignment (previously was just internal users)
FedRAMP: Added new features to support tracking Cryptographic modules

Changed

Bug Fix: Addressed periodic issues in pulling Status Board data for Security Plans
Tech Debt: Improved POST/PUT APIs for Facilities and Stakeholders
Tech Debt: Improved OSCAL XML export code for SSPs to be more resilient
Catalog MegaAPI for efficiently fetching a catalog with all related child data (controls, parameters, tests, options, etc.)
Bug Fix: Text-based questionnaire answers are not accepted if they contain only whitespace
Bug Fix: DOE SSP export matches new data and formatting requirements
Bug Fix: Asset Type field only appears on the Basic Info tab for Assets

[5.15.3] - 2023-08-29

Added

Logic to prevent duplicate file names when uploading a file to a record
API endpoint to rename duplicate files for a provided record ID and module name
FedRAMP: Lightning assessments now support Risk Analysis
Mini-Subsystem - added to Lightning Assessments, can add files, comments, and links at the assessment test level along with assigning Quick Actions - Request Evidence or Create Issue
RegML Auditor for control implementation evaluation (BETA)
FedRAMP - added asset types to components
Logic to prevent duplicate file names when uploading a file to a record
API endpoint to rename duplicate files for a provided record ID and module name
Swagger: Brought documentation for the Push Notifications endpoints up to standard
Delegate System: Profile now allows you to set delegates for your approvals
Create endpoint for Ports and Protocols available via Swagger
Functional Roles: Ability for administrators to define functional roles and to add users to those roles
"Create" endpoint for Ports and Protocols available via Swagger
Event-based Architecture: Added events for questionnaire status changes
System URL text field on the Basic Info tab in Security Plans
API endpoint for creating a classified record
Organization URL text field on the Organization Manager form
FedRAMP: RegScale Assigned User is now an optional field on a System Role

Changed

UX: Administration panel for system administrators now shows options in Alphabetical order
Bug Fix: Changing SSP status to anything other than Operational sets Explanation for "Other than Operational Status" as required
Bug Fix: Questionnaires module does not appear in the user menu when it has been disabled
Bug Fix: Changing an asset's category updates the available tabs accordingly
Bug Fix: Setting an incident's phase as "Closed" makes the Date Resolved field required
Tech Debt: Optimized TypeScript library loading with Angular
OSCAL: Objectives renamed to "Parts" throughout the UI to align with current NIST/FedRAMP terminology
Removed drill-down from module record History charts
Updated all exports generated from RegScale follows a naming convention that ends _YYYYMMDD
Several fixes for DOE template and SSP exports in general
Bug Fix: Questionnaires required to have at least one section
Analytics (dashboards) side nav only displays dashboards for which the current user can access with their roles
Navigating via URL to a dashboard the current user doesn't have access to shows a toast notification and redirects to the home dashboard
Bug Fix: Evidence Locker advanced search works correctly for Date Created and Evidence Owner fields

[5.15.2] - 2023-08-25

Added

FedRAMP: Ability to assign multiple sources, origination, and status at the control implementation level
Questionnaires: Ability to download the Excel import template
Questionnaires: Ability to export questionnaire to Excel
Questionnaires: Ability to export a questionnaire response to Excel
Questionnaires: Ability to modify a questionnaire that has already been published
Keyboard accessibility for the form menu (e.g., back, save)

Changed

Bug Fix: Advanced search for a blank item in a picklist now works properly
Bug Fix: Addressed validation logic on new Security Plans
Bug Fix: Addressed issue deleting Lines of Inquiry
Bug Fix: Removed roles from the workbench
Tech Debt: Added missing IDs on links to support testing automation
Tech Debt: Truncate strings for Excel exports to avoid corrupting the workbook
Performance: Refactored required field validation to be more performant on the client side
Infrastructure: Event topic names are pluralized
Bug Fix: Webhook form saves successfully even with a misconfigured webhook
Bug Fix: Marking a task as "completed" requires the user to enter a value for the Date Completed field
Bug Fix: By Point of Contact chart on the Incident Response dashboard renders user names correctly
Bug Fix: Required custom fields for a new Case Management record appear in the cockpit regardless of status change
Bug Fix: Fixed issue with security profiles being unable to update
After assigning a questionnaire the Responses tab is automatically updated to reflect the new assignment
UX: Improved the display of the control in the Lightning Assessment and added deep link to view the parent control
Bug Fix: When creating a new questionnaire form, the Builder, Assignment, and Responses tabs require saving the questionnaire first

[5.15.1] - 2023-08-24

Added

Reporting: New report showing all comments on controls for a given Security Plan
Loading spinner to Inheritance Engine to show progress as work is executing
Keyboard accessibility for top nav bar and left nav bar (WCAG)

Changed

Improved alerting and labeling when a parent security control is not found for a control implementation
Bug Fix: Addressed issue with inheriting between Security Plans
Bug Fix: Functional areas can now be searched for Assessment Plans
Bug Fix: Server side auditing working properly for comments
Bug Fix: Addressed console error when loading components for an SSP
Bug Fix: Print Preview shows all pages
Bug Fix: When creating a new task with a closed status, the cockpit correctly lists required fields completion
Bug Fix: Questionnaires save correctly when the created-by and last-updated-by user are the same

[5.15.0] - 2023-08-23

Added

FedRAMP: System Roles can now have multiple users assigned
FedRAMP: Add button to auto-assign all FedRAMP defined system roles
FedRAMP: Added explanation field if "Other" checked for Cloud Model
FedRAMP: Added "Other" option for Cloud Deployment Model
FedRAMP: Added Data Center tab to Security Plans
FedRAMP: Expanded properties subsystem to add Label and Other Attributes fields (optional)
Causal Analysis Role - restricts creating, updating, and deleting a Causal Analysis to users with this role (who normally have specialized training)
Assessment Lines of Inquiry - multiple enhancements: Can dynamically add new lines of inquiry without a parent Assessment Plan and can apply multiple assessment plans
FedRAMP: Added validation to the deployment option selections if a FedRAMP SSP (flag based on FedRAMP ID # not being empty)
FedRAMP: Added "Under Major Modification" and "Other" status to components
FedRAMP: Added Explanation for Other status to components
FedRAMP: Expanded links to support external identifiers and attributes
FedRAMP: Security Plans added field for explanation for Other than Operational status
FedRAMP: Allows system role assignments at the Component and Control Implementation level (one to many)
FedRAMP: References now support optional description field and UUIDs
FedRAMP: Added Responsibility and Leveraged Authorization fields at the Control Objective level
POA&M checkbox for Issues under POA&M Info tab to indicate if the issue is a POA&M item
FedRAMP: Added all reference types allowed from FedRAMP to the References tab
Metadata - added ability to define external keys for metadata (allows for mappings, i.e. to FedRAMP/OSCAL values), metadata is now editable
Event Driven Architecture - added status changes and fixed several edge case bugs

Changed

Tech Debt: APIs cleaned up to remove logging fields (Created By, Date Created, Last Updated By, Date Last Updated)
Bug Fix: Improved validation for properties system on the server side
Lines of Inquiry - added ability to remove a line of inquiry from a given assessment
Tech Debt: Added many missing tables to the GraphQL layer
Bug Fix: Export of DOE SSP fixes special character issues
Bug Fix: FedRAMP Risk Exposure export will now display if any child items of the Security Plan has a risk associated to it
FedRAMP POAMs Export will now only export issues with the POA&M checkbox checked under POA&M Info tab
Bug Fix: Marking a security plan as "operational" makes key date fields required
Swagger: Brought documentation for the Threads endpoints up to standard
Bug Fix: Marking an assessment as "complete" marks newly required fields as required
Bug Fix: Marking a case as "complete" marks newly required fields as required
Bug Fix: Marking a causal analysis as "complete" marks newly required fields as required
Bug Fix: Marking a data call status as "complete" marks newly required fields as required
Bug Fix: Marking an exception status as "complete" marks newly required fields as required
Bug Fix: Marking an incident status as "complete" marks newly required fields as required
Bug Fix: Marking an issue as "complete" marks newly required fields as required
Bug Fix: Marking an interconnection status as "complete" marks newly required fields as required
Bug Fix: Marking an project as "complete" marks newly required fields as required
SECURITY: Hardened forgot password feature based on penetration testing recommendations
Bug Fix: Marking a project as "complete" marks newly required fields as required
Bug Fix: Marking a risk as "closed" marks newly required fields as required
Bug Fix: Marking a threat as "mitigated" or "eliminated" marks newly required fields as required
Bug Fix: Marking a policy as "active" marks newly required fields as required
Added "Risk Accepted" status option for control implementations
Change: "Partially Implemented" controls no longer require planned implementation date or steps to implement
Changed the way team data is displayed SSP export (Word format)
Moved SAP and SAR exports from Security Plans to Continuous Monitoring
Event architecture: Added interceptor to handle status and severity changes

[5.14.1] - 2023-08-18

Added

Org Chart Viewer - organization manager now lets you visually browse the org chart
BETA: New version of DOE SSP export released
SECURITY: Improved login experience for MFA and SSO users and hardened the process end to end (NOTE: Customers may want to test in DEV before rolling to PROD)
Security Plans - added version field
FedRAMP: Vulnerability system added to Continuous Monitoring
FedRAMP: Added multiple new fields to support SAR exports (Actual Finish Date and flag for Date Adjustment for Corrections)
Infrastructure to support unit testing

Changed

Bug Fix: Paging now works properly for Service Accounts, improved layout of page formatting
Security: NPM patching for vulnerabilities
Security: Service account tokens now hidden in the UI, added copy button for ease of pasting with CLI and Swagger
Improved RegML automated reviewer interaction with the control implementation form
Bug Fix: Change validation for required fields now works properly on edits
Bug Fix: Changing status to closed auto-sets % complete to 100 on saves and edits
Updated CIS/CRM export to include Security Plan Name, CSP Name, and Security Plan's impact level to the Instructions tab
Fixed incorrect logic for controls with an implementation status of "Not Applicable" in FedRAMP Test Case Procedures export
Bug Fix: FedRAMP Risk Exposure export will now display if any child items of the Security Plan has a risk associated to
Bug Fix: Custom fields only populate after save operation completes

[5.14.0] - 2023-08-16

Added

Risk Scorecard
Data Subsystem - stores raw JSON, YAML, and XML data for integrations
Questionnaire: Added electronic signature support
Questionnaire: Added new field types for Dates, Phone Numbers, and Emails
Process questionnaire rules after each question response and choice change
Added Questionnaires tab to the following modules to make it easier to navigate to associated questionnaires: Components, Policies, Security Plans, Supply Chain
Questionnaires: Added alerts for unanswered required questions within current section before leaving the current section
Questionnaires: Added support for linking directly to a specific page of a questionnaire
Questionnaires: Added updating browser's displayed to specific page of a questionnaire when user navigates with Next and Back buttons
Check to ensure the user is on a supported browser (Edge or Chrome)

Changed

SECURITY: Patching of core .NET packages
Improved validation and error handling for Control Objectives, Tests, and Test Plans
Bug Fix: Addressed issue where validation of control implementations did not match server and client side preventing being able to update a reecord in "Not Implemented" status
Bug Fix: Misconfigured/unavailable webhook endpoints yield better logging
Bug Fix: Drilldown links for the Fix Problems dashboard display a modal a list view with the same number of records as shown on the dashboard
Bug Fix: Assess Program dashboard modal links have list views that match the record counts shown on the dashboard
Bug Fix: Assessment-role users have access to the Tasks module
Bug Fix: When creating a system administrator with break glass account, system now checks config to make sure email is enabled before trying to send the email
Bug Fix: Questionnaires can be submitted without being logged in
Questionnaires: Navigating between questionnaire pages returns to the top of the page
Questionnaires: Responses now have a back button
Questionnaires: Rules are processed after each question response and choice change
Questionnaires: Assigned By and Block Layout toggle removed from assignee view of the questionnaire
SUPPORT: Added a new environment variable, "EMAIL_NO_TLS", to allow customers to disable TLS for email in legacy environments where it is not supported
Questionnaires: Submitter name for assignees outside of RegScale no longer required for submission
Bug Fixes: Fixed multiple bugs causing the FedRAMP Test Case Procedures export generating a corrupt Excel workbook

[5.13.0] - 2023-08-05

Added

Support for webhooks to listen for specific events in RegScale externally
Application Insights for SaaS monitoring and troubleshooting for Customer Success
Architecture implementation for event queues and distributed processing
Chart views have a checkbox to toggle auto-fitting of charts to the viewing region
Questionnaire instances can be reopened
Added email validation to bulk questionnaire assignment
Backend support for questionnaire instance history
Questionnaires: consolidated assignment functionality into a single screen
Questionnaires: responses now show as a tab under the questionnaire record
Questionnaires: now auto-generate a security token to provide access control protection for external users
(Beta) SSP export in Department of Energy (DOE) format
Support for Salesforce integration with issues for Case Management
(Beta) Admin tab for events to allow managing event topics and webhooks

Changed

Bug Fix: RegML Author button appears correctly based on tenant state
Bug Fix: Drilldown works correctly on the My Activity tab of the Workbench
Questionnaires: Can now be attached to any parent module (removed hard coding to Security Plans)
Questionnaires: Consolidated functionality into instance table (removed assignment table)
Questionnaires: Share link now opens in a new tab, added "Copy" icon
Bug Fix: Questionnaire response form no longer reports console errors
Bug Fix: Toast notification dismisses properly in Lightning Assessments
Bug Fix: Addressed console errors when viewing a continuous monitoring record
Bug Fix: Addressed RegML loading infinite loop when connection not found
Bug Fix: Analyze Risk functionality in Lightning Assessments creates a risk record
Bug Fix: Controls Author timeout increased to handle longer control implementation statements
Bug Fix: Causal Analysis Step 2 renders correctly in dark mode
Bug Fix: Target Risk Score field is required when creating a new risk
Bug Fix: Users can be readonly for some modules and have greater rights in other modules
Bug Fix: Chart views render correctly
Bug Fix: Swagger page loads correctly
Bug Fix: Outage Summary field displays in the cockpit if an outage is required
Bug Fix: Close button on Workflows slideout works correctly
Bug Fix: Controls and Implementations cannot be created without a parent
Improved user feedback for bulk-assignment of questionnaires via email
Improved performance of the recurrence components in Tasks, Assessments, and Data Calls

[5.12.0] - 2023-08-02

Added

Performance: Optimized all Angular queries to eliminate slowed performance over time and need to refresh the application
Questionnaire system supports grouping questions into sections
Questionnaire system supports creating rules that can show/hide questions and set/clear answers based on user-defined conditions
Questionnaire system Excel import supports multiple question types, required flag, section IDs, and question IDs
Questionnaire system sends emails to assigned recipients
Questionnaire system allows bulk assignment via Excel worksheet of recipients
Organization Hierarchy support
Properties endpoint to support batch updates
Ability to create a new Assessment Plan directly from the assessment record
Ability to auto-generate an issue from a failed Line of Inquiry on an Assessment Plan
FedRAMP: Added fields for "guidance" and "constraints" to parameters
Reports: Added Date Last Updated to the SPRS 800-171 Report

Changed

Dropdown lists are initialized from configurations and are populated through Angular caching (support work for dynamic data labeling)
UX: Improved data validation warnings across 34 different screens
Bug Fix: Questionnaire responses display information instead of a blank page
Bug Fix: Templates for FedRAMP Moderate and High include additional placeholders for Table 6-1 and 6-2
Bug Fix: Drilldown and Status board counts for issues on an SSP match
Bug Fix: Due date validation messages for tasks is easier to understand
Bug Fix: For interconnects, IP addresses are validated only if non-empty
Bug Fix: Assessment Plans list view displays correctly
Bug Fix: URL fields in Supply Chain records support automated testing
Bug Fix: Improved target risk score label in the Required Fields section when creating a new risk
Bug Fix: List of required fields for new issues works correctly when changing issue status
Bug Fix: Updated the Policies Controller such that Swagger loads correctly
Bug Fix: Outage Summary field for Change records is only required for completed changes
Bug Fix: Saved contents on the Lookups tab for Supply Chain records persist after page refresh
Bug Fix: Charts on Issues by Severity Level by Status report render correctly
Bug Fix: Changes module loads correctly
Bug Fix: Addressed task validation error with due dates in the past
Bug Fix: Fix for module name to re-display questionnaire responses in list view
Bug Fix: RegScale user list populates correctly on page refresh
Bug Fix: Deleting a questionnaire marks it as inactive
Bug Fix: Default question for a new questionnaire is auto-assigned a unique ID (QUID)
Bug Fix: Addressed some HTML formatting issues in the control test preview
Bug Fix: Questionnaire link in email points to the unique response
Change: Request Evidence is now the first option on the Lightning Assessment buttons
Change: User baseball cards now have a header and dismiss modal button
Change: Scorecard now shows % of controls assessed and % passing in Overall Compliance section
Change: Removed closed issues from the Status Boards
Change: Improved ability to handle unencrypted email via SMTP
Change: Component Status Board only shows components that are active

[5.11.1] - 2023-07-20

Added

Architecture support for feature flags
Update endpoint for the Scan History API

Changed

Bug Fix: Button colors for the Policy Template editor match the rest of the application
Bug Fix: Policy Template editor renders properly in dark mode
Bug Fix: FedRAMP SSP export handles missing controls and suppresses unnecessary errors
Bug Fix: Documents that are generated directly into the Files subsystem have the correct content format
Bug Fix: Method in Questions controller marked ignorable to Swagger

[5.11.0] - 2023-07-19

Added

Risk Assessment Wizard
Security: Login banner now forces the user to acknowledge the banner before proceeding
Scorecards are now the default view for existing records on organizers
CMMC Export for Components (uses inheritance)
Questionnaires support multiple choice, checkboxes, and dropdowns
Questionnaire builder supports required fields and question IDs
Continuous Monitoring - can add all controls with a single button click (supports initial authorization flow)

Changed

Moved Delete button further away from the save button to avoid accidental clicks
Removed Authorizing Official (AO), System Owner, and ISSO as required fields for SSPs
Improved user experience for the questionnaire response form
Bug Fix: Addressed data validation errors and labels throughout the application
Bug Fix: Addressed issue on SAR export
Bug Fix: Addressed issue where the clickable area of a button was sometimes too large
Bug Fix: Addressed new issue validation bug
Bug Fix: Addressed miscellaneous problems with issue counts between Status Boards, Scorecards, and Gantt charts
Bug Fix: Delete button now works on Teams and Tools tabs
Bug Fix: Removed duplicate close buttons on the dashboards
Bug Fix: Analysis button removed from Vulnerabilities tab for an asset record
Bug Fix: Questionnaires must have at least one question before being assigned
Bug Fix: Addressed issue where new SSO user button was not showing
Bug Fix: Security Profile module is available for users with Evidence, Projects, Policies, Security Plans, or Supply Chain
Improved user experience for the questionnaire response form
Remediated vulnerabilities from UBI build process
Bug Fix: Corrected typo on logged in alert message
Bug Fix: Password validation checks for new users show green and red appropriately

[5.10.0] - 2023-07-12

Added

Enterprise Risk: Added Risk Treatment tab to the Risk module
Enterprise Risk: Added Risk Action tab to the Risk Module
Enterprise Risk: Added fields for tracking timelines for conducting risk assessments of a risk

Changed

Reports: Added "All Time" as a filter to date ranges (pull last 10 years of data)
Questionnaire system supports submitting a questionnaire response
Questionnaire system allows assigning a questionnaire to a security plan
Bug Fix: Addressed issue with "auto-login" for SSO users after logging out
Bug Fix: Fixed edge case on login logic
Bug Fix: Service accounts can be deleted
Bug Fix: Addressed data validation issue on the client side for assessments
Bug Fix: Personal Access Tokens (PATs) cannot be created if the service account user cannot be created
Bug Fix: Fixed many validation issues on new records
Bug Fix: Security Plan tabs are hidden if the user doesn't have access to view the contents
Bug Fix: Corrected CSS errors and legacy code
Bug Fix: Corrected classification count in the subsystem (paging bug)
Issue Screening: Severity Level, Issue Owner, and Due Date lock after screening
Bug Fix: OSCAL FedRAMP SAP and SAR export options for Continuous Monitoring work as designed
Tech Debt: Reduced build warnings by 68%
Bug Fix: FedRAMP Risk Exposure export for Security Plans has applicable threats and mitigating controls/factors

[5.9.0] - 2023-07-05

Added

Issue Screening feature
Ability to generate tenant specific service accounts
Labels shown in dashboards are dynamic rather than hard-coded
OSCAL: SSP export - controls now export using the sort-id
FedRAMP: Control implementation now use the NIST Control ID v/s the RegScale primary key in the export
FedRAMP: Added planned implementation date and steps to implement for a control implementation
FedRAMP: SSP exports now support FedRAMP status settings and control originations
FedRAMP: System Roles now export in OSCAL for control implementations
FedRAMP: Control implementations now properly export statements (objectives) using the by-component OSCAL format
OSCAL: Attachments, Links, and Comments now export into the OSCAL SSP

Changed

Bug Fix: Corrected data validation problem on issues
Bug Fix: FedRAMP SSP responsible role field is populated by role instead of the owner name
Bug Fix: All required fields for SSP system roles are identified and validated
Bug Fix: Threat identified date cannot be in the future
Bug Fix: Policy preview works correctly when uploading a new template
Bug Fix: Lookahead view works correctly upon direct navigation by URL
Bug Fix: The spinner deactivates and a message is displayed if a list view query fails
Security: Added the ability to delete/revoke Service Accounts
Bug Fix: Validation errors message in Issues module appears correctly at the bottom of the page
Bug Fix: Issues Workflows dropdown in the Workflows subsystems supports scrolling
Bug Fix: Minor fixes in the FedRAMP Test Case Procedures export
Bug Fix: Confirm Account button for a new account works correctly
Enhancement: Scorecard font increased for table view
Tech Debt: Removed legacy issue severity level service
Security: Tightened up MFA login to only use the current code (removed the recent code grace period)
Bug Fix: Addressed issue with count being off 1 on Time Travel subsystem
Enhancement: Replaced colored shield icon with padlocks to indicate public vs access controlled records
UX: Validation errors now render inside of the alert v/s below it
Bug Fix: Long lists of user roles now properly render on the Workbench panel
UX: Assess button on Scorecard no longer switches sides on the card when toggling into Edit mode
Bug Fix: Addressed Mega-API error when exporting system roles for a control implementation
Bug Fix: Fixed grand totals column on the issues by severity report

[5.8.1] - 2023-06-29

Added

Changed

Security: Improved route trimming for the Global Admin
UX: Improved tenant setup experience for Community Edition customers
Improved system setup wizard (differentiates between Global Admin and System Administrator now)
Bug Fix: Lightning Assessment toggle for implementation and evidence has a default state
Bug Fix: Replaced bad link for Community Edition license registration
UX: Minor formatting and button alignment tweaks
UX: Addressed formatting on the user confirmation page

[5.8.0] - 2023-06-28

Added

Questionnaire system supports adding questions to a questionnaire
Assessment Plan Module with Lines of Inquiry
Lines of Inquiry experience for conducting checklist based audits using the Assessment Plan module

Changed

Tech Debt: Removed unused files from two code projects
Bug Fix: Added attribute to an API method so that Swagger loads successfully
Enhancement: Added button route information to support automated testing
Bug Fix: Security Plans' GET API returns a 404 response when there is no security plan by a given ID
Bug Fix: Importing a policy template Word document completes without a 500 error
Bug Fix: User is informed why a policy template preview is unavailable
Security: Nuget patching for vulnerabilities
Bug Fix: Homepage dashboards with little or no data render correctly
Bug Fix: List view of risks on Risk Dashboard has correct title/header
Bug Fix: Section headers for the Risk Score card on the Risk Status Board are aligned
Bug Fix: Better contrast on Analytics sidebar slide-out
Bug Fix: Organization page renders properly when navigating via direct URL
Bug Fix: Facility form in the Setup panel validates input
Bug Fix: Control Implementation form shows validation messages
Bug Fix: Improved validation on Variables and Secrets section of the Admin panel

[5.7.1] - 2023-06-21

Added

Changed

Fixed bug in FedRAMP Test Case Procedure export button not displaying
Security: Patching of Nuget packages for .NET
Bug Fix: Policy editor tab is hidden until a new policy is saved

[5.7.0] - 2023-06-14

Added

Basic questionnaire builder features (BETA)
Basic RegScale ML features (BETA - SaaS only)
FedRAMP: Added System Role to control implementations
FedRAMP: Added overlays to OSCAL SSP export in system characteristics
FedRAMP: Added new fields to assets for FedRAMP
FedRAMP: Added FedRAMP overlays to the inventory section of the SSP export
Gantt view now allows for adding issues directly from the UI
Lightning Assessment: added the parent, title, and description to the left panel
Ability to make an implementation option private so that it is not shared
FedRAMP: Excel export of test case procedures
Reporting: Adding Evidence Locker files to the Component & Security Plans Evidence Reports

Changed

Performance: Refactored breadcrumb/navigation system lookup to be significantly faster
Performance: Refactored subsystem lookup to be significantly faster
Bug Fix: Page titles in the Changes module match the module name
Bug Fix: Creating new configuration variables works as expected
Bug Fix: Login works even if the login banner is not defined (or blank)
Bug Fix: Addressed logout issue when session expires
Bug Fix: User is prompted about unsaved changes when navigating away from a form
Bug Fix: Crumbcake navigation dropdowns dismiss when clicking outside them
Bug Fix: Crumbcake level links correctly navigate to their target records
Bug Fix: Minor rendering issues on assets
Bug Fix: Addressed validation error for assessments
Bug Fix: Icon close window fixed
Bug Fix: In evidence locker, delete button is now hidden in readonly mode
Bug Fix: Addressed logo rendering issue on the Unauthorized page
Bug Fix: Paging now works on the Tenant list for the global admin account
Bug Fix: Addressed a date comparison issue in the Incident Response module
Security: Trimmed access to missed routes based on authorization
Security: Added route guards preventing the Admin account from accessing other admin pages they should not
Bug Fix: System Administrator list on the global admin screen can now longer see service account users
Bug Fix: Addressed edge case error on FedRAMP POAM exports
Bug Fix: Time Travel count in subsystem menu is now correct
Bug Fix: Control tests now sort by Test ID providing a better index for sorting
Improved issue and task validation checks

[5.6.2] - 2023-06-09

Added

Continuous Monitoring to Supply Chain
FedRAMP - added FedRAMP System Roles to the SSP and OSCAL export
FedRAMP - now auto-generates the default system component based on the SSP
Questionnaires System supports uploading an Excel-based questionnaire
Added functionality to highlight missing data in exports (currently only available with SAR export)

Changed

Bug Fix: Comments will now prompt the user to confirm before allowing a delete
Bug Fix: Addressed issues with assessing requirements using the Lightning Assessment
Enhancement: You can now dynamically add tests to a Lightning Assessment as part of Continuous Monitoring
Bug Fix: Calendar option removed from Modules and Features configuration screen
Bug Fix: Fixed SSO auto-login after logout (now must take an overt action to SSO back in)
Enhancement: Various improvements to login flow to reduce confusion and improve the UX
Tech Debt: Removed Datadog monitoring code from SaaS
Bug Fix: Addressed issue checking LDAP status for the 'admin' break glass account
Bug Fix: Addressed dual logo rendering on the change password page
Bug Fix: Fixed error with routing between pages for first time with the admin account login
Enhancement: Removed login link since the application auto-redirects the user if not logged in
Security: QR code now emailed to setup MFA; further protecting the QR code secrets
Security: Added a prefix for MFA to distinguish between multiple environments (DEV, QA, PROD, etc.)
Bug Fix: Risks dashboard shows the correct number of open and closed risks
Bug Fix: Files subsystem shows pagination controls

[5.6.1] - 2023-06-08

Added

Software inventory feature for hardware assets
Billing Utilization: Ability to pull daily access logs as an Admin on the Utilization panel

Changed

Bug Fix: SSO now properly supports new user thin provisioning
Bug Fix: Fixed validation checks on control implementations with a "Not Applicable" status
Improved OSCAL SAP/SAR export for FedRAMP
Security: Improved role checks with JWT tokens throughout user and RBAC service
Fixed errors in UBI docker image

[5.6.0] - 2023-06-07

Added

Multi-Factor Authentication (MFA) support for all local accounts using Google Authenticator
FedRAMP Security: Now recording the date of the last password change
FedRAMP Security: Now records the date a user account was de-activated
FedRAMP Security: Re-organized the login experience to hide details and improve the authentication flow
SSO flag to indicate whether user accounts are externally managed by a 3rd party SSO provider
Kanban: Now tracks original due dates for tasks and any associated date slides
Patching: UBI Docker image that has fewer vulnerabilities
New export experience for transforming compliance artifacts

Changed

Bug Fix: Selecting multiple options in Value to Search dropdown for advanced search works as designed
Bug Fix: updated SBOM workflow to work on GitHub runners
Bug Fix: Fixed legacy link to C2 Labs support email
Bug Fix: Change password button works as designed
Improved SAP/SAR exports for OSCAL - now version 1.04 compliant
Tech Debt: Removed legacy atlasity ids throughout the application
Enhancement: Improved Asset endpoint comments for Swagger (getAll, GET, PUT)
Removed duplicate asset tab on Components
Enhancement: Improved button layout for integrations in the Admin panel
Naming convention for Docker images has changed from regscale:ubi-VERSION to regscale-ubi:VERSION as well as regscale-rocky:VERSION

[5.5.0] - 2023-05-31

Added

Workflow to automatically update the CHANGELOG on ReadMe.io when a new release is created
Workflow to automatically update the version on ReadMe.io when a new release is created
FedRAMP: Added security policies to the Admin panel (BETA feature)
Contingency Planning roles to cyber team responsibilities
BETA: Added SAR export to Word

Changed

Bug Fixes: Fixed console errors when loading the Context Viewer
Bug Fix: OSCAL exporter now works properly on Security Plans
Bug Fix: Evidence locker now accepts an update frequency of zero
Bug Fix: Operational SSP key date validation works as designed
Bug Fix: Continuous Monitoring instructions supports lengthier text
Bug Fix: Corrected issues on the Home Page dashboard
Bug Fix: Continuous Monitoring instructions can now handle long text
Bug Fix: Various improvements to inheritance UI
Bug Fix: Corrected date validation issues on the SSP
Tech Debt: Corrected various namespace issues in the controllers
Enhancement: Evidence locker now displays which controls are already selected
Enhancement: Evidence locker now allows hitting enter to search v/s having to press the button
Improved standards support for OAuth configuration of tokens

[5.4.0] - 2023-05-24

Added

Controls, Issues, Risks, and Assets tabs added to organizers
Refactored the Lightning Assessment experience within Continuous Monitoring
Evidence Locker - added fields (Evidence Owner, Update Frequency, and Last Evidence Update)
Evidence Locker now tracks owner and update frequency requirements - added to the Workbench for accountability tracking
Evidence Locker - uploading new evidence now automatically updates the Last Evidence Update field

Changed

Performance: Optimized indexing across modules to improve DB query performance
Bug Fix: Fixed weird logo rendering when logging in with break glass account
Re-arranged tabs on Security Plans for ease of data entry
Bug Fix: SortId added to control implementation filter API
Bug Fix: YAML upload works as designed
Bug Fix: Child record drop-down in the crumbcake nav dismisses when the user clicks outside of it
Bug Fix: Evidence Locker now looks up parent component in addition to parent security plan when doing bulk mapping
Bug Fix: License check validation improved to do a "soft" cap on users
Bug Fix: Lightning Assessments now validate that all tests have a valid result before saving
Bug Fix: Lightning Assessment failed tests now require a gap to be identified
Bug Fix: Manual assessments now correctly apply a compliance score
Bug Fix: All fields now correctly set defaults when saving manual assessments
Bug Fix: Addressed compliance calculation issues with Inherited controls
GraphQL: Added the Reference table to the graph

[5.3.2] - 2023-05-19

Added

FedRAMP: Added user logout alert

Changed

Security: Patched all NUGET libraries for .NET
Bug Fix: Addressed issue with CLI config API
Bug Fix: Removed analytics sidebar for GlobalAdmin
Performance: Optimized SBOM query to find all entries for an asset
Bug Fix: Improved change detection and fixed errors on several Angular pages
Bug Fix: Sort ID now properly set for a control on catalog import
Bug Fix: Classification system paging now works properly
Bug Fix: Evidence icon now renders properly in light mode
Bug Fix: Addressed issue with trying to save an objective without selecting an option

[5.3.1] - 2023-05-18

Added

Asset Cloud Identifiers for AWS, Azure, and GCP

Changed

Labeling: Security Checklist visualization now says Risks Remediated v/s Risks Mitigated
Added "Not Reviewed" to Security Checklist status options
Bug Fix: "Today" button for the date picker works in dark mode
Enhancement: "Dismiss" text for toast notifications is green
Bug Fix: Control Implementation now displays correctly when no objectives or parameters

[5.3.0] - 2023-05-17

Added

Improved UI for Inheritance and Control Mappings
Added ability to better document controls at the Objective level

Changed

Security: Performed some API hardening
Tech Debt: API controller class/files names match endpoints visible in Swagger
Bug Fix: Child records that are the same type as their parents render correctly in the crumbcake navigation
Bug Fix: Toast notifications work correctly in the Evidence Mapping Wizard
Bug Fix: Percent of issues closed on time is correctly computed on the Fix Problems dashboard
Bug Fix: Save button for editing user profile works properly
Bug Fix: "Other" status for security plans displays correctly in the status bar
Bug Fix: Security Plans Dashboard drill-down modals display correctly
Bug Fix: Security profile mapping renders correctly in dark mode

[5.2.2] - 2023-05-12

Added

Changed

SSO Bug Fix

[5.2.1] - 2023-05-12

Added

Changed

Privacy Impact Assessment (PIA) form streamlined based on customer input
Bug Fix: Refresh now works properly with the counters on the Evidence Locker
Buttons and badges are styled consistently
Fixed styling of the Risk Status Board for dark mode
Bug Fix: Added null-check before validating the CLI configuration
Tech Debt: Project and solution files simplified to not compile unused code

[5.2.0] - 2023-05-10

Added

FedRAMP System Roles added to the Security Plan
Automation admin panel to allow the CLI configuration to be saved securely in the RegScale database
Evidence Locker System
Description (Requirement Text) added to tailored SSP template and parameters replaced in description
- If replaced, parameter is bold; if no parameter exists, parameter tag is highlighted
Categorization Justification added to tailored SSP template

Changed

Bug Fix: Fixed issues with usernames that have a capital letter in them
Bug Fix: Print view for Security Plans shows correct child record counts; also displays spinner when loading security control implementations
Bug Fix: The status bar has consistent arrow usage and a status indicator for active records
Bug Fix: Assignment link within emails navigates to the correct URL
Bug Fix: Usernames are not case-sensitive.
Bug Fix: Redirecting to a page after login works correctly.

[5.1.2] - 2023-05-05

Added

New risk scoring fields to the Risk module

Changed

Renamed all Azure AD labels to OAuth SSO
Bug Fix: Addressed Red Hat UBI build issue
Added UPN support for SSO with Azure AD

[5.1.1] - 2023-05-04

Added

New APIs for querying Supply Chain records
Categorization justification to the Security Plan module

Changed

Bug Fix: Fixed chart alignment for iPad
Bug Fix: Errors when connecting to LDAP
Big Fix: Pagination works correctly in the Files subsystem

[5.1.0] - 2023-05-03

Added

Outage Summary field to the Change Management module
Updated eMASS Software List sheet and mappings
Control Source and Exclusion Justification to Control Implementations
Home page sidebar is expandable/collapsable
Issue Status by Owner and Security Plan and Issue Status by Owner and Component reports have charts; those reports also default to all dates

Changed

Fixed warning on scope for renewing OAuth tokens
Bug Fix: Search works properly for Security Control Implementation and Scorecard
Tech Debt: Eliminated legacy calls to pre-load the old home page
Bug Fix: Improved chart queries and fixed various errors
Bug Fix: "Show More" button on the newsfeed is enabled/disabled properly
Bug Fix: Custom color theme works properly for multi-tenancy
Bug Fix: Form input left and right padding increased to accommodate scrollbars to prevent focus state border from being cut off
Bug Fix: Top nav buttons stay present when going from dashboard to any other page
Bug Fix: Overall status for Component dashboard calculates percentage correctly
Bug Fix: Users can properly log in after access token expires
Bug Fix: User Management System correctly shows added roles for a user
Bug Fix: User Management System correctly shows existing roles for a user
Big Fix: Drilldown modals from the dashboards show a close button

[5.0.1] - 2023-04-27

Added

Improved Lightning Assessment formatting for Dark Mode
Hover effects for My Activity and Notifications icons

Changed

Bug Fix: Tweaks to home page
Bug Fix: Technical POC on Exceptions now shows as a required field
Bug Fix: Corrected problem where issues may not save correctly
Bug Fix: Removed duplicate export option on SSPs
Truncated Lightning Assessment scoring
Removed console.logging on login
Improved validation for Security Plan FedRAMP Authorization status
Removed redundant "Close" buttons in modals
Multiple minor tweaks to Dark Mode formatting
Bug Fix: Addressed some issues with drilldown on Causal Analysis

[5.0.0] - 2023-04-26

Added

OAuth Identity Provider Support for Bring Your Own Identity (BYOI) and SSO
Ability to support sending unauthenticated SMTP email
Redesigned Home Page
Dark Mode
Changed GraphQL timeout to 60 seconds; added Initialize on startup for faster first queries
Redesigned the Lightning Assessment System
Added eMASS Hardware and Software list to Security Plans

Changed

Bug Fix: Organization Manager and Reports modules redirect to the login page if the user isn't authenticated
Updated logic for eMASS POAMs Export on SSPs to populate the milestone columns when no milestones are associated with the issue
Bug Fix: Policy Editor now hidden until the record is saved
Bug Fix: Children of Change Management records now correctly inherit RBAC permissions
Bug Fix: SecurityPlanId field for Issues is now properly assigned on creation
Bug Fix: Workflow now allows for formatted content in the comments field
Bug Fix: You can now create multiple custom fields with the same name if they are in a different tenant
Multiple enhancements and bug fixes to the security checklists for assets
Added warning on delay time for the Password Reset token
Bug Fix: OSCAL SAP & OSCAL SAR exports are available for Continuous Monitoring
Policy editor enhancements to utilize the Files subsystem for faster loading of large Word documents
Bug Fix: Ports and protocols now properly map in the SSP export

[4.26.3] - 2023-04-20

Added

FedRAMP: improved classification markup in OSCAL, added internal/external user counts
FedRAMP: Added support for Leveraged Authorizations
Security: Added SHA-256 Hashes to File Uploads
Vulnerabilities can now be associated with Assets
Asset Check Visualization
Improved drilldown into charts along with performance improvements throughout the application
Security control implementations have two independently scrollable content panes for Control Context and Configuration

Changed

Bug Fix: Modal dialogs from within the dashboards and crumbcake navigation now dismiss when navigating to the home page, status boards, modules, reports, or notifications.
Bug Fix: Fixed the SBOM pipeline
Bug Fix: Fixed issue where eMASS POAMs export was not handling special characters in issue description during export
Bug Fix: Modal for the file hash in the Files subsystem renders and closes correctly
Bug Fix: Catalog - FindbyGUID API now works properly
Bug Fix: RBAC inheritance now works properly throughout the application
Updated the warning on Control Inheritance (supports external Leveraged Authorizations now)
Bug Fix: Drilldown for some dashboard charts has been restored
Bug Fix: Policies can now be properly saved

[4.25.0] - 2023-04-12

Added

FedRAMP Automation overlays to SSP OSCAL export
FedRAMP E-Authentication levels to the System Security Plan (SSP)
FedRAMP Authorization Process flows
Spinner when loading large Asset SBOM files or when pulling SSP Status Board issues

Changed

Privacy Impact Assessment (PIA) data is now included in the SSP OSCAL export
Bug Fix: Exceptions can now be added to issues and risks
Bug Fix: Control tests now show properly as a Tab on assessments
Bug Fix: Addressed issue where group manager sometimes would not refresh group name after a change
Bug Fix: Addressed issue where Add User modal would not launch for a new user in a group
Bug Fix: Addressed issue where validation message would sometimes be off the page for Privacy Impact Assessment
Bug Fix: User avatar on side strip now navigate to user profile
Bug Fix: Generic SSP export updated for edge case issues on export

[4.24.2] - 2023-04-06

Added

Tenable ID field under integrations for Assets

Changed

Both the implementation statement and cloud implementation statement are now written to the Implementation Overview of the tailored SSP export
Bug Fix: Crumbcake navigation modal now closes when clicking on the app logo, My Activity, Notifications, and user profile menu
Bug Fix: Changes to generic SSP export

[4.24.1] - 2023-04-05

Added

Changed

Bug Fix: Fixed periodic export issue with generic SSP in Word
Bug Fix: Labels fixed on PIA Module
Bug Fix: SBOM workflow uses the correct internal URL
Bug Fix: Gantt charts now show for components
Replaced Azure AD with OAuth integrations panel
Provided a more friendly gnome graphic for control assessment failures

[4.24.0] - 2023-04-04

Added

Privacy Impact Assessment (PIA) Module
Security checklist queries via GraphQL
Improved signaling on Gantt charts plus the ability to toggle between Gantt and List Views
Importing policy templates from Word docs
Export tailored (generic) SSP in Word format
Qualys ID field for Assets under Integrations
APIs for batch creation and update of Security Checklists

Changed

Bug Fix: Gantt chart visualizations now sort by date and only show open issues
Improved signaling on the Scorecards for control status
Bug Fix: FedRAMP POAM export no longer highlights cells non-empty cells
Bug Fix: Several minor enhancements to the new Change Management module
Bug Fix: Gantt chart visualizations now sort by date
Bug Fix: Print view no longer includes icons from left nav
Bug Fix: Save button is available when creating a new supply chain
Bug Fix: Compliance visualization modal now properly dismisses

[4.23.0] - 2023-03-29

Added

Supply Chain Identifiers
Change Management Module
Endpoint to validate RegScale token
CMMC: Added Information Owner role to Teams system and Management Type to Assets
FedRAMP POAM Export
FedRAMP Risk Exposure Export
Asset Owner added to the MegaAPI for Security Plans
CUI SSP Export in Word format for NIST 800-171 (security plans only)

Changed

Increased size of toolbar options (e.g., save, delete)
Bug Fix: Enterprise utilities now properly show/hide based on license
Bug Fix: FedRAMP CIS/CRM Export - added FedRAMP High Template for Security Plans with a High overall categorization
Removed TestTimeout API
Fixed typos on eMASS SAP/SAR template
Tech Debt: Organized FedRAMP and eMASS template files into better structure
Added logging for SBOM workflow script
Bug Fix: Pressing Enter in search no longer toggles form to readonly mode
Bug Fix: Console errors no longer occur for custom fields
Bug Fix: Components tab for Assets module now accessible for Asset Users
Bug Fix: Gantt Chart tab correctly displays for Organizer modules
Bug Fix: Fixed issue where sometimes a new asset could not be saved
Increased button spacing on the toolbar to support touchscreens (e.g., iPad)

[4.22.0] - 2023-03-21

Added

Changed

Bug Fix/Tech Debt: Added many missing fields to search and consolidated search field lookup
Bug Fix: Fixed styling on icons in Threats module
Bug Fix: Validation messages now show properly in the Threats module
Bug Fix: Addressed issues on time travel revert
Bug Fix: Interconnects - fixed IP address validation issues

[4.21.2] - 2023-03-19

Added

Enhancements to risk form and process flow indicators

Changed

Bug Fix: Objective/Parameter Order Fixed

[4.21.1] - 2023-03-18

Added

FedRAMP: Continued improvements to the handling of parameters

Changed

Bug Fix: Addressed issues with modals

[4.21.0] - 2023-03-15

Added

FedRAMP: Exported FedRAMP SSP now directly attaches to the file system for download
Improved the overall Parameter user experience

Changed

Bug Fix: Removed bad link to old registration form (broken during website migration)

[4.20.2] - 2023-03-09

Added

FedRAMP: Address and company fields to the user profile

Changed

Performance: Increased timeout to 5 minutes for long running jobs (i.e. FedRAMP SSP export)
Performance: Refactored SSP Word export to reduce build times, improved document formatting

[4.20.1] - 2023-03-09

Added

Assets: Added fields to fully support FedRAMP Inventory workbook

Changed

Bug Fix: Code behind errors fixed on forms
Bug Fix: Addressed styling issues on export buttons and added missing export options
Security: Enhancement for email encryption
FedRAMP SSP: Added more logging, interconnections, ports and protocols

[4.20.0] - 2023-03-08

Added

New Home Page navigation bar on side panel and discrete routes for dashboard analytics
New toolbar added to forms, utility UI consolidated into new design
Tenant Id added to the JWT providing for more efficient API calls
Security: Added support for TLS 1.2 for sending email using FIPS approved services
Improved error handling and logging for all form saves/updates
Fine grained access control per API call to accomodate Read Only use cases
FedRAMP: Detailed logging to Mega API and FedRAMP exports to help troubleshoot environmental issues
eMASS: SAP/SAR Export

Changed

Bug Fix: Fixed bug showing option to create child security controls directly under security plans (forces through Builders)
Security: Now refreshes the server side user cache after any change to a user role
Bug Fix: Improved formatting on Personal Access Token
Bug Fix: Formatting on Security Plan print improved
Bug Fix: Addressed issue where sometimes RBAC editing would not be properly enabled
Bug Fix: Addressed issues with readonly permissions throughout the application
Bug Fix: Import catalogue parameter UUID if it exists when importing catalogues
Performance: Fixed slow loading speed with large numbers of security controls
CSS: Fixed deprecated style tags
Enhancement: Ports and protocols data added to Interconnects in the MegaAPI
Enhancement: Display catalogue date imported
Enhancement: Import catalogue parameter default if it exists when importing catalogues
Security: Container patching for Linux Alpine image
Bug Fix: Addressed periodic date rendering issues throughout the application
Improved completeness of FedRAMP SSP export
Fixed rendering issues on Status Board spacing
Bug Fix: Fixed import issues on UUID and default parameter values

[4.19.1] - 2023-03-03

Added

Theming system selecting custom colors throughout the application
Longer timeouts for doing FedRAMP exports to accomodate large jobs

Changed

Bug Fix: Interconnects can now be created under Security Plans
Scorecard now defaults to using the SortId field for ordering controls
Bug Fix: Sort ID now used by default in profile mappings

[4.19.0] - 2023-03-01

Added

Improved formatting of Catalog print page along with adding more information (parameters, objectives, and tests)
Digitized the FedRAMP Low, Moderate, and High catalogs using FedRAMP resolved catalogs
Additional filtering options to the scorecard controls (customer responsibility)
Added rollup by control family to the Scorecard visualization
Built out additional FedRAMP and eMASS automated exports

Changed

Security: Red Hat UBI and Rocky Linux patching
Catalog print now sorts by "sort-id"
Security: Improved validation of user data when creating a new user
Improved data validation in all back end controllers
Improved export file names to include object title, module, and RegScale record ID
Added indentation to the downloaded catalogues (JSON)

[4.18.2] - 2023-02-24

Added

Changed

Bug Fix: Corrected issue where sometimes eMASS exports can become corrupted in Excel files
Bug Fix: Improved validation and error handling for FedRAMP exports

[4.18.1] - 2023-02-22

Added

Cloud implementation field for Control Implementations - supports Hybrid cloud use cases
Security Checks capability to Assets
Parameters on security controls can now accept default values
Support for eMASS POAM export

Changed

Bug Fix: Fixed typo Security Plan Cloud tab
Bug Fix: Options now refreshes objectives when a new one is created
Bug Fix: Periodic issues with corrupting Word exports
Tweaked CI/CD pipeline files and added GitHub templates
Security: Fixed an issue related to Azure AD SSO deactivation
Security: Last login now properly stored for SSO users

[4.18.0] - 2023-02-21

Added

STIG fields to issues (Security Checks and Recommended Actions)
Cloud fields added to SSP metadata to support FedRAMP
FedRAMP fields added to Interconnect module
Dynamic Policy Authoring Capability
CMMC Enhancements - loaded 800-171A objectives and tests to the catalog
Support for Australian ISM catalog (leveraging our OSCAL importer)
Control status strip to the Scorecard
Mega-API - added Teams and References

Changed

Bug Fix: Addressed alignment issues in the compliance visualizer
Bug Fix: Addressed issue where sometimes the vertical scrollbar on the page would not reach the last field
Bug Fix: Close button now works properly on lightning assessments
Bug Fix: Improved status coloring in the compliance cockpit
Bug Fix: Creating components from SSPs now works properly
Bug Fix: Security controls can now be edited without errors
NPM security patching
Refactored and consolidated the Continuous Monitoring experience in the application
Rearranged the control implementation form to streamline data entry and intelligently render the UI based on objectives and parameters being available

[4.17.0] - 2023-02-15

Added

API support in Readme.io with example code for testing API code in 20+ languages
Control Context Viewer
Interconnect information is now returned as part of the SecurityPlan Mega-API
FedRAMP Preparation fields and tab to the Security Plans module
Components and SSP Evidence reports

Changed

Bug Fix: You can now properly search within Explorer list view tables
Security: Patching of all NUGET packages for .NET
Objectives now show parameters values for control implementations
Bug Fix: OSCAL SSP now properly exports all control implementation data
Improved layout and token explanation on the user profile page
Simplified "My Profile" side panel text and display
Added sorting and indexing to improve control display and retrieval

[4.16.1] - 2023-02-09

Added

Changed

Hot Fix: Issue page loading (missing migration)

[4.16.0] - 2023-02-08

Added

Crumb Cake Navigation
Added SortId to Security Controls (allows for custom sorting algorithms for catalogs such as NIST)
Adverse Condition reporting to Issues Module
Added ability to import and export Classification Types (published 800-60 options on the website)
Continuous Monitoring records now have an editable form for metadata
Ports and protocols to FedRAMP SSP Export

Changed

Moved up Risk Dashboard toggle button
Bug Fix: Duplicate components can no longer be added for an asset
Bug Fix: Security Controls paging now works correctly in list views
Bug Fix: Add New user button now works correctly
Group names are now editable
Tech Debt: Refactored group service and improved security
Bug Fix: Fixed issue with loading Categorization profiles
Bug Fix: Improved validation for creating implementation options on a security control

[4.15.1] - 2023-02-03

Added

Control Owner added to Security Plan Mega API
Improvements to subsystem intra-system navigation
Support for linking issues to Microsoft Defender for Cloud
Pagination to Classified Record Subsystem
Added risk and issue drilldown to the Status Boards

Changed

Tech Debt: Angular 15 upgrade along with multiple NPM package updates, security patching
Bug Fix: Fixed issue where sometimes the spinner would not load or dismiss
Bug Fix: Fixed periodic rendering issues with the Time Travel system
Bug Fix: Removed Date Created column on Service Account queries
Bug Fix: Back arrow now works on navigation strip for control implementations
Bug Fix: FedRAMP and eMASS exports now only show on the appropriate modules
Bug Fix: Security Plan print and Transformer now working properly
Bug Fix: Paging now works properly on Classification
Bug Fix: References field now properly displays on Security Controls

[4.15.0] - 2023-02-02

Added

Support for Rocky Linux containers
FedRAMP Export to Word SSP (BETA)
"Archived" as a status for Control Implementations
Unified Subsystem UI for easier navigation between systems

Changed

Bug Fix: Fixed issues exporting OSCAL related to Time Travel
Bug Fix: Added server side validation to the license key
Bug Fix: Risk tabs now show the correct related modules
Bug Fix: All related tabs now properly check for duplicates
Bug Fix: All related tabs have been refactored to work with the Read Only toggle
Security: Disabled password reset and password change for AD/LDAP users
Implementation options are now set at the control level v/s the objective level
Security: Removed Bearer token from the UI, no longer displays
Bug Fix: Pagination now works properly with multiple grids on the same page
Bug Fix: Fixed edge cases where Time Travel was not rendering properly

[4.14.0] - 2023-01-25

Added

New Inheritance Engine supporting many to many architecture

Changed

Bug Fix: Charts now format properly on the security plan print form
Bug Fix: Recurrence engine now works properly for assessments
Bug Fix: My Activity now formats and pulls data correctly
Bug Fix: Expiration date now displays properly for Interconnects
Bug Fix: Components mapping now shows valid security plans in the picklist
Bug Fix: Lineage tab now properly pulls all Inheritance data
Bug Fix: History system now properly records all view events
Enhancement: Improved documentation linking system
Enhancement: Explorer is now more resilient to data issues and renders properly

[4.13.0] - 2023-01-18

Added

OSCAL - supports "by-component" markings on SSP controls now
Refresh button for notifications
Upgraded all .NET Core SDK and Nuget packages to .NET 7
Completed major UI redesign
Refactored forms and list views to reduce duplicate code and improve quality
Added server side auditing to all records in RegScale
Added support for Azure Key Vault for SaaS secrets
Added higher performance Role Based Access Control (RBAC) on the server side
Added Properties subsystem
Added stricter validation to server side for ParentId and ParentModule to support API integrations
Added method for purging logs (used by the CLI) and improved indexing on Log queries
Expanded Exceptions module - added Technical POC, Risk Analysis, and Mitigations to the form
Read-only views for all modules; ability to toggle into Edit view
Expanded response plan fields/data in support of the Incident Response module
New References system to support FedRAMP use cases
Security Plans - added Purpose and Conditions of Approval
New risk fields to support automated FedRAMP exports
New threat fields to support automated FedRAMP exports
FedRAMP methodology fields to Continuous Monitoring
Significantly expanded the assessment module to support larger scale audit needs
Team system for tracking teams and points of contacts for various applicable modules
Milestone system added for tracking key dates on projects, assessments, issues, etc.
Conditions system added for tracking assumptions, deviations, and constraints
GraphQL system for dynamic data querying
Tools system added for conducting assessments with automation (supports FedRAMP)

Changed

Bug Fix: Modals on reports are now formatted properly
Bug Fix: Catalogs no longer duplicate subsystems in the JSON export (50% file size reduction)
Updated End User License Agreements (Enterprise and Community)
Transformer feature is now hidden when no mappings exist
Bug Fix: Transformer modal for mapping now properly maintains state, eliminated duplicate code
Bug Fix: Transformer now properly renders on the Security Plan printable form
Modal styling improved throughout the app
Bug Fix: Risk Assessment Wizard now properly resets all fields when creating new
Bug Fix: Component Mappings now checks for duplicates
Bug Fix: Improved validation for the assessment result
Bug Fix: Relationship modal issues are now fixed
Bug Fix: Database seeding now properly timestamps tenant creation
Bug Fix: Incident module now appropriately disables in the App menu without role
Removed subscription/poller that updated notifications to improve application performance
Removed support for Windows container builds, now Linux only
Bug Fix: Fixed security setting blocking Azure AD SSO popup window
Improved alert system styling while adding ability to dismiss
Multiple performance optimizations for list views
Bug Fix: Control Implementation API - QuickUpdate now works in Swagger
Bug Fix: RBAC checks now enforced on Delete operations
Dramatically improved performance for cascade delete operations
Bug Fix: Improved the ability to delete (cascading) records throughout the system with higher efficiency
Refactored print services for better quality of reporting
Bug Fix: Fixed multiple errors with missing/incorrect links in emails
Optimized dashboard rendering and toggling between years
Expanded responsibility list for controls to meet FedRAMP requirements
Cutover links to new documentation system at README.io
Added warning when creating custom fields that they cannot be deleted
Redesigned dashboard UI
Improved performance of backend calls to minimize network traffic
Security patching and upgrades of all .NET Nuget and NPM packages to the latest versions
Updated process for publishing Helm charts
Improved build times for CI/CD pipeline, cleaned up legacy code
Improved logging and checks for startup environment variables

[4.12.2] - 2022-11-29

Added

Changed

Hot Fix: SSO login fix

[4.12.1] - 2022-11-11

Added

Improve Azure Object storage support
SBOM generation added to CI/CD pipeline

Changed

Removed all legacy Sentry.io monitoring code (using Datadog for SaaS)
Bug Fix: Resolved security control preventing OSCAL download
Removed OSCAL validation from RegScale code, now done by CLI
Updated Kubernetes managed service installation instructions
Bug Fix: Causal analysis now displays properly in the Explorer
Security: Patching of NPM vulnerabilities (fixed critical)

[4.12.0] - 2022-11-02

Added

Added support for Microsoft Defender via CLI/APIs
Software Inventory Tracking
Many additional fields for asset tracking
Added support Azure blob/object storage
Added Datadog Application Performance Monitoring (APM) for SaaS
API for filtering issues by integration type
Added support for Software Bill of Materials (SBOM)
PrettyJSON print functionality with dark mode
Security.txt record for security researchers to contact RegScale for vulnerabilities (https://securitytxt.org/)

Changed

Patched Kendo libraries, Angular, TypeScript, and other libraries
Bug Fix: Fixed catalog spinner not disappearing when import is completed
Security: restricted sensitive API calls
Security: Enabled Content-Security-Policy
Tech Debt: Stored CSS files locally to prevent need for internet access
Removed Google Maps feature - now supported via external Business Intelligence reporting
Refactored System Configuration UI
Bug Fix: corrected issue where Tenant ID may not be properly set for a new user in a tenant
Security: added server side checking for User Profile edits to prevent account spoofing
Security: comment metadata is now set server side
Security: Limited LDAP logging to avoid exposing sensitive information
Performance: Improved indexing for returning logs in the admin panel

[4.11.0] - 2022-10-22

Added

Increased logic, cascading, and logging for deleting security plans
New APIs to support the Reminder CLI
OSCAL: SSP Export upgraded to support 1.0.4 version
OSCAL: Added support for exporting inventory
OSCAL: Now exports all SSP properties
OSCAL: Comments are now exported as remarks
OSCAL: Attachments and links are now exported as links
OSCAL: Objectives are now exported as statements
OSCAL: Added generic method to export all properties of an object in OSCAL format, enriched data in the export
OSCAL: Added specific validators to prevent errors in the export

Changed

License check is now performed pre-login
Bug Fix: Fixed legacy Atlasity tag on email notifications
Improved performance of bulk deletes on subsystem records
Bug Fix: Security profile importer now has the correct label
Bug Fix: Categorization no longer shows the toolbar options (print, email, etc.)
Security Patching: Nuget and NPM

[4.10.1] - 2022-10-16

Added

Changed

Bug Fix: Routing for risk assessment wizard
Bug Fix: Parent linkage for risk assessment wizard
Enhancement: Improved risks assessment UI when no controls are available

[4.10.0] - 2022-10-15

Added

Risk Assessment Wizard
Reminder APIs to support the CLI
OSCAL Version 1.0.4 enriched for SSP model

Changed

Patched Telerik libraries with latest upgrades and bug fixes.
Added timer and progress spinner to catalog upload (useful for long uploads (i.e. for 800-53))
Bug Fix: properly redirects after login
Security: Password reset must always be done server side now.

[4.9.2] - 2022-10-02

Added

Billing/Utilization system
Improved error handling for file uploads
Task reporting

Changed

Added way to revert inherited controls back to a default status if done by mistake
Archived controls can now be found when looking up a control implementation's parent security control
Time Travel system now removes HTML tags and properly formats text for display to the user
Bug Fix: Kanban now properly resets status when moving from "Closed" to "In Progress"
Group list is now sorted alphabetically and permissions were relaxed for READ operations
Workflow: Selecting a workflow now auto-closes the modal in the subsystem

[4.9.1] - 2022-09-26

Added

New assessment reporting

Changed

Bug Fix: Password buttons are now hidden for AD/LDAP users
Bug Fix: Filter tasks now works properly on the list view

[4.9.0] - 2022-09-25

Added

Access Logs added to User Admin Panel
AD/LDAP Distinguished Name is now inferred v/s explicitly set on login (supporting a wider variety of configurations)
Centralized Avatar component used throughout the application
Security Plan Mega API to pull all details and pre-format for processing
Additional details now print on the Security Plan:
- Objectives
- Parameters
- Attachments
- Comments
- Links

Changed

Added ID tags to all home page elements to support automated E2E testing
Added default alert if a user logs in without any roles assigned
Bug Fix: Tweaked alerts for creating System Admininstrator in the Admin Panel

[4.8.3] - 2022-09-22

Added

Password complexity component to centralize business logic
New multi-tenant management experience
Distinguished Name field for customizing AD/LDAP sync functionality

Changed

Bug Fix: Tenant manager now redirects properly to the Admin form for new tenant setup
Improved formatting/spacing for license info

[4.8.2] - 2022-09-19

Added

Now able to enable/disable the email feature in RegScale
Copy component - for easily copying and pasting info to the clipboard

Changed

Improved error handling for detecting invalid or malformed JSON uploads for a catalog or profile
Bug Fix: Now prevent Chrome autofills on Email form
Security Enhancement: All email now requires authorization to send
Bug Fix: Catalogs now correctly set the UUID
Enhancement: Added fallback to try and find a control by ID when importing a profile (more resilient)

[4.8.1] - 2022-09-12

Added

Ports and Protocols tab to Interconnects
Increased SQL Timeout for Long Running Jobs
Ability to edit links
Refactored security plan print to pull more data

Changed

Bug Fix: Fixed minor formatting issues on Look Ahead and New Form Cockpit
Minor color and styling tweaks throughout the application for issues
Enhancements: Inheritance now only displays security plans for selection with one or more inheritable controls
Mnor improvements to fonts/styling throughout the application
Bug Fix: Continuous Monitoring now logs properly to history
Bug Fix: Login "admin" check is no longer case sensitive
Tenant form now defaults to the User view in the IAM panel

[4.8.0] - 2022-09-05

Added

Support for Exporting/Importing Profiles via OSCAL in RegScale
Redesigned Master Assessment/Continuous Monitoring System
Improved UX for managing Users
Gantt Chart - now supports toggling for a List View
Added new risk fields - Title/Unique ID and Risk Tier
API for retrieving license info (used by RegScale-CLI)
Login now captures history of logins by users
Added a guided/interactive walkthrough for Admins to setup RegScale
Added a Setup panel for Admins to guide progress for initial system setup
Refactored catalog upload to be more performant and resilient for large catalogs (i.e. 800-53)
Spinner added to Logs page when looking through large amounts of data
AD/LDAP Sync now shows directory attributes to assist in mapping, refactored and improved UX
Added ability to deactive/delete all AD/LDAP users for the Global Admin account
Lightning assessments now prompt you to create tests if none exist

Changed

Bug Fix: RMF mapping features are now properly locked to enterprise
Bug Fix: Service accounts no longer show in the User Role assignment list
Bug Fix: Bulk editing security controls now works properly
Bug Fix: Inherited controls now properly show in the wizard for security plans
Bug Fix: Added try/loopback logic on catalogs (avoids intermittent network errors on very large catalog uploads)
Bug Fix: Master catalogs are now locked to Enterprise Edition
Bug Fix: Mapping conversion panel now dismisses the modal
Bug Fix: Notifications can now be properly disabled in the Admin panel
Bug Fix: Modal for AD/LDAP sync now renders properly
Bug Fix: Tested and fixed all catalog import/exports
Bug Fix: OSCAL Profile exports now work properly
Consolidated all export functionality to simplify code
Added Excel export option to tables in reports
Improved design of headers within the Admin panels
Components can now use the Continuous Monitoring feature

[4.7.2] - 2022-08-28

Added

Admins now have the ability to manually change a user's password

Changed

Bug Fix: AD/LDAP sync now properly shows/hides based on enabling/disabling the feature
Bug Fix: Administrators can no longer change other user's profile pictures
Bug Fix: Several options for configuration now properly disabled for the Global Admin account
Bug Fix: Categorization header on the modal now formats properly

[4.7.1] - 2022-08-24

Added

Changed

Inheritance engine now only allows inheritance of Security Plan controls that are flagged as inheritable
Bug Fix: Navigation panel now properly pulls the correct controls in all situations

[4.7.0] - 2022-08-23

Added

Inheritance Engine
Lineage Tab now shows inheritance info

Changed

User ID is now copyable to the clipboard on the User Profile
Replaced Bootstrap Modals with Angular Material
Multiple minor enhancements to reporting
Fixed bug with strange characters sometimes showing in Kendo UI
Added CISA KEV as a Threat Type
Bug Fix: Project builder now properly links to profiles
Bug Fix: CMMC fields now properly show/hide
Bug Fix: Fixed periodic errors fetching a user ID

[4.6.1] - 2022-08-12

Added

Ability to delete Custom Reports on List Views
Added multiple new reports for Issues/POAMs
Added support for Red Hat Universal Base Image (UBI) containers for RegScale
Added support for publishing RegScale containers to Amazon Container Registry
Redesigned Look Ahead system on the main dashboard
Added Azure Sentinel SIEM/SOAR monitoring for managed service customers

Changed

Issue Report by Date Range - can now show/hide details
Refactored list views to remove unnecessary services
Bug Fix: Drilldown for assessments, issues, and risks on the Status Boards now pulls all data regardless of what level it is stored
Bug Fix: Categorizations can now be properly exported
Refactored reports based on customer feedback, added minor new features

[4.6.0] - 2022-08-02

Added

Categorization Engine MVP
News Feed Redesign for the Main Dashboard
eMASS Exports

Changed

Added custom icons for the modules in the navigation menu
Added missing module toggles for Components and Catalogues
License check now trims whitespace to avoid copy/paste errors
Bug Fix: Fixed issue with non-OSCAL naming convention not showing objectives
Bug Fix: Made "Name" a database required field for Security Profiles
Bug Fix: Icons now load correctly without a 3rd party pre-loading NPM package
Bug Fix: Assessment charts now render correctly on list views
Bug Fix: Supply Chain Status Board - chart rendering issue
Bug Fix: Replatformed icons to remove NPM package and work with Angular 14
Bug Fix: Fixed search on Requirements Navigation Bar

[4.5.1] - 2022-07-07

Added

Improved Control Status visualization across Status Boards and Scorecard
Ability to describe the mitigation type for a control for a risk (Key Control or Compensating Control)
Master Assessment now allows the user to select specific controls to assess in support of continuous monitoring programs
Status Boards now pull deep-linked issues and risks for a more complete compliance picture (matching the Scorecards)
Optimized startup file configuration
MVP of Risk Status Board

Changed

Fixed coloring on Status Board aggregate view for control status
Bug Fix: Security controls can now be edited
Bug Fix: Wrapped Serilog in try/catch to ensure it doesn't block new installation startup
Renamed Master Assessments to Continuous Monitoring
Refactored status board logic to be more efficiently rendered, multiple minor bug fixes
Consolidated SSP and Component status boards into one
Consolidated compliance scoring for status boards and score cards
Master Assessments now can be scheduled for components
Added Draft as a Risk status
Added Validation to do NULL checks on strings

[4.4.4] - 2022-06-22

Added

Now supports dynamic OSCAL content authoriing for objectives and parameters
Parameters now inherit from their parent catalog
Added advanced logging support via Serilog
Added support for parsing and dynamically updating OSCAL parameters in the control implementation module
Added SignalR for real-time communications on notifications (removed polling)
Added Route Titles in Angular
Addded Logs tab to the Admin panel to improve Customer Support experience
Added notification toast when classification options are saved/removed
Added a new "toast" system for notifications using Angular Material
Deep linking to Jira tickets for Issues/POAMs
Component name now shows on control implementation list view
Database rearchitecture in Entity Framework to allow multiple database support
ServiceNow integration
"Inherited" option for a Control Implementation status

Changed

Bug Fix: Page now refreshes after editing license key
Username and password are now trimmed of whitespace to avoid paste errors
System service-account no longer shows in the user list
Fixed CSS on user role tables
Bug Fix: can now create a component from a SSP
Implemented AsNoTracking on all read queries to improve query performance against the database
Removed legacy logging system
Removed blank status option for Requirements
Bug Fix: Controls can no longer be added as children to Assets (only to their parent Components)
Suppressed false errors on Angular build
Removed legacy Jira code (now bulk processes in CLI)
Refactored to fix FirstOrDefault inconsistency bug
Assessment buttons now intelligently show/hide based on the state of the form (isDirty)
Fixed critical alerts from Sonarqube
Security Plan Status Board now properly reflects all status options for a Control
Bug Fix: Progress calculation on control navigation strip now excludes NA and Inherited from total

[4.3.0] - 2022-06-05

Added

Deep linking for Wiz.io issues in RegScale
Enhanced container error logging for LDAP issues
Control navigation bar in the Control Implementation and Requirements forms
New Assessment and Naviations System UX for Controls/Requirements
Added support for AWS Simple Email Service (SES)
Added mouse hover effect for Status Board links
Angular 14 upgrade
Ugraded CI/CD deployment process - removed legacy pipeline files
ServiceNow Integration for Incidents

Changed

Improved signaling for Volpe integration (better handles errors on Volpe side)
Improved threat data validation
Security Plan Print - now shows additional parent control fields
Security hardening, patching, and remediation from penetration tests
Added a spinner to the Password Reset to visualize progress
Bug Fix: Multiple drilldown issues fixed on Status Boards
Bug Fix: Component to Asset mapping is now fully bi-directional
Security: All Nuget .NET packages patched and updated
Removed legacy/inefficient AI code
Security: NPM upgrades/patching of packages
Caching bug fixes on tenant form
Bug Fix: Data Call - fixed missing toasts
Bug Fix: Security Controls - Control ID is now sortable

[4.2.0] - 2022-05-30

Added

Deep linking URLs to support SSO use cases
eMASS fields added to the risk form
Risks and Issues can now be tightly related for improved risk modeling
Risks and Incidents can now be tightly related for improved risk modeling
Risks and Threats can now be tightly related for improved risk modeling
Modules now have a label tag in the Compliance Cockpit for ease of module identification
Threats - now have a "Date Resolved" field
Compliance cockpit now has a tooltip showing the full title for longer length titles

Changed

Bug Fix: Interconnects modules now display correctly
Interconnect form - conditionally shows red asterisks for date fields
Security Plan form - conditionally shows red asterisks for date fields
Risk from - conditionally shows red asterisks for date fields
Security - Password reset token can now be used only once (formerly were good for 24 hours - now will expire in 24 hours or upon first use)
Enhanced formatting of Compliance Cockpit
Added a tooltip to Transformer to explain "Master" catalog
Incidents module now has a new Forensic tab
Threat module has a new Analysis and Mitigations tab
Risks - "Mitigation Effectiveness" is now a required field

[4.1.2] - 2022-05-26

Added

Changed

Bug Fix: Objective options now save and refresh correctly
Bug Fix: Avatars now can be changed without refreshing the page

[4.1.1] - 2022-05-25

Added

Enhancements to Issue Reporting

Changed

Bug Fix: Report page renders properly
Bug Fix: SPRS drilldown on View link

[4.1.0] - 2022-05-23

Added

Enhancements to Toast System
Enhanced Custom Field validation
Assets can now be mapped to many components
Components can now be created stand-alone (not required to be a child of a security plan)
Components can now be mapped to many security plans
Can now load default tests from the catalog into control implementation tests (templates from the catalog to feed Lightning Assessments)
Added spinners when building artifacts using the Builder Wizards to show progress
Objectives tab on control implementations now shows/hides based on parent catalog
New top navigation system to better organize modules
Unit testing framework to support automated testing
Wiz integration for Assets
Report - Issues by Time Range - query and see status of closing issues/POAMs due in a given time range, grouped by issue owner
Explorer now shows the Level flag for better visual indication of the tiering
Added logging and spinners to better show progress when importing and deleting catalogs

Changed

Bug Fix: Can now add Assets to Components
Bug Fix: Asset mapping APIs are no longer hidden
Profile mapping engine now shows IDs of the parent catalogue
Bug Fix: Fixed intermittent bugs on Component and Project Builder Wizards
Refactored assessment services for performance optimization
Bug Fix: Fixed naming convention on Excel download files
Trivy was added to the container build as a second vulnerability scanner for defense in depth
Startup file was refactored to be more efficient on launching the application
Improved logging to detect intermittent upload errors with catalogs
Bug Fix: Avatars render properly on user admin forms
Bug Fix: Added null check for custom fields on security control form
Bug Fix: Subsystems now show properly on security control forms
Bug Fix: Catalog export now excludes archived controls

[4.0.3] - 2022-05-11

Added

Changed

Bug Fix: Removed Avatars on Excel downloads
Bug Fix: Improved error handling for catalog uploads
Bug Fix: Corrected intermittent issues with custom fields

[4.0.2] - 2022-05-10

Added

Changed

Fixed POAM tab not showing
Improved RBAC logging for access control issues

[4.0.1] - 2022-05-09

Added

Changed

Improved hide/close button on builders (always shows)
Questionnaires now have a BETA tag
Cleaned up legacy Print, Email, and Export code
Bug Fix: Errors on Project Builder
Build optimizations on backend
Supply Chain tables now sort correctly by Title
Create New stakeholder button now shows/hides when displaying the data entry form
Updated SPRS Report CMMC Links
Password confirmation now supports additional special characters
OSCAL download now working correctly
Bug Fix: Fixed error where numbers were sometimes converted to dates by the Time Travel system

[4.0.0] - 2022-05-08

Added

Redesign of the Compliance Cockpit and RegScale form system
NGRX for client side caching and extreme front-end performance improvements
Updated Support Links to the new RegScale Hubspot system
Component Builder

Changed

Refactored all Builder code
QA: Added validation to Supply Chain cost fields (contract value, funded amount, and actual costs)
Reordered case management form to be more logical for data entry
Fixed user button label
Various minor bug fixes from Sonarqube
Section 508 improvements
Minor bug fixes and enhancements throughout the application
Updated and improved icons and styling
Date check bug fixes throughout the forms

[3.13.0] - 2022-04-25

Added

Catalog import/export now include child tables
API to retrieve a specific service account
API to rename a system security plan
Integrations for Security Plans with Wiz Projects, ServiceNow Assignment Groups, Jira Projects, and Tenable Asset Groups

Changed

Bug Fix: Printable version of control implementation now works
Updated verbiage in the Time Travel system
Control tests can now be batch created
Scorecards are now properly locked to Enterprise Edition customers
CSS: Explorer now shows link cursor for child items
Rebased to master to pickup CI/CD changes
Bug Fix: Transformer mappings now work properly on the security plan print form

[3.12.0] - 2022-04-20

Added

Added ability to exclude components from SPRS report
Added account lockout features (5 bad passwords disables the account)
Added a Close button for the Explorer modal

Changed

Bug Fix: Subsystems now show correctly on control implementation form
Bug Fix: Prevented API calls that were throwing errors when unauthenticated
Bug Fix: Can now delete tasks from the Kanban board
Bug Fix: Control Implementations now render properly for emails
Bug Fix: Added validation for Draft issue status
Bug Fix: Security Plan Print now works properly

[3.11.1] - 2022-04-19

Added

Changed

Hot Fix: License count now calculates correctly on login

[3.11.0] - 2022-04-18

Added

SPRS Rollup Report available for NIST 800-171 (rolls up score for SSP and all child components)
Control Implementation - Navigation buttons now check for changes before allowing navigation away from the page (Next and Previous buttons)
Added Mediatr pattern for improved testability of C# code
Catalog Import/Export now processes child records of the security control (objectives, parameters, tests, CCIs)

Changed

Bug Fix: Fixed View Model for Control Implementations - dramatically reduced data query size
Controller optimization for improved API performance at scale
Bug Fix: Gantt chart queries now execute exponentially faster
Bug Fix: Gantt chart hidden for new records
Bug Fix: License key generator fixed after Node.js patch
Bug Fix: System configuration now listens for license key changes and updates after saving

[3.10.0] - 2022-04-13

Added

Added support for DISA CCIs to support STIG scanners
Added support for classification banners in the header/footer of the application

Changed

Bug Fix: Licensed user count no longer counts deactivated users
Exceeding licensed user count no longer prevents login, just throws a warning

[3.9.0] - 2022-04-10

Added

Added Cancel button when editing RegScale system configuration
Added Parts to Objectives to support OSCAL modeling
Added Parameter Types to Security Controls (extension to OSCAL for improved automation)
Added Parent Parameter to Control Implementation parameters (allowing inheritance from a catalog's parameters to better align with OSCAL)
Added API to retrieve all Objectives for a given catalog

Changed

Bug Fix: Corrected issue with generating new license keys after patching CryptoES
Bug Fix: "Other ID" on Control Objective is no longer required
Bug Fix: Removed datetime checks on required fields in C#, removed compiler warnings
Bug Fix: Fixed loop logic in ApplyProfile C# API
Bug Fix: Security Control subsystems now listen for changes when navigating
Improved formatting and labeling of security control objectives

[3.8.0] - 2022-04-06

Added

API for applying Security Profiles via API
Extended Issues/POAMs module to support all FedRAMP fields
Added support for the CISO Known Vulnerability Exploits feed

Changed

Bug Fix: Inheritance of objectives on the SPRS report is fixed

[3.7.4] - 2022-04-04

Added

Changed

Security Plans now hide Gantt Chart and Ports/Protocol tabs until the record is saved
Refactored security plan builder to work more efficiently and consistently, removed redundant code
Builders: View profile links now work properly and open in a new tab
Builders: Now close consistently after clicking finish
Added server side validation for Case management status/date resolved

[3.7.3] - 2022-04-02

Added

Changed

Bug Fix: Control implementations now search properly in the Relationship module
Bug Fix: Multiple enhancements to the SPRS report

[3.7.2] - 2022-03-30

Added

Security - forced patching of the base image prior to initial build

Changed

Minor bug fixes to builders
Changing an Implementation Option now changes the status of all related Objective option selections
Bug Fix: Component Statusboard now pulls issues from all levels
Tweaked CI/CD build and release files
Minor Sonarqube bug fixes

[3.7.0] - 2022-03-28

Added

New UX for builders for:
- Policies
- Security Plans
- Supply Chain
- Projects
Added Sonarqube Cloud source code scanning
Added additional fields to the user object:
- ExternalId - for syncing with external accounts (i.e. Active Directory)
- DateCreated
- LastLoginDate
- Read-Only Flag
Improved User Experience for Scorecard

Changed

Cleaned up CI/CD pipeline files
Added API to pull a simple list of user accounts (with no sensitive data)
Removed legacy Cypress testing to reduce file size of the build
Added API to support bulk syncing of Azure AD groups

[3.6.2] - 2022-03-16

Added

Views can now be toggled between SSP and Component on the SPRS Report for NIST 800-171

Changed

Toggle now available to show objectives in a printable form for each control on the SPRS Report for NIST 800-171

[3.6.1] - 2022-03-14

Added

SPRS Report - bug fixes and added logging to show missing objectives

Changed

Created View/Create models to simplify the APIs for creating and updating Profile Mappings
Bug Fixes: Minor tweaks to Component Dashboards and Gantt charts
Bug Fixes: Profile mapping not showing in the API list

[3.6.0] - 2022-03-10

Added

Subsystem redesign of the UX
New SPRS scoring report for NIST 800-171
Categorization functionality to RegScale to better support control selection for overlays
Issue Gantt chart functionality for visualizing issues/corrective actions
Component Dashboard

Changed

Bug Fix: Fixed security plan builder issue where some controls improperly showed redundant
Bug Fix: Comment alerts on delete are more intuitive.
Bug Fix: Link alerts on delete are more intuitive.
Bug Fix: Comment alerts now work on creating a new comment.
Bug Fix: File system deletion alerts are now green v/s red on success.
Bug Fix: Subsystem now hides until loaded.
Bug Fix: Classified records now wrap properly in the subsystem.
Fixed rebasing issues across branches

[3.5.0] - 2022-02-24

Added

Aggregate APIs for pulling bulk data visualizations in external data visualization tools
Explorer now auto-expands the current record and shows/hides the sneak peek if you are already on the record
Requirement form now shows the parent control if it exists in the Regulations tab
Component Status Board
Lineage and deep linking added for Assessments and Risks (previously just on issues)
Aggregate queries added for external data visualization

Changed

Bug Fix: Main dashboard for security plans now loads with no data (checks for null first)
Bug Fix: LGPL license now points to RegScale
Bug Fix: Form labels now display correctly for change password, password reset, and confirmation pages
Bug Fix: Added validation to prevent the maximum length of a Requirement title from being exceeded
Requirement form reorganized to show/hide fields based on whether it has a parent control
Bug Fix: Child issues and assessments now showing correctly on the Policy Status Board

[3.4.2] - 2022-02-17

Added

Added UUID info for the user on the workbench
Reformatted user profile page

Changed

Hotfix: Issue External ID queries refactored for non-null set
Bug Fix: Spinner updated for OSCAL export for security plans
Bug Fix: CSS styling on Workbench

[3.4.1] - 2022-02-16

Added

Changed

Hotfix: Issue External ID queries refactored for null set

[3.4.0] - 2022-02-15

Added

Improved user caching to make more consistent
New dashboards/home page design
Ability to link issues to multiple records/tiers for ease for querying and reporting
Issues can now be related at multiple layers for ease of querying/reporting, to include:
- Control Implementations
- Assessments
- Requirements
- Security Plans
- Projects
- Supply Chain
- Policies
- Components
- Incidents
Added a bulk processor API to issues to allow the RegScale CLI to do bulk conversions for customers with legacy data
Project, Security Plan, Supply Chain, and Policy Status Boards redesigned and improved UX

Changed

Subsystems - close button made smaller and moved to the top to avoid visual confusion with Save button
Time Travel UX refactored to work better in a modal view
All Find by "External ID" APIs on issues now return multiple records instead of a single (Prisma, Wiz, ServiceNow, and Jira)
Added method to show plural name of modules in the Module Service
Improved Login styling
Bug Fix: Fixed issue where spinner would sometimes not dismiss on session timeout from the login page
Bug Fix: Parent ID and Module now passes correctly to the new record creator
Bug Fix: Editing security controls now works properly
Bug Fix: Catalogs now corectly display metadata
NPM package updates for vulnerabilities
Fixed footer links to point to RegScale.com and updated EULAs and Privacy Policy

[3.3.1] - 2022-01-25

Added

Kanban view optimized to be in a modal view

Changed

Added configuration to slow down monitoring endpoints
Removed legacy Cucumber testing tags on the List Views
Bug Fix: Lightning Assessment sliders now work again
Bug Fix: Kanban drag and drop now works correctly/consistently

[3.3.0] - 2022-01-23

Added

Copy token button added to user profile
Health monitoring system added for RegScale
Add multiple new layers to the Security Control model for OSCAL to improve the UX:
- Implementation Options
- Test Plans
- Control Objectives/Enhancements
- Parameters
Added spinner to Transformer to show that it is still processing for larger data loads
Objectives can now be assessed at the control implementation level
Added the ability to categorize risk through various lenses
Added support for Risk Trending
Added level of effort for Tasks and Issues to help with resource loading
Added CMMC Asset category to components and assets

Changed

Bug Fix: errors with date filters pulling on the dashboards
All dashboards are now driven by a year selection
Added more options for Security Plan and Control Implementation Status
Bug Fix: Requirements and Security Controls now parsed correctly in Explorer
Bug Fix: Subsystem Reload after Save
Bug Fix: Health check stylesheet now served properly within a container deployment
Classification levels can now be archived from the List View
Ports and Protocols: default end port to be the same as the start port
Changes to ports and protocols now are logged in history
SSP OSCAL export now provides more control implementation metadata

[3.2.0] - 2022-01-04

Added

TreeView visualization to Explorer - accordion expansion
Volpe Threat Modeling Integration - MVP 1

Changed

Bug Fix: Formatting on system configuration
Changed favicon to new RegScale logo
Optimized all images for faster browser loading

[3.1.1] - 2021-12-23

Changed

Bug Fix: Fixed .NET Core bug with IIS 6

[3.1.0] - 2021-12-19

Added

Added support for Volpe Risk Modeling integration
History table is now sortable and filterable
Drilldown is now available on all charts

Changed

Bug Fix: Fixed formatting on Lightning Assessment Header
Bug Fix: Eliminated security risk on password reset
Improved visualization, sorting, and filtering on My Activity and the News Feed
Improved button layout for user management
Email service improved with better logging/validation

[3.0.6] - 2021-12-13

Changed

Bug Fix: .NET Core Optimizations

[3.0.5] - 2021-12-10

Changed

Bug Fix: Removed legacy wait-for-it script, made SQL startup more resilient

[3.0.4] - 2021-12-10

Changed

Bug Fix: Bash optimization for multi-stage build

[3.0.3] - 2021-12-10

Changed

Bug Fix: Added bash back to the Linux container

[3.0.2] - 2021-12-10

Changed

Bug Fix: Permission error on wait for it.sh file

[3.0.1] - 2021-12-08

Changed

.NET Core Version 6 upgrade including all Nuget packages
Container hardening and upgrades

[3.0.0] - 2021-12-05

Added

Rebranded from Atlasity -> RegScale
New form system design with three columns and floating toolbar
Tenable.sc integration
Jira integration
Ability to model control implementations by responsibility (i.e. provider, customer, shared)
New Overall/Master dashboard for home page
Requirements now support Lightning Assessments
Scorecard now implemented for Projects, Supply Chain, Components, and Policies
Angular 13 upgrade
Loading spinnners added for sending emails
Security Controls can now be exported
Add labels to drill down charts on the List Views
Added links to online documentation
Header to dashboard

Changed

Improved the loading spinner implementation when fetching data
Dashboard filters can now be toggled on/off
Security Plan status board now has tabs to toggle between individual and aggregate views
Bug Fix: Fixed issue with incorrect lookup of catalog title on Transformer
Bug Fix: Copying a requirement no longer copies last assessment result
Bug Fix: Policy Status Board now calculates 'Not Assessed' status correctly
Bug Fix: Service Accounts are now properly locked as an Enterprise feature
Supply chain module can now track actual costs
Project module can now track actual finish date
All spinners are now consistently styled
Removed legacy PWA code
Refactored to remove a large amount of redundant code
Profile mapping moved into a tab v/s subsystem
History visualization now shows by default and has labels
Cause Code Tree is now in its own tab
Upgraded Kendo UI for Angular packages to the latest
Security patching of NPM packages
Bug fix on Requirement controller
Updated routing to allow for more efficient copying
Profile Mapping User Experience enhanced
Fixed periodic rendering issues on history visualization
Swagger API cutover to RegScale branding - no impact to customer integrations/routes
Bug Fix: Fixed RBAC errors on default settings (parent inheritance working again)
All Builders/Wizards have the UI/UX refactored
Scorecard now defaults to showing open issues v/s total
Bug Fix: eliminated double API calls to the subsystem
Bug Fix: requirement module now correctly pulls control tests

[2.4.0] - 2021-10-11

Added

Enriched data model for Catalog OSCAL export
Supports namespaces for OSCAL
Ports and protocol support added for Assets, Components, and Security Plans
Azure Active Directory (AD) Single Sign On (SSO) Support
Integration dashboard for improved ease in managing integrations
Added ability to generate Personal Access Tokens (PATs) to support Service Accounts that can be leveraged for API automation
Added integration with MITRE Security Automation Framework (SAF) via Inspec/STIG profiles using OSCAL
Indicators to grids to better indicate sorting functionality
Master assessments now allow you to visualize the individual assessments that make up the overall score
Added support to generate OSCAL SAP/SAR documents from Atlasity assessments
Improved dashboard visualizations including stacked bar charts
Profiles now display info for Control Ids and and Catalogs

Changed

Bug Fix: Check for null on Login Banner
Bug Fix: OSCAL Security Plan export handles null dates
Bug Fix: OSCAL Catalog export handles null dates
Lightened N/A CSS on the Security Plan Scorecard
Bug Fix: Fixed memory leak to unsubscribe on notifications
Replaced Chart.js with Telerik Charts - improved UI
Replaced eCharts pie charts with Telerik Charts - improved UI
Improved UI for Security Plan Print - added Catalog data
Improved UI for Security Scorecard - added Catalog data
Added "Automation" fields to assessments to support OSCAL and integrations
Improved labeling around risks
Bug Fix: Control Id is now sortable
Default styling changed for form focus
Workbench impersonation renamed
Custom fields now show a default view when no fields
Bug Fix: Some fields were not sorting correctly and have been fixed
Bug Fix: Copy security control did not copy control type
Bug Fix: Deactivated users can no longer log in
Moved custom fields to a tab on the component form
Custom fields all moved into the tabbed interface
Bug Fix: Copy security control did not copy control type
Bug Fix: Catalog print now correctly displays all controls
Back button only prompts warning if data has changed (form is dirty)
Login now redirects to the dashboard as the Home page
Bug Fix: Control implementation sorting now works in the grids
Security: Added a flag to allow the warning banner to be bypassed for security scans

[2.3.0] - 2021-09-12

Added

Validation to .NET controllers and simplified Create/Update APIs
Security profiles can now be printed and emailed
Added Login Banner capability that can be customized by tenant
Added Privacy Police notice to the footer of the application

Changed

Removed ElasticSearch integration
Added ability to toggle on Sentry.io monitoring with an environment variable for .NET Core
Removed Angular Sentry.io monitoring (not useful)
Bug Fix: Workflow enabled for cases
Bug Fix: Notification link now works for questionnaires
Bug Fix: Pivot table visualization works for cases
Bug Fix: Toasts now correct when creating a new organization
Bug Fix: Component print and email now works

[2.2.3] - 2021-08-31

Added

Integration fields for issues (JIRA, ServiceNow, Wiz, Prisma)
Classification subsystem
New tenant auto-seeds picklist metadata
Indexing for Relationships module to improve performance
Indexing for Classified Records to improve performance
Indexing for Events/Timeline to improve performance
Indexing for Workflow to improve performance
Indexing for Cases to improve performance
Additional features and functionality for OSCAL exports of Security Plans and Components

Changed

Patched JWT Nuget package to address security vulnerability
Updated Telerik PROD License Key
Fixed legacy CSS issues with / and moved to math.div
Upgraded to Angular 12.2
Added Step indicator to recurrence wizards
Added server side data validation and API simplification for assessments and issues
Custom fields now print
Added warning when creating a custom field that data type cannot be changed
Added properties to parameters for OSCAL

[2.2.2] - 2021-08-24

Added

Scorecard now shows modal for open issues

Changed

Added Control ID to show on the control implementation form
JWT tokens now expire in 24 hours instead of 2
ControlId added to Transform Mapper
Transformer now refreshes controls when the base control changes
Fixed duplicate IDs on the catalog form
Fixed bug where child issues were not always pulling correctly on the Scorecard
Fixed bug to default printable if security control type is undefined
Security groups are now sorted for RBAC
Lightning assessment always refreshes when closing the page now
Fixed CSS styling on date picker controls
Added CSS styling to show N/A controls are excluded from Scorecard calculations
Fixed bug where control type was not being set properly when loading a new catalog

[2.2.1] - 2021-08-17

Added

Security Plan Scorecard
Added Wizard interface for Assessments, Data Calls, and Tasks Recurrence

Changed

Bug Fix: All events on the status board are now processed correctly when hovering over the heat maps
Uploading files now generates a toast to confirm the upload
Softened colors on the Security Plan Status Board
Bug Fix: Bulk edit of control implementations now works properly
Bug Fix: Last Assessment hover fix
Improved tooltips on the Status Boards
Bug Fix: Updated date formatter based on NPM library update

[2.1.3] - 2021-08-06

Added

Case Management Module
Added mapping flag to catalogs as a visual indicator
Enhanced date picker added throughout all modules
Improved data validation prompts
OSCAL: Inheritable flag added to control implementations (used for leveraged authorizations)
Transformer feature now shows mappings in the UI
Builders now track linkages between profiles and the records they create (OSCAL)
Dashboards now have pageable/filterable grids
Catalogs now have links to the source OSCAL file that generated them
All modules have an API to be queried by custom fields

Changed

Bug Fix: Catalog title is now a required field via the API
Performance - rewrote the export JSON functionality
Bug Fix: Logic was broken on show/hide mapping wizard
Bug Fix: Confirmation email link now works
Bug Fix: Registration link now works
Bug Fix: Removed deprecated Service Account API
Bug Fix: Can now delete catalogs and security controls with mapped controls
Added warning when trying to map a catalog with no controls
Risk matrix removed hard coded thresholds
Bug Fix: Date picker popups now work in modal windows
Catalog and security controls are now archived versus deleted
Bug Fix: Setup now shows for Global Admin on Community Edition
Bug Fix: Menu options now hidden from the Global Admin account
Angular 12.1.4 minor upgrade and various npm package upgrades
Bug Fix: Get all controls by security plan query was not always accurate, fixed lookup
Bug Fix: Fixed sporadic bug where lightning assessments sometimes would not create for general users
Bug Fix: Kanban not showing tasks on workbench
Kanban button colors are now white
Bug Fix: Tasks on workbench now reset correctly with impersonation
Bug Fix: Kanban now shows profile pictures again
OSCAL validation no longer prevents downloads - just throws warnings

[2.0.2] - 2021-07-19

Added

Added Record Level access control to all modules
OSCAL export functionality for Security Plans, Catalogs, Profiles, and Components with AJV schema validation
Each Atlasity instance now has a unique GUID tied to its license for improved Software Assurance
License is now checked on login and access is enforced based on license validity
Upgraded WYSIWYG Editor
Recurrence Engine - now allows preview and group assignments
Performance - major improvements to query performance on list views

Changed

License key management - Community Edition locks after 30 days and requires a license registration
License now managed only at the Global Admin account, removed on Setup page
Added support for Stored Procedures for SQL performance optimization on the backend
Bug Fix: Org list not shown when creating users using the Global Admin account
Added password validation when creating a new user
Bug Fix: Domain now set properly on login
Multiple backend performance improvements (query optimizations)
Minor bug fixes and improvements
AI for issues now driven by a button click instead of defaulted for performance reasons
Bug Fix: All licensing now set from Admin panel versus environment variables
Bug Fix: Catalog export now working
Added Control ID to security control list view

[1.6.1] - 2021-06-06

Added

Added Risk Mitigation module to map controls to risks they mitigate
Added Control Mapping matrix visualization
Component module with OSCAL export functionality
Added builders to components and flowed down to assets (with visualizations)
Date graphing throughout the application
Kanban Task Board feature enabled for all modules

Changed

Assets can now be mapped to many components
Assets now have tabs to organize the form
Provided a GUI for adding/managing control parameters
Angular 12 upgrade
Swapped crypto-js library for crypto-es (TypeScript friendly)
Cleaned up NPM vulnerabilities
Updated NPM dependencies, removed unneeded packages
Bug Fix: Domain lookup now functions properly under all circumstances

[1.5.0] - 2021-05-07

Added

Added Project Status Board
Added Supply Chain Builder
Added Project Builder
Added Policy Builder

Changed

BUG FIX: Security plan delete now works and removes control tests and results

[1.4.1] - 2021-04-30

Added

Master Assessment feature (schedule many assessments at once)
Relationship Manager for many to many linking of records
Lightning assessments now support links, comments, and attachments

Changed

Reformatted Quality system on control implementations
Lightning Assessment feature now hidden when there are no tests created
BUG FIX: Lightning Assessments works properly again for a single assessment
BUG FIX: Delete button works again for assessments
BUG FIX: Toggle off for Supply Chain and Policy now works

[1.3.0] - 2021-04-17

Added

Questionnaire Module
Added metadata fields to Control Implementations
Added tabs to Control Implementations UX
Added quality management to Control Implementations
Added Risk Maturity Tier to Security Plans
Added filters to the Calendar for user (default), facility, and org
Google style search bar added to all modules
Added Control Tests to each Control Implementation for Enterprise Customers
Added Lightning Assessment Functionality
Added a new API to pull all child records for a given security plan in a single call

Changed

Controls now show in the preview box for the security plan builder
Bug Fix: Search bar formatting improved for CSS
Added reset to search on Security Plan Status Board

[1.2.0] - 2021-03-30

Added

MD5 checks and enhancements for Time Travel
AI Engine built for issue recurrence analysis
Refactored reporting engine page
Added summary info to the Security Plan module
Enhanced pagination support for large data sets
Added export functionality for all modules (JSON format)

Changed

Bug Fix: Handled null records on Time Travel and improved formatting
Bug Fix: Org pivot tables now work when visuallizing records in lists
Fixed width of user table in the Admin panel
API key merged into the User Profile versus a separate page
Bug Fix: Corrected calculation error on the DOD 171 self-assessment scoring
Added divider between catalog controls on printable form
Re-organized catalog print page
Bug Fix: Hide control implementations until save on security control form
Enhancement: Moved action buttons on user form to the left to prevent scrolling off page
Security Control weight now accepts decimals; not just integers

[1.1.1] - 2021-03-21

Added

Persists login username in localStorage, uses it to remember username and to check LDAP status

Changed

Bug Fix: AD/LDAP bug fixed
Bug Fix: Creating new users

[1.1.0] - 2021-03-15

Added

License key is now driven by the Admin panel versus an environmental variable
Additional fields for risk modeling
Added Organization module
Added Questionnaire backend
Added Reporting module with DoD 800-171 Self-Assessment Scoring
Risk visualization to the risk form
Greater visualization and interactivity to the Security Plan Status Board
Added visualization for all control implemenations of a given security control

Changed

Bug Fix: Security plan status board can now handle nulls when parsing data
Bug Fix: Google Maps API now allows connections from any domain
Updated licensing agreement
Updated copyright date
Bug Fix: Reset on search now resets the data
Bug Fix: Login now resets the license type without a refresh
Bug Fix: Can now add multiple users without refreshing, enhanced validation and logging

[1.0.2] - 2021-02-07

Added

More options for risk categorization
CMMC options to the policy module
Added ability to handle multiple mapping options via the wizard

Changed

Bug Fix: Controller fixed for Status Board
Bug Fix: CMMC data was not printing on security plans or control implementations
Bug Fix: Search bug fixes for .NET 5 (IndexOf -> Contains)

[1.0.1] - 2021-02-04

Added

Mapping functionality now locked to Enterprise customers

Changed

Bug Fix: Controller fixed for Status Board

[1.0.0] - 2021-02-02

Added

Added catalogs and support for all baselines of NIST 800-53 Rev4
Added catalogs and support for all FedRAMP baselines
API for interacting with unique ControlIds for security controls
Licensing info now shows on the tenant Admin panel
Added ability to delete a workflow template step from the designer
Added ability to delete workflow instances
Added workflow ID to the workflow instance form
Major dashboard refactoring and improvements
Added Parent Slider to the Workflow Instance system
Added Component module to support the OSCAL standard
Added Parameter to the data model to support the OSCAL standard
Added ability to print the full Catalog with all child controls
Added NIST 800-171 Self-Assessment Report for DoD

Changed

Bug Fix: Hot fix for DB migration issue
Bug Fix: Workflow now passes ID properly to the instance page after creation
Bug Fix: Worfklow system now auto-creates the "System" group if it doesn't exist
Bug Fix: Supply chain system now handles null stock data
Bug Fix: Catalog search now works properly
Bug Fix: Security controls search now works properly
Bug Fix: Security Plan status board explanation no longer interferes with My Activity slider
Bug Fix: Time Travel "Revert" button now works
Bug Fix: Sort order on custom fields now works properly under all circumstances
Enhancement: Workflow notifications give a better indication of what is happening (Approval v/s Notification)
Enhancement: Colors are now consistent on graphs relative to status
Enhancement: Added advanced visualizations to the security plan status board
Enhancment: Minor UX tweaks throughout the application
Enhancement: Added a prompt before reverting Time Travel to a previous state

[0.9.8] - 2020-1-14

Added

Added Control Mapping system to map controls from multiple catalogs into a single control mapping
Added a unique Control ID to the security control module to allow a "business friendly" control name for easier searching and lookups
Added AD/LDAP auto-sync job with the ability to map attributes for a deeper sync process with Atlasity
Custom Fields can now be ordered with drag and drop on the Admin panel. Display consistently on the form.
Can now view the related module on the workflow template designer

Changed

Bug Fix: Now hides password related features if AD/LDAP sync is turned on
Bug Fix: Broken icon on delete toasts fixed across the application
Bug Fix: Navigation system now shows child security plans for a profile
Improved data validation on the front and back end; better visual indicators and API protections
Additional status options for interconnects added
Bug Fix: Links in Sliders now close modals
Bug Fix: Notifications now loads properly on login/logout
Bug Fix: My Activity now loads properly on login/logout

[0.9.7] - 2020-1-07

Added

Time Travel feature implemented
Bulk editing of security control implementations
Supply Chain Risk Status Board
Supply Chain - configuration panel added for analyzing 3rd party risk
Security Plan - now has form data for Authorization Boundary, Network Architecture, and Data Flow
Security Plan Form - now implements tabs to make the form more compact with less scrolling
Security Plan Print - UX improved to add dynamic charting and visualizations
At a Glance Tags added to security plan for quick visual indication of key data
User Groups - can now be viewed on the user profile
Workflow - now tracks start and end times for the overall workflow and each step
Upgrade to Angular 11 and .NET Core 5.0.1
Performance Optimization - Supply Chain, Policy, and Security Plan Status Board refactor

Changed

Bug Fix: Removed domain check since it is config driven.
Bug Fix: News posts links for Supply Chain and Causal Analysis are now formatted correctly.
Performance: Index optimization for frequently executed queries
Packaging: Optimized build to decrease container size
Security: Hardened the base image to eliminate vulnerabilities and reduce the attack surface
Refactored News Posts to be more efficient
Removed Catalog field from security control form (could cause data integrity issues)
Added new status for Security Plans (Retired/Decommissioned)
Bug Fix: Removed register new user link on the Forgot Password page
Bug Fix: Fixed bug that would not allow adding Interconnects to a security plan
Bug Fix: fixed broken breadcrumb links on the workflow modules
Group Management - now disabled for Global Admin (god-mode account), must login with regular Administrator role to access group management
Group Management - UI refactored to improve the user experience
Workflow Designer - UX refactored to improve the user experience
Bug Fix: Worflow notifications now go to all users in the group, not just to the first user
Bug Fix: Added history events for workflow
Added ability to toggle on/off bulk editing of security controls and added alerts for saves
Bug Fix: fixed issue with Javascript changing numbers to dates under some circumstances
Bug Fix: Removed index on control implementations to allow for large field sizes
Bug Fix: Fixed back button when deleting a security plan
Bug Fix: Fixed hidden elements from a bad DIV tag on the security plan print report
Bug Fix: Supply Chain Risk parent ID is no longer nullable
Bug Fix: If same parent type (i.e. nested security plans), child controls now render correctly
Validation: Refactored for Security Plans

[0.9.6] - 2020-11-18

Added

Base image changed to Linux Alpine for smaller size and improved security
UUIDs added to all modules to improve machine to machine data interchange
Added navigation to app menu to view My Activity in a slide out panel
Added user "baseball cards" to display contact info for any user selected
Added validation for all environmental variables on startup. Now throws errors in the container logs when validation fails.

Changed

Applied phone masks for improved formatting
Fixed duplicate IDs on HTML tags on the Catalog
Fixed print error on security controls
Assessments can now be added to assets
Bug Fix: Can no longer view dashboard when module is disabled in setup
Bug Fix: Can no longer 'Add Child' records when module is disabled in setup

[0.9.0] - 2020-10-30

Added

Improved logging
Added functionality to hard reset the admin password with an environment variable and restarting the app
OSCAL SSP Import
Added Stakeholders subsystem
All Home Page Dashboards completed
Added System Owner to the Security Plan Module
@Mention feature implemented for notifications (Comments Subsystem, Workflow, and News Feed)
Added Policy Status Board
Added Control Weight to Security Controls (used for risk calculations and DFARS Self-Assessments)
Email Viewer
Added Export for Security Plans and Control Implementations - used for external integrations
Can now "opt in" to receive email notifications
Notifications now issued for new record assignments (within Atlasity and via email if "opted in")
Added "Slide out" feature to preview the parent record
Base image changed to Linux Alpine for smaller size and improved security
UUIDs added to all modules to improve machine to machine data interchange
Added navigation to app menu to view My Activity in a slide out panel
Added user "baseball cards" to display contact info for any user selected

Changed

Bug Fix: No longer shows option to add a Control Implementation to the Security Plan using the Add Child button (must use the builder)
Refactored Security Plan report to allow for more customization in reporting
Can now delete comments
Improved signaling on navigation links
FIPS and System Type and now configurable as Metadata
Refactored notification system UI for performance
Group manager now displays a default of 25 records
Fixed email viewer bug, now displays all sent emails correctly
Fixed bug for 'Create New' on Supply Chain Status Board
Date Last Assessed and Last Assessment Result are now labels - must be set via assessment
NIST 800-171 now available as a catalog
Increased length of security control titles
Changed the cursor on the navigation tab
Added more discrete validation to the tenant configuration form
Fixed blank password bug for email configuration
Improved validation for AD/LDAP settings
Bug Fix: Exception lookup now working correctly
Add Child button now hidden until a module is selected
Cleaned up divider lines based on permissions in the Navigation bar
All logins now redirect to the workbench as the standard home page
Bug Fix: System Owner now displays properly in the list view
Added ability to enable/disable email SSL by tenant
Applied phone masks for improved formatting

[0.8.0] - 2020-10-2

Added

OSCAL Security Plan Export
Performance Tuning - Lazy Loading in Angular, Bundle Size Optimization
Added Cypress Front End Testing (rebased with testing branch)
MITRE Heimdall Integration for Assessment
Added Help system for all modules
Metadata seeding re-factored for each module
Refactored global admin workflow
Control owner visualization for security plans
Added the Maintainer role
Users default to activated
Facility Status Board now handles offline gracefully

Changed

Added ability to show/hide CMMC fields based on Admin Config
Fixed bug where Atlasity would not accept complex email addresses with multiple periods
Bug Fix: Fixed route on creating a new user
Added "Last Assessment Result" graph to the Security Plan Visualizer
Bug Fix: Recurring assessment route fixed
Bug Fix: Fixed "Create New" route for projects
Bug Fix: Cause codes now load defaults on new installations
Bug Fix: Supply Chain picklists now configurable
Bug Fix: License now displays properly when not logged in
Bug Fix: Fixed date validation errors from the testing harness
Bug Fix: User profile system bug fixed, can now upload photos
Cache now clears on logout and when adding a user
SMTP Email Password is no longer required (for non-authenticated use cases)
Bug Fix: Notification count reset to zero on logout
Bug Fix: Non-admins can now access their User Profile

[0.7.0] - 2020-08-28

Added

Added Supply Chain Module
New landing page with dashboards
Custom fields can now be ordered via drag and drop
Angular 10 upgrade
FontAwesome now installed locally v/s CDN include
Calendar now supports Angular 10
Facility Status Board MVP 1

Changed

Added currency formatting to the Project input controls
Renamed Atlasity export files
Workbench component now properly named
Fixed bug on AD sync
Added Post-Incident Evaluation field to the Incident Response module
Email alerts now indicate that it was sent to you
Hides ID field on Security Control Implementations
Refactored Facility Status Board for efficiency

[0.6.0] - 2020-07-31

Added

Added support for email CC
Activew user toggle added for the user list
Fixed max filesize setting on Startup
Fixed bug on test email, made code more resilient
Help/Support now points to Atlasity.io
Added the Facilities module to the Admin panel
Printable reports now have clickable headers
Added causal analysis module
Added event module for timeline
Custom fields are editable

Changed

User search now shows by default
File size limit now in MBs
Admin email now updates when saving a new email in the Admin panel
Cache now refreshes when new user is created or AD is synced
Improved security of account creation when doing an AD/LDAP sync
Facilities added to all forms/searches
ListView buttons are always formatted on the right now
Fixed 'Setup' link for non-Enterprise installs
Required fields properly marked on the user form
Email now saves to the database before sending and throws error prompt when it has issues sending
Many multi-tenant user flow bug fixes
Fixed routes to profiles and catalogs (no longer have to be an administrator to view)
Domain stored locally to reduce API traffic
Fixed back icon on Control Implementation form
Domain name now adds '/' character to the end if not provided
Link to CMMC added throughout security plans
Save button now disabled until Save events complete (prevents multiple saves of the same record when clicking quickly)
Facility name must now be unique for a given tenant
Added test button for Slack/Teams
Prevents duplicate cause codes
Added cause type to causal analysis
Fixed bug when copying security plans
Auto-adds controls to plan using Security Plan builder without having to click an add button
Added link icon to compliance navigator
Removed Apparent Cause and minor UI tweaks
Email configuration labels and validation improved

[0.5.0] - 2020-05-29

Added

Custom Reporting and Dynamic Searching
Expanded test coverage and integrated with CI/CD
ELK stack expanded for enterprise monitoring and reporting
User-defined fields implemented
Added Email GUI
Rebranded to ATLASITY
App configuration now driven by license key
Licensing info now displayed for global admin users
FSSC Catalog import functional
One step import/export now for a catalog and all child controls
Custom fields are now tenant specific
Added test button for SMTP email configuration
Service Account now displays the current token
Tooltips and instructions now provided on the AD/LDAP admin panel
Custom fields now allows a choice list
AD/LDAP now allows test/sync on the Admin panel, searches nested accounts

Changed

IAM flow improved along with UI
Fixed various security authorization bugs
Fixed email bug in the ATLAS container
Fixed various container deployment bugs and improved documentation
Fixed bugs in the build process, sped up build times significantly
My Activity moved under user profile and user form for Admins
Calendar now graphs assessments across days
Worked through Sonarqube bug fixes and Angular build bug fixes
Removed cyber specific fields where possible (can add via Custom Fields for a customer)
Fixed validation errors where form was not resetting
Fixed bugs on workbench and adding items, moved config to a service
Various multi-tenancy fixes
Recurring bug fix - bi-annually now calculates correctly
Custom fields now hidden for Community Edition
Clearing security controls no longer throws an error toast message (warning instead)
Fixed AD/LDAP bug on login
Logout now in red and moved to bottom to be easier to find
Create security plan now shows a spinner while building the plan with controls
Fixed registration bug for users

[0.4.0] - 2020-03-27

Added

Tenant and User services now cache results to improve performance
Combined IAM modules into one config panel and re-factored
Custom monitoring solution for K8s, APM, SQL Server, and Containers built using ELK
Refactored user group by queries - improving query performance

Changed

Fixed password reset bug
Added show/hide fields to all password fields (default hides)
Refactored service accounts for multi-tenancy
Files are now searchable/sortable and show the MD5 hash
Bug Fix - News Feed and My Activity filters now work for over time visualization
Bug Fix - URL now updates after saving a record, fixing issues with the Back button

[0.3.0] - 2020-03-13

Added

Created Admin panel for configuration
Enabled AD/LDAP authentication
Added deploy instructions for catalogues
Added AES-256 encryption for secrets in the DB
Added Group Management functionality for users
Added System Integration tests with Cucumber/Selenium
Angular now caches lookup fields
Added ability to create and manage User Groups

Changed

Updated deployment instructions for persistent storage on local installs
Bug fixes on redirects after Catalogues and Security Plans are built
Sorted/updated regulations on the Splash page
Removed workflow trigger from new forms
Made max number of file uploads configurable
Can now enable/disable Microsoft Teams, Slack, and AD/LDAP authentication
Bug Fix: Only activated users show in the user list

[0.2.0] - 2020-02-28

Added

CMMC fully implemented
Avatars now stored in the DB
Workflow now supports drag and drop
Added Print/Email capability for Catalogues and Security Controls
Added ability to mount storage in K8s for file storage
Catalogues now allow for JSON import and export
Angular Unit Testing
Added LGPL license to ATLAS
Added Compliance Status Board for Security Plans
Added Slack and Microsoft Teams integration
Added multi-tenancy

Changed

Minor icon bug fixes on the News Feed
Re-factored dashboards to use the list view
Add CMMC filters to security plans and control implementations
Tuned SonarQube rules to filter out false positives
Allows multiple file uploads
Shows counter for number of catalogues on the Splash page
Added C# unit tests and new folder structure
Fixed bugs and legacy alerts
Can now tie issues to assets

Changelog

[0.1.10] - 2020-01-31

Added

Basic workflow system engine
Re-factored News Feed, comments on the news now flow down to the record
Update API for Links
Replaced all Alerts with Toasts for a modern UI experience
Security Plan Builder Wizard implemented
Pipelines updated and SendGrid bug fixed
Upgrade to .NET Core 3.1
Added the DoD CMMC into ATLAS

Changed

Deletions via API now remove all child/related objects
Improved form validation across all modules
Removed version history, moved to the change log
Improvements to file upload
Replace Feather icons with Font Awesome - reduced build size
Metadata manager now hides modules with no fields to customize
File upload now throws an error if no file provided
Cleaned up instructions for recurring records

[0.1.9] - 2020-01-10

Added

Added search capability to all subsystem tabs
Added a list view for security control implementations
Added Kubernetes configuration files for ease of automated deployments
Built Windows DEV environment
Added GUI for creating service accounts
Added loading spinners
Added profile owner to security profiles
CI/CD now handles DB changes
Added search to history
Added logic to "Show/Hide" the Show More button on the News Feed and My Activity
Added URL encoding to search
Added end of life, status, and purchase date to Assets

Changed

New navigation system implemented
Performance improvments for the navigation system
Removed legacy breadcrumb system
Removed sensitive user data from API calls
Fixed bug on "add child" wizard in the navigation system
Fixed Docker build error with new Angular update

[0.1.8] - 2019-12-06

Added

Added error checking on all forms for 'Record Not Found'
Added a requirements module
Created a wizard interface for building security plans
Created a wizard interface for managing compliance requirements
Added a view of all implementations for a given control
Added event type filter to the News Feed
Added Select All and Remove All buttons to the security profile
Added toggle to show/hide search filters on the list view

Changed

Multiple data validation bug fixes
Re-factored assessment API to support automated DevOps testing
Re-factored UX for all forms
Improved formatting of the Splash page
Improved density of the UI on all subsystem tabs

[0.1.7] - 2019-10-30

Added

All APIs compliant with Swagger/OpenAPI format
Added initial Swagger API documentation page
All APIs have Swagger documentation
Added recurring assessment feature
Added recurring data call feature
Added recurring task feature
Comments are now integrated with the News Feed and History
File upload/download is now integrated with the News Feed and History
Links are now integrated with the News Feed and History
Added Swagger documentation to the ATLAS models
Added High Value Asset toggle to the Security Plan module
Required fields are now marked on the forms
Added Refresh button to the News Feed
Added catalogue to the News Feed and My Activity
CSA CCM controls uploaded
Assessments auto-update control implementations
Added control implementation details to the dashboards

Changed

Fixed workflow step bug on the News Feed
Fixed bug with blank avatars on the News Feed
Fixed issues on the Catalogue Form
Updated the Security Controls data model
Security profile refactoring
My Activity now shows unique records
Refactored the Workbench UI
Updated Splash page - compliance frameworks + Star Wars

[0.1.6] - 2019-09-30

Added

Added click-through license agreement
Added printer dialogue button
Added validation to the RBAC manager

Changed

Fixed checkbox indent
Made blob storage private - validated encryption of files and privacy of URLs

[0.1.5] - 2019-09-06

Added

Added email notification for new account creation
Added a password reset feature
Improved validation for login processes
Added support for Markdown files in ATLAS
Added initial Help system with Markdown support
Added progress bar, totals, and legend to the calendar

Changed

Upgraded to Angular 8
Fixed NPM package vulnerabilities

[0.1.4] - 2019-08-26

Added

Tested new navigation menu on mobile, Mac, and Windows
Added a warning banner for ALPHA testing
Enhanced data validation logic across all modules
Improved formatting of date picker controls

Changed

Moved all navigation to the top to allow more screen real-estate on small screens
Fixed navigation bug on mobile with dropdown menus
Fixed login/logout flow
Fixed status check logic for tasks
Removed max/min controls
Fixed a rare show/hide bug in the navigator

[0.1.3] - 2019-08-10

Added

Changed

Fixed card height issues on the splash screen
Fixed login/logout issues with showing/hiding content

[0.1.2] - 2019-07-27

Added

Added data validation to new user account creation
Added vanity URL for the ATLAS sandbox: atlas.c2labs.com
Added default image

Changed

Fixed width issues on mobile platforms for logins
Improved password management features on new user creation
Fixed data validation when updating the user profile
Updated format of the unauthorized access page and footer

[0.1.1] - 2019-07-10

Added

Changed

Updated readme.md file to better describe the modules and build process
Various fixes to improve support on Windows (IE and Edge)
Disabled service worker code (throwing errors and not being used right now)
Removed xlsexport, incompatible with latest Angular framework
Fixed duplicate tags on the home page
Fixed logic on login/logout/user creation