CHANGELOG
[6.9.0.2] - 2024-11-19
Changed
- Change record's Date Change Approved and Date Work Completed are set automatically via workflow
Fixed
- Default change record status is Draft
[6.9.0.1] - 2024-11-18
Note: Starting 2024-11-18 versions will use the Major.Feature.Minor.Hotfix format.
Fixed
- Users with GeneralUser role can create a security plan
[6.9.0] - 2024-11-17
Added
- Support for templated exports in Microsoft Word format
- Quick filters (open, all, recently added, recently closed) when viewing a security plan's issues
- POST /api/regml/query endpoint
- Gantt chart on the scorecards' Fix Issues workspace for security plans, components, and policies
- Change record statuses (assess, schedule, implement, review)
- Ability to make status fields readonly so that they are only changed via workflows
Changed
- List of vulnerability scans for a security plan is sorted by scan date (descending)
- Files subsystem is initially sorted by date uploaded (newest to oldest)
Fixed
- Policy editor
- Changes save as expected
- Busy indicator deactivates when operations complete
- Deviation Summary tab for issues displays correctly
- GET /issues/getAllByParent/{id} returns an empty list if there are no child issues
- JSON Preview tab works correctly in the Data subsystem
- ProgramUser role has correct module access
- Searching for issues by parent module works as expected
- List of vulnerability scans for a security plan contains the correct number of entries
- Gantt chart on a security plan's Issues/POAMs tab uses the first detected date as the start date
- Querying assets via GraphQL works as expected
- Grid views
- Columns better accommodate long text
- Pagination, row count, and sorting work correctly
[6.8.0] - 2024-11-14
Added
- Soft-delete support for primary record types
Fixed
- Webhooks event data payloads work correctly
- Data from triggered webhooks is populated as expected
- Addressed technical debt areas such as data models and unused functionality
- Various link routes navigate to the correct form
- Evidence files can be previewed in the Evidence Locker and when mapped to a control
- Search functionality for components that show file uploads works as expected
- Policy option can be de-selected on a control implementation record
- Viewing a lineage record on a security plan navigates to the correct profile
- Assets can be unlinked from a component
- Tailored SSP export honors rich-text formatting
- Files subsystem upload functionality works as expected
Security
- Routine dependency upgrades
[6.7.0] - 2024-11-11
Added
- Ability to add user reports as widgets on My Dashboard
Changed
- My Dashboard
- Enhanced usability when rearranging widgets
- Custom labeling is honored
- Report Builder
- Editing a custom report navigates to the report builder screen
- Certain fields are marked as required before saving
Fixed
- System reports show in the reports list when no user reports exist
- All modules are supported for creating custom reports
[6.6.1] - 2024-11-06
Fixed
- Red Hat UBI container contains the expected catalogs
- Question responses save correctly for questionnaires assigned via the process of self-assigning to a non-RegScale user (i.e., authenticated by access code)
[6.6.0] - 2024-11-06
Changed
- Control implementation statements are displayed from inherited controls within the auto-calculated control implementation summary
Fixed
- Standardized button labels for grid views
- Labs SSP export document is populated correctly
- FedRAMP SSP export
- Placeholder is provided for the user to insert an Appendix Q reference
- Table K.1 populates correctly
- Links within questionnaires work as expected
- Due Date for Next Update is auto-calculated after creating an evidence record
- Asset SBOM copy and export/download operations work correctly
[6.5.1] - 2024-11-04
Fixed
- Control parts appear as expected in the control builder
[6.5.0] - 2024-11-02
Added
- Deviation Summary tab for issues that displays relevant information from a deviation request
- Deviation Rationale
- Known Exploitable Vulnerability
- False Positive?
- Operational Requirements?
- Auto-Approved
- Adjusted Risk Rating
- Risk Adjustment?
- Basis for Adjustment
[6.4.0] - 2024-11-01
Changed
- CCIs are hidden from the control parts view for a given control
- eMASS POA&M export is updated to reflect the most recent format
[6.3.0] - 2024-10-31
Added
- Support for Wiz commands: wiz vulnerabilities, wiz add_report_evidence, wiz attach_sbom
- Sampling methodology field for lines of inquiry
- Lightning Assessment
- Evidence tab that lists associated files and provides file previews
- Navigator dropdown that allows the user to select a control to assess
- Assess Controls workspace for the security plan dashboard
- Tiles to show assessment status counts
- Predefined filters (e.g., assessment status, due next 30 days)
- Search by control ID or title
- Continuous monitoring (CONMON)
- View Evidence option for CONMON records
- Busy spinner while the progress report is loading
- File preview capability for Deliverables tab
- Clickable control titles for the Controls In Scope progress report
Changed
- Automation Manager
- When viewing previously run jobs, the secrets are hidden by default
- Available badge shows the number of total integrations rather than number of integrated products
- "DAG", a term specific to the implementation, is replaced with "job"
- Page load time improved
- Return button on the Lightning Assessment tool navigates to previous page in the workflow
- Improved usability for the workspaces on a policy's scorecard view
- Status and owner fields are adjacent on the requirement record form
Fixed
- Automation Manager
- UCF integration appears as expected
- Job names can contain spaces
- Fetch Names button for the Tenable integration allows selection of an SSP for a parameter
- Running jobs appear as expected
- Job parameters match the CLI job parameters
- Performance is improved
- Lightning Assessment content fully displays on the page
- All required fields for creating a new requirement show a red asterisk
- Control titles render correctly in the Collect Evidence workspace for a policy's scorecard
[6.2.0] - 2024-10-29
Changed
- Improved styling for menu slide-outs on form tabs and user input controls
- Addressed technical debt around color theming
Fixed
- Switching between list view and dashboard view for Security Plans works correctly
- User avatar appears in the header
- Dark mode legibility works as expected
- Security plan dashboards
- Input fields in the Links subsystem
- User's API token is set correctly after logging in
- Warning prompt is shown if the user has unsaved input when creating a line of inquiry
- Scan history and scan results charts have matching color schemes
[6.1.0] - 2024-10-28
Added
- Report builder (Phase 1) that allows users to build and view reports for one level of data (i.e., a single module)
Changed
- Browser inactivity timeout is configurable from the Security Policies admin panel
- Improved performance when loading large lists of security controls or control implementations
[6.0.0] - 2024-10-22
Changed
- Major version release to 6.0.0
Added/Updated
- Advanced Workflow Automation Manager
- New User Experience
- Streamlined Workflows
- Enhanced, compliance-trained AI
- 450+ integrations
- Wayfinders: predefined, step-by-step guides for the most common tasks
[5.82.1] - 2024-10-14
Fixed
- File Access question type for questionnaires works as expected
[5.82.0] - 2024-10-14
Added
- Ability to assign a specific questionnaire to a RegScale user from the Questionnaires tab on a Security Plan, Project, Program, Supply Chain, Capability, and Policy
- Questionnaire responses (when tied to a specific control implementation) show on that control implementation
- Submitting a questionnaire assigned from an SSP saves the questions and answers in the Properties subsystem to that SSP (API support only)
Fixed
- Deviation requests require a Requested Risk Rating only if the Deviation Type is Risk Adjustment or Exception Request.
- Auto-approved? field for POA&M issues only supports Yes or No values
- Setting the security profile for a questionnaire works as expected
[5.81.0] - 2024-10-13
Changed
- eMASS export auto-populated fields
- eMASS ID (SAP/SAR and SCF)
- Lab Environment Testing (SAP/SAR)
Fixed
- eMASS-specific fields are hidden if the eMASS Fields setting (Modules and Features admin panel) is disabled
Security
- Package/dependency updates
[5.80.0] - 2024-10-10
Changed
- Questionnaire rules textbox displays more lines/rows
Fixed
- Dropdown selections are unique
- FedRAMP Deviation Request export contains the CSP name, system name, impact level, and submission date
- Editing a categorization works as expected
- Workflow created after uploading evidence to the Evidence Locker functions correctly
- Saving an advanced search as a report works as expected
- Readability improved for the RegML Extractor results form
- Overall CIA categorization is dynamically updated to reflect the highest watermark value of the selected information types, including when a lower watermarked information type is chosen to override
[5.79.0] - 2024-10-10
Added
- Initial API support for creating and updating export configurations for Excel-based templated exports
[5.78.1] - 2024-10-08
Fixed
- eMASS SLCM report exports successfully
[5.78.0] - 2024-10-03
Added
- Questionnaires
- Ability to link one or more security controls to a question
- Ability to resolve comments on a response; resolution is also shown on the Feedback tab
- Badge (reviewer side) that indicates questionnaire status
- Access code within the assignment email body
- Ability to delete a comment
Changed
- Scoring columns are hidden if a given questionnaire doesn't have scoring enabled
- Increased spacing between the page header and the list view header/content
Fixed
- Page header for reports and questionnaire module fonts are consistent with the rest of the application
- Electronic signature images for questionnaires render correctly in the Feedback tab
- Selections for Inherent Probability/Frequency and Inherent Impact/Consequence/Severity appear correctly
[5.77.0] - 2024-10-02
Added
- Column mappings for the eMASS SLCM export
- Column mappings for the eMASS SAP/SAR export
- Support for Criticality in eMASS SLCM export
Changed
- eMASS CYBERSAFE export uses questionnaire data from the Files subsystem
Fixed
- eMASS SLCM export shows custom fields as expected
- eMASS SCF export displays the Info Type Identifier correctly
[5.76.1] - 2024-10-01
Fixed
- Large white-label images are resized to 300x50 px
[5.76.0] - 2024-09-28
Added
- Description column on the Controls tab for a risk record
- Questionnaires
- Multi-factor authentication (MFA) support for questionnaire login
- Analytics tiles on the Scoring tab for a response
- Ability to email an assignee to request updates
- Ability for an assignee to only see questions/responses deemed unsatisfactory on a reopened questionnaire
- Overall percentage score/grade on Scoring tab
Changed
- Questionnaires
- Questionnaire input form page
- Consolidated layout
- Submit button added at the bottom of the page
- Submit button is always available even if the form isn't complete
- Response view is streamlined via tabs (Feedback, Scoring, Response)
- Login page uses the new design
- Back button on the response view navigates to the Responses list
- Assignment view is redesigned
- Bulk assignment option shows instructions
- Assignees can re-open questionnaires
- Rejecting a questionnaire also emails the assignee
- Comments subsystem uses the new design
- Improved design for assigning mitigating controls during a risk assessment
Fixed
- Questionnaires
- Assignee name shows on the input form page if they are a RegScale user
- Feedback column works as expected on the Scoring tab
- QuestionnaireUser role works correctly
- Updating the title works as expected
- Show/hide question rules work as expected
- Submitting a questionnaire sets the state correctly
- Sending feedback via email to external users works as expected
- Access code check trims whitespace before validation
- Multi-answer question types are scored correctly
- Scoring row is hidden if the maximum score is zero
- Time Travel subsystem correctly includes the most recent change
- Managing Risk workspace on a security plan's scorecard has a list of risks that scrolls correctly
- Inherent and Current Risk Scoring utilize the override values defined in the Advanced configuration of the Risk Configuration model
- Risk matrix tooltips show current information after updating titles and guidance
- Risk assessment
- Business impact assessment displays correct risk titles
- Updated business impact assessment values carry through to the final step of the risk assessment
- Mitigating controls are unique
Security
- Improved logging around questionnaire access
- Questionnaire access code is not shown in cleartext on the Responses view (replaced by Copy button)
[5.75.0] - 2024-09-28
Added
- /api/deviation/getAllBySecurityPlan/{sspId}/{includeDrNumber:bool?}
- Hour and minute resolution for Timeline subsystem entries
- "Risk Accepted" status for security controls
Changed
- Updated styling
- Dropdown menus
- Modules
- Workspaces
- Status Boards
- User Profile
- Notifications
- Menu and header section
- Classification banner
- Page frame and header for all status boards
- Dropdown menus are sorted alphabetically
Fixed
- Calendar button color on date picker matches the UI theme
- Links in the Links subsystem navigate as expected
- RegML Extractor results for objectives include the name of the parent control
- ReadOnly user has access to Catalogues, Categorization Engines, and Security Controls modules
- Areas render correctly in dark mode
- Navigation visualizer tab
- SSP Utilities tab icons
- Set My Home Page at Login field appears as expected on the user profile screen
- Pending status is accurate for several dropdowns in the Issues module
- Metadata values for each tenant load only when they are marked as active
- Long module names (i.e., when customized) are truncated with an ellipsis
[5.74.0] - 2024-09-20
Added
- OSCAL XML
- Ability to export with multiple implementation statuses and control origins
- Support (on import and export) for OtherId field from catalogs and security controls
Changed
- SSPs can have multiple selections for implementation status and control origin
Removed
- Support for OSCAL v1.0.4
[5.73.0] - 2024-09-19
Added
- Informative alert that scheduled questionnaires are sent at 2am
Changed
- Tailored SSP export also includes any evidence mapped via the Evidence Locker
- FedRAMP Rev5 SSP (Word document) Table 11.1 refers the reader to a separate appendix
Removed
- Validation rule that requires current risk score to be equal to or greater than the target risk score
Fixed
- Questionnaire template upload process is more resilient with regard to section numbers
- My Activity section on the Identity & Access Management admin panel correctly shows a user's activity
- Scheduling continuous monitoring for an SSP from a UCF catalog works as expected
- RegML Extractor
- Process successfully runs to completion
- Results show control descriptions for controls without objectives
- Edits to control statements generated by the RegML Extractor save correctly
- Inline parameter references display correctly in the Control Implementation form
- Exports
- CMMC SSP export includes implementation statement and implementation status as expected
- eMASS export options are disabled when viewing a component
- eMASS SLCM export generates correctly
- FedRAMP Test Case Procedures export is enabled when viewing an SSP
- Control Implementation list display performance improved
- Navigational arrows for controls in an SSP work as expected
- Visualization/charts in the History subsystem render correctly for each event type
- Cancelling from the delete confirmation alert immediately returns the user to the page
Security
- Routine package/dependency updates
[5.72.0] - 2024-09-18
Added
- Ability to make an existing RegScale file accessible for download to a questionnaire responder/assignee
- Ability to add tags to properties that enables users to categorize or mark properties as needed
Changed
- SSP export satisfies the recommendations per SP 800-18 Rev1 (Guide for Developing Security Plans for Federal Information Systems)
Fixed
- DOE SSP export Table 3 (Security Categorization of Management and Support Information) shows the correct information types, their CIA values, high watermarks, and information system categorization
[5.71.1] - 2024-09-12
Fixed
- Risk Adjustment? value in the FedRAMP Rev5 POAM export works correctly
- Inactive account cleanup task is scheduled to run daily at 3AM
[5.71.0] - 2024-09-11
Added
- API endpoints
- POST /api/systemRoles/batchCreate to create multiple system roles
- POST /api/assessments/batchRecurringPreview/ to preview recurring assessments that would be created
- Risk and compliance hygiene
- Ability to select a risk model in the Risk Assessment Wizard
- Ability to add a control in a risk assessment
- Spider chart for business impact assessment on the Risk Scorecard
- Ability to build and run financial models in the Risk Assessment Wizard
- Transfer as a risk strategy option
- Software Bill of Materials (SBOM) is available at the component and SSP level
- Description field for threat scenarios
- RegML license acknowledgement prompt when enabling RegML from the Modules and Features admin panel
- User interface enhancements (e.g., layout, style, typography)
- Lines of inquiry for an assessment
- Citation and Line Type columns for grid view
- Support for collecting data based for various data types
- Admin panel (and My Dashboard) widgets
- Error count by month
- User logins by month
- Activity by month
- Risk assessments are enabled for programs and capabilities
- Recurring questionnaire scheduling
Changed
- Increased resiliency around missing data for catalogs list and update functionality
- Each line of inquiry for an assessment can have its own attachment
- Continuous monitoring Progress Report tiles can be selected to filter the list view based on the selected tile
- FIPS Impact Level, Strategic Tier, and Contract Type are now optional fields on a supply chain record
- Updated the Risk Assessment Wizard to work with Bring Your Own Risk Matrix feature
- Default tests (if they exist) load automatically for a control implementation test plan
- Lines of inquiry without the scoring flag set are ignored in the scorecard
- When navigating to an audit in the CONMON view of a SSP, the progress report is the default
- Yellow and other dark colors for informational alerts are softened to a lighter gray and use a different icon
- Risk scorecard: trend lines are above heat maps
- Redesigned Control Builder
- Always shows control
- Uses custom system labels
- Has more prominent progress visualization
- Provides clickable steps
- Fields auto-save after moving to another field
- News Feed layout and styling are more cohesive
Removed
- Transformer capability when printing a security plan
- Risk Status Board
- Default probabilities and default impact fields from Threat Scenarios
- Inherent risk step from the Risk Assessment Wizard
- Toggle to switch between previous and new forms layouts
- FedRAMP Rev4 exports
Fixed
- Export availability conditions work as expected
- Control Builder
- Only shows fields marked as visible in the Custom System Labels admin panel
- Progress panel is updated as items are defined
- New tenant setup Storylane works as expected
- Continuous monitoring assessment records save successfully after being edited
- Names of export format options display correctly
- Importing a policy template and saving parameter defaults works as expected
- Labeling and descriptions in the Project Builder match the functionality shown
- PDF and Office document previews in the Files subsystem display correctly
- Lines of inquiry
- List view shows titles without HTML tags
- Adding a new entry resets previous text input
- Planned Finish and Actual Finish can be the same date
- Risk
- Annual loss expectancy (from a risk's Financial Modeling tab) appears correctly in the Risk Workspace scorecard
- Ad hoc lines of inquiry for an assessment display in the right-hand panel
- Risk treatment titles are required
- Risk status label renders correctly
- Inactive user deactivation job runs correctly
- Global admin account is excluded from account inactivity deactivation rules
- Lightning Assessment
- Assessment Result, Differences, and Risk Model are required fields
- Implementation & Evidence section values are correctly mapped
- Classification subsystem grouping works correctly if there is no family defined
- Sorting catalogs by Catalog Date works correctly
- Exception records can have the same value for Date Approved, Expiration Date, and Date Submitted
- Recurring assessments work as expected
- Service Level Agreement field is required for a workflow template
- Custom systems label list displays as expected
- New user login works correctly
- Controls for the default control assessment schedule match the default assessment schedule set at the SSP
- Assigning an embedded Wayfinder to an SSP works as expected
- Deleting a risk configuration from the admin panel works correctly
- Audit log entries for comments and links are created as expected
- Programs and capabilities can be deleted if they have child records
- Policy editor parameter editing works as expected
- GeneralUser role has access to Categorization Engines and Security Controls modules
- Milestone dates on programs update and display correctly
- FedRAMP Rev5 Risk Exposure export is based off issues
- Multiple consistency issues with New Forms
Security
- Applied routine framework and package updates
- Improved server-side model validation
- Tightened role authorization for some APIs
[5.70.5] - 2024-09-10
Added
- Risk Adjustment? field to the issues form to support POA&M export
- IntegrationFindingId on issue records to support CLI integration (API only)
Fixed
- Email settings are available if the RegScale instance is not hosted by RegScale (i.e., regscale.somecompany.com)
- Exports correctly represent assets linked or related to other records
- eMASS Hardware/Software List
- FedRAMP Rev5 Inventory Workbook
- Components shared by multiple SSPs display and export as expected
[5.70.4] - 2024-09-06
Fixed
- Functionality (e.g., POA&M/issues export, Gantt chart view of POA&Ms/issues) that involves issue records correctly accounts for lineage (i.e., issues being child records of various other records such as security plans or components)
- Efficiency of determining available exports is improved
- FedRAMP Rev5 inventory report generates as expected
[5.70.3] - 2024-08-30
Added
- Improvements to the FedRAMP Deviation Request export
- Evidence list
- Other Identifier field to track FedRAMP DR numbers of imported deviation requests
Fixed
- FedRAMP Deviation Request export
- Null dates are handled correctly
- Mappings of Deviation Request calculator values for Availability, Confidentiality, Integrity, Attack Vector, Remediation Level, and Initial Risk Rating are correct
[5.70.2] - 2024-08-29
Security
- Applied security updates to components
[5.70.1] - 2024-08-26
Fixed
- FedRAMP Rev 5 POA&M export shows closed POA&Ms and expected values in columns A, E, F, H, J, U, and V
- POST /api/data/ returns the ID of the created data record
[5.70.0] - 2024-08-21
Removed
- NIST 800-60 identifier for Associated Information Type column in Section 6 of the tailored SSP export
- Action column in the Related User Information table for groups on the My Profile admin panel
- General access to GET api/securityplans/exportFedRAMPPoams/{intId}/{version} as it's not needed as part of the public API
Fixed
- Deep links in a Wayfinder correctly place the input focus on the desired form field
- Catalog category dropdown has unique entries
- Fields in advanced search for catalogs have unique entries
- A validation warning appears (Ports and Protocols tab for an SSP) if the start port is greater than the end port
- GET api/securityplans/export/{intId} returns a 404 response if the given ID cannot be found
- PUT /api/files/renameDuplicateFileName/{parentId}/{parentModule} generates a display name if its previous value was empty or null
- RegML Chatbot icon appears correctly
- FedRAMP POA&M export completes for large numbers of POA&Ms
- Job to check for inactive accounts runs as expected
- All action tiles in the upper right of the CISO dashboard appear correctly
- Program record and capability record (JSON) exports work as expected
- Dashboards link above list views is disabled if there are no dashboards to view
- List of vulnerabilities under an SSP only shows open vulnerabilities
- Updated control parameter values appear correctly in the FedRAMP Rev 5 Appendix A and OSCAL XML (SSP) exports
[5.69.0] - 2024-08-21
Changed
- Menu items for data entry, subsystems, and utilities for a given record's form are sorted alphabetically
- Grid views where it's possible to create new records show a Create New button
Fixed
- Numerous fixes (e.g., validation, consistency, console errors) for new forms
- Descriptions for parts of a security control do not contain HTML tags
- Files (subsystem) list refreshes after an upload finishes
- New programs created under the Supported Programs tab for a capability are correctly linked to that capability
- User avatars (i.e., generic avatar, user initials, photo) display consistently in grid views
- Risk financial modeling shows the correct number of decimal places for financial values
[5.68.0] - 2024-08-17
Added
- Support for API endpoint versions (both directly and in Swagger)
- Control Framework Gap Report that explains how a current framework satisfies other frameworks within RegScale
[5.67.0] - 2024-08-09
Added
- Automation Manager provides the ability to...
- View logs of executed jobs
- View the configuration used to trigger a job
Changed
- Webhooks and Message Queue are listed separately in the Automation Manager
Fixed
- Automation Manager
- SAML integration tile shows as expected
- Job names can only contain alphanumeric characters, periods, underscores, tildes, colons, plus signs, and hyphens
- Available integration tiles render correctly
- Catalog list displays correctly even if UCF authentication fails
[5.66.0] - 2024-07-30
Added
- Ability to check for and apply updates to installed UCF catalogs, which includes an update preview report
[5.65.0] - 2024-07-30
Added
- Ability to disable Certificate Revocation List (CRL) checks in MailKit
Changed
- FedRAMP POA&M export has default column values and handles missing data
- FedRAMP Rev 5 SSP Appendix A includes the full control implementation statement
- CMMC SSP Report export lists requirements alphabetically
- Webhook calls are non-blocking to improve performance
Fixed
- Excluding Metadata Fields option for exporting a catalog works correctly
- Category field for a catalog can be edited
- Other ID field for a catalog is not a required field
- Exports work correctly:
- Tailored SSP export
- FedRAMP exports
- Deviation Request export
- CMMC SSP Report export
- OSCAL POA&M (XML) export
- Built-in catalogs and catalogs from the RegScale website work as expected:
- NIST 800-82 Rev 2 overlay (moderate)
- SOC 2 Version 2020.3
- CSA Cloud Controls Matrix (CCM) Version 3.0.1
- Creating a vulnerability mapping via the API works correctly
- Vulnerability scan results rollup/chart shows correct results
- Email configuration fields appear as expected in the Setup admin panel
[5.64.0] - 2024-07-25
Added
- Vulnerability mapping API endpoints
GET /api/vulnerabilityMappings/findByVulnerability/{vulnerabilityId}
GET /api/vulnerabilityMappings/findByAsset/{assetId}
GET /api/vulnerabilityMappings/findByIssue/{issueId}
- eMASS exports
- Several fields and validation rules in the PPSM export
- Updates to the SCF export
Fixed
- Questionnaires
- RegScale users with the GeneralUser role can access assigned questionnaires
- Non-RegScale users are not required to authenticate before accessing assigned questionnaires
- Assignment by email works as expected
- API for updating a vulnerability correctly handles null values
- DADMSId field for an asset record saves successfully
- API for creating a security plan does not require the DITPRID to be defined
[5.63.0] - 2024-07-23
Added
- Vulnerability lists on security plan and asset forms now have a...
- Column that lists how many assets are impacted
- Drilldown view to show impacted assets for a given CVE
- Details link to an external site that provides more details about a given CVE
- Create POA&M button on vulnerabilities detail form
- Support for currencies other than USD (configurable per tenant)
- Automation Manager: ability to copy the Airflow token to the clipboard before the token is hidden
Changed
- Automation Manager
- Fields for specifying a security plan are drop-down lists with security plan titles
- Keys and Secrets screen shows which keys are required for jobs
- List of integrations is dynamically generated based on available jobs
- Keys for a given integration that have no defined secret/value show as blank
Fixed
- Sorting by a given column on the vulnerabilities grid view for a security plan works correctly
- Automation Manager external documentation links work as expected
[5.62.0] - 2024-07-23
Added
- Feature flag for having New Forms be the default view
Fixed
- Multiple issues with New Forms
[5.61.0] - 2024-07-19
Added
- Support for inactive account deactivation
- Setting on the Security Policy Configuration admin panel
- Warning email sent in advance of user deactivation
- Users are deactivated if they exceed inactivity limit
Changed
- Login screen updated to current branding
Security
- Strengthened existing security measures
[5.60.0] - 2024-07-15
Added
- StateRAMP Moderate catalog
- FedRAMP Low Appendix A export
- Ability to export Other ID fields in catalog export
Removed
- OSCAL JSON exports
Fixed
- Webhooks
- Asset status webhook triggers when updated
- Causal Analysis status webhook triggers when updated
- Removed duplicates in webhook list
- Questionnaire deletion webhook triggers when updated
- Incident status webhook response includes current and previous severity
- Default control assessment field is included in webhook responses
- Facility and Organization fields are included in webhook responses
- Generating policy template export works as expected
- Assessment mapping in FedRAMP Test Case Procedure Workbook works as expected
- Licensed user count does not include disabled users
- Last evidence update is included in Evidence export
- Requirements section of CMMC SSP export works as expected
- FedRAMP POAM export includes all issues
- Resolved issue with being unable to enable RegML in specific environments
- Inherent risk calculates as expected
- Security Controls breadcrumb navigation works correctly
[5.59.0] - 2024-07-03
Added
- Ability to remove questionnaire assignments
- Filtering controls on the SSP Scorecard that have a specific status (e.g., Not Implemented)
Changed
- Control Builder supports custom labeling
- Deviations utility for issues uses the page's main save button to save changes
- Button for creating a child record is only available on records that support child records
Removed
- FedRAMP SAP and SAR export options at the security plan (SSP) level
- RegML button from the catalog form
Fixed
- Multiple issues addressed in new forms functionality
- Vulnerability ID field for issues is editable
- Assessment by Status card on the Assess Program dashboard shows the correct record count
- FedRAMP CIS/CRM export generates into the Files subsystem as expected
- Editing the last assessment for a control implementation works correctly
- DADMS ID field for assets works as expected
- Access control inheritance for an SSP's security controls works correctly
- Creating capabilities under a program works as expected
- Viewing records in the Data subsystem works correctly
[5.58.2] - 2024-07-01
Fixed
- Webhook fires correctly when assessment results are modified
[5.58.1] - 2024-06-28
Changed
- Quality Assurer selection moved to a more appropriate location for the issue screen process
- Causal analysis limited to a single causal record following a rejection by the screener
[5.58.0] - 2024-06-28
Added
- Dashboard widgets
- Control status by family
- Control maturity by family
- Control maturity by SSP
- Control last assessment result by SSP
- Continuous Monitoring (ConMon)
- List of deliverables
- Ability to load deliverables based on FedRAMP categorization
- Ability to upload deliverables
- Explanation field for causal analysis records
- Prompt to auto-close an assessment if the last line of inquiry is complete
- Feature flag for financial marketing data entry tab for risks (Enterprise only)
Changed
- Lines of Inquiry manual entry form resets after creation, making it easier to manually add multiple entries
- Save button moved to the top of lines of inquiry entry form
- Workflows only require comments for rejection
- Risk scorecard displays current risk before target risk
- Required fields for issue records are grouped together
- Risk treatment control description field is a WYSIWYG editor
Fixed
- Deleting a widget from the dashboard works as expected
- Certain dates must be the current date or earlier
- Issue first detected
- Issue completed
- Assessment actual finish
- Causal analysis completed
- Task completed
- Risk scorecard labels are aligned correctly
- Back button works as expected after creating a Kanban task
- Unsaved changes notification appears correctly for line of inquiry form
- Quality assurer field displays when selected
- Setting the inherent risk updates the risk scorecard correctly
- Canceling the creation of a new risk treatment works as expected
- Selecting a control for a risk treatment dismisses the selection modal
[5.57.2] - 2024-06-21
Fixed
- Catalog import process only removes existing controls that aren't present in the new catalog
[5.57.1] - 2024-06-21
Fixed
- Risk Scorecard for a risk updates after a risk assessment is finalized
- Inherent risk score updates correctly
- UCF tab for catalog import is only available if the UCF API key is populated
[5.57.0] - 2024-06-17
Added
- Deviation Request export for FedRAMP
[5.56.0] - 2024-06-16
Added
- Build your own dashboards, including widgets for
- Systems for highest annual loss expectancy
- My risk assessments due soon
- My issues due soon
- My tasks due soon
- My evidence due soon
- Evidence Locker workflow
- Asset by Component view for an SSP
- Ability to set default landing page per user
- Rollup reporting for vulnerabilities and CVE in the Security Plans module
Fixed
- Issue lifecycle prompts work as expected
- API
- /api/authentication/validateToken works correctly in IIS
- My History API performance improved through pagination
- Links subsystem
- Editing works as expected
- Links can be deleted
- "Job Title" field for a user is available via GraphQL
- API for getting groups by user and users by group works correctly
- Lines of inquiry render correctly on an assessment plan
- Control Builder works correctly if a control's user has been archived
- SSP implementation objectives must be unique
- SSP parameters must be unique
Security
- Routine updates applied to packages
[5.55.0] - 2024-06-14
Added
- Catalog registry to provide catalog state
- Ability to update an existing catalog
- Update report of what elements will be added, deleted, or updated
- Archival of existing catalog before applying updates
- Ability to import UCF authority documents (catalogs) and associated controls
Removed
- Integrated catalogs feature flag
Fixed
- Security control references are imported when loading a catalog
- Catalog IDs must be valid when working with security controls via the API
- Control identifiers must be unique within the same catalog
- Creating a new record from the workbench works as expected
- Webhooks for both capabilities and programs fire as expected
- Tailored SSP export includes correct field values
- Functional roles can be deleted
- SSP scorecard renders correctly
- eMASS SCF export produces results that can be successfully imported into the eMASS system
[5.54.0] - 2024-06-13
Added
- Integrations listed in the Automation Manager (AlienVault, Azure Active Directory, Azure Intune, CrowdStrike, Qualys, Salesforce, Sicura)
[5.53.0] - 2024-06-11
Added
- "Description of How Information Type is Contained in System" field on Available Information Types data entry tab for an SSP
Changed
- List of control instances for the Evidence Mapping System is alphabetized
- SBOM export (JSON) for an asset is pretty-printed
Fixed
- eMASS SCF export guards against invalid users
- eMASS SCF export description fields are populated correctly
- Risk configuration updates propagate correctly
- eMASS SLCM export option only appears if all data exists to generate the report
- Export option availability works correctly when an SSP has no assets
- .xlsm file type is supported for SSP exports
- Ports and protocols boundaries for an SSP display as expected
[5.52.0] - 2024-06-10
Added
- Ability to create a new child issue from within the Issues tab on an SSP record
Changed
- Issues tab is always displayed for an SSP
Fixed
- Login banner appears after logging in
- New forms
- Evidence collection workspace displays correctly
- Step navigation works as expected for the Control Builder
- Forms for creating a new capability, program, risk, issue, component, or asset record only show relevant tabs
- Organization field for a capabilities record populates correctly
- Tags can be added to RegScale-generated files in the Files subsystem
- Security Profiles chart view renders all charts as expected
- Creating a security control that is a child of a catalog works correctly
- All parts for a control implementation save as expected
- Creating a new risk record works correctly
- Security profile record validation works as expected
- Creation of new threat scenario and component records works correctly
- Files subsystem refreshes the view after an export is generated
- Navigating to a new-record URL when logged out navigates to the login page
- Mappings and Control Implementation tabs for an evidence record display correctly
- Deletion of an evidence record works as expected
- Implementing Roles can be deleted from a security control
- Validation for Status field when creating a new SSP works correctly
- Text for the export modal renders correctly in default and dark themes
- Objective options for a control can be archived
- Required field section of the new form cockpit shows the expand/collapse icon
[5.51.0] - 2024-06-07
Added
- Security Categorization Form (SCF) export
- eMASS System Level Continuous Monitoring (SLCM) Implementation Plan export
[5.50.0] - 2024-06-06
Added
- Endpoint to get all scan history records by parent filtered by date
Fixed
- Component mapping APIs work as expected
- Unsaved-changes check for Questionnaires works as expected
- Control implementations support soft-deleted controls
- Assessment Methods tab in the eMASS SAP/SAR export contains correct data
- Categorization tab (new forms) on an SSP displays correctly
- Inherited controls appear as Implemented in the SSP XML export
- RegML Extractor correctly lists the controls a policy satisfies
- FedRAMP Rev 5 SSP export's Leveraged Authorization section is correctly formatted
[5.49.3] - 2024-05-30
Changed
- List of system roles for an SSP automatically updates when a role is added, updated, or deleted
- Alert shown if assigning an external user to a system role on an SSP when there are no stakeholders in the subsystem
Removed
- Issues from the SSP scorecard
Fixed
- SSP scorecards
- Status icons show for inherited controls
- Correct status shown even if multiple SSPs inherit from the same profile
- Planned or In Remediation tile displays correctly in new forms design
- Exported documents do not contain a watermark
- Creating and saving a new workflow works as expected
- RegML chatbot feature restored that supports providing content from ReadMe and FedRAMP's website
- System roles created during an SSP import can be deleted
- Saving duplicate implementation objectives is prevented
[5.49.2] - 2024-05-23
Fixed
- Control Builder (Build Mode for a control implementation) works as expected
- Control Builder for one SSP only updates control implementations for that SSP even if other SSPs imported the same controls
[5.49.1] - 2024-05-23
Added
- Back button on the security controls options view for when there are no objectives
- New endpoint POST /api/implementationObjectives/deleteDuplicates to remove duplicate implementation objectives
Fixed
- Improved validation to prevent the creation of duplicate implementation objectives and parameters
- Control owner name in the Control Builder defaults to "Unknown" if the owner could not be found
[5.49.0] - 2024-05-23
Added
- Toggle for legacy and new forms design (shown on the record view/edit form)
- Ability to "deep link" to a specific form tab or form field; this feature is also used for Wayfinders
- Preventative Actions section on the Controls tab for a risk record
Changed
- Increased web accessibility with expanded keyboard navigation and screen reader support
- Tools for a given form moved to a new context menu dropdown for new forms design
- New features from the past several releases work correctly with the new forms design
- RBAC renamed to Security in the context menu dropdown
- Improved action button UI for the Files subsystem
- Added spacing to multi-select checkboxes
- Improved styling and UI for Wayfinders
Deprecated
- Feature flag for new forms design
Fixed
- Several minor defects in the new forms system have been corrected
- Email Configuration settings save as expected
- Enabling modules and features in the Admin panel works as expected
- Newly created links in the Links subsystems section of an SSP save as expected
- Record security modal window renders correctly
- Resetting custom fields works as expected
- Continuous monitoring exports generate correctly
- Tabs containing required fields for creating a new SSP are visible
- Exports generated to the Files subsystem appear as expected
- Correct hash type (MD5 or SHA-256) badges appear next to file names in the Files subsystem
- Help icon for a module's scorecard view directs the user to the documentation
- Creation and viewing of SSPs and security controls are no longer blocked by the progress spinner
- Recurrence Wizard is configured to handle recurrences for assessments
- Deleting a causal analysis record navigates the user back to the list view
- White buttons have a drop-shadow so they're easier to see on a white background
- Utility modal windows load correctly
[5.48.0] - 2024-05-22
Added
- New endpoint GET /api/access/GetLevels/ that determines a user's access (i.e., None, Read, Update) to given entities
- RegML learning and output can be performed over related documents for the current module
- RegML chatbot (Reggie) can be asked questions based on RegScale's ReadMe site and FedRAMP's website; responses include links to those information sources
Fixed
- Reggie fails gracefully if there are issues with storage or search
[5.47.0] - 2024-05-17
Added
- Parameter guidance is imported from OSCAL-based catalogs and displayed when users are populating parameters
Fixed
- Group permissions for child records are correctly inherited from parent records
- Updating catalog records works as expected
- Batch creation of issues correctly links parent record ID
- User retrieval APIs have the correct required fields
- Security Plan Users can view Evidence Locker records
- Workflow Approvers can approve workflow steps
- Viewing a workflow step from the Notifications panel works as expected
- Tenant list appears when the global admin logs in
- ID field is available in advanced search for both Programs and Capabilities modules
- Sort ID fields within catalogs are imported and used for listing security controls in that order
Security
- Global admin account has more restricted access
- Safeguards for account unlock function increased
[5.46.0] - 2024-05-17
Added
- OSCAL XML exports for Rev 5
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
Changed
- Updated OSCAL XML SSP, SAP, SAR and POAM exports to include all required information to pass NIST OSCAL CLI validations
- Made additional updates to OSCAL XML SSP, SAP, SAR and POAM exports such that they validate correctly for file conformance, as well as the majority of FedRAMP Schematron validation requirements
- Creating and updating issues via the API support providing the Control ID
Fixed
- FedRAMP Rev 5 OSCAL XML SSP, SAP, SAR and POAM exports
- Back matter section does not include a non-displayable character
- Embedded base64-encoded images and other encoded characters are not included in the SSP XML export for description fields
- Control implementation options update API's validation check for duplicates works as expected
- SSPs can be saved without defining confidentiality, integrity, availability, and overall categorization
[5.45.0] - 2024-05-14
Added
- Web accessibility features for the Notifications menu
Changed
- Most exports are generated directly to the Files subsystem rather than via browser download
- Security control ID is listed in the Evidence Mapping System
Removed
- "View" button from system-level file tags in the File Tag Manager (Admin page)
Fixed
- Exports
- Categorization must be specified before the FedRAMP Test Case Procedure export option is enabled
- FedRAMP POA&M Export (OSCAL JSON) functionality works as expected
- FedRAMP POA&M Export (Excel) accounts for Rev 5 Configuration Findings
- Default control parameters are passed to the control implementation such that they appear as expected in an export
- Column P (SSP Implementation Differential?) in FedRAMP Test Case Procedures export is blank if there is no differential
- FedRAMP Integrated Inventory Workbook (Appendix M) export matches the template format
- API
- POST and PUT for /api/securityplans return a 400 status when required fields are missing or invalid field data is provided
- POST and PUT for /api/profiles return a 400 status when required fields are missing
- Documentation for POST and PUT for /api/issues matches API behavior
- Swagger page section for GET /api/customFieldsData/{id}/{moduleID} works as expected
- Minor UI corrections (e.g., typos, button content alignment, and tooltip text)
- "View" buttons support right-clicking (i.e., provide an option to open in a new browser tab)
- Compliance Visualizer modal is horizontally centered
- "% Complete" field labels for projects and tasks are customizable
- Child issues for a security plan that are designated as POA&Ms save as expected
- Metadata seeding (Admin page) works as expected
- Username fields populate correctly on page refresh
- Security control inheritance completes as expected
- Creating a standalone questionnaire from an existing questionnaire saves as expected
- Security plan scorecard shows the correct number of icons (with correct statuses) for each part of a given security control
- Advanced search fields for Assets are unique
- Control implementation part option edit modal is populated once opened
- Control implementation status remains set correctly after clicking "Auto-Score Overall Implementation"
- Catalogs can be edited by any user that has the appropriate permissions
- Copying a security control record works as expected
Security
- Removed an unsupported library
[5.44.0] - 2024-05-13
Added
- Two-way encryption for SAML single sign-on (SSO)
Fixed
- Ports and protocols that are either directly or indirectly related to an SSP are included in the FedRAMP Rev 5 SSP export
- Child and grandchild risks, issues, and assessments work correctly at the SSP level
[5.43.0] - 2024-05-09
Added
- Workflows
- Fields for SLA, duration (auto-calculated)
- Workflow SLA Performance report
Changed
- Default parameter type in the Control Builder is "string"
Removed
- Module selector from the Workflow
Fixed
- Workflows
- Clicking "Back" only alerts the user if there are unsaved changes
- Steps are sorted correctly
- Approval interface works as expected
- Module column in the workflow list populates correctly
- Assignments for owners and assignees appear correctly in users' notifications
- Workflow initiation and completion send email notifications
- Workflow slider list has higher visual contrast
- Workspace dropdown links render correctly in dark mode
- RegML response notifications have higher visual contrast
[5.42.0] - 2024-05-04
Added
- Cryptography tab on the security plan form to support FedRAMP Appendix Q export and cross-linking with Ports and Protocols tab
- Classification Configuration admin panel
- Family, identifier, and load fields
- Search capability
- Ability to export and import configurations
- Details modal for information types on a security plan's Categorization tab
- Ability to search/filter Classification subsystem items by family and identifier
- External Services tab to show existing interconnects and allow adding new interconnects
- Control Builder
- Ability to remove an implementation option
- Ability to link a control to a policy
- Additional Save button at the top of the Parts viewer
- Questionnaire tab on program form
Changed
- Security Plan form
- Names of fields and their "required" status on the Leveraged Authorization tab
- Cloud Info tab renamed to System Information
- System Owner, ISSM, ISSO, and AO moved to System Information tab
- "Required" fields for Ports and Protocols
- Classification fields moved to System Information tab
- Classification subsystem is visible when viewing the Categorization tab
- Bulk Editor on the Scorecard tab supports changing the Inheritable? field
- Categorization tab and Categorization subsystem have the UI for selecting information types
- Control Builder
- Responsible field renamed to Control Origin
- Levels for control implementation parts are auto-generated if they remain blank
- My Activity list has a more consistent and compact appearance
Deprecated
- Control Context Viewer; functionality is available via View Mode on the Requirements tab for a control implementation record
Removed
- FedRAMP tab on the Control Implementation form
- Key Dates tab on the Security Plan form
Fixed
- Leveraged Authorization dropdown in the Control Builder works as expected
- System Owner dropdown excludes service accounts
[5.41.0] - 2024-05-01
Added
- Automation Manager -- a new, centralized hub for configuring integrations and automations
[5.40.0] - 2024-04-30
Added
- Link to SAML documentation on its configuration panel
- Caching of frequently used tenant and configuration operations to improve application performance over time
- API endpoints to upload and delete Wayfinders
- API endpoint to get all assets by parent
Changed
- Save button on an Admin panel only saves settings for the active page
- Password rotation frequency and session length settings have defined upper limits
- Wayfinder selection dropdown is dynamically generated to support new Wayfinders being added
Fixed
- Save functionality for Modules and Features configuration page works as expected
- Back button on SAML Configuration modal works as expected
- SAML single sign-on redirect works as expected
- Catalog Importer works as expected
- GET /api/config/indexLogs works as expected
- Reset Child Record Permissions button on a security plan sets associated asset group access to the same access as the security plan
- Observations and Gaps columns on the Tests tab for an assessment exclude HTML tags
- RegML Extractor produces control objectives that include the name of the parent control
- Batch creation and update set record group access based on the parent record's access level
- Greater/less than or equal to operators in questionnaire rules work as expected
[5.39.0] - 2024-04-25
Added
- Control bulk editor -- shows everything on a single screen and allows reassigning owners in bulk
- Programs and Capabilities modules -- provide the ability to capture core processes and report on enterprise risk
- Control Builder Wizard -- streamlines the writing of control implementations via a guided experience
- File tagging -- gives the ability to organize and identify certain types of attachments
- Tenant export/import -- allows admins the ability to save and restore settings
- Classification subsystem
- Search bar
- Adjustable C/I/A values with adjustment rationale
- Webhooks for security control creation, link creation, and comment creation
- Managing Risk workspace for the SSP scorecard
- Risk Control Self-Assessment (RCSA)
- Analytics rollup
- Additional fields for Risk Treatments and Risk Assessments
- Count of risk treatments column for the Risks list view
- Ability to track due date slippage for tasks in the Kanban system
- Password rotation frequency configuration and enforcement
Changed
- Improved performance on batch operations (e.g., creation) and general query operations
- Updated validation for implementation option APIs
- FedRAMP tab values for a control implementation are set automatically based on how Parts are implemented
- Classification subsystem has a tabbed interface
- Improved description of the Builder utility for supply chain records
- Primary system role has a more prominent location on the Implementing Role tab for a control implementation
- Notification performance is optimized
- Group Manager admin panel shows the number of members for each group
- Risk records
- Residual Risk now called Current Risk
- Input fields for Threat Scenario tab fields support rich-text formatting
- Added new fields for Threat Scenario tab
- Validation rules relaxed for Inherent Probability, Inherent Consequence, Target Risk Score, and Inherent Risk score
- Improved performance for Compliance Visualizer
- Threat Model validation rules relaxed for Default Probability and Default Impact
- Threat scenarios are linked to risk created using the Risk Assessment Wizard via a threat model
- Improved image rendering performance
Deprecated
- Integrations that are now managed by the Automation Panel via the CLI
- Jira
- ServiceNow
Removed
- Title column from the My Activity graph drilldown in the Workbench
- Risk recommendation field
Fixed
- Classification fields on the SSP categorization tab have the correct labels
- Dismissing notifications for workflows works as expected
- Classification subsystem displays the selected classifications of the SSP and the justification that was previously defined
- SSP export option availability works as expected based on the SSP's child records
- Parts and Parameters tabs are visible in the scorecard view of an SSP
- Risk treatments associated with a risk are displayed in the Risk Assessment Wizard
- Requirements records display as expected
- Questionnaires created via API can be edited in the application as expected
- RegML icon is only used for AI-related features
- SSP scorecard filter for Planned or In Remediation works as expected
- Profile importer progress indicator message is more informative
- Wayfinder modal close button and Workspaces dropdown option appear correctly in both default and dark themes
- Control implementation IDs in the SSP scorecard render correctly
- Page footer
- Sandbox link points to the correct URL
- License edition shows correctly after login
- Copyright year is the current year
- Notification metadata is logged
- Risks can be deleted if they have child records from an assessment
Security
- Stronger hashing mechanism for Time Travel entries
- Hardened page caching rules
- Stricter GraphQL role-based access control
- Password reuse prevented
[5.38.0] - 2024-04-12
Added
- Wayfinders support links to content outside the RegScale platform
- Overall categorization (via Categorization subsystem) values can be adjusted with justifications to support the eMASS Security Classification Form (SCF)
- Users can self-assign questionnaires using single sign-on (SSO)
Changed
- Vulnerability scan results for an asset are shown by scan date
- eMASS export options for a security plan are generally available (i.e., no longer in Beta)
Fixed
- Responsibility field on the Control Implementation tab for security plans is customizable
- Security controls can be copied for the same parent catalog
- Email icon is available in the top toolbar
- Hiding Control Implementations fields via the Custom System Labels feature works as expected
- Unsaved data alerts only appear when leaving the current page
- FedRAMP Rev5 SSP exports use items on the References tab
- Appendix B refers to Acronym items
- Appendix C refers to Policy and Procedure items
- Appendix D refers to User Guide items
- Updating issues in batch via PUT /api/issues/batchUpdate works as expected
- Actions involving catalogs (and their subparts such as controls) take into account whether or not records are archived
- Newly added users are immediately available as questionnaire owners
- Issue screening marks records as screened
- eMASS exports
- Hardware Software
- Includes assets at both the SSP and component level
- Includes FQDN as the device name (if specified); otherwise, the asset name is used
- PPSM includes POC phone number if defined; otherwise, the cell is highlighted
- POAM export is available if any issues marked as POA&M exist at any level within the security plan
- Various fixes to support test automation
Security
- Routine updates to packages/modules
[5.37.1] - 2024-04-10
Fixed
- Changes to tenant settings are limited to the specified settings within that tenant
[5.37.0] - 2024-04-09
Added
- Ability to set and enforce a session inactivity timeout
Changed
- Improved FedRAMP Rev5 OSCAL exports
- Catalogs, security controls, and categorization engines support soft-delete (i.e., archival)
Fixed
- NIST 800-53 Rev5 security profiles
[5.36.1] - 2024-03-29
Fixed
- Lightning Assessment test navigator dropdown shows all available tests, and test information changes appropriately when toggling between tests
- eMASS Hardware Software List Export (.xlsx) is available when an asset is in a security plan at any level (i.e., security plan, component) with only the minimum fields completed
- eMASS PPSM Export correctly shows the system owner phone number so long as it's defined in at least one of the phone number fields for that user
Security
- Critical security patches
[5.36.0] - 2024-03-29
Added
- Questionnaires
- Ability to grade and score questionnaires using the rules system
- Rule for enabling/disabling score display on the responder's view
- Validation messages for when rule conditions are invalid
- Further enhancements and improvements for Forms Redesign (BETA)
Fixed
- Questionnaires
- Save operation works correctly if no rules exist
- Import of a questionnaire (Excel) with multiple lines for single-answer questions works correctly
- Imports where sections are not correctly defined yield default sections
[5.35.0] - 2024-03-19
Added
- Initial implementation of the RegML chatbot (Reggie)
- Security Impact Assessment field on Change Request records
Changed
- FedRAMP Rev 5 Appendix A export...
- Lists all implementing roles for each control
- Orders parts under security controls and parts in alphabetical order
- FedRAMP Rev 5 Inventory export...
- Saves to the Files subsystem
- Includes assets directly linked to the SSP
- FedRAMP Rev 5 SSP export labels single parts of security controls correctly
- eMASS Ports and Protocols (PPSM) export works when any asset in the SSP or components in the SSP have assets that define ports and protocols
Fixed
- Activity tab of the News Feed workspace works as expected
- Save issues/errors for a new SSP record keep the user on the current form
- Warning alerts are shown if a user tries to navigate away from unsaved changes on a/an...
- Existing Risk record form
- New Profile record form
- RegML icon/button appears consistently when the feature is enabled
- Advanced Search works as expected
- Reloading questionnaires and profiles works as expected
- Adding privacy records under an SSP works as expected
- Questionnaire import and export work as expected
[5.34.2] - 2024-03-15
Fixed
- Files subsystem and Evidence Locker store contents correctly
[5.34.1] - 2024-03-14
Fixed
- Fixed issue validation rule with due dates
- Default tenant color theme is set correctly
[5.34.0] - 2024-03-14
Added
- Ability to create implementing roles from the Control Implementation form
- eMASS Hardware Software export is generated directly into the Files subsystem
- Deviation management system (in the Issues module as a utility)
- Common Vulnerability Scoring System (CVSS) as part of the deviation management system
- API to look up a vulnerability from NIST National Vulnerability Database (NVD) via /api/vulnerability/lookupCVE/{cveId}
- White labeling support (i.e., custom logos) via tenant configuration in the Setup panel
- Ability to choose small or large RegScale page footer size via the tenant configuration in the Setup panel
- Email templating via the notifications configuration in the Setup panel
- New filters for assessment status in the Evidence Workspace
- Ability to resend an access token for a user via the User Management System
- Reports
- Issue by Security Plan and Deviation Status
- Evidence Freshness Report
Changed
- Tailored SSP export pulls control type from the Responsibility field in the control implementation
- Evidence Locker system now integrated with the Evidence workspace
- Evidence Workspace can launch Lightning Assessments
- Google Authenticator setup sends a user access token via e-mail that can be used to unlock a QR code in the RegScale app
- File upload progress bar auto-closes once the upload is complete
Removed
- Automation panel from the Setup page; now located in the User menu
Fixed
- Details from inherited controls from a different SSP appear in the SSP export
- Leveraged authorizations for an SSP save as expected
- Responsible roles populate correctly for all controls in the FedRAMP Rev 5 SSP Appendix A export
- Drilldown appears when clicking on the My Activity chart in the Workbench
- eMASS POA&M export
- POA&M comments appear as expected
- Each device has its own line in the Devices Affected cell
- Multiple milestones are listed chronologically on their own lines in the Milestone with Completion Dates cell
- Tenants with no defined risk matrix will have a standard matrix created automatically
- Search functionality in the Evidence workspace for an SSP scorecard works as expected
- Issues form loads without console errors
- Password generation functionality on the New User setup form updates password criteria validation
Security
- Updated packages for Angular, NgRx, Kendo, and other supporting packages
- New user workflow generates separate emails for username and temporary password
- Ability to disable password distribution via email (in Security Policies in the Setup panel)
- Changed password cannot be the same as the previous password
[5.33.0] - 2024-03-06
Added
- Wayfinder
- Saving progress
- Ability to enable/disable via the Modules and Features Configuration screen
Changed
- Wayfinder task buttons show only if there are activities to complete
- New security controls have a default control type of Stand-Alone
- Security controls created via catalog import have a default control type of Stand-Alone
- Exported catalog fields use empty strings to represent null values
- Hierarchy of facilities within the selection drop-down shows as expanded by default
Deprecated
- N/A
Removed
- Service accounts no longer receive emails, as those inboxes are often unattended
- Questionnaires module link from the User menu
Fixed
- Wayfinder
- Completed activity count updates correctly when tasks are marked as completed or incomplete
- Each SSP has its own Wayfinder
- NIST 800-53 Rev 4 catalog import completes as expected
- New security control records show as public
- New security control record form saves properly with non-required fields
- Security Controls tab for a catalog shows the control ID in the list view
- Navigating to the Security Controls tab on the new catalog form does not prompt the user about unsaved changes
- Chart view for Security Profiles renders correctly
- Exported date fields for Change records from the API and the web app both match
- GraphQL token link appears correctly upon dashboard refresh
- Risk treatments and mitigating control implementations both carry over during a risk assessment review
- Creating a child security control for a catalog works as expected
- Analyzing Risk task on a lightning assessment works as expected
Security
- N/A
[5.32.0] - 2024-02-28
Added
- NIST CSF 2.0 catalog
Changed
- eMASS Export Support
- DITPR ID field added to security plan records
- Network Approval and Last Date Allowed fields have DADMS prefix
- DADMS Last Date Allowed field loads correctly after form refresh
- Acronyms in the software inventory are not highlighted if they are defined
- PPSM export is available when Ports and Protocols exist on the security plan
- Devices Affected cell contents are delimited by line breaks
- Ports and Protocols tab on the Security Plan form supports selecting one or more listed boundaries
- Added verification of system owner before generating export
- Bug Fixes
- Drilldown modal for the Events chart under the Activity tab of the Newsfeed lists corresponding events
- Importing the FedRAMP Rev 5 High Baseline bundled catalog imports the correct revision
- Workflow emails are no longer sent to unattended service account inboxes (i.e., [email protected])
[5.31.0] - 2024-02-23
Added
- Evidence in the Evidence Locker can be mapped to multiple controls in the same component(s) or security plan(s)
- Evidence Locker record View button supports browser right-click context menus
Changed
- Policy scorecard no longer shows compliance score percentage
- Commas for checkbox-type questionnaire questions are disallowed (replaced by spaces)
- Bug Fixes
- Tasks dashboard graph shows correct y-axis label (status)
- Navigating lines of inquiry on an assessment only prompts to save if there are unsaved changes
- Components module link visibility is correctly controlled via the Modules and Features setup screen
- After reviewing and finalizing a risk assessment, the user is redirected to the Risks tab for the newly created risk
- Empty/incomplete profiles cannot be created
- Date Closed field is not required for Risks that are not Closed or Cancelled
- RegML Auditor modal has correct title
- Supply Chain records with a CAGE code display correctly
- API PUT /api/securityplans/{id} gives the correct response if the approval date is after the expiration date
- Threat model export option displays correctly
- Threat model export process works as designed
- API GET /api/accounts/getRolesByUser/{strUser} returns the correct response if the user does not exist
- Purchase Date and End of Life Date fields for assets respect local time
- API GET /api/securityPlans/getList returns a smaller, more efficient set of data
- When creating a new risk assessment, the default probability, consequence, and mitigation scores are 1
- Evidence record export process works as designed
- Catalog export works as designed
- Automation Manager loading spinner is deactivated once the page has loaded
- Asset record date pickers work as designed
[5.30.0] - 2024-02-13
Added
- Option to filter issues that are Closed and Cancelled for the Issues by Component and Issues by Security Plan reports
- Implementing Roles data for the MegaAPI call for an SSP
- Ability to import catalogs that are deployed with the application
- Automation Panel
- Ability to view/set keys
- Consolidated all automation functions into the automation panel
- RegML: Control parameters are now properly seen, formatted, and handled by the RegML Extractor
Changed
- Workbench - removed non-actionable items (i.e., have a defined due date, some action to be performed)
- Forms redesign (BETA) updated to new grid views
- Catalog import and export logic occurs on the backend (server) rather than the client
- Redesigned the UI for the Implementing Roles tab on the Control Implementations form
- Angular performance improvements (fewer unneeded look-ups)
- Bug fixes:
- Avatars load correctly
- PUT /api/SecurityControls/{id} returns a 404 if the security control's ID is not found
- Software list in eMASS export no longer shows duplicates
- GET /api/SecurityControls/findByUniqueID/{securityControlId}/{catalogId} Swagger docs updated to reflect 204 response
- User can create child records of different module types from Creation Wizard
- Addressed issue where user dropdown may sometimes be empty on initial page load
- Validation message for "Default Assessment Days" field on components and security plan forms is correct
- Updated tooltips for OSCAL exports to be more helpful as to why an export isn't available
- Continuous Monitoring tab on the Security Plans form correctly loads assessment data
- User can create a new assessment from the Continuous Monitoring tab on the Security Plans form
- Issue Screening utility is only available if that feature is enabled in the Modules and Features admin panel
- Evidence Locker record form populates the list of mapped records correctly
- Component Status Board correctly shows all status types for POA&Ms
- Assess Risks utility for Security Plans produces no errors when reviewing and finalizing
- SAML authentication redirects to the origin rather than host
- New assessments can be saved successfully when the assessment result is set
- Collecting Evidence workspace on a security plan's scorecard correctly displays controls
- Module names appear correctly in dropdowns
[5.29.0] - 2024-02-09
Added
- Automation Platform: Can schedule automation jobs directly from the RegScale Admin panel
- SBOM: Added a download button
- Workspaces: Improved the evidence workspace and analytics
- Feature flag for Automation portal
- BETA: Forms Redesign now optionally available
- BETA: List of available catalogs and installation status (display only; non-functional)
- Several new fields to support the eMASS Hardware/Software Export
Changed
- Automation:
- Required secrets are now checked before and during scheduling a job
- Fixed bug where required parameters weren't displaying correctly
- Removed SignalR from the application
- Performance:
- Optimized loading of nearly every Angular page on the client side to speed up RegScale page loading
- Improved performance of query selecting Time Travel subsystem data
- Catalog import page has a toggle to support future upload types
- Re-enabled AppInsights for the Angular app
- POAM export (column F is auto-fit, Column AC displays N/A instead of being blank)
- Tech debt:
- Refactored the control objectives controller and business logic to match current conventions/standards
- Refactored the control parameters controller and business logic to match current conventions/standards
- Refactored the control test plans controller and business logic to match current conventions/standards
- Refactored the CCIs controller and business logic to match current conventions/standards
- Risk Matrix uses NgRx to retrieve and update colors and matrix data
- Catalog UUID is also returned as part of the /api/catalogues/getList endpoint
- Bug fixes:
- Role deletion button appears correctly on the Implementing Roles tab for a control implementation
- Supply Chain Status Board status label is named correctly
- Addressed issues on form rendering with custom data labels
- API for getting all security controls by catalog returns the expected list
- Fixed copy button on SBOM
- User sees a warning about a missing (deleted/archived) parent security control for an implementation
- Security controls can be deleted without showing errors
- /api/profiles/applyProfile correctly respects tenant separation and has improved input validation
- Questionnaire response completion progress displays correctly on the Responses tab
- Pagination on the Questionnaire Responses tab works correctly
- Security controls can be added at the same time a new policy is being created
- File uploads for an Evidence Locker record can be deleted via the Files Subsystem on that record
- Removed "routerLinks" on application navigation system to avoid duplicate page requests
- Validation of and clearer Swagger documentation about the Originator property for catalog creation and update
- Tailored SSP export (section 3 control tables) has correct formatting
- Enabled modules are listed correctly in the Modules dropdown after logging in
- Risk matrix colors are correctly set on each new creation of risk matrix
- Threat Model events are available in the event topics list
- Reset Password email links are correctly formed
- Supported export file types are retrieved from the tenant configuration service
- Email service uses the correct domain
- Color theme is correctly set on login
- Outage dates/times on change records work as expected when accounting for local time
- Integrations images display with correct aspect ratios
- Manager is a required field when creating Organizations
- Policies with templates display properly
[5.28.4] - 2024-01-27
Added
- N/A
Changed
- Bug Fix: Addressed issue with form rendering from Custom System Labels
[5.28.3] - 2024-01-26
Added
- Single Sign On (SSO) login button for a Questionnaire instance
Changed
- N/A
[5.28.2] - 2024-01-24
Added
- N/A
Changed
- Bug Fix:
- Addressed issue with creating child records on a catalog
- New record forms no longer generate 404 (not found) errors
- SSP export options are disabled (with explanation tooltips) if there is insufficient information to generate a given export
- Changes made in the Risk Configuration setup screen are reflected when displaying a risk record afterward
[5.28.1] - 2024-01-19
Added
- N/A
Changed
- Performance: Optimized loading of nearly every Angular page on client side to speed up the RegScale page loading
- Bug fixes:
- When loading a form with tabs, the first non-hidden tab is selected
- Syncfusion license key is deployed properly so that no watermark text appears on exports
- Restored missing module and fixed seeding file so that Custom System Labels works correctly
- SSP exports save to the Files subsystem as expected
- New record forms no longer generate 404 (not found) errors
[5.28.0] - 2024-01-17
Added
- Wayfinder
- Ability to manually mark activities as complete
- Tracker display (per stage) of how many activities are complete vs. incomplete
- Dropdown to select a preconfigured Wayfinder to use
- Feature flag support for integrated catalogs
- Support for future catalog workflows (ability to create, read, and update download URL and default name values)
- Questionnaire API to create and return questionnaire instances for a given questionnaire
Changed
- Performance:
- Consolidated caching functions into a single client side store in NgRx
- Optimized form and list view loading code
- Optimized caching updates/refresh/deletes for improved performance
- Removed unused cache items from NgRx to reduce memory pressure
- Tech debt: Standardized naming of Wayfinder for the Angular app
- Moved catalog update button behind the integrated catalogs feature flag
- Questionnaire instance creation API supports setting a specific due date
- Bug fixes:
- Control implementation view (Requirements tab) shows all content when scrolling
- Pagination for Questionnaires list view works as expected
- Questionnaire export works as expected for all question types
- Addressed bug with loading Lightning Assessments
[5.27.2] - 2024-01-12
Added
- Security Controls tab is now available on the Catalog form
Changed
- Bug Fixes:
- Improved styling and input for security control test plans
- Default test results now load properly in Lightning Assessments
- Components tab on Assets is visible to the General User role
- QuestionnaireInstances API for getting an instance by ID returns the correct results
- Collecting Evidence workspace for SSP scorecards appears correctly in dark mode
- Controls on Policy scorecards render properly
- Setting a risk as Closed makes the Date Closed field required
[5.27.1] - 2024-01-11
Added
- Bring Your Own Risk Matrix Feature including defining the number of levels for Consequence/Probability, descriptions for each level, custom scoring, and ability to define custom colors and color ranges for matrix visualization
- Annual Loss Expectancy added to the Risk Scorecard
- FIPS Categorization - Categorization is no longer a required set of fields to create an SSP. Instead, you use the classification subsystem to pick your information types. There is a new engine that auto-calculates "system high" and then lets you override. Once you have picked all of your types, you can save the categorization, which will update the SSP. The SSP fields are made read-only.
- BREAKING CHANGES: If running IIS, will need to update the .NET Runtime to version 8 before upgrading to this version
- New Control Navigation: Replaced control strip with inline navigation in the Control Context Viewer
- File Subsystem: PDFs can now be previewed inside of RegScale like images
- Control Freshness - Assessment Frequency
- Can now set a default number of days by which controls must be assessed on a security plan
- Can now set a default number of days by which controls must be assessed on a component
- Control implementations now track assessment frequency desired and use it to auto-set the next assessment due date
- Builders updated to auto-set assessment frequency based on the parent security control or component
- Control Context Viewer now lets users view and set the desired assessment frequency for a given control (overriding the default at SSP level)
- Assessing a control auto-sets the next assessment due date for the control based on the desired assessment frequency
- Initial stages of the Wayfinder tool for SSPs (feature-flagged)
- Questionnaires: Instructions field content now included at the top of questionnaire assignment email to support instructions/introduction for that questionnaire
Changed
- Performance Enhancements:
- Risk matrix now pulls from cache in NgRx
- Organization and Facility picklists on forms now pull from cache in NgRx
- Upgraded core platform technologies:
- Angular from Version 15 -> 17
- Node.js from Version 16 -> 20
- Telerik from Version 13 -> 14
- NgRx from Version 14 -> 17
- .NET Core from Version 7 -> 8
- Various NuGet package upgrades and security patching
- Packaging: Removed eCharts and all NPM-related dependencies from the project
- Removed heatmap visualization from the Status Boards (replaced by per Family view on the Scorecard)
- Swagger REST APIs now default to collapsed to provide a more concise list by object
- Issues API endpoint to remove a quality assurer
- Assessment Result module has custom labeling support
- Automatic creation of issues from assessment results also populates description, facility ID, org ID, date first detected, activities observed, and recommended actions
- Assets API endpoints to create and update assets in batches
- Relaxed validation on new risks to streamline data entry
- eMASS Ports and Protocols export:
- POC fields are now highlighted with a comment on how to populate these fields when System Owner isn't selected
- Optimized data fetching during export
- Added logic to fetch ports and protocols of child assets for the security plan
- Tech debt: Refactored the catalogs controller and business logic to match current conventions/standards
- Performance:
- Refactored Asset APIs to dramatically improve query performance
- Added list view saved reports to client side caching to eliminate server side calls
- Quality Improvements:
- Refactored the Catalogs controller and business logic to match current conventions/standards
- Refactored the Security Controls controller and business logic to match current conventions/standards
- Lightning assessments can now be edited
- Exports: Conditionally show and hide SSP and related exports based on completing the categorization step
- Bug Fixes:
- Corrected validation issue on the assessment POST API
- Addressed edge case issues with event driven notifications
- DOE SSP export has templated system security manager, highlights missing data, supports image tagging system, and uses correct categorization
- Issue process flow supports removing a quality assurer
- Threat Scenarios tab no longer shows until the Threat Model is saved
- Admin and service accounts are no longer available as choices in user dropdown menus
- Corrected formatting issues with Error Log table in the Admin panel
- Submit for Screening button for Issues works as expected
- Outage window start/end dates for Changes use local time
- Lightning Assessments: initial status of the assessment is now correctly set to "In Progress" vs. "Draft"
- Lightning Assessments: addressed bug where duplicate assessments could be scheduled under some circumstances
- Addressed edge case issue with some status items not displaying correctly in list view
- Fixed intermittent failure on event webhook for Incident severity change
[5.26.1] - 2023-12-22
Added
- Changes - added ability to track testing information for a change
Changed
- Bug Fixes:
- Workbench and News Feed now properly show/hide based on configuration settings
- Fixed issue with the Asset Mapping API endpoint
- New Threats Models form cockpit correctly shows which required fields have values
- Questionnaire response Excel export formats cells with top vertical alignment
- Catalogs module
- List view shows new information to support UCF
- Detail view shows new information to support UCF
- Import functionality accounts for new information to support UCF
- Performance: Uses front-end caching to reduce the number of API calls to the api/email/getDomain endpoint
[5.26.0] - 2023-12-20
Added
- Re-imagined Scorecard for visualizing control status
- Evidence Workspace added to Scorecard
- Workflows use custom data labels
- File Subsystem now supports a preview mode for images
Changed
- Questionnaire status stepper was removed
- Code quality: Cleaner separation of RegML Explainer modal component and the accompanying service
- Performance: Replaced database calls for tenant and configuration data with NgRx caching
- Bug fixes
- Rejecting a submitted questionnaire instance shows a toast notification
- Questionnaire title heading updates after making changes to the title and saving
- Questionnaire response export (Excel) cells have word wrap enabled
- Export buttons for the questionnaire responses list are always visible
- RegML Extractor works with "flat" control implementation statements
- Progress spinner disables after a new tenant has been created
- "Upload Enabled" flag on questionnaire questions is supported for import and export
- Added validation when loading facilities on forms
[5.25.0] - 2023-12-13
Added
- Re-imagined Scorecard for visualizing control status
- Progress bar for completing control parts on a Control Implementation
- Progress bar for completing control parameters on a Control Implementation
- Button for auto-scoring a control implementation based on its parts
- SicuraId field to ScanHistory to support Sicura integration
- Financial Modeling for Risk
- New control implementation parts status: "Alternative Implementation"
- Server-side guards against deleting files within a module that originated from the Evidence Locker
- Accounts API endpoint to get the list of inactive users for the current tenant
- Control Tests: Added the ability to provide default text per test to help prompt assessors during the lightning assessment
- "Other identifier" for issue records
- "Task Type" for task records
- API endpoint for Accounts to get all delegate users for a given user
- Performance: Optimized loading of tenant and license configuration information using NgRx; reduced backend calls
- Infrastructure: Resiliency for cache access (missing username, case sensitivity)
Changed
- Questionnaire response export format includes historical responses
- Single workflow step rejection cancels subsequent steps
- Deleting files from the Files Subsystem is only supported in the Evidence Locker module
- Removed beta tags from the following:
- SSP exports: FedRAMP Rev5, CMMC, More options
- Setup: Custom System Labels, Events & Webhooks
- Bug fixes
- Questionnaire instance endpoint getAllByParent returns 404 if the parent questionnaire doesn't exist
- Event topic list in Event and Webhook Configuration Management populates correctly
- Import button is available for Security Profiles
- Workspaces no longer show in menu for the Global Admin account
- My Activity no longer shows in menu for the Global Admin account
- Copying an existing Continuous Monitoring Assessment works as designed
- Risk Strategy is a required field when creating a new Risk
- Custom labeling support for the Asset Mapping tab on the Component form
- Implemented paging, sorting, and filtering to Asset Mapping list view
- Time remaining (e.g., days overdue, days due) on Issues uses correct heading levels and colors
- Custom validation is limited to that field's module
- Child issues for an assessment are only created if one doesn't already exist
- Parent cause codes for causal analysis must have a value before being assigned
- Manual Detection ID field for Issue records saves as expected
- Dropdown menus have unique values on the Threats Scenarios tab for a Threat record
- Migrated README.md reference sections into separate files and updated docs on how to run locally via localdev
[5.24.1] - 2023-11-28
Added
- N/A
Changed
- Bug Fixes:
- Prevent saving multiple duplicate tenants through rapid clicking
- Control Origination checkbox fixes
- Inherited from pre-existing FedRAMP Authorization option
- FedRAMP Tab prioritizing
- Security Plan delete now performs a NULL check
- Control Implementations: Planned Implementation Date and Steps to Implement are only required if the status is Planned
- Catalog count no longer includes archived controls
- Supply Chains module name is correct
[5.24.0] - 2023-11-27
Added
- Type of Service field on the Basic Info tab for Interconnections
- Tenable Nessus ID and Burp ID for Issues (Integration tab)
- Support for using a shared database server and shared storage account
- API endpoint to get all questionnaire instances for a given questionnaire
- Enterprise Risk
- Threat Model module
- Ability to generate a library of threat scenarios for a given threat model
- Risk Assessment Wizard on organizer now loads based on selected threat model
Changed
- Status boards use custom data labels
- Workbench uses custom data labels
- Swagger: Brought documentation for the Time Travel endpoints up to standard
- Error logging for questionnaire submission
- Type of Service column populated in FedRAMP SSP export (Table 7.1)
- Questionnaire list view by default sorts by ID (descending)
- Minor updates to FedRAMP Rev5 CIS/CRM export
- Tech Debt: Asset service read operations implement cleaner role-based access control
- Version bumps for GraphQL packages (Hot Chocolate and Strawberry Shake)
- Bug Fixes:
- Improved validation for bulk questionnaire assignment via Excel workbook upload
- Questionnaire option (e.g., multiple choice) text that has commas exports correctly
- For Issues, moved the Salesforce Case # field to the Case Management section under the Integration tab
- Risk field values and required fields function and save as expected
- Record selection dropdown when assigning questionnaires to a module appears correctly in dark mode
- Workspaces dropdown appears correctly in dark mode
- Asset PUT and POST APIs properly check for missing and whitespace-only fields
- Appendix A contains implementation statement overrides if present
- FedRAMP XML export logic properly handles a file with an empty filename in the attachments
[5.23.1] - 2023-11-14
Added
- Independent scroll to assessment Lines of Inquiry
- Using assessment workflow system now locks down form fields so they cannot be directly edited
Changed
- Bug Fixes:
- Converted token date check to UTC time
- Added more helpful error message for exports that use the Files subsystem in the case where a specific file type (e.g., .xml) is not enabled for the RegScale instance
- Entering questionnaire prompt data no longer produces console errors
- Added dirty form checks in the questionnaire builder
- Validation for MAC addresses on assets works correctly
- Validation for URLs works correctly
- Export logic updated to ensure the export button is responsive
- RegML features will not be enabled if the user chooses to cancel the enable action
[5.23.0] - 2023-11-12
Added
- Home page (dashboard) uses custom data labels
- Support for feature flags
- Ability to hide tabs and fields in forms via the Custom System Labels panel
- Infrastructure for automated UI testing with Playwright
- Record creation wizard uses custom data labels
- Questionnaire response scoring
- Improved User Profile to better display readonly fields for LDAP/SSO users
- Mapping of discrepancy fields in the SAR export
- Refresh button to Issue Status page to force update of lifecycle and workflow actions
- Questionnaire instances can have assigned reviewers
- Enterprise Risk
- Added Progress to Risk Scorecard
- During a risk assessment, risk assessment auto-calculates and defaults (user can still over-ride)
- Inherent Risk score now displays in the Risk Assessment table
- Consolidated treatments, preventive actions, and related controls into a single tab on the risk screen
Changed
- FedRAMP Appendix A export prioritizes information on the FedRAMP tab for a control implementation
- Infrastructure: Feature flag source is more explicit when running standalone vs. SaaS
- Inline view of questionnaire responses works correctly for all question types
- Security: Patching NPM vulnerabilities
- Bug fixes
- FedRAMP and eMASS exports do not contain encoded HTML characters (e.g., &)
- FedRAMP Rev 5 SSP export does not contain HTML tags
- FedRAMP Rev 5 SSP export does not have redundant placeholder text in Appendix E
- Updating an existing Change record no longer produces console errors
- RegML Extractor status bar shows completion even if errors occur
- When selecting a facility that has sub-facilities for an Issue, a sub-facility must be chosen
- Questionnaires module uses custom data labels correctly
- Resetting custom data labels correctly sets visible and editable states for labels
- Icons for Threats module corrected
- RegML Extractor supports PDFs with up to 100 pages
- General system description is available in the FedRAMP Rev 5 SSP export
- Can now create custom security controls properly using the record creation wizard
- Workflow for submitting an Issue for screening works as expected
- Added guard for an edge case concerning OSCAL export file creation
- New-form pages for Security Controls and Control Implementations are inaccessible via URL
- For OSCAL XML export of an SSP, the system-id and identifier-type URLs are correct whether or not a FedRAMP ID# is provided
- Questions in the questionnaire builder cannot be moved to a different section without a prompt
- Assigning a manager workflow now uses the correct Angular route
- Questionnaires cannot be resubmitted unless the questionnaire instance is reopened
- Profile import (file selection) process works as expected
- Validation for required signature question types in Questionnaires works as expected
- Questionnaire user registration shows the correct message about minimum password length
- Comment fields for questionnaire review are only visible when the Feedback toggle is set
- Dropdown tree controls (e.g., facility selection) can be cleared of their selection
- Child tasks appear correctly in the crumbcake nav and Compliance Visualizer
- Custom fields for the Profiles, Categorization, Questionnaires, and Control Implementations modules update as expected
[5.22.0] - 2023-10-31
Added
- N/A
Changed
- Completion indicator for the required Status field works correctly for new components
- Creating questionnaires via an Excel worksheet correctly uses the "Required" column
- Improved readability of long answer fields in questionnaires for dark mode
- Process flow visual for Issues in the Status tab works correctly in dark mode
- Count of files in the Files subsystem for Control Implementations and Security Plans is correct
- Workspaces dropdown is only available if user is logged in
- More consistent user experience when creating relationships for a record
- Crumbcake navigation uses custom data labels
- Kanban subsystem works correctly with custom data labels
[5.21.0] - 2023-10-27
Added
- New Fields
- Other Identifier - added to the assessments and issues modules
- Org Code and External Identifier can now be assigned to an organization
- Risk Categorization added to Components
- Added Original Planned Finish date field to assessments (used for calculating date changes over time)
- New API endpoints (to support Nessus integration)
- Batch creation of assets
- Batch creation of vulnerabilities
- Questionnaire owners can make a questionnaire public so that users can self-assign to new responses/instances
- Utility: Due Date Extension - allows you to request and approve date extensions
- Workflow
- Implemented Close and Re-Open Issue Actions
- Workflow approval screen now shows information on any associated actions tied to the workflow
- Ability to create workflows for a specific manager or user
- Security
- Added ability to set and enforce max password retries and lockout period
Changed
- Refactored module metadata seeding procedure to make it simpler
- Replaced checkboxes on the Hardware Info tab in the Assets form with dropdowns (Yes/No/blank)
- Advanced Search for Asset records supports fields whose options are Yes/No/blank
- Questionnaire responses export includes email addresses for recipients that aren't RegScale users
- Action to show dashboards for questionnaires and questionnaire responses removed until proper dashboards are available
- Optimized field mapping for FedRAMP rev4 & rev5 excel exports
- Bug Fixes
- Evidence Locker: Evidence is linked to controls when mapping to controls
- Dismissing a workflow in the Notifications area leaves the workflow active in the Workbench
- Canceling license update now properly resets the form
- Control implementation forms render correctly
- Updated Assigned Instances function works for questionnaires assigned to non-RegScale users
- RegML icon only appears once on the Control Implementation form
- FedRAMP Rev 5 Appendix A export contains the correct implementation status, control origination, and solution implementation details
- Notification appears when a user reopens a questionnaire response instance
- Reordering questions within sections and between sections works correctly
- Required custom fields for new record forms display correctly after saving
- Advanced search works correctly with custom data labels
- FedRAMP R5 Inventory Fixes:
- Correctly maps Function (Column X) for hardware and software assets
- Added asset.Manufacturer to Make/Model Column (Column M)
- Hardware Assets with Software Inventory will now have their software inventory mapped to the correct rows
- Required custom fields appear in the new-form cockpit
- Airflow DAG triggers work as expected
- Removed erroneous warning about custom fields being unavailable
- Workflow instance changes properly trigger webhooks
- Adjusted the save functionality in the questionnaire builder to prevent data loss
- Removed placeholder text in the FedRAMP Rev 5 SSP export (Table 3.1)
- Removed instruction boxes from the FedRAMP Rev 5 SSP export
- Removed duplicate alert when no manager is assigned for a user in the workflow system
[5.20.2] - 2023-10-18
Added
- N/A
Changed
- Custom Data Labeling
- Updated warning prompt for reset to be clearer
- UX
- Banner colors now match US Government classification standards
- Admin panel now listed in alphabetical order
- Bug Fixes
- Questionnaire assignee email address shows in the Responses list
- Questionnaire assignment via Excel workbook upload works as expected
[5.20.1] - 2023-10-18
Added
- N/A
Changed
- Hot Fix: Addressed issue with seeding on startup of container
[5.20.0] - 2023-10-18
Added
- Ability to reset all custom data labels in the Admin panel
- APIs
- Programmatically delete custom fields
- Retrieve workflow actions for a given parent record ID and module
- Pull all available metadata for a given module
- Facilities now support a hierarchy structure similar to the organization hierarchy
- FedRAMP
- Fields for Rev 5 SAP/SAR exports
- Rev 5 Inventory Export for Security Plans with Assets
- Lightning Assessment now auto-calculates Risk Exposure based on FedRAMP formula
- Logging
- Error logging to the database via Serilog
- Default level is Error and a scheduled task will remove entries older than 14 days every night at 1 and 3 am (limited to 5k records per run)
- RegML:
- Extractor to RegML Tools on a System Security Plan, allowing the automatic extraction of implementation statements from user-uploaded PDFs
- Auditor can use control objectives or control implementation statements
- Auditor shows links to open a control in a separate window
- Tasks: Description and results fields
- Unified Compliance Framework (UCF)
- Added integration to the Admin panel
- Web accessibility
- Support for 200% zoom
- Right-click support for top navigation menu dropdowns
Changed
- Architecture:
- Refactored how files are handled for standalone and SaaS versions
- Refactored and cleaned up APIs for Master Assessments
- Custom Data Labeling
- Support for changing field labels and basic module metadata
- Driven by the database rather than JSON files
- Custom Fields: Now allowed on tasks
- Email service refactor, with support for OAuth
- Evidence Locker
- Mapping evidence to Security Plans
- Improved mapping experience
- Display of all records mapped to an Evidence Locker record
- Ability to start Evidence Locker mapping from the Utilities widget
- Ability to navigate to Evidence Locker directly from a Security Plan
- FedRAMP exports: In Rev 4 and Rev 5, images and narratives are split for Authorization Boundary, Network Diagram, and Data Flow Diagram
- Gantt Chart: Security plans now show draft issues to work better with the Lightning Assessment system
- Issue Screening:
- Removed analysis step
- Default certain checkboxes to reduce clicks in the screening process
- Risk: Status Board now displays the Target and Residual Risk Scores from the new risk assessment engine
- Questionnaires
- Added back-end structure for scoring questionnaire instances
- Enhanced response Excel export readability and usability
- Owner receives an email when a questionnaire response is submitted
- Performance: Refactored all picklist module calls to use the new form service
- Risk Assessment: Multiple UX improvements based on customer feedback
- Security
- Records can now only be deleted by an Administrator or the user who created the record
- LDAP now records the last login date for the user
- SSO now records the last login date for a new user during thin provisioning
- Deletion of records no longer cascade-deletes the audit logs or Time Travel records to provide improved forensic analysis
- Fixed various access control restrictions for consistency across roles
- User experience
- Improved child record creation experience
- Removed gradients on CISO Home Page
- Wiz CI/CD scan integration support
- Bug Fixes
- Accessing questionnaire instances produces no errors whether or not the user is logged into RegScale
- Fixed error when uploading SBOM during release publish
- Addressed issue with reseeding metadata
- Variable casing corrected so that module data loads correctly
- Evidence Locker: View and Delete buttons on mapped controls align correctly
- Adding a new assessment under Continuous Monitoring for a component brings up the new assessment form
- Module data seeding works correctly through both the application UI and the Swagger interface
- Severity Level by Date Identified chart in Issues module renders correctly
- Schedule recurrence options for questionnaire assignment render properly in dark mode
- Dropdown to select number of rows for Supply Chain board works as designed
- Raised events are no longer case-sensitive
- Control origination checkboxes for FedRAMP Rev 4 or Rev 5 SSP exports match the RegScale SSP
- New assessment form loads correctly
- GraphQL code generator utility correctly accounts for the new Angular file structure
- RegML Extractor GraphQL queries are adjusted to address overfetching
- Master assessments dropdown selections are properly seeded on app startup
- Added input validation when updating an asset record
- RegML Controls Author uses the company name for the tenant
- Module data is correctly seeded on initial database creation
- RegML Extractor input is limited to 25 pages
- Vulnerability drilldown modal for assets displays correctly
- Questionnaires can be submitted for recipients that aren't RegScale users (i.e., only have an access code)
- Questionnaire section index changes correctly update assigned instances
- Viewing catalogs no longer produces console errors
- Generated export files correctly appear in the Files subsystem
- Webhook events for deletions fire for archival as well
- Webhook events for modifications fire as expected
- Status board row-count selector works correctly
- Change Management bar charts have tooltips and the drilldown modals render correctly
- Issues By Identification chart shows the N/A title where needed
- When adding a new record via the Compliance Visualizer, the modal now dismisses properly
- Addressed several issues with GraphQL queries
- Addressed issue with redirect after login for SSO
- Addressed issue with importing some catalogs
- Drilldowns for Exceptions dashboards display correct titles
- Reset All Custom Labels works as expected
- Fixed edge case issue with Lightning Assessment progress calculation
- Subheaders that use custom data labeling render correctly
- For interconnections, the external fully qualified domain name saves as expected
- For components, if the status is "Other" the explanation field is marked as required
- Fixed input validation checks that were being corrupted by dynamic loading
- Lightning assessments now load properly from the Scorecard
[5.19.0] - 2023-10-03
Added
- Risk: Improved initial risk scoring UI and functionality
- Risk: Added risk treatment effectiveness and direct link back to control implementations
- Risk: Added business impact to the risk assessment wizard
- Risk: Risk assessments now allow you to evaluate the effectiveness of each risk treatment
Changed
- Bug Fix: Properly show/hide links on the footer based on login status
- Bug Fix: Risk Scorecard now shows N/A for difference and residual risk if risk assessment has not yet been conducted
- Bug Fix: Questionnaire can be assigned without errors to a RegScale user
- Questionnaires: Progress feedback is shown when bulk-assigning questionnaires
- Bug Fix: Only asked questions are considered in the percent complete for a questionnaire instance
- Bug Fix: api/metadata/reseed correctly loads the seed file content
- Bug Fix: Removed Controls by Type options for the policy scorecard view
- Web accessibility: single-page application structure, dashboard percentages, alternate text for status icons and logos
- Bug Fix: Software inventory is displayed in the tailored SSP if software is within a hardware asset
- UX: Reorganized data entry form for Supply Chain to be more efficient
- Bug Fix: Addressed issues with Lightning Assessments on Supply Chain records
- UX: Scorecard now redirects to new lightning assessment form versus opening in a slider
[5.18.2] - 2023-09-29
Added
- Field for Assets under the Integrations tab: Sicura
Changed
- Bug Fix: Record addition, modification, and deletion events trigger properly
- Bug Fix: Addressed edge case where a user could bypass the login banner
[5.18.1] - 2023-09-29
Added
- Security: Added support for OAuth authentication for email security
Changed
- Policies: Parameters are now only required if the status is "Active"
- Removed CQRS from Assets module
- Added Assets Service to handle all business rules for the Assets controller and corrected Swagger documentation
- UX: Addressed spacing issues on password toggle
- Bug Fix: New risks created via the Risk Assessment Wizard do not require a target risk score
[5.18.0] - 2023-09-27
Added
- Components: Added external ID field and API for ease of integrating with outside tools/data
- FedRAMP: Added fields to support FedRAMP Rev 5 requirements for Leveraged Authorizations
- FedRAMP: Expanded interconnect module to support FedRAMP Rev 5 requirements
- FedRAMP: Added fields to support Risk Exposure Template export in Rev 5
- Lightning Assessment: Now shows parts and parameters on the left side view
- Lightning Assessment: Now shows the parent security control on the left side view
- Lightning Assessment: Left and right side are now independently scrollable
- Lightning Assessment: Now allows incremental progress (can save 1 control at a time)
- Lightning Assessment: Now allows editing assessments
- Lightning Assessment: Allows you to flag an issue as reportable and will auto-generate an issue
- Questionnaire Security: Added access control for both internal and external users
- Ability to export POA&MS from a Security Plan as FedRAMP Rev 5 Risk Exposure Excel workbook
- UX: Added persistent footer to the application
- Workflow: Added options for assigning workflows and building new ones using the subsystem
- Workflow: Added ability to assign and create workflows directly to a manager
- Issue Screening: Added quick action buttons to create Causal Analysis records
- UX: Workbench is now the default landing page
- FedRAMP Rev 5 SSP Appendix A export in Word format
- FedRAMP Rev 5 CIS export in Excel
- FedRAMP Rev 5 Test Case Procedure export in Excel at Security Plan level and Continuous Monitoring level
- Continuous Monitoring tab now has a "Create New" button
- Issues: new fields for manual issue detection
- Web accessibility attributes for the RegScale logo, notifications area, and page landmark regions
- Questionnaire question file upload support
- Workflow: Added a new API for creating custom workflows programmatically
Changed
- Performance: Optimized page loads for RegScale forms
- UX: Changed list view fields for Privacy Impact Assessments
- UX: Consolidated dashboards into the List View system of modules
- UX: Removed sidebar from left side of the screen
- Performance: Improved indexing on Components
- Performance: Improved query speed when retrieving a Security Control or Control Implementation
- Context Viewer: Now shows the part description when creating a new option and auto-closes once option is completed
- Enhancement: Catalog error messages now persist on the page when uploading
- Bug Fix: Removed duplicate FedRAMP tab on Control Implementations
- Bug Fix: Risk scorecard now renders properly
- Added logic to the ReadMe.io version update in the release pipeline to parse the version from the environment first, then default to the version number in package.json
- Bug Fix: Addressed issue where Control Context Viewer always returned to Parts when editing Parameters
- Bug Fix: Addressed "you are already logged in" bug when redirected to login page
- Bug Fix: Addressed various issues with maintaining questionnaire state
- Print: FedRAMP fields added to control implementation printable form
- Bug Fix: Global admin redirect now works properly
- Bug Fix: Editing tasks in the Kanban subsystem does not result in console errors
- Bug Fix: Ports and Protocols table is present in the FedRAMP SSP (Rev 4 and Rev 5) export
- Bug Fix: Supply Chain contract owner dropdown does not contain duplicated usernames
- Bug Fix: Issue ID is returned as part of the api.issues.create event
- Bug Fix: Login banner must be acknowledged before using the application after login
- Security: Patching NPM vulnerabilities
- Updated the executive summary text for the FedRAMP SSP Rev 4 templates (Moderate and High)
- Bug Fix: Catalogue export as OSCAL JSON uses correct encoding
- Added 'deprecated' label for FedRAMP Rev 4 SSP and continuous monitoring exports
- Bug Fix: Leveraged authorizations appear in FedRAMP SSP export
- Questionnaire: Process questionnaire rules when dropdown answer changes
- Bug Fix: Validation in the policy form and policy template now apply together
- Bug Fix: Automation panel only shows DAG execution date-time
- Bug Fix: The api/Organizations/getList endpoint correctly displays organization managers and manager IDs
- Bug Fix: Saving a new questionnaire presents a single toast notification
- Bug Fix: Editing a questionnaire QUID doesn't automatically move the cursor to the end of the QUID
- Questionnaire instance comparison export (Excel) format is now one instance per row
- Questionnaire rich text editor control styling matches the rest of the application
- Updated SSP's MegaAPI result to include an asset's list of software inventories
- Bug Fix: Addressed issue with updating a Task within the Event system
- Lines of Inquiry: Now warns you if navigating forward or back without saving
[5.17.1] - 2023-09-13
Added
- UX: Can now create a new profile from the Builder Wizard
Changed
- Bug Fix: Custom fields dropdown list addresses issue with adding new items
- Bug Fix: Addressed SSO login issue for thin provisioning and logging in new SSO users
- Bug Fix: Addressed issue with launching Security Profile importer
- UX: Replaced Digital Signature with Electronic Signature labels
[5.17.0] - 2023-09-12
Added
- Questionnaire: Add execution constraint to rules to limit when certain rules are executed
Changed
- Cause Code Admin Panel for Causal Analysis
- SonarQube integration for issues
- Updated CSP Name for FedRAMP Test Case Procedures export to use CSP Organization Name from the Preparation tab of the Security Plan
- Questionnaire: Allow various Action Functions to accept list of questions to change
- Questionnaire: Make Action Functions resilient to updating question (quid) that does not exist
- Questionnaire: Update rules of open instances when updating open instances
- Support: Improved logging for toasts to assist with testing and debugging
[5.16.3] - 2023-09-11
Added
- Ability to dynamically set fields to read-only based on record state
- List Views: Added ability to create a child record from the list view
- Security: Hardened JWT timeout checks for all Angular routes
- Reports: Improved FedRAMP export of the Risk Exposure Report
- Workflow: Now supports management approvals
- Workflow: Added functional role assignments
- Workflow: Added action system
- Workflow: Added comments, files, and links to the workflow record viewer
Changed
- UX: Catalog importer moved to the list view next to the "New" button
- UX: Improved formatting of the print screen
- Bug Fix: Removed FedRAMP tab from SSP
- Bug Fix: Added FedRAMP tab to control implementations
- Bug Fix: Navigation system not showing titles as links
- Bug Fix: Addressed error on Group retrieval
- UX: Improved formatting of the user list in the Admin panel
- Bug Fix: Manage risk visualization on home page updated
- Bug Fix: Issue screening now pulls the correct comments, files, and links
[5.16.2] - 2023-09-08
Added
- FedRAMP: Added risk fields to POA&M to support the Risk Exposure Template export
- Metadata: Added reseeding option to the Admin panel (accommodates new changes over time to picklist)
- Automation: Support for scheduling, pausing, and checking status of Airflow jobs
- RegML: Added license confirmation box allowing all SaaS customers to opt-in to AI/ML capabilities in RegScale
- Ability to export FedRAMP POAMs for Rev 5
Changed
- Enhancement: Refactored seed metadata method to be consistent across the application
- Bug Fix: Added SQL check to skip some specialized indexing for unsupported SQL Server versions
- Bug Fix: User activation API returns 400 when the request is empty
- Accessibility: Added more keyboard-based navigation and alternative text content
- Bug Fix: Required field count and completion percentage for new records works correctly
- Bug Fix: After making a change on a control implementation record, when navigating away and choosing "Cancel" no navigation occurs
[5.16.1] - 2023-09-07
Added
- N/A
Changed
- Bug Fix: CONMON display fix for progress report
- Bug Fix: Addressed issues looking up Security Plans on controls list view
- Performance: Database index tuning based on Azure recommendations
- Performance: Multiple query optimizations for fetching control implementations
- Performance: Refactored Navigation system query to be more performant
- Bug Fix: Addressed issue where subsystems would sometimes not show for a control implementation with related evidence
- Bug Fix: Setting a new task as Closed updates the percent complete to 100%
- Bug Fix: Phone number fields on questionnaires require a valid phone number before saving
- Bug Fix: Security Control Implementations list view Control ID sorting matches other Control ID sorting in the application
[5.16.0] - 2023-09-06
Added
- FedRAMP: POAMs now export as OSCAL
- FedRAMP: Added XML Export for OSCAL SSPs
- Security: All event logging is now performed server side
- Performance: Optimized the subsystem count query to be more performant
- Issue Status: Can now manage the full lifecycle with status gates and workflows
- Flag to dynamically set fields to readonly based on workflow
Changed
- Bug Fix: Added fix for multiple quick clicks of the login button
- Tech Debt: Forms now centrally driven by a single config (pre-requisite for enabling custom data labels in the future)
- Explanation for Other than Operational Status field is only required for FedRAMP SSPs now
- OAuth: Fixed login issue to improve Okta support
- Security: Now records the date a user was deactivated
- 508 Compliance - added scope attribute to table headers
- DEPRECATED API: Removed all GetAll endpoints, now requires using filter methods or paging in GraphQL to avoid performance impacts
- Bug Fix: New Requirements form tab names match the cockpit section names
- Bug Fix: Added missing fields for advanced search in questionnaire
- Bug Fix: Counts in Risk by Trend chart on the main dashboard match the number of records in the drilldown modal
- Bug Fix: Moving a slider no longer reloads a tab's data
- Bug Fix: Changing a security plan's status updates the form to trigger validation rules
- Bug Fix: Scorecards, Status Boards, and Gantt charts now use the same query
- Bug Fix: System roles pulldown now provides a "blank" user since it is no longer required
- Bug Fix: Addressed many role-based authorization queries based on specialized roles
- UX: Fixed minor rendering issue with search bar on Status Boards
- UX: Added line breaks to Implementation Part statements
- UX: Fixed issue with comments tab sometimes rendering off screen in Lightning Assessments
- Bug Fix: Control Implementations and Requirements now require a parent ID and parent Module
- Bug Fix: Addressed issues with Security Plan not printing controls in Community Edition
- UX: Group manager now displays the group ID in the list
- Error Logs - now supports a back button
- Tech Debt - removed legacy SecurityPlanId field from Control Implementations
- Bug Fix: Changed questionnaire Rules field back from RichText to TextArea
- Made event topics more consistent
- Bug Fix: Source OSCAL URL field saves correctly when creating a new catalogue
- Removed event manager columns pertaining to Active status and updated list filtering
- Saving after adding a new questionnaire section works as expected when reloading the page
- Questionnaire: email question type supports validation before proceeding
- Questionnaire: Renders properly if the questionnaire only has instructional questions
[5.15.4] - 2023-08-31
Added
- Questionnaire: Export one or more responses to a single Excel worksheet
- Accessibility: Additional support for tab-key navigation, aria labels for icons
- Data Subsystem - Code Mirror added for editing raw XML and JSON in the platform
- FedRAMP: POAMs now export as OSCAL
- FedRAMP: SSPs now export as OSCAL
- FedRAMP: Added new fields to stakeholder system and flag to set if Individual or an Organization
- FedRAMP: Can now add external stakeholders to a system role assignment (previously was just internal users)
- FedRAMP: Added new features to support tracking Cryptographic modules
Changed
- Bug Fix: Addressed periodic issues in pulling Status Board data for Security Plans
- Tech Debt: Improved POST/PUT APIs for Facilities and Stakeholders
- Tech Debt: Improved OSCAL XML export code for SSPs to be more resilient
- Catalog MegaAPI for efficiently fetching a catalog with all related child data (controls, parameters, tests, options, etc.)
- Bug Fix: Text-based questionnaire answers are not accepted if they contain only whitespace
- Bug Fix: DOE SSP export matches new data and formatting requirements
- Bug Fix: Asset Type field only appears on the Basic Info tab for Assets
[5.15.3] - 2023-08-29
Added
- Logic to prevent duplicate file names when uploading a file to a record
- API endpoint to rename duplicate files for a provided record ID and module name
- FedRAMP: Lightning assessments now support Risk Analysis
- Mini-Subsystem - added to Lightning Assessments, can add files, comments, and links at the assessment test level along with assigning Quick Actions - Request Evidence or Create Issue
- RegML Auditor for control implementation evaluation (BETA)
- FedRAMP - added asset types to components
- Swagger: Brought documentation for the Push Notifications endpoints up to standard
- Delegate System: Profile now allows you to set delegates for your approvals
- Create endpoint for Ports and Protocols available via Swagger
- Functional Roles: Ability for administrators to define functional roles and to add users to those roles
- "Create" endpoint for Ports and Protocols available via Swagger
- Event-based Architecture: Added events for questionnaire status changes
- System URL text field on the Basic Info tab in Security Plans
- API endpoint for creating a classified record
- Organization URL text field on the Organization Manager form
- FedRAMP: RegScale Assigned User is now an optional field on a System Role
Changed
- UX: Administration panel for system administrators now shows options in Alphabetical order
- Bug Fix: Changing SSP status to anything other than Operational sets Explanation for "Other than Operational Status" as required
- Bug Fix: Questionnaires module does not appear in the user menu when it has been disabled
- Bug Fix: Changing an asset's category updates the available tabs accordingly
- Bug Fix: Setting an incident's phase as "Closed" makes the Date Resolved field required
- Tech Debt: Optimized TypeScript library loading with Angular
- OSCAL: Objectives renamed to "Parts" throughout the UI to align with current NIST/FedRAMP terminology
- Removed drill-down from module record History charts
- Updated all exports generated from RegScale to follow a naming convention that ends in _YYYYMMDD
- Several fixes for DOE template and SSP exports in general
- Bug Fix: Questionnaires required to have at least one section
- Analytics (dashboards) side nav only displays dashboards that the current user can access with their roles
- Navigating via URL to a dashboard the current user doesn't have access to shows a toast notification and redirects to the home dashboard
- Bug Fix: Evidence Locker advanced search works correctly for Date Created and Evidence Owner fields
[5.15.2] - 2023-08-25
Added
- FedRAMP: Ability to assign multiple sources, origination, and status at the control implementation level
- Questionnaires: Ability to download the Excel import template
- Questionnaires: Ability to export questionnaire to Excel
- Questionnaires: Ability to export a questionnaire response to Excel
- Questionnaires: Ability to modify a questionnaire that has already been published
- Keyboard accessibility for the form menu (e.g., back, save)
Changed
- Bug Fix: Advanced search for a blank item in a picklist now works properly
- Bug Fix: Addressed validation logic on new Security Plans
- Bug Fix: Addressed issue deleting Lines of Inquiry
- Bug Fix: Removed roles from the workbench
- Tech Debt: Added missing IDs on links to support testing automation
- Tech Debt: Truncate strings for Excel exports to avoid corrupting the workbook
- Performance: Refactored required field validation to be more performant on the client side
- Infrastructure: Event topic names are pluralized
- Bug Fix: Webhook form saves successfully even with a misconfigured webhook
- Bug Fix: Marking a task as "completed" requires the user to enter a value for the Date Completed field
- Bug Fix: By Point of Contact chart on the Incident Response dashboard renders user names correctly
- Bug Fix: Required custom fields for a new Case Management record appear in the cockpit regardless of status change
- Bug Fix: Fixed issue with security profiles being unable to update
- After assigning a questionnaire the Responses tab is automatically updated to reflect the new assignment
- UX: Improved the display of the control in the Lightning Assessment and added deep link to view the parent control
- Bug Fix: When creating a new questionnaire form, the Builder, Assignment, and Responses tabs require saving the questionnaire first
[5.15.1] - 2023-08-24
Added
- Reporting: New report showing all comments on controls for a given Security Plan
- Loading spinner to Inheritance Engine to show progress as work is executing
- Keyboard accessibility for top nav bar and left nav bar (WCAG)
Changed
- Improved alerting and labeling when a parent security control is not found for a control implementation
- Bug Fix: Addressed issue with inheriting between Security Plans
- Bug Fix: Functional areas can now be searched for Assessment Plans
- Bug Fix: Server side auditing working properly for comments
- Bug Fix: Addressed console error when loading components for an SSP
- Bug Fix: Print Preview shows all pages
- Bug Fix: When creating a new task with a closed status, the cockpit correctly lists required fields completion
- Bug Fix: Questionnaires save correctly when the created-by and last-updated-by user are the same
[5.15.0] - 2023-08-23
Added
- FedRAMP: System Roles can now have multiple users assigned
- FedRAMP: Add button to auto-assign all FedRAMP defined system roles
- FedRAMP: Added explanation field if "Other" checked for Cloud Model
- FedRAMP: Added "Other" option for Cloud Deployment Model
- FedRAMP: Added Data Center tab to Security Plans
- FedRAMP: Expanded properties subsystem to add Label and Other Attributes fields (optional)
- Causal Analysis Role - restricts creating, updating, and deleting a Causal Analysis to users with this role (who normally have specialized training)
- Assessment Lines of Inquiry - multiple enhancements: Can dynamically add new lines of inquiry without a parent Assessment Plan and can apply multiple assessment plans
- FedRAMP: Added validation to the deployment option selections if a FedRAMP SSP (flag based on FedRAMP ID # not being empty)
- FedRAMP: Added "Under Major Modification" and "Other" status to components
- FedRAMP: Added Explanation for Other status to components
- FedRAMP: Expanded links to support external identifiers and attributes
- FedRAMP: Security Plans added field for explanation for Other than Operational status
- FedRAMP: Allows system role assignments at the Component and Control Implementation level (one to many)
- FedRAMP: References now support optional description field and UUIDs
- FedRAMP: Added Responsibility and Leveraged Authorization fields at the Control Objective level
- POA&M checkbox for Issues under POA&M Info tab to indicate if the issue is a POA&M item
- FedRAMP: Added all reference types allowed from FedRAMP to the References tab
- Metadata - added ability to define external keys for metadata (allows for mappings, i.e. to FedRAMP/OSCAL values), metadata is now editable
- Event Driven Architecture - added status changes and fixed several edge case bugs
Changed
- Tech Debt: APIs cleaned up to remove logging fields (Created By, Date Created, Last Updated By, Date Last Updated)
- Bug Fix: Improved validation for properties system on the server side
- Lines of Inquiry - added ability to remove a line of inquiry from a given assessment
- Tech Debt: Added many missing tables to the GraphQL layer
- Bug Fix: Export of DOE SSP fixes special character issues
- Bug Fix: FedRAMP Risk Exposure export will now display if any child item of the Security Plan has a risk associated with it
- FedRAMP POAMs Export will now only export issues with the POA&M checkbox checked under POA&M Info tab
- Bug Fix: Marking a security plan as "operational" makes key date fields required
- Swagger: Brought documentation for the Threads endpoints up to standard
- Bug Fix: Marking an assessment as "complete" marks newly required fields as required
- Bug Fix: Marking a case as "complete" marks newly required fields as required
- Bug Fix: Marking a causal analysis as "complete" marks newly required fields as required
- Bug Fix: Marking a data call status as "complete" marks newly required fields as required
- Bug Fix: Marking an exception status as "complete" marks newly required fields as required
- Bug Fix: Marking an incident status as "complete" marks newly required fields as required
- Bug Fix: Marking an issue as "complete" marks newly required fields as required
- Bug Fix: Marking an interconnection status as "complete" marks newly required fields as required
- SECURITY: Hardened forgot password feature based on penetration testing recommendations
- Bug Fix: Marking a project as "complete" marks newly required fields as required
- Bug Fix: Marking a risk as "closed" marks newly required fields as required
- Bug Fix: Marking a threat as "mitigated" or "eliminated" marks newly required fields as required
- Bug Fix: Marking a policy as "active" marks newly required fields as required
- Added "Risk Accepted" status option for control implementations
- Change: "Partially Implemented" controls no longer require planned implementation date or steps to implement
- Changed the way team data is displayed in the SSP export (Word format)
- Moved SAP and SAR exports from Security Plans to Continuous Monitoring
- Event architecture: Added interceptor to handle status and severity changes
[5.14.1] - 2023-08-18
Added
- Org Chart Viewer - organization manager now lets you visually browse the org chart
- BETA: New version of DOE SSP export released
- SECURITY: Improved login experience for MFA and SSO users and hardened the process end to end (NOTE: Customers may want to test in DEV before rolling to PROD)
- Security Plans - added version field
- FedRAMP: Vulnerability system added to Continuous Monitoring
- FedRAMP: Added multiple new fields to support SAR exports (Actual Finish Date and flag for Date Adjustment for Corrections)
- Infrastructure to support unit testing
Changed
- Bug Fix: Paging now works properly for Service Accounts, improved layout of page formatting
- Security: NPM patching for vulnerabilities
- Security: Service account tokens now hidden in the UI, added copy button for ease of pasting with CLI and Swagger
- Improved RegML automated reviewer interaction with the control implementation form
- Bug Fix: Change validation for required fields now works properly on edits
- Bug Fix: Changing status to closed auto-sets % complete to 100 on saves and edits
- Updated CIS/CRM export to include Security Plan Name, CSP Name, and Security Plan's impact level to the Instructions tab
- Fixed incorrect logic for controls with an implementation status of "Not Applicable" in FedRAMP Test Case Procedures export
- Bug Fix: FedRAMP Risk Exposure export will now display if any child item of the Security Plan has an associated risk
- Bug Fix: Custom fields only populate after save operation completes
[5.14.0] - 2023-08-16
Added
- Risk Scorecard
- Data Subsystem - stores raw JSON, YAML, and XML data for integrations
- Questionnaire: Added electronic signature support
- Questionnaire: Added new field types for Dates, Phone Numbers, and Emails
- Process questionnaire rules after each question response and choice change
- Added Questionnaires tab to the following modules to make it easier to navigate to associated questionnaires: Components, Policies, Security Plans, Supply Chain
- Questionnaires: Added alerts for unanswered required questions within current section before leaving the current section
- Questionnaires: Added support for linking directly to a specific page of a questionnaire
- Questionnaires: Added updating browser's displayed to specific page of a questionnaire when user navigates with Next and Back buttons
- Check to ensure the user is on a supported browser (Edge or Chrome)
Changed
- SECURITY: Patching of core .NET packages
- Improved validation and error handling for Control Objectives, Tests, and Test Plans
- Bug Fix: Addressed issue where server-side and client-side validation of control implementations did not match, preventing updates to a record in "Not Implemented" status
- Bug Fix: Misconfigured/unavailable webhook endpoints yield better logging
- Bug Fix: Drilldown links for the Fix Problems dashboard display a modal with a list view with the same number of records as shown on the dashboard
- Bug Fix: Assess Program dashboard modal links have list views that match the record counts shown on the dashboard
- Bug Fix: Assessment-role users have access to the Tasks module
- Bug Fix: When creating a system administrator with break glass account, system now checks config to make sure email is enabled before trying to send the email
- Bug Fix: Questionnaires can be submitted without being logged in
- Questionnaires: Navigating between questionnaire pages returns to the top of the page
- Questionnaires: Responses now have a back button
- Questionnaires: Rules are processed after each question response and choice change
- Questionnaires: Assigned By and Block Layout toggle removed from assignee view of the questionnaire
- SUPPORT: Added a new environment variable, "EMAIL_NO_TLS", to allow customers to disable TLS for email in legacy environments where it is not supported
- Questionnaires: Submitter name for assignees outside of RegScale no longer required for submission
- Bug Fixes: Fixed multiple bugs causing the FedRAMP Test Case Procedures export to generate a corrupt Excel workbook
[5.13.0] - 2023-08-05
Added
- Support for webhooks to listen for specific events in RegScale externally
- Application Insights for SaaS monitoring and troubleshooting for Customer Success
- Architecture implementation for event queues and distributed processing
- Chart views have a checkbox to toggle auto-fitting of charts to the viewing region
- Questionnaire instances can be reopened
- Added email validation to bulk questionnaire assignment
- Backend support for questionnaire instance history
- Questionnaires: consolidated assignment functionality into a single screen
- Questionnaires: responses now show as a tab under the questionnaire record
- Questionnaires: now auto-generate a security token to provide access control protection for external users
- (Beta) SSP export in Department of Energy (DOE) format
- Support for Salesforce integration with issues for Case Management
- (Beta) Admin tab for events to allow managing event topics and webhooks
Changed
- Bug Fix: RegML Author button appears correctly based on tenant state
- Bug Fix: Drilldown works correctly on the My Activity tab of the Workbench
- Questionnaires: Can now be attached to any parent module (removed hard coding to Security Plans)
- Questionnaires: Consolidated functionality into instance table (removed assignment table)
- Questionnaires: Share link now opens in a new tab, added "Copy" icon
- Bug Fix: Questionnaire response form no longer reports console errors
- Bug Fix: Toast notification dismisses properly in Lightning Assessments
- Bug Fix: Addressed console errors when viewing a continuous monitoring record
- Bug Fix: Addressed RegML loading infinite loop when connection not found
- Bug Fix: Analyze Risk functionality in Lightning Assessments creates a risk record
- Bug Fix: Controls Author timeout increased to handle longer control implementation statements
- Bug Fix: Causal Analysis Step 2 renders correctly in dark mode
- Bug Fix: Target Risk Score field is required when creating a new risk
- Bug Fix: Users can be readonly for some modules and have greater rights in other modules
- Bug Fix: Chart views render correctly
- Bug Fix: Swagger page loads correctly
- Bug Fix: Outage Summary field displays in the cockpit if an outage is required
- Bug Fix: Close button on Workflows slideout works correctly
- Bug Fix: Controls and Implementations cannot be created without a parent
- Improved user feedback for bulk-assignment of questionnaires via email
- Improved performance of the recurrence components in Tasks, Assessments, and Data Calls
[5.12.0] - 2023-08-02
Added
- Performance: Optimized all Angular queries to eliminate slowed performance over time and need to refresh the application
- Questionnaire system supports grouping questions into sections
- Questionnaire system supports creating rules that can show/hide questions and set/clear answers based on user-defined conditions
- Questionnaire system Excel import supports multiple question types, required flag, section IDs, and question IDs
- Questionnaire system sends emails to assigned recipients
- Questionnaire system allows bulk assignment via Excel worksheet of recipients
- Organization Hierarchy support
- Properties endpoint to support batch updates
- Ability to create a new Assessment Plan directly from the assessment record
- Ability to auto-generate an issue from a failed Line of Inquiry on an Assessment Plan
- FedRAMP: Added fields for "guidance" and "constraints" to parameters
- Reports: Added Date Last Updated to the SPRS 800-171 Report
Changed
- Dropdown lists are initialized from configurations and are populated through Angular caching (support work for dynamic data labeling)
- UX: Improved data validation warnings across 34 different screens
- Bug Fix: Questionnaire responses display information instead of a blank page
- Bug Fix: Templates for FedRAMP Moderate and High include additional placeholders for Table 6-1 and 6-2
- Bug Fix: Drilldown and Status board counts for issues on an SSP match
- Bug Fix: Due date validation messages for tasks are easier to understand
- Bug Fix: For interconnects, IP addresses are validated only if non-empty
- Bug Fix: Assessment Plans list view displays correctly
- Bug Fix: URL fields in Supply Chain records support automated testing
- Bug Fix: Improved target risk score label in the Required Fields section when creating a new risk
- Bug Fix: List of required fields for new issues works correctly when changing issue status
- Bug Fix: Updated the Policies Controller such that Swagger loads correctly
- Bug Fix: Outage Summary field for Change records is only required for completed changes
- Bug Fix: Saved contents on the Lookups tab for Supply Chain records persist after page refresh
- Bug Fix: Charts on Issues by Severity Level by Status report render correctly
- Bug Fix: Changes module loads correctly
- Bug Fix: Addressed task validation error with due dates in the past
- Bug Fix: Fix for module name to re-display questionnaire responses in list view
- Bug Fix: RegScale user list populates correctly on page refresh
- Bug Fix: Deleting a questionnaire marks it as inactive
- Bug Fix: Default question for a new questionnaire is auto-assigned a unique ID (QUID)
- Bug Fix: Addressed some HTML formatting issues in the control test preview
- Bug Fix: Questionnaire link in email points to the unique response
- Change: Request Evidence is now the first option on the Lightning Assessment buttons
- Change: User baseball cards now have a header and dismiss modal button
- Change: Scorecard now shows % of controls assessed and % passing in Overall Compliance section
- Change: Removed closed issues from the Status Boards
- Change: Improved ability to handle unencrypted email via SMTP
- Change: Component Status Board only shows components that are active
[5.11.1] - 2023-07-20
Added
- Architecture support for feature flags
- Update endpoint for the Scan History API
Changed
- Bug Fix: Button colors for the Policy Template editor match the rest of the application
- Bug Fix: Policy Template editor renders properly in dark mode
- Bug Fix: FedRAMP SSP export handles missing controls and suppresses unnecessary errors
- Bug Fix: Documents that are generated directly into the Files subsystem have the correct content format
- Bug Fix: Method in Questions controller marked ignorable to Swagger
[5.11.0] - 2023-07-19
Added
- Risk Assessment Wizard
- Security: Login banner now forces the user to acknowledge the banner before proceeding
- Scorecards are now the default view for existing records on organizers
- CMMC Export for Components (uses inheritance)
- Questionnaires support multiple choice, checkboxes, and dropdowns
- Questionnaire builder supports required fields and question IDs
- Continuous Monitoring - can add all controls with a single button click (supports initial authorization flow)
Changed
- Moved Delete button further away from the save button to avoid accidental clicks
- Removed Authorizing Official (AO), System Owner, and ISSO as required fields for SSPs
- Improved user experience for the questionnaire response form
- Bug Fix: Addressed data validation errors and labels throughout the application
- Bug Fix: Addressed issue on SAR export
- Bug Fix: Addressed issue where the clickable area of a button was sometimes too large
- Bug Fix: Addressed new issue validation bug
- Bug Fix: Addressed miscellaneous problems with issue counts between Status Boards, Scorecards, and Gantt charts
- Bug Fix: Delete button now works on Teams and Tools tabs
- Bug Fix: Removed duplicate close buttons on the dashboards
- Bug Fix: Analysis button removed from Vulnerabilities tab for an asset record
- Bug Fix: Questionnaires must have at least one question before being assigned
- Bug Fix: Addressed issue where new SSO user button was not showing
- Bug Fix: Security Profile module is available for users with Evidence, Projects, Policies, Security Plans, or Supply Chain
- Remediated vulnerabilities from UBI build process
- Bug Fix: Corrected typo on logged in alert message
- Bug Fix: Password validation checks for new users show green and red appropriately
[5.10.0] - 2023-07-12
Added
- Enterprise Risk: Added Risk Treatment tab to the Risk module
- Enterprise Risk: Added Risk Action tab to the Risk Module
- Enterprise Risk: Added fields for tracking timelines for conducting risk assessments of a risk
Changed
- Reports: Added "All Time" as a filter to date ranges (pull last 10 years of data)
- Questionnaire system supports submitting a questionnaire response
- Questionnaire system allows assigning a questionnaire to a security plan
- Bug Fix: Addressed issue with "auto-login" for SSO users after logging out
- Bug Fix: Fixed edge case on login logic
- Bug Fix: Service accounts can be deleted
- Bug Fix: Addressed data validation issue on the client side for assessments
- Bug Fix: Personal Access Tokens (PATs) cannot be created if the service account user cannot be created
- Bug Fix: Fixed many validation issues on new records
- Bug Fix: Security Plan tabs are hidden if the user doesn't have access to view the contents
- Bug Fix: Corrected CSS errors and legacy code
- Bug Fix: Corrected classification count in the subsystem (paging bug)
- Issue Screening: Severity Level, Issue Owner, and Due Date lock after screening
- Bug Fix: OSCAL FedRAMP SAP and SAR export options for Continuous Monitoring work as designed
- Tech Debt: Reduced build warnings by 68%
- Bug Fix: FedRAMP Risk Exposure export for Security Plans has applicable threats and mitigating controls/factors
[5.9.0] - 2023-07-05
Added
- Issue Screening feature
- Ability to generate tenant specific service accounts
- Labels shown in dashboards are dynamic rather than hard-coded
- OSCAL: SSP export - controls now export using the sort-id
- FedRAMP: Control implementations now use the NIST Control ID instead of the RegScale primary key in the export
- FedRAMP: Added planned implementation date and steps to implement for a control implementation
- FedRAMP: SSP exports now support FedRAMP status settings and control originations
- FedRAMP: System Roles now export in OSCAL for control implementations
- FedRAMP: Control implementations now properly export statements (objectives) using the by-component OSCAL format
- OSCAL: Attachments, Links, and Comments now export into the OSCAL SSP
Changed
- Bug Fix: Corrected data validation problem on issues
- Bug Fix: FedRAMP SSP responsible role field is populated by role instead of the owner name
- Bug Fix: All required fields for SSP system roles are identified and validated
- Bug Fix: Threat identified date cannot be in the future
- Bug Fix: Policy preview works correctly when uploading a new template
- Bug Fix: Lookahead view works correctly upon direct navigation by URL
- Bug Fix: The spinner deactivates and a message is displayed if a list view query fails
- Security: Added the ability to delete/revoke Service Accounts
- Bug Fix: Validation error message in Issues module appears correctly at the bottom of the page
- Bug Fix: Issues Workflows dropdown in the Workflows subsystems supports scrolling
- Bug Fix: Minor fixes in the FedRAMP Test Case Procedures export
- Bug Fix: Confirm Account button for a new account works correctly
- Enhancement: Scorecard font increased for table view
- Tech Debt: Removed legacy issue severity level service
- Security: Tightened up MFA login to only use the current code (removed the recent code grace period)
- Bug Fix: Addressed issue with count being off by 1 on Time Travel subsystem
- Enhancement: Replaced colored shield icon with padlocks to indicate public vs access controlled records
- UX: Validation errors now render inside the alert instead of below it
- Bug Fix: Long lists of user roles now properly render on the Workbench panel
- UX: Assess button on Scorecard no longer switches sides on the card when toggling into Edit mode
- Bug Fix: Addressed Mega-API error when exporting system roles for a control implementation
- Bug Fix: Fixed grand totals column on the issues by severity report
[5.8.1] - 2023-06-29
Added
- N/A
Changed
- Security: Improved route trimming for the Global Admin
- UX: Improved tenant setup experience for Community Edition customers
- Improved system setup wizard (differentiates between Global Admin and System Administrator now)
- Bug Fix: Lightning Assessment toggle for implementation and evidence has a default state
- Bug Fix: Replaced bad link for Community Edition license registration
- UX: Minor formatting and button alignment tweaks
- UX: Addressed formatting on the user confirmation page
[5.8.0] - 2023-06-28
Added
- Questionnaire system supports adding questions to a questionnaire
- Assessment Plan Module with Lines of Inquiry
- Lines of Inquiry experience for conducting checklist based audits using the Assessment Plan module
Changed
- Tech Debt: Removed unused files from two code projects
- Bug Fix: Added attribute to an API method so that Swagger loads successfully
- Enhancement: Added button route information to support automated testing
- Bug Fix: Security Plans' GET API returns a 404 response when there is no security plan by a given ID
- Bug Fix: Importing a policy template Word document completes without a 500 error
- Bug Fix: User is informed why a policy template preview is unavailable
- Security: Nuget patching for vulnerabilities
- Bug Fix: Homepage dashboards with little or no data render correctly
- Bug Fix: List view of risks on Risk Dashboard has correct title/header
- Bug Fix: Section headers for the Risk Score card on the Risk Status Board are aligned
- Bug Fix: Better contrast on Analytics sidebar slide-out
- Bug Fix: Organization page renders properly when navigating via direct URL
- Bug Fix: Facility form in the Setup panel validates input
- Bug Fix: Control Implementation form shows validation messages
- Bug Fix: Improved validation on Variables and Secrets section of the Admin panel
[5.7.1] - 2023-06-21
Added
- N/A
Changed
- Fixed bug where the FedRAMP Test Case Procedure export button was not displaying
- Security: Patching of Nuget packages for .NET
- Bug Fix: Policy editor tab is hidden until a new policy is saved
[5.7.0] - 2023-06-14
Added
- Basic questionnaire builder features (BETA)
- Basic RegScale ML features (BETA - SaaS only)
- FedRAMP: Added System Role to control implementations
- FedRAMP: Added overlays to OSCAL SSP export in system characteristics
- FedRAMP: Added new fields to assets for FedRAMP
- FedRAMP: Added FedRAMP overlays to the inventory section of the SSP export
- Gantt view now allows for adding issues directly from the UI
- Lightning Assessment: added the parent, title, and description to the left panel
- Ability to make an implementation option private so that it is not shared
- FedRAMP: Excel export of test case procedures
- Reporting: Adding Evidence Locker files to the Component & Security Plans Evidence Reports
Changed
- Performance: Refactored breadcrumb/navigation system lookup to be significantly faster
- Performance: Refactored subsystem lookup to be significantly faster
- Bug Fix: Page titles in the Changes module match the module name
- Bug Fix: Creating new configuration variables works as expected
- Bug Fix: Login works even if the login banner is not defined (or blank)
- Bug Fix: Addressed logout issue when session expires
- Bug Fix: User is prompted about unsaved changes when navigating away from a form
- Bug Fix: Crumbcake navigation dropdowns dismiss when clicking outside them
- Bug Fix: Crumbcake level links correctly navigate to their target records
- Bug Fix: Minor rendering issues on assets
- Bug Fix: Addressed validation error for assessments
- Bug Fix: Icon close window fixed
- Bug Fix: In evidence locker, delete button is now hidden in readonly mode
- Bug Fix: Addressed logo rendering issue on the Unauthorized page
- Bug Fix: Paging now works on the Tenant list for the global admin account
- Bug Fix: Addressed a date comparison issue in the Incident Response module
- Security: Trimmed access to missed routes based on authorization
- Security: Added route guards preventing the Admin account from accessing other admin pages they should not
- Bug Fix: System Administrator list on the global admin screen no longer shows service account users
- Bug Fix: Addressed edge case error on FedRAMP POAM exports
- Bug Fix: Time Travel count in subsystem menu is now correct
- Bug Fix: Control tests now sort by Test ID providing a better index for sorting
- Improved issue and task validation checks
[5.6.2] - 2023-06-09
Added
- Continuous Monitoring to Supply Chain
- FedRAMP - added FedRAMP System Roles to the SSP and OSCAL export
- FedRAMP - now auto-generates the default system component based on the SSP
- Questionnaires System supports uploading an Excel-based questionnaire
- Added functionality to highlight missing data in exports (currently only available with SAR export)
Changed
- Bug Fix: Comments will now prompt the user to confirm before allowing a delete
- Bug Fix: Addressed issues with assessing requirements using the Lightning Assessment
- Enhancement: You can now dynamically add tests to a Lightning Assessment as part of Continuous Monitoring
- Bug Fix: Calendar option removed from Modules and Features configuration screen
- Bug Fix: Fixed SSO auto-login after logout (now must take an overt action to SSO back in)
- Enhancement: Various improvements to login flow to reduce confusion and improve the UX
- Tech Debt: Removed Datadog monitoring code from SaaS
- Bug Fix: Addressed issue checking LDAP status for the 'admin' break glass account
- Bug Fix: Addressed dual logo rendering on the change password page
- Bug Fix: Fixed error with routing between pages for first time with the admin account login
- Enhancement: Removed login link since the application auto-redirects the user if not logged in
- Security: QR code now emailed to set up MFA; further protecting the QR code secrets
- Security: Added a prefix for MFA to distinguish between multiple environments (DEV, QA, PROD, etc.)
- Bug Fix: Risks dashboard shows the correct number of open and closed risks
- Bug Fix: Files subsystem shows pagination controls
[5.6.1] - 2023-06-08
Added
- Software inventory feature for hardware assets
- Billing Utilization: Ability to pull daily access logs as an Admin on the Utilization panel
Changed
- Bug Fix: SSO now properly supports new user thin provisioning
- Bug Fix: Fixed validation checks on control implementations with a "Not Applicable" status
- Improved OSCAL SAP/SAR export for FedRAMP
- Security: Improved role checks with JWT tokens throughout user and RBAC service
- Fixed errors in UBI docker image
[5.6.0] - 2023-06-07
Added
- Multi-Factor Authentication (MFA) support for all local accounts using Google Authenticator
- FedRAMP Security: Now recording the date of the last password change
- FedRAMP Security: Now records the date a user account was de-activated
- FedRAMP Security: Re-organized the login experience to hide details and improve the authentication flow
- SSO flag to indicate whether user accounts are externally managed by a 3rd party SSO provider
- Kanban: Now tracks original due dates for tasks and any associated date slides
- Patching: UBI Docker image that has fewer vulnerabilities
- New export experience for transforming compliance artifacts
Changed
- Bug Fix: Selecting multiple options in Value to Search dropdown for advanced search works as designed
- Bug Fix: updated SBOM workflow to work on GitHub runners
- Bug Fix: Fixed legacy link to C2 Labs support email
- Bug Fix: Change password button works as designed
- Improved SAP/SAR exports for OSCAL - now version 1.04 compliant
- Tech Debt: Removed legacy atlasity ids throughout the application
- Enhancement: Improved Asset endpoint comments for Swagger (getAll, GET, PUT)
- Removed duplicate asset tab on Components
- Enhancement: Improved button layout for integrations in the Admin panel
- Naming convention for Docker images has changed from regscale:ubi-VERSION to regscale-ubi:VERSION as well as regscale-rocky:VERSION
[5.5.0] - 2023-05-31
Added
- Workflow to automatically update the CHANGELOG on ReadMe.io when a new release is created
- Workflow to automatically update the version on ReadMe.io when a new release is created
- FedRAMP: Added security policies to the Admin panel (BETA feature)
- Contingency Planning roles to cyber team responsibilities
- BETA: Added SAR export to Word
Changed
- Bug Fixes: Fixed console errors when loading the Context Viewer
- Bug Fix: OSCAL exporter now works properly on Security Plans
- Bug Fix: Evidence locker now accepts an update frequency of zero
- Bug Fix: Operational SSP key date validation works as designed
- Bug Fix: Continuous Monitoring instructions support lengthier text
- Bug Fix: Corrected issues on the Home Page dashboard
- Bug Fix: Continuous Monitoring instructions can now handle long text
- Bug Fix: Various improvements to inheritance UI
- Bug Fix: Corrected date validation issues on the SSP
- Tech Debt: Corrected various namespace issues in the controllers
- Enhancement: Evidence locker now displays which controls are already selected
- Enhancement: Evidence locker now allows hitting enter to search instead of having to press the button
- Improved standards support for OAuth configuration of tokens
[5.4.0] - 2023-05-24
Added
- Controls, Issues, Risks, and Assets tabs added to organizers
- Refactored the Lightning Assessment experience within Continuous Monitoring
- Evidence Locker - added fields (Evidence Owner, Update Frequency, and Last Evidence Update)
- Evidence Locker now tracks owner and update frequency requirements - added to the Workbench for accountability tracking
- Evidence Locker - uploading new evidence now automatically updates the Last Evidence Update field
Changed
- Performance: Optimized indexing across modules to improve DB query performance
- Bug Fix: Fixed weird logo rendering when logging in with break glass account
- Re-arranged tabs on Security Plans for ease of data entry
- Bug Fix: SortId added to control implementation filter API
- Bug Fix: YAML upload works as designed
- Bug Fix: Child record drop-down in the crumbcake nav dismisses when the user clicks outside of it
- Bug Fix: Evidence Locker now looks up parent component in addition to parent security plan when doing bulk mapping
- Bug Fix: License check validation improved to do a "soft" cap on users
- Bug Fix: Lightning Assessments now validate that all tests have a valid result before saving
- Bug Fix: Lightning Assessment failed tests now require a gap to be identified
- Bug Fix: Manual assessments now correctly apply a compliance score
- Bug Fix: All fields now correctly set defaults when saving manual assessments
- Bug Fix: Addressed compliance calculation issues with Inherited controls
- GraphQL: Added the Reference table to the graph
[5.3.2] - 2023-05-19
Added
- FedRAMP: Added user logout alert
Changed
- Security: Patched all NUGET libraries for .NET
- Bug Fix: Addressed issue with CLI config API
- Bug Fix: Removed analytics sidebar for GlobalAdmin
- Performance: Optimized SBOM query to find all entries for an asset
- Bug Fix: Improved change detection and fixed errors on several Angular pages
- Bug Fix: Sort ID now properly set for a control on catalog import
- Bug Fix: Classification system paging now works properly
- Bug Fix: Evidence icon now renders properly in light mode
- Bug Fix: Addressed issue with trying to save an objective without selecting an option
[5.3.1] - 2023-05-18
Added
- Asset Cloud Identifiers for AWS, Azure, and GCP
Changed
- Labeling: Security Checklist visualization now says Risks Remediated instead of Risks Mitigated
- Added "Not Reviewed" to Security Checklist status options
- Bug Fix: "Today" button for the date picker works in dark mode
- Enhancement: "Dismiss" text for toast notifications is green
- Bug Fix: Control Implementation now displays correctly when there are no objectives or parameters
[5.3.0] - 2023-05-17
Added
- Improved UI for Inheritance and Control Mappings
- Added ability to better document controls at the Objective level
Changed
- Security: Performed some API hardening
- Tech Debt: API controller class/files names match endpoints visible in Swagger
- Bug Fix: Child records that are the same type as their parents render correctly in the crumbcake navigation
- Bug Fix: Toast notifications work correctly in the Evidence Mapping Wizard
- Bug Fix: Percent of issues closed on time is correctly computed on the Fix Problems dashboard
- Bug Fix: Save button for editing user profile works properly
- Bug Fix: "Other" status for security plans displays correctly in the status bar
- Bug Fix: Security Plans Dashboard drill-down modals display correctly
- Bug Fix: Security profile mapping renders correctly in dark mode
[5.2.2] - 2023-05-12
Added
- N/A
Changed
- SSO Bug Fix
[5.2.1] - 2023-05-12
Added
- N/A
Changed
- Privacy Impact Assessment (PIA) form streamlined based on customer input
- Bug Fix: Refresh now works properly with the counters on the Evidence Locker
- Buttons and badges are styled consistently
- Fixed styling of the Risk Status Board for dark mode
- Bug Fix: Added null-check before validating the CLI configuration
- Tech Debt: Project and solution files simplified to not compile unused code
[5.2.0] - 2023-05-10
Added
- FedRAMP System Roles added to the Security Plan
- Automation admin panel to allow the CLI configuration to be saved securely in the RegScale database
- Evidence Locker System
- Description (Requirement Text) added to tailored SSP template and parameters replaced in description
- If replaced, parameter is bold; if no parameter exists, parameter tag is highlighted
- Categorization Justification added to tailored SSP template
Changed
- Bug Fix: Fixed issues with usernames that have a capital letter in them
- Bug Fix: Print view for Security Plans shows correct child record counts; also displays spinner when loading security control implementations
- Bug Fix: The status bar has consistent arrow usage and a status indicator for active records
- Bug Fix: Assignment link within emails navigates to the correct URL
- Bug Fix: Usernames are not case-sensitive.
- Bug Fix: Redirecting to a page after login works correctly.
[5.1.2] - 2023-05-05
Added
- New risk scoring fields to the Risk module
Changed
- Renamed all Azure AD labels to OAuth SSO
- Bug Fix: Addressed Red Hat UBI build issue
- Added UPN support for SSO with Azure AD
[5.1.1] - 2023-05-04
Added
- New APIs for querying Supply Chain records
- Categorization justification to the Security Plan module
Changed
- Bug Fix: Fixed chart alignment for iPad
- Bug Fix: Errors when connecting to LDAP
- Bug Fix: Pagination works correctly in the Files subsystem
[5.1.0] - 2023-05-03
Added
- Outage Summary field to the Change Management module
- Updated eMASS Software List sheet and mappings
- Control Source and Exclusion Justification to Control Implementations
- Home page sidebar is expandable/collapsible
- Issue Status by Owner and Security Plan and Issue Status by Owner and Component reports have charts; those reports also default to all dates
Changed
- Fixed warning on scope for renewing OAuth tokens
- Bug Fix: Search works properly for Security Control Implementation and Scorecard
- Tech Debt: Eliminated legacy calls to pre-load the old home page
- Bug Fix: Improved chart queries and fixed various errors
- Bug Fix: "Show More" button on the newsfeed is enabled/disabled properly
- Bug Fix: Custom color theme works properly for multi-tenancy
- Bug Fix: Form input left and right padding increased to accommodate scrollbars to prevent focus state border from being cut off
- Bug Fix: Top nav buttons stay present when going from dashboard to any other page
- Bug Fix: Overall status for Component dashboard calculates percentage correctly
- Bug Fix: Users can properly log in after access token expires
- Bug Fix: User Management System correctly shows added roles for a user
- Bug Fix: User Management System correctly shows existing roles for a user
- Bug Fix: Drilldown modals from the dashboards show a close button
[5.0.1] - 2023-04-27
Added
- Improved Lightning Assessment formatting for Dark Mode
- Hover effects for My Activity and Notifications icons
Changed
- Bug Fix: Tweaks to home page
- Bug Fix: Technical POC on Exceptions now shows as a required field
- Bug Fix: Corrected problem where issues may not save correctly
- Bug Fix: Removed duplicate export option on SSPs
- Truncated Lightning Assessment scoring
- Removed console.logging on login
- Improved validation for Security Plan FedRAMP Authorization status
- Removed redundant "Close" buttons in modals
- Multiple minor tweaks to Dark Mode formatting
- Bug Fix: Addressed some issues with drilldown on Causal Analysis
[5.0.0] - 2023-04-26
Added
- OAuth Identity Provider Support for Bring Your Own Identity (BYOI) and SSO
- Ability to support sending unauthenticated SMTP email
- Redesigned Home Page
- Dark Mode
- Changed GraphQL timeout to 60 seconds; added Initialize on startup for faster first queries
- Redesigned the Lightning Assessment System
- Added eMASS Hardware and Software list to Security Plans
Changed
- Bug Fix: Organization Manager and Reports modules redirect to the login page if the user isn't authenticated
- Updated logic for eMASS POAMs Export on SSPs to populate the milestone columns when no milestones are associated with the issue
- Bug Fix: Policy Editor now hidden until the record is saved
- Bug Fix: Children of Change Management records now correctly inherit RBAC permissions
- Bug Fix: SecurityPlanId field for Issues is now properly assigned on creation
- Bug Fix: Workflow now allows for formatted content in the comments field
- Bug Fix: You can now create multiple custom fields with the same name if they are in a different tenant
- Multiple enhancements and bug fixes to the security checklists for assets
- Added warning on delay time for the Password Reset token
- Bug Fix: OSCAL SAP & OSCAL SAR exports are available for Continuous Monitoring
- Policy editor enhancements to utilize the Files subsystem for faster loading of large Word documents
- Bug Fix: Ports and protocols now properly map in the SSP export
[4.26.3] - 2023-04-20
Added
- FedRAMP: improved classification markup in OSCAL, added internal/external user counts
- FedRAMP: Added support for Leveraged Authorizations
- Security: Added SHA-256 Hashes to File Uploads
- Vulnerabilities can now be associated with Assets
- Asset Check Visualization
- Improved drilldown into charts along with performance improvements throughout the application
- Security control implementations have two independently scrollable content panes for Control Context and Configuration
Changed
- Bug Fix: Modal dialogs from within the dashboards and crumbcake navigation now dismiss when navigating to the home page, status boards, modules, reports, or notifications.
- Bug Fix: Fixed the SBOM pipeline
- Bug Fix: Fixed issue where eMASS POAMs export was not handling special characters in issue description during export
- Bug Fix: Modal for the file hash in the Files subsystem renders and closes correctly
- Bug Fix: Catalog - FindbyGUID API now works properly
- Bug Fix: RBAC inheritance now works properly throughout the application
- Updated the warning on Control Inheritance (supports external Leveraged Authorizations now)
- Bug Fix: Drilldown for some dashboard charts has been restored
- Bug Fix: Policies can now be properly saved
[4.25.0] - 2023-04-12
Added
- FedRAMP Automation overlays to SSP OSCAL export
- FedRAMP E-Authentication levels to the System Security Plan (SSP)
- FedRAMP Authorization Process flows
- Spinner when loading large Asset SBOM files or when pulling SSP Status Board issues
Changed
- Privacy Impact Assessment (PIA) data is now included in the SSP OSCAL export
- Bug Fix: Exceptions can now be added to issues and risks
- Bug Fix: Control tests now show properly as a Tab on assessments
- Bug Fix: Addressed issue where group manager sometimes would not refresh group name after a change
- Bug Fix: Addressed issue where Add User modal would not launch for a new user in a group
- Bug Fix: Addressed issue where validation message would sometimes be off the page for Privacy Impact Assessment
- Bug Fix: User avatar on side strip now navigates to user profile
- Bug Fix: Generic SSP export updated for edge case issues on export
[4.24.2] - 2023-04-06
Added
- Tenable ID field under integrations for Assets
Changed
- Both the implementation statement and cloud implementation statement are now written to the Implementation Overview of the tailored SSP export
- Bug Fix: Crumbcake navigation modal now closes when clicking on the app logo, My Activity, Notifications, and user profile menu
- Bug Fix: Changes to generic SSP export
[4.24.1] - 2023-04-05
Added
- N/A
Changed
- Bug Fix: Fixed periodic export issue with generic SSP in Word
- Bug Fix: Labels fixed on PIA Module
- Bug Fix: SBOM workflow uses the correct internal URL
- Bug Fix: Gantt charts now show for components
- Replaced Azure AD with OAuth integrations panel
- Provided a more friendly gnome graphic for control assessment failures
[4.24.0] - 2023-04-04
Added
- Privacy Impact Assessment (PIA) Module
- Security checklist queries via GraphQL
- Improved signaling on Gantt charts plus the ability to toggle between Gantt and List Views
- Importing policy templates from Word docs
- Export tailored (generic) SSP in Word format
- Qualys ID field for Assets under Integrations
- APIs for batch creation and update of Security Checklists
Changed
- Bug Fix: Gantt chart visualizations now sort by date and only show open issues
- Improved signaling on the Scorecards for control status
- Bug Fix: FedRAMP POAM export no longer highlights non-empty cells
- Bug Fix: Several minor enhancements to the new Change Management module
- Bug Fix: Gantt chart visualizations now sort by date
- Bug Fix: Print view no longer includes icons from left nav
- Bug Fix: Save button is available when creating a new supply chain
- Bug Fix: Compliance visualization modal now properly dismisses
[4.23.0] - 2023-03-29
Added
- Supply Chain Identifiers
- Change Management Module
- Endpoint to validate RegScale token
- CMMC: Added Information Owner role to Teams system and Management Type to Assets
- FedRAMP POAM Export
- FedRAMP Risk Exposure Export
- Asset Owner added to the MegaAPI for Security Plans
- CUI SSP Export in Word format for NIST 800-171 (security plans only)
Changed
- Increased size of toolbar options (e.g., save, delete)
- Bug Fix: Enterprise utilities now properly show/hide based on license
- Bug Fix: FedRAMP CIS/CRM Export - added FedRAMP High Template for Security Plans with a High overall categorization
- Removed TestTimeout API
- Fixed typos on eMASS SAP/SAR template
- Tech Debt: Organized FedRAMP and eMASS template files into better structure
- Added logging for SBOM workflow script
- Bug Fix: Pressing Enter in search no longer toggles form to readonly mode
- Bug Fix: Console errors no longer occur for custom fields
- Bug Fix: Components tab for Assets module now accessible for Asset Users
- Bug Fix: Gantt Chart tab correctly displays for Organizer modules
- Bug Fix: Fixed issue where sometimes a new asset could not be saved
- Increased button spacing on the toolbar to support touchscreens (e.g., iPad)
[4.22.0] - 2023-03-21
Added
- N/A
Changed
- Bug Fix/Tech Debt: Added many missing fields to search and consolidated search field lookup
- Bug Fix: Fixed styling on icons in Threats module
- Bug Fix: Validation messages now show properly in the Threats module
- Bug Fix: Addressed issues on time travel revert
- Bug Fix: Interconnects - fixed IP address validation issues
[4.21.2] - 2023-03-19
Added
- Enhancements to risk form and process flow indicators
Changed
- Bug Fix: Objective/Parameter Order Fixed
[4.21.1] - 2023-03-18
Added
- FedRAMP: Continued improvements to the handling of parameters
Changed
- Bug Fix: Addressed issues with modals
[4.21.0] - 2023-03-15
Added
- FedRAMP: Exported FedRAMP SSP now directly attaches to the file system for download
- Improved the overall Parameter user experience
Changed
- Bug Fix: Removed bad link to old registration form (broken during website migration)
[4.20.2] - 2023-03-09
Added
- FedRAMP: Address and company fields to the user profile
Changed
- Performance: Increased timeout to 5 minutes for long running jobs (i.e. FedRAMP SSP export)
- Performance: Refactored SSP Word export to reduce build times, improved document formatting
[4.20.1] - 2023-03-09
Added
- Assets: Added fields to fully support FedRAMP Inventory workbook
Changed
- Bug Fix: Code behind errors fixed on forms
- Bug Fix: Addressed styling issues on export buttons and added missing export options
- Security: Enhancement for email encryption
- FedRAMP SSP: Added more logging, interconnections, ports and protocols
[4.20.0] - 2023-03-08
Added
- New Home Page navigation bar on side panel and discrete routes for dashboard analytics
- New toolbar added to forms, utility UI consolidated into new design
- Tenant Id added to the JWT providing for more efficient API calls
- Security: Added support for TLS 1.2 for sending email using FIPS approved services
- Improved error handling and logging for all form saves/updates
- Fine-grained access control per API call to accommodate Read Only use cases
- FedRAMP: Detailed logging to Mega API and FedRAMP exports to help troubleshoot environmental issues
- eMASS: SAP/SAR Export
Changed
- Bug Fix: Fixed bug showing option to create child security controls directly under security plans (forces through Builders)
- Security: Now refreshes the server side user cache after any change to a user role
- Bug Fix: Improved formatting on Personal Access Token
- Bug Fix: Formatting on Security Plan print improved
- Bug Fix: Addressed issue where sometimes RBAC editing would not be properly enabled
- Bug Fix: Addressed issues with readonly permissions throughout the application
- Bug Fix: Import catalogue parameter UUID if it exists when importing catalogues
- Performance: Fixed slow loading speed with large numbers of security controls
- CSS: Fixed deprecated style tags
- Enhancement: Ports and protocols data added to Interconnects in the MegaAPI
- Enhancement: Display catalogue date imported
- Enhancement: Import catalogue parameter default if it exists when importing catalogues
- Security: Container patching for Linux Alpine image
- Bug Fix: Addressed periodic date rendering issues throughout the application
- Improved completeness of FedRAMP SSP export
- Fixed rendering issues on Status Board spacing
- Bug Fix: Fixed import issues on UUID and default parameter values
[4.19.1] - 2023-03-03
Added
- Theming system selecting custom colors throughout the application
- Longer timeouts for doing FedRAMP exports to accommodate large jobs
Changed
- Bug Fix: Interconnects can now be created under Security Plans
- Scorecard now defaults to using the SortId field for ordering controls
- Bug Fix: Sort ID now used by default in profile mappings
[4.19.0] - 2023-03-01
Added
- Improved formatting of Catalog print page along with adding more information (parameters, objectives, and tests)
- Digitized the FedRAMP Low, Moderate, and High catalogs using FedRAMP resolved catalogs
- Additional filtering options to the scorecard controls (customer responsibility)
- Added rollup by control family to the Scorecard visualization
- Built out additional FedRAMP and eMASS automated exports
Changed
- Security: Red Hat UBI and Rocky Linux patching
- Catalog print now sorts by "sort-id"
- Security: Improved validation of user data when creating a new user
- Improved data validation in all back end controllers
- Improved export file names to include object title, module, and RegScale record ID
- Added indentation to the downloaded catalogues (JSON)
[4.18.2] - 2023-02-24
Added
- N/A
Changed
- Bug Fix: Corrected issue where sometimes eMASS exports can become corrupted in Excel files
- Bug Fix: Improved validation and error handling for FedRAMP exports
[4.18.1] - 2023-02-22
Added
- Cloud implementation field for Control Implementations - supports Hybrid cloud use cases
- Security Checks capability to Assets
- Parameters on security controls can now accept default values
- Support for eMASS POAM export
Changed
- Bug Fix: Fixed typo on Security Plan Cloud tab
- Bug Fix: Options now refreshes objectives when a new one is created
- Bug Fix: Periodic issues with corrupting Word exports
- Tweaked CI/CD pipeline files and added GitHub templates
- Security: Fixed an issue related to Azure AD SSO deactivation
- Security: Last login now properly stored for SSO users
[4.18.0] - 2023-02-21
Added
- STIG fields to issues (Security Checks and Recommended Actions)
- Cloud fields added to SSP metadata to support FedRAMP
- FedRAMP fields added to Interconnect module
- Dynamic Policy Authoring Capability
- CMMC Enhancements - loaded 800-171A objectives and tests to the catalog
- Support for Australian ISM catalog (leveraging our OSCAL importer)
- Control status strip to the Scorecard
- Mega-API - added Teams and References
Changed
- Bug Fix: Addressed alignment issues in the compliance visualizer
- Bug Fix: Addressed issue where sometimes the vertical scrollbar on the page would not reach the last field
- Bug Fix: Close button now works properly on lightning assessments
- Bug Fix: Improved status coloring in the compliance cockpit
- Bug Fix: Creating components from SSPs now works properly
- Bug Fix: Security controls can now be edited without errors
- NPM security patching
- Refactored and consolidated the Continuous Monitoring experience in the application
- Rearranged the control implementation form to streamline data entry and intelligently render the UI based on objectives and parameters being available
[4.17.0] - 2023-02-15
Added
- API support in Readme.io with example code for testing API code in 20+ languages
- Control Context Viewer
- Interconnect information is now returned as part of the SecurityPlan Mega-API
- FedRAMP Preparation fields and tab to the Security Plans module
- Components and SSP Evidence reports
Changed
- Bug Fix: You can now properly search within Explorer list view tables
- Security: Patching of all NUGET packages for .NET
- Objectives now show parameters values for control implementations
- Bug Fix: OSCAL SSP now properly exports all control implementation data
- Improved layout and token explanation on the user profile page
- Simplified "My Profile" side panel text and display
- Added sorting and indexing to improve control display and retrieval
[4.16.1] - 2023-02-09
Added
- N/A
Changed
- Hot Fix: Issue page loading (missing migration)
[4.16.0] - 2023-02-08
Added
- Crumb Cake Navigation
- Added SortId to Security Controls (allows for custom sorting algorithms for catalogs such as NIST)
- Adverse Condition reporting to Issues Module
- Added ability to import and export Classification Types (published 800-60 options on the website)
- Continuous Monitoring records now have an editable form for metadata
- Ports and protocols to FedRAMP SSP Export
Changed
- Moved up Risk Dashboard toggle button
- Bug Fix: Duplicate components can no longer be added for an asset
- Bug Fix: Security Controls paging now works correctly in list views
- Bug Fix: Add New user button now works correctly
- Group names are now editable
- Tech Debt: Refactored group service and improved security
- Bug Fix: Fixed issue with loading Categorization profiles
- Bug Fix: Improved validation for creating implementation options on a security control
[4.15.1] - 2023-02-03
Added
- Control Owner added to Security Plan Mega API
- Improvements to subsystem intra-system navigation
- Support for linking issues to Microsoft Defender for Cloud
- Pagination to Classified Record Subsystem
- Added risk and issue drilldown to the Status Boards
Changed
- Tech Debt: Angular 15 upgrade along with multiple NPM package updates, security patching
- Bug Fix: Fixed issue where sometimes the spinner would not load or dismiss
- Bug Fix: Fixed periodic rendering issues with the Time Travel system
- Bug Fix: Removed Date Created column on Service Account queries
- Bug Fix: Back arrow now works on navigation strip for control implementations
- Bug Fix: FedRAMP and eMASS exports now only show on the appropriate modules
- Bug Fix: Security Plan print and Transformer now working properly
- Bug Fix: Paging now works properly on Classification
- Bug Fix: References field now properly displays on Security Controls
[4.15.0] - 2023-02-02
Added
- Support for Rocky Linux containers
- FedRAMP Export to Word SSP (BETA)
- "Archived" as a status for Control Implementations
- Unified Subsystem UI for easier navigation between systems
Changed
- Bug Fix: Fixed issues exporting OSCAL related to Time Travel
- Bug Fix: Added server side validation to the license key
- Bug Fix: Risk tabs now show the correct related modules
- Bug Fix: All related tabs now properly check for duplicates
- Bug Fix: All related tabs have been refactored to work with the Read Only toggle
- Security: Disabled password reset and password change for AD/LDAP users
- Implementation options are now set at the control level vs. the objective level
- Security: Removed Bearer token from the UI, no longer displays
- Bug Fix: Pagination now works properly with multiple grids on the same page
- Bug Fix: Fixed edge cases where Time Travel was not rendering properly
[4.14.0] - 2023-01-25
Added
- New Inheritance Engine supporting many to many architecture
Changed
- Bug Fix: Charts now format properly on the security plan print form
- Bug Fix: Recurrence engine now works properly for assessments
- Bug Fix: My Activity now formats and pulls data correctly
- Bug Fix: Expiration date now displays properly for Interconnects
- Bug Fix: Components mapping now shows valid security plans in the picklist
- Bug Fix: Lineage tab now properly pulls all Inheritance data
- Bug Fix: History system now properly records all view events
- Enhancement: Improved documentation linking system
- Enhancement: Explorer is now more resilient to data issues and renders properly
[4.13.0] - 2023-01-18
Added
- OSCAL - supports "by-component" markings on SSP controls now
- Refresh button for notifications
- Upgraded all .NET Core SDK and Nuget packages to .NET 7
- Completed major UI redesign
- Refactored forms and list views to reduce duplicate code and improve quality
- Added server side auditing to all records in RegScale
- Added support for Azure Key Vault for SaaS secrets
- Added higher performance Role Based Access Control (RBAC) on the server side
- Added Properties subsystem
- Added stricter validation to server side for ParentId and ParentModule to support API integrations
- Added method for purging logs (used by the CLI) and improved indexing on Log queries
- Expanded Exceptions module - added Technical POC, Risk Analysis, and Mitigations to the form
- Read-only views for all modules; ability to toggle into Edit view
- Expanded response plan fields/data in support of the Incident Response module
- New References system to support FedRAMP use cases
- Security Plans - added Purpose and Conditions of Approval
- New risk fields to support automated FedRAMP exports
- New threat fields to support automated FedRAMP exports
- FedRAMP methodology fields to Continuous Monitoring
- Significantly expanded the assessment module to support larger scale audit needs
- Team system for tracking teams and points of contacts for various applicable modules
- Milestone system added for tracking key dates on projects, assessments, issues, etc.
- Conditions system added for tracking assumptions, deviations, and constraints
- GraphQL system for dynamic data querying
- Tools system added for conducting assessments with automation (supports FedRAMP)
Changed
- Bug Fix: Modals on reports are now formatted properly
- Bug Fix: Catalogs no longer duplicate subsystems in the JSON export (50% file size reduction)
- Updated End User License Agreements (Enterprise and Community)
- Transformer feature is now hidden when no mappings exist
- Bug Fix: Transformer modal for mapping now properly maintains state, eliminated duplicate code
- Bug Fix: Transformer now properly renders on the Security Plan printable form
- Modal styling improved throughout the app
- Bug Fix: Risk Assessment Wizard now properly resets all fields when creating new
- Bug Fix: Component Mappings now checks for duplicates
- Bug Fix: Improved validation for the assessment result
- Bug Fix: Relationship modal issues are now fixed
- Bug Fix: Database seeding now properly timestamps tenant creation
- Bug Fix: Incident module now appropriately disables in the App menu without role
- Removed subscription/poller that updated notifications to improve application performance
- Removed support for Windows container builds, now Linux only
- Bug Fix: Fixed security setting blocking Azure AD SSO popup window
- Improved alert system styling while adding ability to dismiss
- Multiple performance optimizations for list views
- Bug Fix: Control Implementation API - QuickUpdate now works in Swagger
- Bug Fix: RBAC checks now enforced on Delete operations
- Dramatically improved performance for cascade delete operations
- Bug Fix: Improved the ability to delete (cascading) records throughout the system with higher efficiency
- Refactored print services for better quality of reporting
- Bug Fix: Fixed multiple errors with missing/incorrect links in emails
- Optimized dashboard rendering and toggling between years
- Expanded responsibility list for controls to meet FedRAMP requirements
- Cutover links to new documentation system at README.io
- Added warning when creating custom fields that they cannot be deleted
- Redesigned dashboard UI
- Improved performance of backend calls to minimize network traffic
- Security patching and upgrades of all .NET Nuget and NPM packages to the latest versions
- Updated process for publishing Helm charts
- Improved build times for CI/CD pipeline, cleaned up legacy code
- Improved logging and checks for startup environment variables
[4.12.2] - 2022-11-29
Added
- N/A
Changed
- Hot Fix: SSO login fix
[4.12.1] - 2022-11-11
Added
- Improve Azure Object storage support
- SBOM generation added to CI/CD pipeline
Changed
- Removed all legacy Sentry.io monitoring code (using Datadog for SaaS)
- Bug Fix: Resolved security control preventing OSCAL download
- Removed OSCAL validation from RegScale code, now done by CLI
- Updated Kubernetes managed service installation instructions
- Bug Fix: Causal analysis now displays properly in the Explorer
- Security: Patching of NPM vulnerabilities (fixed critical)
[4.12.0] - 2022-11-02
Added
- Added support for Microsoft Defender via CLI/APIs
- Software Inventory Tracking
- Many additional fields for asset tracking
- Added support for Azure blob/object storage
- Added Datadog Application Performance Monitoring (APM) for SaaS
- API for filtering issues by integration type
- Added support for Software Bill of Materials (SBOM)
- PrettyJSON print functionality with dark mode
- Security.txt record for security researchers to contact RegScale for vulnerabilities (https://securitytxt.org/)
Changed
- Patched Kendo libraries, Angular, TypeScript, and other libraries
- Bug Fix: Fixed catalog spinner not disappearing when import is completed
- Security: restricted sensitive API calls
- Security: Enabled Content-Security-Policy
- Tech Debt: Stored CSS files locally to prevent need for internet access
- Removed Google Maps feature - now supported via external Business Intelligence reporting
- Refactored System Configuration UI
- Bug Fix: corrected issue where Tenant ID may not be properly set for a new user in a tenant
- Security: added server side checking for User Profile edits to prevent account spoofing
- Security: comment metadata is now set server side
- Security: Limited LDAP logging to avoid exposing sensitive information
- Performance: Improved indexing for returning logs in the admin panel
[4.11.0] - 2022-10-22
Added
- Increased logic, cascading, and logging for deleting security plans
- New APIs to support the Reminder CLI
- OSCAL: SSP Export upgraded to support 1.0.4 version
- OSCAL: Added support for exporting inventory
- OSCAL: Now exports all SSP properties
- OSCAL: Comments are now exported as remarks
- OSCAL: Attachments and links are now exported as links
- OSCAL: Objectives are now exported as statements
- OSCAL: Added generic method to export all properties of an object in OSCAL format, enriched data in the export
- OSCAL: Added specific validators to prevent errors in the export
Changed
- License check is now performed pre-login
- Bug Fix: Fixed legacy Atlasity tag on email notifications
- Improved performance of bulk deletes on subsystem records
- Bug Fix: Security profile importer now has the correct label
- Bug Fix: Categorization no longer shows the toolbar options (print, email, etc.)
- Security Patching: Nuget and NPM
[4.10.1] - 2022-10-16
Added
- N/A
Changed
- Bug Fix: Routing for risk assessment wizard
- Bug Fix: Parent linkage for risk assessment wizard
- Enhancement: Improved risk assessment UI when no controls are available
[4.10.0] - 2022-10-15
Added
- Risk Assessment Wizard
- Reminder APIs to support the CLI
- OSCAL Version 1.0.4 enriched for SSP model
Changed
- Patched Telerik libraries with latest upgrades and bug fixes.
- Added timer and progress spinner to catalog upload (useful for long uploads (i.e. for 800-53))
- Bug Fix: properly redirects after login
- Security: Password reset must always be done server side now.
[4.9.2] - 2022-10-02
Added
- Billing/Utilization system
- Improved error handling for file uploads
- Task reporting
Changed
- Added way to revert inherited controls back to a default status if done by mistake
- Archived controls can now be found when looking up a control implementation's parent security control
- Time Travel system now removes HTML tags and properly formats text for display to the user
- Bug Fix: Kanban now properly resets status when moving from "Closed" to "In Progress"
- Group list is now sorted alphabetically and permissions were relaxed for READ operations
- Workflow: Selecting a workflow now auto-closes the modal in the subsystem
[4.9.1] - 2022-09-26
Added
- New assessment reporting
Changed
- Bug Fix: Password buttons are now hidden for AD/LDAP users
- Bug Fix: Filter tasks now works properly on the list view
[4.9.0] - 2022-09-25
Added
- Access Logs added to User Admin Panel
- AD/LDAP Distinguished Name is now inferred vs. explicitly set on login (supporting a wider variety of configurations)
- Centralized Avatar component used throughout the application
- Security Plan Mega API to pull all details and pre-format for processing
- Additional details now print on the Security Plan:
  - Objectives
  - Parameters
  - Attachments
  - Comments
  - Links
Changed
- Added ID tags to all home page elements to support automated E2E testing
- Added default alert if a user logs in without any roles assigned
- Bug Fix: Tweaked alerts for creating System Administrator in the Admin Panel
[4.8.3] - 2022-09-22
Added
- Password complexity component to centralize business logic
- New multi-tenant management experience
- Distinguished Name field for customizing AD/LDAP sync functionality
Changed
- Bug Fix: Tenant manager now redirects properly to the Admin form for new tenant setup
- Improved formatting/spacing for license info
[4.8.2] - 2022-09-19
Added
- Now able to enable/disable the email feature in RegScale
- Copy component - for easily copying and pasting info to the clipboard
Changed
- Improved error handling for detecting invalid or malformed JSON uploads for a catalog or profile
- Bug Fix: Now prevent Chrome autofills on Email form
- Security Enhancement: All email now requires authorization to send
- Bug Fix: Catalogs now correctly set the UUID
- Enhancement: Added fallback to try and find a control by ID when importing a profile (more resilient)
[4.8.1] - 2022-09-12
Added
- Ports and Protocols tab to Interconnects
- Increased SQL Timeout for Long Running Jobs
- Ability to edit links
- Refactored security plan print to pull more data
Changed
- Bug Fix: Fixed minor formatting issues on Look Ahead and New Form Cockpit
- Minor color and styling tweaks throughout the application for issues
- Enhancements: Inheritance now only displays security plans for selection with one or more inheritable controls
- Minor improvements to fonts/styling throughout the application
- Bug Fix: Continuous Monitoring now logs properly to history
- Bug Fix: Login "admin" check is no longer case sensitive
- Tenant form now defaults to the User view in the IAM panel
[4.8.0] - 2022-09-05
Added
- Support for Exporting/Importing Profiles via OSCAL in RegScale
- Redesigned Master Assessment/Continuous Monitoring System
- Improved UX for managing Users
- Gantt Chart - now supports toggling for a List View
- Added new risk fields - Title/Unique ID and Risk Tier
- API for retrieving license info (used by RegScale-CLI)
- Login now captures history of logins by users
- Added a guided/interactive walkthrough for Admins to setup RegScale
- Added a Setup panel for Admins to guide progress for initial system setup
- Refactored catalog upload to be more performant and resilient for large catalogs (i.e. 800-53)
- Spinner added to Logs page when looking through large amounts of data
- AD/LDAP Sync now shows directory attributes to assist in mapping, refactored and improved UX
- Added ability to deactivate/delete all AD/LDAP users for the Global Admin account
- Lightning assessments now prompt you to create tests if none exist
Changed
- Bug Fix: RMF mapping features are now properly locked to enterprise
- Bug Fix: Service accounts no longer show in the User Role assignment list
- Bug Fix: Bulk editing security controls now works properly
- Bug Fix: Inherited controls now properly show in the wizard for security plans
- Bug Fix: Added try/loopback logic on catalogs (avoids intermittent network errors on very large catalog uploads)
- Bug Fix: Master catalogs are now locked to Enterprise Edition
- Bug Fix: Mapping conversion panel now dismisses the modal
- Bug Fix: Notifications can now be properly disabled in the Admin panel
- Bug Fix: Modal for AD/LDAP sync now renders properly
- Bug Fix: Tested and fixed all catalog import/exports
- Bug Fix: OSCAL Profile exports now work properly
- Consolidated all export functionality to simplify code
- Added Excel export option to tables in reports
- Improved design of headers within the Admin panels
- Components can now use the Continuous Monitoring feature
[4.7.2] - 2022-08-28
Added
- Admins now have the ability to manually change a user's password
Changed
- Bug Fix: AD/LDAP sync now properly shows/hides based on enabling/disabling the feature
- Bug Fix: Administrators can no longer change other users' profile pictures
- Bug Fix: Several options for configuration now properly disabled for the Global Admin account
- Bug Fix: Categorization header on the modal now formats properly
[4.7.1] - 2022-08-24
Added
- N/A
Changed
- Inheritance engine now only allows inheritance of Security Plan controls that are flagged as inheritable
- Bug Fix: Navigation panel now properly pulls the correct controls in all situations
[4.7.0] - 2022-08-23
Added
- Inheritance Engine
- Lineage Tab now shows inheritance info
Changed
- User ID is now copyable to the clipboard on the User Profile
- Replaced Bootstrap Modals with Angular Material
- Multiple minor enhancements to reporting
- Fixed bug with strange characters sometimes showing in Kendo UI
- Added CISA KEV as a Threat Type
- Bug Fix: Project builder now properly links to profiles
- Bug Fix: CMMC fields now properly show/hide
- Bug Fix: Fixed periodic errors fetching a user ID
[4.6.1] - 2022-08-12
Added
- Ability to delete Custom Reports on List Views
- Added multiple new reports for Issues/POAMs
- Added support for Red Hat Universal Base Image (UBI) containers for RegScale
- Added support for publishing RegScale containers to Amazon Container Registry
- Redesigned Look Ahead system on the main dashboard
- Added Azure Sentinel SIEM/SOAR monitoring for managed service customers
Changed
- Issue Report by Date Range - can now show/hide details
- Refactored list views to remove unnecessary services
- Bug Fix: Drilldown for assessments, issues, and risks on the Status Boards now pulls all data regardless of the level at which it is stored
- Bug Fix: Categorizations can now be properly exported
- Refactored reports based on customer feedback, added minor new features
[4.6.0] - 2022-08-02
Added
- Categorization Engine MVP
- News Feed Redesign for the Main Dashboard
- eMASS Exports
Changed
- Added custom icons for the modules in the navigation menu
- Added missing module toggles for Components and Catalogues
- License check now trims whitespace to avoid copy/paste errors
- Bug Fix: Fixed issue with non-OSCAL naming convention not showing objectives
- Bug Fix: Made "Name" a database required field for Security Profiles
- Bug Fix: Icons now load correctly without a 3rd party pre-loading NPM package
- Bug Fix: Assessment charts now render correctly on list views
- Bug Fix: Supply Chain Status Board - chart rendering issue
- Bug Fix: Replatformed icons to remove NPM package and work with Angular 14
- Bug Fix: Fixed search on Requirements Navigation Bar
[4.5.1] - 2022-07-07
Added
- Improved Control Status visualization across Status Boards and Scorecard
- Ability to describe the mitigation type for a control for a risk (Key Control or Compensating Control)
- Master Assessment now allows the user to select specific controls to assess in support of continuous monitoring programs
- Status Boards now pull deep-linked issues and risks for a more complete compliance picture (matching the Scorecards)
- Optimized startup file configuration
- MVP of Risk Status Board
Changed
- Fixed coloring on Status Board aggregate view for control status
- Bug Fix: Security controls can now be edited
- Bug Fix: Wrapped Serilog in try/catch to ensure it doesn't block new installation startup
- Renamed Master Assessments to Continuous Monitoring
- Refactored status board logic to be more efficiently rendered, multiple minor bug fixes
- Consolidated SSP and Component status boards into one
- Consolidated compliance scoring for status boards and score cards
- Master Assessments now can be scheduled for components
- Added Draft as a Risk status
- Added Validation to do NULL checks on strings
[4.4.4] - 2022-06-22
Added
- Now supports dynamic OSCAL content authoring for objectives and parameters
- Parameters now inherit from their parent catalog
- Added advanced logging support via Serilog
- Added support for parsing and dynamically updating OSCAL parameters in the control implementation module
- Added SignalR for real-time communications on notifications (removed polling)
- Added Route Titles in Angular
- Added Logs tab to the Admin panel to improve Customer Support experience
- Added notification toast when classification options are saved/removed
- Added a new "toast" system for notifications using Angular Material
- Deep linking to Jira tickets for Issues/POAMs
- Component name now shows on control implementation list view
- Database rearchitecture in Entity Framework to allow multiple database support
- ServiceNow integration
- "Inherited" option for a Control Implementation status
Changed
- Bug Fix: Page now refreshes after editing license key
- Username and password are now trimmed of whitespace to avoid paste errors
- System service-account no longer shows in the user list
- Fixed CSS on user role tables
- Bug Fix: Can now create a component from an SSP
- Implemented AsNoTracking on all read queries to improve query performance against the database
- Removed legacy logging system
- Removed blank status option for Requirements
- Bug Fix: Controls can no longer be added as children to Assets (only to their parent Components)
- Suppressed false errors on Angular build
- Removed legacy Jira code (now bulk processes in CLI)
- Refactored to fix FirstOrDefault inconsistency bug
- Assessment buttons now intelligently show/hide based on the state of the form (isDirty)
- Fixed critical alerts from Sonarqube
- Security Plan Status Board now properly reflects all status options for a Control
- Bug Fix: Progress calculation on control navigation strip now excludes NA and Inherited from total
[4.3.0] - 2022-06-05
Added
- Deep linking for Wiz.io issues in RegScale
- Enhanced container error logging for LDAP issues
- Control navigation bar in the Control Implementation and Requirements forms
- New Assessment and Navigation System UX for Controls/Requirements
- Added support for AWS Simple Email Service (SES)
- Added mouse hover effect for Status Board links
- Angular 14 upgrade
- Upgraded CI/CD deployment process - removed legacy pipeline files
- ServiceNow Integration for Incidents
Changed
- Improved signaling for Volpe integration (better handles errors on Volpe side)
- Improved threat data validation
- Security Plan Print - now shows additional parent control fields
- Security hardening, patching, and remediation from penetration tests
- Added a spinner to the Password Reset to visualize progress
- Bug Fix: Multiple drilldown issues fixed on Status Boards
- Bug Fix: Component to Asset mapping is now fully bi-directional
- Security: All Nuget .NET packages patched and updated
- Removed legacy/inefficient AI code
- Security: NPM upgrades/patching of packages
- Caching bug fixes on tenant form
- Bug Fix: Data Call - fixed missing toasts
- Bug Fix: Security Controls - Control ID is now sortable
[4.2.0] - 2022-05-30
Added
- Deep linking URLs to support SSO use cases
- eMASS fields added to the risk form
- Risks and Issues can now be tightly related for improved risk modeling
- Risks and Incidents can now be tightly related for improved risk modeling
- Risks and Threats can now be tightly related for improved risk modeling
- Modules now have a label tag in the Compliance Cockpit for ease of module identification
- Threats - now have a "Date Resolved" field
- Compliance cockpit now has a tooltip showing the full title for longer length titles
Changed
- Bug Fix: Interconnects modules now display correctly
- Interconnect form - conditionally shows red asterisks for date fields
- Security Plan form - conditionally shows red asterisks for date fields
- Risk form - conditionally shows red asterisks for date fields
- Security - Password reset token can now be used only once (formerly tokens were good for 24 hours - now they expire in 24 hours or upon first use)
- Enhanced formatting of Compliance Cockpit
- Added a tooltip to Transformer to explain "Master" catalog
- Incidents module now has a new Forensic tab
- Threat module has a new Analysis and Mitigations tab
- Risks - "Mitigation Effectiveness" is now a required field
[4.1.2] - 2022-05-26
Added
- N/A
Changed
- Bug Fix: Objective options now save and refresh correctly
- Bug Fix: Avatars now can be changed without refreshing the page
[4.1.1] - 2022-05-25
Added
- Enhancements to Issue Reporting
Changed
- Bug Fix: Report page renders properly
- Bug Fix: SPRS drilldown on View link
[4.1.0] - 2022-05-23
Added
- Enhancements to Toast System
- Enhanced Custom Field validation
- Assets can now be mapped to many components
- Components can now be created stand-alone (not required to be a child of a security plan)
- Components can now be mapped to many security plans
- Can now load default tests from the catalog into control implementation tests (templates from the catalog to feed Lightning Assessments)
- Added spinners when building artifacts using the Builder Wizards to show progress
- Objectives tab on control implementations now shows/hides based on parent catalog
- New top navigation system to better organize modules
- Unit testing framework to support automated testing
- Wiz integration for Assets
- Report - Issues by Time Range - query and see status of closing issues/POAMs due in a given time range, grouped by issue owner
- Explorer now shows the Level flag for better visual indication of the tiering
- Added logging and spinners to better show progress when importing and deleting catalogs
Changed
- Bug Fix: Can now add Assets to Components
- Bug Fix: Asset mapping APIs are no longer hidden
- Profile mapping engine now shows IDs of the parent catalogue
- Bug Fix: Fixed intermittent bugs on Component and Project Builder Wizards
- Refactored assessment services for performance optimization
- Bug Fix: Fixed naming convention on Excel download files
- Trivy was added to the container build as a second vulnerability scanner for defense in depth
- Startup file was refactored to be more efficient on launching the application
- Improved logging to detect intermittent upload errors with catalogs
- Bug Fix: Avatars render properly on user admin forms
- Bug Fix: Added null check for custom fields on security control form
- Bug Fix: Subsystems now show properly on security control forms
- Bug Fix: Catalog export now excludes archived controls
[4.0.3] - 2022-05-11
Added
- N/A
Changed
- Bug Fix: Removed Avatars on Excel downloads
- Bug Fix: Improved error handling for catalog uploads
- Bug Fix: Corrected intermittent issues with custom fields
[4.0.2] - 2022-05-10
Added
- N/A
Changed
- Fixed POAM tab not showing
- Improved RBAC logging for access control issues
[4.0.1] - 2022-05-09
Added
- N/A
Changed
- Improved hide/close button on builders (always shows)
- Questionnaires now have a BETA tag
- Cleaned up legacy Print, Email, and Export code
- Bug Fix: Errors on Project Builder
- Build optimizations on backend
- Supply Chain tables now sort correctly by Title
- Create New stakeholder button now shows/hides when displaying the data entry form
- Updated SPRS Report CMMC Links
- Password confirmation now supports additional special characters
- OSCAL download now working correctly
- Bug Fix: Fixed error where numbers were sometimes converted to dates by the Time Travel system
[4.0.0] - 2022-05-08
Added
- Redesign of the Compliance Cockpit and RegScale form system
- NGRX for client side caching and extreme front-end performance improvements
- Updated Support Links to the new RegScale Hubspot system
- Component Builder
Changed
- Refactored all Builder code
- QA: Added validation to Supply Chain cost fields (contract value, funded amount, and actual costs)
- Reordered case management form to be more logical for data entry
- Fixed user button label
- Various minor bug fixes from Sonarqube
- Section 508 improvements
- Minor bug fixes and enhancements throughout the application
- Updated and improved icons and styling
- Date check bug fixes throughout the forms
[3.13.0] - 2022-04-25
Added
- Catalog import/export now include child tables
- API to retrieve a specific service account
- API to rename a system security plan
- Integrations for Security Plans with Wiz Projects, ServiceNow Assignment Groups, Jira Projects, and Tenable Asset Groups
Changed
- Bug Fix: Printable version of control implementation now works
- Updated verbiage in the Time Travel system
- Control tests can now be batch created
- Scorecards are now properly locked to Enterprise Edition customers
- CSS: Explorer now shows link cursor for child items
- Rebased to master to pick up CI/CD changes
- Bug Fix: Transformer mappings now work properly on the security plan print form
[3.12.0] - 2022-04-20
Added
- Added ability to exclude components from SPRS report
- Added account lockout features (5 bad passwords disables the account)
- Added a Close button for the Explorer modal
Changed
- Bug Fix: Subsystems now show correctly on control implementation form
- Bug Fix: Prevented API calls that were throwing errors when unauthenticated
- Bug Fix: Can now delete tasks from the Kanban board
- Bug Fix: Control Implementations now render properly for emails
- Bug Fix: Added validation for Draft issue status
- Bug Fix: Security Plan Print now works properly
[3.11.1] - 2022-04-19
Added
- N/A
Changed
- Hot Fix: License count now calculates correctly on login
[3.11.0] - 2022-04-18
Added
- SPRS Rollup Report available for NIST 800-171 (rolls up score for SSP and all child components)
- Control Implementation - Navigation buttons now check for changes before allowing navigation away from the page (Next and Previous buttons)
- Added Mediatr pattern for improved testability of C# code
- Catalog Import/Export now processes child records of the security control (objectives, parameters, tests, CCIs)
Changed
- Bug Fix: Fixed View Model for Control Implementations - dramatically reduced data query size
- Controller optimization for improved API performance at scale
- Bug Fix: Gantt chart queries now execute exponentially faster
- Bug Fix: Gantt chart hidden for new records
- Bug Fix: License key generator fixed after Node.js patch
- Bug Fix: System configuration now listens for license key changes and updates after saving
[3.10.0] - 2022-04-13
Added
- Added support for DISA CCIs to support STIG scanners
- Added support for classification banners in the header/footer of the application
Changed
- Bug Fix: Licensed user count no longer counts deactivated users
- Exceeding licensed user count no longer prevents login, just throws a warning
[3.9.0] - 2022-04-10
Added
- Added Cancel button when editing RegScale system configuration
- Added Parts to Objectives to support OSCAL modeling
- Added Parameter Types to Security Controls (extension to OSCAL for improved automation)
- Added Parent Parameter to Control Implementation parameters (allowing inheritance from a catalog's parameters to better align with OSCAL)
- Added API to retrieve all Objectives for a given catalog
Changed
- Bug Fix: Corrected issue with generating new license keys after patching CryptoES
- Bug Fix: "Other ID" on Control Objective is no longer required
- Bug Fix: Removed datetime checks on required fields in C#, removed compiler warnings
- Bug Fix: Fixed loop logic in ApplyProfile C# API
- Bug Fix: Security Control subsystems now listen for changes when navigating
- Improved formatting and labeling of security control objectives
[3.8.0] - 2022-04-06
Added
- API for applying Security Profiles via API
- Extended Issues/POAMs module to support all FedRAMP fields
- Added support for the CISO Known Vulnerability Exploits feed
Changed
- Bug Fix: Inheritance of objectives on the SPRS report is fixed
[3.7.4] - 2022-04-04
Added
- N/A
Changed
- Security Plans now hide Gantt Chart and Ports/Protocol tabs until the record is saved
- Refactored security plan builder to work more efficiently and consistently, removed redundant code
- Builders: View profile links now work properly and open in a new tab
- Builders: Now close consistently after clicking finish
- Added server side validation for Case management status/date resolved
[3.7.3] - 2022-04-02
Added
- N/A
Changed
- Bug Fix: Control implementations now search properly in the Relationship module
- Bug Fix: Multiple enhancements to the SPRS report
[3.7.2] - 2022-03-30
Added
- Security - forced patching of the base image prior to initial build
Changed
- Minor bug fixes to builders
- Changing an Implementation Option now changes the status of all related Objective option selections
- Bug Fix: Component Statusboard now pulls issues from all levels
- Tweaked CI/CD build and release files
- Minor Sonarqube bug fixes
[3.7.0] - 2022-03-28
Added
- New UX for builders for:
  - Policies
  - Security Plans
  - Supply Chain
  - Projects
- Added Sonarqube Cloud source code scanning
- Added additional fields to the user object:
  - ExternalId - for syncing with external accounts (e.g. Active Directory)
  - DateCreated
  - LastLoginDate
  - Read-Only Flag
- Improved User Experience for Scorecard
Changed
- Cleaned up CI/CD pipeline files
- Added API to pull a simple list of user accounts (with no sensitive data)
- Removed legacy Cypress testing to reduce file size of the build
- Added API to support bulk syncing of Azure AD groups
[3.6.2] - 2022-03-16
Added
- Views can now be toggled between SSP and Component on the SPRS Report for NIST 800-171
Changed
- Toggle now available to show objectives in a printable form for each control on the SPRS Report for NIST 800-171
[3.6.1] - 2022-03-14
Added
- SPRS Report - bug fixes and added logging to show missing objectives
Changed
- Created View/Create models to simplify the APIs for creating and updating Profile Mappings
- Bug Fixes: Minor tweaks to Component Dashboards and Gantt charts
- Bug Fixes: Profile mapping not showing in the API list
[3.6.0] - 2022-03-10
Added
- Subsystem redesign of the UX
- New SPRS scoring report for NIST 800-171
- Categorization functionality to RegScale to better support control selection for overlays
- Issue Gantt chart functionality for visualizing issues/corrective actions
- Component Dashboard
Changed
- Bug Fix: Fixed security plan builder issue where some controls improperly showed as redundant
- Bug Fix: Comment alerts on delete are more intuitive.
- Bug Fix: Link alerts on delete are more intuitive.
- Bug Fix: Comment alerts now work on creating a new comment.
- Bug Fix: File system deletion alerts are now green v/s red on success.
- Bug Fix: Subsystem now hides until loaded.
- Bug Fix: Classified records now wrap properly in the subsystem.
- Fixed rebasing issues across branches
[3.5.0] - 2022-02-24
Added
- Aggregate APIs for pulling bulk data visualizations in external data visualization tools
- Explorer now auto-expands the current record and shows/hides the sneak peek if you are already on the record
- Requirement form now shows the parent control if it exists in the Regulations tab
- Component Status Board
- Lineage and deep linking added for Assessments and Risks (previously just on issues)
- Aggregate queries added for external data visualization
Changed
- Bug Fix: Main dashboard for security plans now loads with no data (checks for null first)
- Bug Fix: LGPL license now points to RegScale
- Bug Fix: Form labels now display correctly for change password, password reset, and confirmation pages
- Bug Fix: Added validation to prevent the maximum length of a Requirement title from being exceeded
- Requirement form reorganized to show/hide fields based on whether it has a parent control
- Bug Fix: Child issues and assessments now showing correctly on the Policy Status Board
[3.4.2] - 2022-02-17
Added
- Added UUID info for the user on the workbench
- Reformatted user profile page
Changed
- Hotfix: Issue External ID queries refactored for non-null set
- Bug Fix: Spinner updated for OSCAL export for security plans
- Bug Fix: CSS styling on Workbench
[3.4.1] - 2022-02-16
Added
- N/A
Changed
- Hotfix: Issue External ID queries refactored for null set
[3.4.0] - 2022-02-15
Added
- Improved user caching to make more consistent
- New dashboards/home page design
- Ability to link issues to multiple records/tiers for ease of querying and reporting
- Issues can now be related at multiple layers for ease of querying/reporting, to include:
  - Control Implementations
  - Assessments
  - Requirements
  - Security Plans
  - Projects
  - Supply Chain
  - Policies
  - Components
  - Incidents
- Added a bulk processor API to issues to allow the RegScale CLI to do bulk conversions for customers with legacy data
- Project, Security Plan, Supply Chain, and Policy Status Boards redesigned and improved UX
Changed
- Subsystems - close button made smaller and moved to the top to avoid visual confusion with Save button
- Time Travel UX refactored to work better in a modal view
- All Find by "External ID" APIs on issues now return multiple records instead of a single (Prisma, Wiz, ServiceNow, and Jira)
- Added method to show plural name of modules in the Module Service
- Improved Login styling
- Bug Fix: Fixed issue where spinner would sometimes not dismiss on session timeout from the login page
- Bug Fix: Parent ID and Module now passes correctly to the new record creator
- Bug Fix: Editing security controls now works properly
- Bug Fix: Catalogs now correctly display metadata
- NPM package updates for vulnerabilities
- Fixed footer links to point to RegScale.com and updated EULAs and Privacy Policy
[3.3.1] - 2022-01-25
Added
- Kanban view optimized to be in a modal view
Changed
- Added configuration to slow down monitoring endpoints
- Removed legacy Cucumber testing tags on the List Views
- Bug Fix: Lightning Assessment sliders now work again
- Bug Fix: Kanban drag and drop now works correctly/consistently
[3.3.0] - 2022-01-23
Added
- Copy token button added to user profile
- Health monitoring system added for RegScale
- Add multiple new layers to the Security Control model for OSCAL to improve the UX:
  - Implementation Options
  - Test Plans
  - Control Objectives/Enhancements
  - Parameters
- Added spinner to Transformer to show that it is still processing for larger data loads
- Objectives can now be assessed at the control implementation level
- Added the ability to categorize risk through various lenses
- Added support for Risk Trending
- Added level of effort for Tasks and Issues to help with resource loading
- Added CMMC Asset category to components and assets
Changed
- Bug Fix: errors with date filters pulling on the dashboards
- All dashboards are now driven by a year selection
- Added more options for Security Plan and Control Implementation Status
- Bug Fix: Requirements and Security Controls now parsed correctly in Explorer
- Bug Fix: Subsystem Reload after Save
- Bug Fix: Health check stylesheet now served properly within a container deployment
- Classification levels can now be archived from the List View
- Ports and Protocols: default end port to be the same as the start port
- Changes to ports and protocols now are logged in history
- SSP OSCAL export now provides more control implementation metadata
[3.2.0] - 2022-01-04
Added
- TreeView visualization to Explorer - accordion expansion
- Volpe Threat Modeling Integration - MVP 1
Changed
- Bug Fix: Formatting on system configuration
- Changed favicon to new RegScale logo
- Optimized all images for faster browser loading
[3.1.1] - 2021-12-23
Changed
- Bug Fix: Fixed .NET Core bug with IIS 6
[3.1.0] - 2021-12-19
Added
- Added support for Volpe Risk Modeling integration
- History table is now sortable and filterable
- Drilldown is now available on all charts
Changed
- Bug Fix: Fixed formatting on Lightning Assessment Header
- Bug Fix: Eliminated security risk on password reset
- Improved visualization, sorting, and filtering on My Activity and the News Feed
- Improved button layout for user management
- Email service improved with better logging/validation
[3.0.6] - 2021-12-13
Changed
- Bug Fix: .NET Core Optimizations
[3.0.5] - 2021-12-10
Changed
- Bug Fix: Removed legacy wait-for-it script, made SQL startup more resilient
[3.0.4] - 2021-12-10
Changed
- Bug Fix: Bash optimization for multi-stage build
[3.0.3] - 2021-12-10
Changed
- Bug Fix: Added bash back to the Linux container
[3.0.2] - 2021-12-10
Changed
- Bug Fix: Permission error on wait for it.sh file
[3.0.1] - 2021-12-08
Changed
- .NET Core Version 6 upgrade including all Nuget packages
- Container hardening and upgrades
[3.0.0] - 2021-12-05
Added
- Rebranded from Atlasity -> RegScale
- New form system design with three columns and floating toolbar
- Tenable.sc integration
- Jira integration
- Ability to model control implementations by responsibility (i.e. provider, customer, shared)
- New Overall/Master dashboard for home page
- Requirements now support Lightning Assessments
- Scorecard now implemented for Projects, Supply Chain, Components, and Policies
- Angular 13 upgrade
- Loading spinners added for sending emails
- Security Controls can now be exported
- Add labels to drill down charts on the List Views
- Added links to online documentation
- Header to dashboard
Changed
- Improved the loading spinner implementation when fetching data
- Dashboard filters can now be toggled on/off
- Security Plan status board now has tabs to toggle between individual and aggregate views
- Bug Fix: Fixed issue with incorrect lookup of catalog title on Transformer
- Bug Fix: Copying a requirement no longer copies last assessment result
- Bug Fix: Policy Status Board now calculates 'Not Assessed' status correctly
- Bug Fix: Service Accounts are now properly locked as an Enterprise feature
- Supply chain module can now track actual costs
- Project module can now track actual finish date
- All spinners are now consistently styled
- Removed legacy PWA code
- Refactored to remove a large amount of redundant code
- Profile mapping moved into a tab v/s subsystem
- History visualization now shows by default and has labels
- Cause Code Tree is now in its own tab
- Upgraded Kendo UI for Angular packages to the latest
- Security patching of NPM packages
- Bug fix on Requirement controller
- Updated routing to allow for more efficient copying
- Profile Mapping User Experience enhanced
- Fixed periodic rendering issues on history visualization
- Swagger API cutover to RegScale branding - no impact to customer integrations/routes
- Bug Fix: Fixed RBAC errors on default settings (parent inheritance working again)
- All Builders/Wizards have the UI/UX refactored
- Scorecard now defaults to showing open issues v/s total
- Bug Fix: eliminated double API calls to the subsystem
- Bug Fix: requirement module now correctly pulls control tests
[2.4.0] - 2021-10-11
Added
- Enriched data model for Catalog OSCAL export
- Supports namespaces for OSCAL
- Ports and protocol support added for Assets, Components, and Security Plans
- Azure Active Directory (AD) Single Sign On (SSO) Support
- Integration dashboard for improved ease in managing integrations
- Added ability to generate Personal Access Tokens (PATs) to support Service Accounts that can be leveraged for API automation
- Added integration with MITRE Security Automation Framework (SAF) via Inspec/STIG profiles using OSCAL
- Indicators to grids to better indicate sorting functionality
- Master assessments now allow you to visualize the individual assessments that make up the overall score
- Added support to generate OSCAL SAP/SAR documents from Atlasity assessments
- Improved dashboard visualizations including stacked bar charts
- Profiles now display info for Control Ids and Catalogs
Changed
- Bug Fix: Check for null on Login Banner
- Bug Fix: OSCAL Security Plan export handles null dates
- Bug Fix: OSCAL Catalog export handles null dates
- Lightened N/A CSS on the Security Plan Scorecard
- Bug Fix: Fixed memory leak to unsubscribe on notifications
- Replaced Chart.js with Telerik Charts - improved UI
- Replaced eCharts pie charts with Telerik Charts - improved UI
- Improved UI for Security Plan Print - added Catalog data
- Improved UI for Security Scorecard - added Catalog data
- Added "Automation" fields to assessments to support OSCAL and integrations
- Improved labeling around risks
- Bug Fix: Control Id is now sortable
- Default styling changed for form focus
- Workbench impersonation renamed
- Custom fields now show a default view when there are no fields
- Bug Fix: Some fields were not sorting correctly and have been fixed
- Bug Fix: Copy security control did not copy control type
- Bug Fix: Deactivated users can no longer log in
- Moved custom fields to a tab on the component form
- Custom fields all moved into the tabbed interface
- Bug Fix: Catalog print now correctly displays all controls
- Back button only prompts warning if data has changed (form is dirty)
- Login now redirects to the dashboard as the Home page
- Bug Fix: Control implementation sorting now works in the grids
- Security: Added a flag to allow the warning banner to be bypassed for security scans
[2.3.0] - 2021-09-12
Added
- Validation to .NET controllers and simplified Create/Update APIs
- Security profiles can now be printed and emailed
- Added Login Banner capability that can be customized by tenant
- Added Privacy Policy notice to the footer of the application
Changed
- Removed ElasticSearch integration
- Added ability to toggle on Sentry.io monitoring with an environment variable for .NET Core
- Removed Angular Sentry.io monitoring (not useful)
- Bug Fix: Workflow enabled for cases
- Bug Fix: Notification link now works for questionnaires
- Bug Fix: Pivot table visualization works for cases
- Bug Fix: Toasts now correct when creating a new organization
- Bug Fix: Component print and email now works
[2.2.3] - 2021-08-31
Added
- Integration fields for issues (JIRA, ServiceNow, Wiz, Prisma)
- Classification subsystem
- New tenant auto-seeds picklist metadata
- Indexing for Relationships module to improve performance
- Indexing for Classified Records to improve performance
- Indexing for Events/Timeline to improve performance
- Indexing for Workflow to improve performance
- Indexing for Cases to improve performance
- Additional features and functionality for OSCAL exports of Security Plans and Components
Changed
- Patched JWT Nuget package to address security vulnerability
- Updated Telerik PROD License Key
- Fixed legacy CSS issues with / and moved to math.div
- Upgraded to Angular 12.2
- Added Step indicator to recurrence wizards
- Added server side data validation and API simplification for assessments and issues
- Custom fields now print
- Added warning when creating a custom field that data type cannot be changed
- Added properties to parameters for OSCAL
[2.2.2] - 2021-08-24
Added
- Scorecard now shows modal for open issues
Changed
- Added Control ID to show on the control implementation form
- JWT tokens now expire in 24 hours instead of 2
- ControlId added to Transform Mapper
- Transformer now refreshes controls when the base control changes
- Fixed duplicate IDs on the catalog form
- Fixed bug where child issues were not always pulling correctly on the Scorecard
- Fixed bug to default printable if security control type is undefined
- Security groups are now sorted for RBAC
- Lightning assessment always refreshes when closing the page now
- Fixed CSS styling on date picker controls
- Added CSS styling to show N/A controls are excluded from Scorecard calculations
- Fixed bug where control type was not being set properly when loading a new catalog
[2.2.1] - 2021-08-17
Added
- Security Plan Scorecard
- Added Wizard interface for Assessments, Data Calls, and Tasks Recurrence
Changed
- Bug Fix: All events on the status board are now processed correctly when hovering over the heat maps
- Uploading files now generates a toast to confirm the upload
- Softened colors on the Security Plan Status Board
- Bug Fix: Bulk edit of control implementations now works properly
- Bug Fix: Last Assessment hover fix
- Improved tooltips on the Status Boards
- Bug Fix: Updated date formatter based on NPM library update
[2.1.3] - 2021-08-06
Added
- Case Management Module
- Added mapping flag to catalogs as a visual indicator
- Enhanced date picker added throughout all modules
- Improved data validation prompts
- OSCAL: Inheritable flag added to control implementations (used for leveraged authorizations)
- Transformer feature now shows mappings in the UI
- Builders now track linkages between profiles and the records they create (OSCAL)
- Dashboards now have pageable/filterable grids
- Catalogs now have links to the source OSCAL file that generated them
- All modules have an API to be queried by custom fields
Changed
- Bug Fix: Catalog title is now a required field via the API
- Performance - rewrote the export JSON functionality
- Bug Fix: Logic was broken on show/hide mapping wizard
- Bug Fix: Confirmation email link now works
- Bug Fix: Registration link now works
- Bug Fix: Removed deprecated Service Account API
- Bug Fix: Can now delete catalogs and security controls with mapped controls
- Added warning when trying to map a catalog with no controls
- Risk matrix removed hard coded thresholds
- Bug Fix: Date picker popups now work in modal windows
- Catalog and security controls are now archived versus deleted
- Bug Fix: Setup now shows for Global Admin on Community Edition
- Bug Fix: Menu options now hidden from the Global Admin account
- Angular 12.1.4 minor upgrade and various npm package upgrades
- Bug Fix: Get all controls by security plan query was not always accurate, fixed lookup
- Bug Fix: Fixed sporadic bug where lightning assessments sometimes would not create for general users
- Bug Fix: Kanban not showing tasks on workbench
- Kanban button colors are now white
- Bug Fix: Tasks on workbench now reset correctly with impersonation
- Bug Fix: Kanban now shows profile pictures again
- OSCAL validation no longer prevents downloads - just throws warnings
[2.0.2] - 2021-07-19
Added
- Added Record Level access control to all modules
- OSCAL export functionality for Security Plans, Catalogs, Profiles, and Components with AJV schema validation
- Each Atlasity instance now has a unique GUID tied to its license for improved Software Assurance
- License is now checked on login and access is enforced based on license validity
- Upgraded WYSIWYG Editor
- Recurrence Engine - now allows preview and group assignments
- Performance - major improvements to query performance on list views
Changed
- License key management - Community Edition locks after 30 days and requires a license registration
- License now managed only at the Global Admin account, removed on Setup page
- Added support for Stored Procedures for SQL performance optimization on the backend
- Bug Fix: Org list not shown when creating users using the Global Admin account
- Added password validation when creating a new user
- Bug Fix: Domain now set properly on login
- Multiple backend performance improvements (query optimizations)
- Minor bug fixes and improvements
- AI for issues now driven by a button click instead of defaulted for performance reasons
- Bug Fix: All licensing now set from Admin panel versus environment variables
- Bug Fix: Catalog export now working
- Added Control ID to security control list view
[1.6.1] - 2021-06-06
Added
- Added Risk Mitigation module to map controls to risks they mitigate
- Added Control Mapping matrix visualization
- Component module with OSCAL export functionality
- Added builders to components and flowed down to assets (with visualizations)
- Date graphing throughout the application
- Kanban Task Board feature enabled for all modules
Changed
- Assets can now be mapped to many components
- Assets now have tabs to organize the form
- Provided a GUI for adding/managing control parameters
- Angular 12 upgrade
- Swapped crypto-js library for crypto-es (TypeScript friendly)
- Cleaned up NPM vulnerabilities
- Updated NPM dependencies, removed unneeded packages
- Bug Fix: Domain lookup now functions properly under all circumstances
[1.5.0] - 2021-05-07
Added
- Added Project Status Board
- Added Supply Chain Builder
- Added Project Builder
- Added Policy Builder
Changed
- BUG FIX: Security plan delete now works and removes control tests and results
[1.4.1] - 2021-04-30
Added
- Master Assessment feature (schedule many assessments at once)
- Relationship Manager for many to many linking of records
- Lightning assessments now support links, comments, and attachments
Changed
- Reformatted Quality system on control implementations
- Lightning Assessment feature now hidden when there are no tests created
- BUG FIX: Lightning Assessments works properly again for a single assessment
- BUG FIX: Delete button works again for assessments
- BUG FIX: Toggle off for Supply Chain and Policy now works
[1.3.0] - 2021-04-17
Added
- Questionnaire Module
- Added metadata fields to Control Implementations
- Added tabs to Control Implementations UX
- Added quality management to Control Implementations
- Added Risk Maturity Tier to Security Plans
- Added filters to the Calendar for user (default), facility, and org
- Google style search bar added to all modules
- Added Control Tests to each Control Implementation for Enterprise Customers
- Added Lightning Assessment Functionality
- Added a new API to pull all child records for a given security plan in a single call
Changed
- Controls now show in the preview box for the security plan builder
- Bug Fix: Search bar formatting improved for CSS
- Added reset to search on Security Plan Status Board
[1.2.0] - 2021-03-30
Added
- MD5 checks and enhancements for Time Travel
- AI Engine built for issue recurrence analysis
- Refactored reporting engine page
- Added summary info to the Security Plan module
- Enhanced pagination support for large data sets
- Added export functionality for all modules (JSON format)
Changed
- Bug Fix: Handled null records on Time Travel and improved formatting
- Bug Fix: Org pivot tables now work when visualizing records in lists
- Fixed width of user table in the Admin panel
- API key merged into the User Profile versus a separate page
- Bug Fix: Corrected calculation error on the DOD 171 self-assessment scoring
- Added divider between catalog controls on printable form
- Re-organized catalog print page
- Bug Fix: Hide control implementations until save on security control form
- Enhancement: Moved action buttons on user form to the left to prevent scrolling off page
- Security Control weight now accepts decimals; not just integers
[1.1.1] - 2021-03-21
Added
- Persists login username in localStorage, uses it to remember username and to check LDAP status
Changed
- Bug Fix: AD/LDAP bug fixed
- Bug Fix: Creating new users
[1.1.0] - 2021-03-15
Added
- License key is now driven by the Admin panel versus an environmental variable
- Additional fields for risk modeling
- Added Organization module
- Added Questionnaire backend
- Added Reporting module with DoD 800-171 Self-Assessment Scoring
- Risk visualization to the risk form
- Greater visualization and interactivity to the Security Plan Status Board
- Added visualization for all control implementations of a given security control
Changed
- Bug Fix: Security plan status board can now handle nulls when parsing data
- Bug Fix: Google Maps API now allows connections from any domain
- Updated licensing agreement
- Updated copyright date
- Bug Fix: Reset on search now resets the data
- Bug Fix: Login now resets the license type without a refresh
- Bug Fix: Can now add multiple users without refreshing, enhanced validation and logging
[1.0.2] - 2021-02-07
Added
- More options for risk categorization
- CMMC options to the policy module
- Added ability to handle multiple mapping options via the wizard
Changed
- Bug Fix: Controller fixed for Status Board
- Bug Fix: CMMC data was not printing on security plans or control implementations
- Bug Fix: Search bug fixes for .NET 5 (IndexOf -> Contains)
[1.0.1] - 2021-02-04
Added
- Mapping functionality now locked to Enterprise customers
Changed
- Bug Fix: Controller fixed for Status Board
[1.0.0] - 2021-02-02
Added
- Added catalogs and support for all baselines of NIST 800-53 Rev4
- Added catalogs and support for all FedRAMP baselines
- API for interacting with unique ControlIds for security controls
- Licensing info now shows on the tenant Admin panel
- Added ability to delete a workflow template step from the designer
- Added ability to delete workflow instances
- Added workflow ID to the workflow instance form
- Major dashboard refactoring and improvements
- Added Parent Slider to the Workflow Instance system
- Added Component module to support the OSCAL standard
- Added Parameter to the data model to support the OSCAL standard
- Added ability to print the full Catalog with all child controls
- Added NIST 800-171 Self-Assessment Report for DoD
Changed
- Bug Fix: Hot fix for DB migration issue
- Bug Fix: Workflow now passes ID properly to the instance page after creation
- Bug Fix: Workflow system now auto-creates the "System" group if it doesn't exist
- Bug Fix: Supply chain system now handles null stock data
- Bug Fix: Catalog search now works properly
- Bug Fix: Security controls search now works properly
- Bug Fix: Security Plan status board explanation no longer interferes with My Activity slider
- Bug Fix: Time Travel "Revert" button now works
- Bug Fix: Sort order on custom fields now works properly under all circumstances
- Enhancement: Workflow notifications give a better indication of what is happening (Approval v/s Notification)
- Enhancement: Colors are now consistent on graphs relative to status
- Enhancement: Added advanced visualizations to the security plan status board
- Enhancement: Minor UX tweaks throughout the application
- Enhancement: Added a prompt before reverting Time Travel to a previous state
[0.9.8] - 2020-1-14
Added
- Added Control Mapping system to map controls from multiple catalogs into a single control mapping
- Added a unique Control ID to the security control module to allow a "business friendly" control name for easier searching and lookups
- Added AD/LDAP auto-sync job with the ability to map attributes for a deeper sync process with Atlasity
- Custom Fields can now be ordered with drag and drop on the Admin panel. Display consistently on the form.
- Can now view the related module on the workflow template designer
Changed
- Bug Fix: Now hides password related features if AD/LDAP sync is turned on
- Bug Fix: Broken icon on delete toasts fixed across the application
- Bug Fix: Navigation system now shows child security plans for a profile
- Improved data validation on the front and back end; better visual indicators and API protections
- Additional status options for interconnects added
- Bug Fix: Links in Sliders now close modals
- Bug Fix: Notifications now loads properly on login/logout
- Bug Fix: My Activity now loads properly on login/logout
[0.9.7] - 2020-1-07
Added
- Time Travel feature implemented
- Bulk editing of security control implementations
- Supply Chain Risk Status Board
- Supply Chain - configuration panel added for analyzing 3rd party risk
- Security Plan - now has form data for Authorization Boundary, Network Architecture, and Data Flow
- Security Plan Form - now implements tabs to make the form more compact with less scrolling
- Security Plan Print - UX improved to add dynamic charting and visualizations
- At a Glance Tags added to security plan for quick visual indication of key data
- User Groups - can now be viewed on the user profile
- Workflow - now tracks start and end times for the overall workflow and each step
- Upgrade to Angular 11 and .NET Core 5.0.1
- Performance Optimization - Supply Chain, Policy, and Security Plan Status Board refactor
Changed
- Bug Fix: Removed domain check since it is config driven.
- Bug Fix: News posts links for Supply Chain and Causal Analysis are now formatted correctly.
- Performance: Index optimization for frequently executed queries
- Packaging: Optimized build to decrease container size
- Security: Hardened the base image to eliminate vulnerabilities and reduce the attack surface
- Refactored News Posts to be more efficient
- Removed Catalog field from security control form (could cause data integrity issues)
- Added new status for Security Plans (Retired/Decommissioned)
- Bug Fix: Removed register new user link on the Forgot Password page
- Bug Fix: Fixed bug that would not allow adding Interconnects to a security plan
- Bug Fix: fixed broken breadcrumb links on the workflow modules
- Group Management - now disabled for Global Admin (god-mode account), must log in with a regular Administrator role to access group management
- Group Management - UI refactored to improve the user experience
- Workflow Designer - UX refactored to improve the user experience
- Bug Fix: Workflow notifications now go to all users in the group, not just to the first user
- Bug Fix: Added history events for workflow
- Added ability to toggle on/off bulk editing of security controls and added alerts for saves
- Bug Fix: fixed issue with JavaScript changing numbers to dates under some circumstances
- Bug Fix: Removed index on control implementations to allow for large field sizes
- Bug Fix: Fixed back button when deleting a security plan
- Bug Fix: Fixed hidden elements from a bad DIV tag on the security plan print report
- Bug Fix: Supply Chain Risk parent ID is no longer nullable
- Bug Fix: If same parent type (i.e. nested security plans), child controls now render correctly
- Validation: Refactored for Security Plans
[0.9.6] - 2020-11-18
Added
- Base image changed to Linux Alpine for smaller size and improved security
- UUIDs added to all modules to improve machine to machine data interchange
- Added navigation to app menu to view My Activity in a slide out panel
- Added user "baseball cards" to display contact info for any user selected
- Added validation for all environmental variables on startup. Now throws errors in the container logs when validation fails.
Changed
- Applied phone masks for improved formatting
- Fixed duplicate IDs on HTML tags on the Catalog
- Fixed print error on security controls
- Assessments can now be added to assets
- Bug Fix: Can no longer view dashboard when module is disabled in setup
- Bug Fix: Can no longer 'Add Child' records when module is disabled in setup
[0.9.0] - 2020-10-30
Added
- Improved logging
- Added functionality to hard reset the admin password with an environment variable and restarting the app
- OSCAL SSP Import
- Added Stakeholders subsystem
- All Home Page Dashboards completed
- Added System Owner to the Security Plan Module
- @Mention feature implemented for notifications (Comments Subsystem, Workflow, and News Feed)
- Added Policy Status Board
- Added Control Weight to Security Controls (used for risk calculations and DFARS Self-Assessments)
- Email Viewer
- Added Export for Security Plans and Control Implementations - used for external integrations
- Can now "opt in" to receive email notifications
- Notifications now issued for new record assignments (within Atlasity and via email if "opted in")
- Added "Slide out" feature to preview the parent record
- Base image changed to Linux Alpine for smaller size and improved security
- UUIDs added to all modules to improve machine to machine data interchange
- Added navigation to app menu to view My Activity in a slide out panel
- Added user "baseball cards" to display contact info for any user selected
Changed
- Bug Fix: No longer shows option to add a Control Implementation to the Security Plan using the Add Child button (must use the builder)
- Refactored Security Plan report to allow for more customization in reporting
- Can now delete comments
- Improved signaling on navigation links
- FIPS and System Type are now configurable as Metadata
- Refactored notification system UI for performance
- Group manager now displays a default of 25 records
- Fixed email viewer bug, now displays all sent emails correctly
- Fixed bug for 'Create New' on Supply Chain Status Board
- Date Last Assessed and Last Assessment Result are now labels - must be set via assessment
- NIST 800-171 now available as a catalog
- Increased length of security control titles
- Changed the cursor on the navigation tab
- Added more discrete validation to the tenant configuration form
- Fixed blank password bug for email configuration
- Improved validation for AD/LDAP settings
- Bug Fix: Exception lookup now working correctly
- Add Child button now hidden until a module is selected
- Cleaned up divider lines based on permissions in the Navigation bar
- All logins now redirect to the workbench as the standard home page
- Bug Fix: System Owner now displays properly in the list view
- Added ability to enable/disable email SSL by tenant
- Applied phone masks for improved formatting
[0.8.0] - 2020-10-2
Added
- OSCAL Security Plan Export
- Performance Tuning - Lazy Loading in Angular, Bundle Size Optimization
- Added Cypress Front End Testing (rebased with testing branch)
- MITRE Heimdall Integration for Assessment
- Added Help system for all modules
- Metadata seeding re-factored for each module
- Refactored global admin workflow
- Control owner visualization for security plans
- Added the Maintainer role
- Users default to activated
- Facility Status Board now handles offline gracefully
Changed
- Added ability to show/hide CMMC fields based on Admin Config
- Fixed bug where Atlasity would not accept complex email addresses with multiple periods
- Bug Fix: Fixed route on creating a new user
- Added "Last Assessment Result" graph to the Security Plan Visualizer
- Bug Fix: Recurring assessment route fixed
- Bug Fix: Fixed "Create New" route for projects
- Bug Fix: Cause codes now load defaults on new installations
- Bug Fix: Supply Chain picklists now configurable
- Bug Fix: License now displays properly when not logged in
- Bug Fix: Fixed date validation errors from the testing harness
- Bug Fix: User profile system bug fixed, can now upload photos
- Cache now clears on logout and when adding a user
- SMTP Email Password is no longer required (for non-authenticated use cases)
- Bug Fix: Notification count reset to zero on logout
- Bug Fix: Non-admins can now access their User Profile
[0.7.0] - 2020-08-28
Added
- Added Supply Chain Module
- New landing page with dashboards
- Custom fields can now be ordered via drag and drop
- Angular 10 upgrade
- FontAwesome now installed locally v/s CDN include
- Calendar now supports Angular 10
- Facility Status Board MVP 1
Changed
- Added currency formatting to the Project input controls
- Renamed Atlasity export files
- Workbench component now properly named
- Fixed bug on AD sync
- Added Post-Incident Evaluation field to the Incident Response module
- Email alerts now indicate that it was sent to you
- Hides ID field on Security Control Implementations
- Refactored Facility Status Board for efficiency
[0.6.0] - 2020-07-31
Added
- Added support for email CC
- Active user toggle added for the user list
- Fixed max filesize setting on Startup
- Fixed bug on test email, made code more resilient
- Help/Support now points to Atlasity.io
- Added the Facilities module to the Admin panel
- Printable reports now have clickable headers
- Added causal analysis module
- Added event module for timeline
- Custom fields are editable
Changed
- User search now shows by default
- File size limit now in MBs
- Admin email now updates when saving a new email in the Admin panel
- Cache now refreshes when new user is created or AD is synced
- Improved security of account creation when doing an AD/LDAP sync
- Facilities added to all forms/searches
- ListView buttons are always formatted on the right now
- Fixed 'Setup' link for non-Enterprise installs
- Required fields properly marked on the user form
- Email now saves to the database before sending and throws error prompt when it has issues sending
- Many multi-tenant user flow bug fixes
- Fixed routes to profiles and catalogs (no longer have to be an administrator to view)
- Domain stored locally to reduce API traffic
- Fixed back icon on Control Implementation form
- Domain name now adds '/' character to the end if not provided
- Link to CMMC added throughout security plans
- Save button now disabled until Save events complete (prevents multiple saves of the same record when clicking quickly)
- Facility name must now be unique for a given tenant
- Added test button for Slack/Teams
- Prevents duplicate cause codes
- Added cause type to causal analysis
- Fixed bug when copying security plans
- Auto-adds controls to plan using Security Plan builder without having to click an add button
- Added link icon to compliance navigator
- Removed Apparent Cause and minor UI tweaks
- Email configuration labels and validation improved
[0.5.0] - 2020-05-29
Added
- Custom Reporting and Dynamic Searching
- Expanded test coverage and integrated with CI/CD
- ELK stack expanded for enterprise monitoring and reporting
- User-defined fields implemented
- Added Email GUI
- Rebranded to ATLASITY
- App configuration now driven by license key
- Licensing info now displayed for global admin users
- FSSC Catalog import functional
- One step import/export now for a catalog and all child controls
- Custom fields are now tenant specific
- Added test button for SMTP email configuration
- Service Account now displays the current token
- Tooltips and instructions now provided on the AD/LDAP admin panel
- Custom fields now allows a choice list
- AD/LDAP now allows test/sync on the Admin panel, searches nested accounts
Changed
- IAM flow improved along with UI
- Fixed various security authorization bugs
- Fixed email bug in the ATLAS container
- Fixed various container deployment bugs and improved documentation
- Fixed bugs in the build process, sped up build times significantly
- My Activity moved under user profile and user form for Admins
- Calendar now graphs assessments across days
- Worked through Sonarqube bug fixes and Angular build bug fixes
- Removed cyber specific fields where possible (can add via Custom Fields for a customer)
- Fixed validation errors where form was not resetting
- Fixed bugs on workbench and adding items, moved config to a service
- Various multi-tenancy fixes
- Recurring bug fix - bi-annually now calculates correctly
- Custom fields now hidden for Community Edition
- Clearing security controls no longer throws an error toast message (warning instead)
- Fixed AD/LDAP bug on login
- Logout now in red and moved to bottom to be easier to find
- Create security plan now shows a spinner while building the plan with controls
- Fixed registration bug for users
[0.4.0] - 2020-03-27
Added
- Tenant and User services now cache results to improve performance
- Combined IAM modules into one config panel and re-factored
- Custom monitoring solution for K8s, APM, SQL Server, and Containers built using ELK
- Refactored user group by queries - improving query performance
Changed
- Fixed password reset bug
- Added show/hide fields to all password fields (default hides)
- Refactored service accounts for multi-tenancy
- Files are now searchable/sortable and show the MD5 hash
- Bug Fix - News Feed and My Activity filters now work for over time visualization
- Bug Fix - URL now updates after saving a record, fixing issues with the Back button
[0.3.0] - 2020-03-13
Added
- Created Admin panel for configuration
- Enabled AD/LDAP authentication
- Added deploy instructions for catalogues
- Added AES-256 encryption for secrets in the DB
- Added Group Management functionality for users
- Added System Integration tests with Cucumber/Selenium
- Angular now caches lookup fields
- Added ability to create and manage User Groups
Changed
- Updated deployment instructions for persistent storage on local installs
- Bug fixes on redirects after Catalogues and Security Plans are built
- Sorted/updated regulations on the Splash page
- Removed workflow trigger from new forms
- Made max number of file uploads configurable
- Can now enable/disable Microsoft Teams, Slack, and AD/LDAP authentication
- Bug Fix: Only activated users show in the user list
[0.2.0] - 2020-02-28
Added
- CMMC fully implemented
- Avatars now stored in the DB
- Workflow now supports drag and drop
- Added Print/Email capability for Catalogues and Security Controls
- Added ability to mount storage in K8s for file storage
- Catalogues now allow for JSON import and export
- Angular Unit Testing
- Added LGPL license to ATLAS
- Added Compliance Status Board for Security Plans
- Added Slack and Microsoft Teams integration
- Added multi-tenancy
Changed
- Minor icon bug fixes on the News Feed
- Re-factored dashboards to use the list view
- Add CMMC filters to security plans and control implementations
- Tuned SonarQube rules to filter out false positives
- Allows multiple file uploads
- Shows counter for number of catalogues on the Splash page
- Added C# unit tests and new folder structure
- Fixed bugs and legacy alerts
- Can now tie issues to assets
[0.1.10] - 2020-01-31
Added
- Basic workflow system engine
- Re-factored News Feed, comments on the news now flow down to the record
- Update API for Links
- Replaced all Alerts with Toasts for a modern UI experience
- Security Plan Builder Wizard implemented
- Pipelines updated and SendGrid bug fixed
- Upgrade to .NET Core 3.1
- Added the DoD CMMC into ATLAS
Changed
- Deletions via API now remove all child/related objects
- Improved form validation across all modules
- Removed version history, moved to the change log
- Improvements to file upload
- Replace Feather icons with Font Awesome - reduced build size
- Metadata manager now hides modules with no fields to customize
- File upload now throws an error if no file provided
- Cleaned up instructions for recurring records
[0.1.9] - 2020-01-10
Added
- Added search capability to all subsystem tabs
- Added a list view for security control implementations
- Added Kubernetes configuration files for ease of automated deployments
- Built Windows DEV environment
- Added GUI for creating service accounts
- Added loading spinners
- Added profile owner to security profiles
- CI/CD now handles DB changes
- Added search to history
- Added logic to "Show/Hide" the Show More button on the News Feed and My Activity
- Added URL encoding to search
- Added end of life, status, and purchase date to Assets
Changed
- New navigation system implemented
- Performance improvements for the navigation system
- Removed legacy breadcrumb system
- Removed sensitive user data from API calls
- Fixed bug on "add child" wizard in the navigation system
- Fixed Docker build error with new Angular update
[0.1.8] - 2019-12-06
Added
- Added error checking on all forms for 'Record Not Found'
- Added a requirements module
- Created a wizard interface for building security plans
- Created a wizard interface for managing compliance requirements
- Added a view of all implementations for a given control
- Added event type filter to the News Feed
- Added Select All and Remove All buttons to the security profile
- Added toggle to show/hide search filters on the list view
Changed
- Multiple data validation bug fixes
- Re-factored assessment API to support automated DevOps testing
- Re-factored UX for all forms
- Improved formatting of the Splash page
- Improved density of the UI on all subsystem tabs
[0.1.7] - 2019-10-30
Added
- All APIs compliant with Swagger/OpenAPI format
- Added initial Swagger API documentation page
- All APIs have Swagger documentation
- Added recurring assessment feature
- Added recurring data call feature
- Added recurring task feature
- Comments are now integrated with the News Feed and History
- File upload/download is now integrated with the News Feed and History
- Links are now integrated with the News Feed and History
- Added Swagger documentation to the ATLAS models
- Added High Value Asset toggle to the Security Plan module
- Required fields are now marked on the forms
- Added Refresh button to the News Feed
- Added catalogue to the News Feed and My Activity
- CSA CCM controls uploaded
- Assessments auto-update control implementations
- Added control implementation details to the dashboards
Changed
- Fixed workflow step bug on the News Feed
- Fixed bug with blank avatars on the News Feed
- Fixed issues on the Catalogue Form
- Updated the Security Controls data model
- Security profile refactoring
- My Activity now shows unique records
- Refactored the Workbench UI
- Updated Splash page - compliance frameworks + Star Wars
[0.1.6] - 2019-09-30
Added
- Added click-through license agreement
- Added printer dialogue button
- Added validation to the RBAC manager
Changed
- Fixed checkbox indent
- Made blob storage private - validated encryption of files and privacy of URLs
[0.1.5] - 2019-09-06
Added
- Added email notification for new account creation
- Added a password reset feature
- Improved validation for login processes
- Added support for Markdown files in ATLAS
- Added initial Help system with Markdown support
- Added progress bar, totals, and legend to the calendar
Changed
- Upgraded to Angular 8
- Fixed NPM package vulnerabilities
[0.1.4] - 2019-08-26
Added
- Tested new navigation menu on mobile, Mac, and Windows
- Added a warning banner for ALPHA testing
- Enhanced data validation logic across all modules
- Improved formatting of date picker controls
Changed
- Moved all navigation to the top to allow more screen real-estate on small screens
- Fixed navigation bug on mobile with dropdown menus
- Fixed login/logout flow
- Fixed status check logic for tasks
- Removed max/min controls
- Fixed a rare show/hide bug in the navigator
[0.1.3] - 2019-08-10
Added
Changed
- Fixed card height issues on the splash screen
- Fixed login/logout issues with showing/hiding content
[0.1.2] - 2019-07-27
Added
- Added data validation to new user account creation
- Added vanity URL for the ATLAS sandbox: atlas.c2labs.com
- Added default image
Changed
- Fixed width issues on mobile platforms for logins
- Improved password management features on new user creation
- Fixed data validation when updating the user profile
- Updated format of the unauthorized access page and footer
[0.1.1] - 2019-07-10
Added
Changed
- Updated readme.md file to better describe the modules and build process
- Various fixes to improve support on Windows (IE and Edge)
- Disabled service worker code (throwing errors and not being used right now)
- Removed xlsexport, incompatible with latest Angular framework
- Fixed duplicate tags on the home page
- Fixed logic on login/logout/user creation