Provides details on all changes to the RegScale-CLI over time.
[6.16.1.0] - 2025-03-21
Added
Option to disable cache flag for all RegScale models by setting disableCache: true in the init.yaml file
InheritedControls model to regscale_models
Changed
Logging statements when using the ScannerIntegration class
Logging statements during Flat File imports
Updated Vulnerability's plugInId attribute to match the RegScale data type using the RegScale server version
Fixed
tenableGroupByPlugin variable set to true was breaking Aqua and other ScannerIntegrations
Wiz Sync Compliance command not working as expected
Tenable SC findings and asset count should work as expected
[6.16.0.0] - 2025-03-13
Added
New jobs in Automation Manager for the new commands in the Sicura integration
Qualys Total Cloud Integration
Parsing environment variables for AWS_REGION and AWS_SESSION_TOKEN during AWS integrations
Option to provide --aws_session_token during AWS integrations
ComplianceSettings API support for docx imports
complianceSettingsId to security_plan RegScale model
Changed
Merged aws and awsv2 integrations into aws integration
Improved logging during aws inventory command
Warning messages about invalid data types or missing mappings to debug statements to allow for better debugging
Fixed
Missing pandas import when using Model editor command
Console logs not using the full width of the console
Progress bars during Tenable SAP sync_assets and sync_findings commands
Removed
Setting issue b fields at the control level in DocX, appendix A and OSCAL imports
[6.15.0.0] - 2025-03-06
Added
Updated Sicura integration to use ScannerIntegration
Trivy and Grype scans will extract and set the asset name to the sha256 hash if found in the filename
Option to define vulnerabilityMappingDefault in the init.yaml file to specify the default for Tenable, Trivy and Grype
Please use one of the following values:
"0 - Critical - Critical Deficiency"
"I - High - Significant Deficiency"
"II - Moderate - Reportable Condition"
"III - Low - Other Weakness"
"IV - Not Assigned"
Changed
Consolidated logic for flatfile imports
UNKNOWN and NEGLIGIBLE severities to High severities during Trivy & Grype imports
Default severity mappings for Tenable, Trivy, OpenText, and Grype imports to default to use the vulnerabilityMappingDefault when not parsed
Fixed
Assets not being associated to the provided Security Plan during regscale defender sync_cloud_resources
Errors experienced during the fedramp import_inventory command
Bugs during IBM AppScan import
Typo in import_all command for Snyk imports
Prompting for file path during flat file imports when using --s3-bucket or --s3-prefix options
Failed import on Trivy files with no vulnerabilities
Missing keys adClientId and adClientSecret for Azure Active Directory jobs in Automation Manager
[6.14.0.0] - 2025-02-25
Added
homePageUrl to user RegScale model
Option to set the config using regscale --config when running the CLI; it can be a dictionary as a string or a filepath to an init.yaml file
New Module and FormFieldValue models to RegScale models
Additional methods to the Group, SupplyChain and UserGroup RegScale models
Changed
Application class prematurely being initialized no matter the command, causing unnecessary overhead
Logging when running jobs via Automation Manager
Simplified all jobs in Automation Manager
APIHandler attribute in RegScale Models to use _get_api_handler(), this minimizes overhead in CLI for better performance
Fixed
Multiple errors spanning different jobs in Automation Manager
sslVerify not correctly updating the API session when set to False in init.yaml or an environment variable
Character limit issues when parsing IP Addresses and Mac Addresses during Tenable integration
[6.13.0.1] - 2025-02-24
Fixed
Errors in FlatFileImporter when no asset count or vulnerability count is 0
Errors during regscale servicenow sync_changes command
[6.13.0.0] - 2025-02-21
Added
Assets connector type to support ingesting assets from multiple integrations like Armis Centrix, Nozomi Vantage, ServiceNow and future integrations via regscale assets
Ability to populate boolean fields when using regscale model commands
Command to sync Change Requests from ServiceNow into RegScale as Changes via regscale servicenow sync_changes
Method fetch_all_changes to the Change RegScale model
Supply Chain model to RegScale models
"viewable_by": "everyone" during Label entry creation in the ServiceNow issues_and_attachments command
issues_and_attachments job to the Automation Manager for ServiceNow integration
Changed
Improved error handling in the Application class
Fixed
Improper formatting on string during Xray import
Bug causing Application class not honoring provided config during initialization
Various other bugs, unintended behavior, and possible errors within the Application class
Boolean fields being set to false during regscale model command
Removed
Unused methods in Application class
[6.12.1.0] - 2025-02-14
Added
Grype, Trivy, and OpenText WebInspect imports to regscale import_all command
Fixed
Fixed critical vulnerability severity level on all scan imports
Supported by adding 0 - Critical - Critical Deficiency to the SeverityLevel via the Issues Form Builder in RegScale
Missing vulnerability and asset count when importing OpenText WebInspect scans
Errors when matching assets when ipAddress is 0.0.0.0 during import
[6.12.0.1] - 2025-02-12
Fixed
Prompt for DuroSuite variable when not running DuroSuite integration
[6.12.0.0] - 2025-02-11
Added
Automated DuroSuite STIG Scanning Integration
Added AWS inventory
Vulnerabilities connector type to support multiple vulnerability integrations like Tenable Cloud, CrowdStrike, Qualys Cloud, Tanium Cloud, Rapid7 Insight Cloud, Nucleus and future integrations via regscale vulnerabilities
Default attribute to param model to match RegScale model
return_passed option to ThreadManager.execute_and_verify to return only successful thread results
Changed
Standardized flat file imports to use the same logic and use the same parameters
All Issues now map directly to their Security Plan, removing the need to reference lower-level objects (e.g., Assets/Control Implementations) as direct parents.
Failing checklists create or update Issues under the plan. Passing checklists do not immediately close Issues; closure is handled later in a “stale item” clean-up phase.
Errors experienced during FedRAMP .XML SSP import when processing control parts
regscale emass populate_controls to support the revised template and date format from eMASS
FedRAMP CIS/CRM import:
Improved mapping file
Improved progress tracking
Parts are now properly created
Improved logic when processing Control Implementations
Skipping files in processed folder during regscale import_all run command
Fixed
Handling headers during API calls when using the Api class
Errors during regscale control_editor load command
Possible errors when building software inventory during Aqua import
Parsing multiple IP addresses during FedRAMP inventory import
Loading CISA KEV data from the RegScale CLI package if the API call fails
Issue with FedRAMP 5 docx importer where some Parameters were not being imported.
Fixed Issue with internal control mapping during FedRAMP 5 docx importer
Removed
regscale emass get_template command
[6.11.2.0] - 2025-01-09
Added
Intune integration now creates CycloneDX SBOM records in RegScale at the asset level
Ability to override the asset identifier to use ip address instead of FQDN name
Tag filters are now supported with Tenable IO sync_assets and sync_vulns commands
Airflow Tenable IO supports the --tags parameter.
ImportValidator to validate Nessus files during import
Capability to pass multiple controls in IntegrationFinding.control_labels (This will map an issue to multiple control implementations and add control test results for each)
get_all_by_master method to the Assessment model to fetch assessments from a Master Assessment/ConMon record in RegScale
FedRAMP POAM import:
Ability to automatically increment POAM IDs
ScannerIntegration logic to import
Changed
Replaced the https://graph.microsoft.com/v1.0/devices intune endpoint with the more frequently updated https://graph.microsoft.com/v1.0/deviceManagement/managedDevices endpoint
Due date calculation pulls from the init settings if available; otherwise it falls back to ScannerIntegration defaults
Intune integration now uses ScannerIntegration to process findings and assets
Fixed
Issue with ScannerIntegration where an issue could be closed outside the current scan tool
Missing mapping files used during FedRAMP rev5 docx import
Incorrect formatting in summary email when using regscale admin_actions send_reminders
Date parsing errors when using cisa ingest_cisa_alerts command
SAP Concur missing entry for Tenable
A possible bug in application.py, where artifacts folder could be missing before attempting to save a file there
[6.11.1.2] - 2024-12-20
Fixed
Issues being created as closed issues during flat file imports
[6.11.1.1] - 2024-12-19
Fixed
Incorrect path when loading scan_file_fingerprints.json during regscale import_all run command
[6.11.1.0] - 2024-12-19
Added
Support to bulk import scan result files by folder via regscale import_all run
Caching KEV list after fetching it once
Fixed
FedRAMP POAM import mappings
FedRAMP DRF import mappings
FedRAMP XML import errors
[6.11.0.0] - 2024-12-17
Added
Lazy loading for all possible commands to speed up CLI start up performance by 900%
Integration Override class to handle finding overrides for remediation, title or description
ImportValidater to FedRAMP inventory import to validate the import of files into RegScale before processing the data and custom mappings for headers
Rev4 support to regscale fedramp import_inventory command
Updating issue.changes field when closing an issue using the ScannerIntegration class
Logic to update issue.KEVList during issue creation or updates during ScannerIntegration class
get_list_by_catalog method to the SecurityControl model to fetch controls by catalog id
get_all_by_parent method to the ControlImplementation model to fetch controls by parent id and module
New RegScale Models: Email, Evidence, EvidenceMapping, Threat, Project, Case, Change, RBAC, LinesOfInquiry, AssessmentPlan, and Workflow
Property creation of POC data during FedRAMP POAM import on the importer POAM
Changed
regscale evidence & regscale oscal commands to leverage RegScale models, better coding practices, and faster performance
Parsing data from FedRAMP DRF form to be more accurate and consistent
ScannerIntegration to use Integration Override values when available
Application class to make available default values for findingFromMapping
Parameter model to use custom get_all_by_parent specific to the parameter model correcting an issue on param lookups
FedRAMP 5 docx importer to maintain individual part formatting from the document, the same as the overall implementation statement
Localized all major imports to improve speed and performance
Consolidated FedRAMP docx import into 1 command for rev4 and rev5 via regscale import_docx
Standardized commands, params and shorthands in FedRAMP module
Fixed
System Roles import now imports correctly during FedRAMP Rev5 .docx import and assigns role to control implementation
Missing scan_date during ECR import
Errors when running Flask application via regscale-rest
Errors during regscale fedramp import_drf
IP Address not being set during FedRAMP inventory import
Removed
Deprecated data models
Deprecated
Old methods that use direct API calls instead of RegScale models
Security
Updated packages to the latest versions
[6.10.0.1] - 2024-12-04
Fixed
Missing dependency causing import errors during FedRAMP Rev5 docx import
[6.10.0.0] - 2024-12-04
Added
Ticketing connector type to support multiple ticketing integrations like Jira, ServiceNow, Torq, PagerDuty and future integrations via regscale ticketing
Shorthands for parameters during regscale fedramp load-fedramp-docx to match the rev5 docx import
Removing HTML elements when parsing control IDs during regscale fedramp load-fedramp-appendix-a
Handling blank issue.dateFirstDetected field on manually created issues to prevent closures
Fixed
Updated regscale_model matching code to ignore empty strings in addition to None
Error messages during RegScale CLI Application validation
Issues not importing during regscale fedramp import-poam
OSCAL SSP NIST Validation inconsistencies during import
UUIDs not being populated during import
Missing assignedUserId during SystemRole creation
Errors during implentation_option creation when duplicates found
[6.9.1.0] - 2024-11-27
Added
incrementPoamIdentifier option to increment POAM otherIdentifier by 1 during POAM creation
Changed
Due date calculation pulls from the init settings if available; otherwise it falls back to ScannerIntegration defaults
Fixed
Updated regscale_model matching code to ignore empty strings in addition to None types
Control ID mismatch during FedRAMP import
[6.9.0.0] - 2024-11-21
Added
Parsed FQDN name to the description for the software assets parsed during regscale defender sync_cloud_resources
Fixed
Fetching more than 1000 records from Microsoft Defender for Cloud when syncing resources to RegScale
Error when parsing ipAddress for assets from Microsoft Defender for Cloud
Command prompts when creating custom mapping files for flat file imports if required fields are missing
Changed
Improved error handling during the import of files into RegScale
Fixed
Numerous bugs during the import of files into RegScale
[6.0.0] - 2024-10-24
Added
id attribute to Link RegScale model
Python 3.13 support
Changed
Updated response handling during catalog import
Updated internal testing suite
Error message when failed to parse userId from token in parse_user_id_from_jwt()
Fixed
CISA Alert ingestion
Errors when processing vulnerabilities in ScannerIntegration
URLs to use new forms in RegScale
Issue with asset_mapping mappingId to id
Issue with questionnaire and questionnaireInstance creation due to renaming properties
Removed
fitz dependency
[5.82.0] - 2024-10-22
Changed
Set default values for IssueCreation=Consolidated and VulnerabilityCreation=PoamCreation
[5.81.1] - 2024-10-18
Fixed
tenableMinimumSeverityFilter not being used during Tenable SC integration
_get_vulns_by_scan logic and returned datatype updated to properly return a list of tool_vulns
[5.81.0] - 2024-10-14
Added
Option for FedRAMP rev4 SSP docx import to allow for RegScale security profile id or name
Missing field riskCategorization to Component model
Several missing fields from Privacy model
User model:
Added roles attribute
get_by_user_id method to find a user by their user id
assign_role method to assign a role to a user
Changed
Updated Question and Questionnaire models to include default values
Token parsing logic during login
Fixed
Typing of app config to default to dict instead of _SpecialForm
Bug in questionnaire create_instance_from_questionnaire method
FedRAMP rev4 SSP docx import:
Bug causing import to freeze when checking for specific text in the document
Missing ports and protocols during import
Handling of content control elements in the document when parsing text
Removed
Duplicate name attribute on the User model
[5.80.1] - 2024-10-14
Fixed
Missing dependency causing import errors
[5.80.0] - 2024-10-14
Added
Filtering vulnerabilities by scanner in ScannerIntegration
Changed
Closing vulnerability mappings that are no longer reported by a scan
Fixed
Possible error when checking against scanningTool when no vulnerabilities are found
[5.79.0] - 2024-10-14
Added
SAP Concur support for SysDig and Tenable flat files
Object level locking to prevent duplicate creation during multithreading
[5.78.0] - 2024-10-07
Added
Optional support for grouping by Tenable Plugin inside ScannerIntegration
RegScale ID and RegScale Module parameters to Microsoft Defender jobs in Automation Manager
Threading utilities for better performance throughout the CLI
Fixed
Errors when running Wiz integrations in Automation Manager
[5.77.0] - 2024-10-03
Added
drNumber field to the Deviation model
Changed
Update Deviation model to support the new get_by_security_plan endpoint
Fixed
Error in qualys sync_qualys when the Qualys instance has < 100 vulnerabilities
[5.76.0] - 2024-09-29
Added
ipv4 as an option when retrieving the name of a Tenable IO asset
Ability to process Nessus files from S3
Pagination to Qualys integration to fetch Assets when there are more than 1000 assets
Section 8 from section 3 (table 3.1) descriptions during FedRAMP SSP import
Info message when no Tenable SC data is found
Changed
Optimized Qualys integration to use RegScale models and only fetch necessary data while avoiding rate limits
Fixed
Improved POAM import process and error handling
Enhanced date parsing and CVE validation
Implemented more robust error handling and logging
False positives on Jobs running in Automation Manager
Not using urljoin when concatenating qualysUrl from init.yaml to call Qualys APIs
[5.75.0] - 2024-09-23
Added
STIG support for Tenable
Changed
Method on running jobs in Automation Manager
Security Check field during Burp flat file import to use hex identifier per Burp documentation
[5.74.1] - 2024-09-21
Added
Resilience to POA&M importer when parsing status from sheet names
Fixed
Error during Aqua import when description is not provided; it will now be skipped and the user warned
[5.74.0] - 2024-09-19
Added
Privacy model used during parsing privacy data while importing FedRAMP .docx System Security Plan
otherIdentifier field for deviations model
Populating otherIdentifier during the deviation importer
Caching mixin for RegScale models to cache object by plan id
Ability to import eMASS SLCM .xlsm files into RegScale via regscale emass import_slcm
Support for OSCAL versions 1.1.1 and 1.1.2 catalog imports
Fix a Nessus break on invalid cache object in the parent cache
Added criticality updater for security controls in a catalog for eMASS via regscale criticality_updater import
Automation Manager jobs for Wiz integration commands: vulnerabilities, attach_sbom and add_report_evidence
Option to sync Microsoft Defender for Cloud and Microsoft Defender 365 to a provided regscale_id and regscale_module
Changed
Improved integrations import speed using new caching mixin
Changed issue.sourceReport to Burp Suite during Burp file import
Wiz command options to use --regscale_ssp_id or -id to specify the System Security Plan ID
Improved the speed and reliability of Microsoft Defender for Cloud and Microsoft Defender 365
Fixed
First seen and last seen dates not being set during Tenable SC and flat file imports
Error handling when unable to find profile during FedRAMP Rev5 .docx import
Improved Wiz issue import to prevent timeouts
Column Q (Vendor Last Check In Date) of POAM spreadsheet not being imported
FedRAMP Inventory: Handle end of life missing and populate if present
[5.73.1] - 2024-09-11
Fixed
Updated imports to optimize performance during FedRAMP Rev5 inventory workbook import
Software inventory now saving to assets properly during Aqua import
Whitespaces in part statements when importing FedRAMP Rev 5 SSP Appendix A
[5.73.0] - 2024-09-10
Added
Added Stig Mapping Engine to Scanner Integration
Added Stig Mapping json Config
Added Sbom importer from wiz sbom report into ssp
Support for Python 3.12
Added option for poamTitleType, Cve (default) or pluginId during POAM creation
RiskAdjustment field to Issue model
Changed
Updated Jira integration to add a comment to the Jira issue when creating it containing populated RegScale issue fields & link to the issue in RegScale
ScannerIntegration to use new IntegrationFindingId field in RegScale
Risk Adjustment column (Column U) logic for POAM importer to use the new RiskAdjustment field in Issues
Fixed
Fixed Duplicate Components being created in scanner integration
Delayed import of pandas
Fixed STIG Integration mappings
Fixed Model caching bug
Fixed authentication error in Okta integration
Fixed Wiz Inventory filter param
Missing F String during header error handling during flat file imports
Software inventory version datatype during Aqua import
Make sure artifacts directory exists, before trying to write files to it during Tenable integration
FedRAMP Rev5 Appendix A .docx importer:
Precedence for Not Applicable when multiple control imp statuses are selected.
"Implementation Pending" to "Planned"
[5.72.0] - 2024-08-30
Added
Aqua flat file Import:
Support for excel file types
Capabilities for extra columns
Move files routine to Nessus import
Fixed
Errors during scan file imports
Handling errors or bad data during Aqua import
Error during Nessus file import
Removed
Unused methods for Snyk, Nexpose and Prisma file imports
[5.71.0] - 2024-08-29
Added
Added Wiz report to RegScale Evidence locker via regscale wiz add_report_evidence
Option to filter work notes to update in RegScale via regscale_id and regscale_module during ServiceNow integration
Option to filter incidents from ServiceNow by adding --all False to the regscale servicenow issues_and_attachments command
find_by_service_now_id method to the Issue model to find issues with a ServiceNow Incident ID
Changed
import-fedramp-ssp-xml-rev4 command to import-fedramp-ssp-xml
Updated column logic for POAM Importer
Fixed
SystemName parsing during FedRAMP import
RegScale platform Version check
Fixed bug causing errors around object caching in the RegScale CLI
Much better performance for Tenable IO Assets and Vulnerability imports
ServiceNow integration sync_work_notes
Errors during bulk excel editor commands
[5.70.2] - 2024-08-27
Fixed
Error in check_text function during FedRAMP importer
POAM importer starting row number
Bug causing errors around object caching in the RegScale CLI
Extra spaces appearing in fields during FedRAMP Rev5 Appendix A import
Original detection date not importing during POAM import
[5.70.1] - 2024-08-23
Fixed
Handle invalid create API returns from RegScale when it returns id as 0
Update justification on RA deviations
Added
Add AdjustedRiskRating to POAM importer
[5.69.0] - 2024-08-21
Added
Durosuite Integration via regscale durosuite
Fixed
Bug causing issues to close during import
Bug preventing Wiz cli from using the project id passed
[5.68.1] - 2024-08-20
Fixed
Bug in Burp integration when assigning IPAddress
Asset identifiers not mapping correctly during Tenable Nessus integration
FileTag model to Tag to match RegScale
Error during tag creation when uploading files to RegScale via CLI
[5.68.0] - 2024-08-19
Added
Tagging model used in Files and Properties classes
TagMapping model used for mapping tags to Files or Properties
Deviation Request Forms can now be imported and saved as RegScale deviation via regscale fedramp import-drf
POAM import field mappings are improved
Added ScannerIntegration to the Tenable SC integration
New command to ServiceNow integration to sync RegScale and ServiceNow Incidents as well as their attachments via regscale servicenow issues_and_attachments
RegScale object validation to XRay import
Changed
Added ScannerIntegration to the Tenable SC integration
Updated logging for an issue breakdown before saving it to RegScale
Renamed tag model to filetag and update codebase
Made issueCreation and vulnerabilityCreation variables required and to be set by the user
Fixed
Update pluginIds for Tenable SC findings
Make sure flat file integrations create POAMs, setting the ScannerVariable
Plugin Id added to Tenable SC
regscale version check during ScannerIntegration
issueOwnerId not being set to current CLI user in Issue data model
Use a simpler and faster hashing algorithm for unique otherIdentifier naming
Removed
Unused and deprecated create_issue() method used in flat file integrations
[5.67.0] - 2024-08-09
Added
Defender flat-file import, based on ScannerIntegration class via regscale defender import_alerts
otherId to the ControlParameter model to support Rev5 OSCAL compliant catalogs
vulnerabilityCreation options
Added missing fields to ControlImplementation model
Add support for IBM AppScan CSV ingestion via regscale ibm import_appscan
Changed
FedRAMP Rev 5 SSP import to use the new otherId field in the ControlParameter model
Tenable SC integration to use ScannerIntegration class for unified parsing and record creation throughout the CLI
Fixed
Error during Jira integration when creating issues in Jira
TypeError during regscale tenable sc query_vuln command
Use IP address for nessus scan asset identifiers
Parameter names showing non-human readable format during FedRAMP Rev5 .docx import
Removed
tenable sc trend_vuln command
__eq__ and hash methods from Issue model
[5.66.1] - 2024-07-31
Fixed
Fixed broken generator and typo in IntegrationFinding for the FlatFileImporter
[5.66.0] - 2024-07-31
Added
Bulk excel editor for RegScale assessments, controls, issues, components and assets via regscale model
Changed
Burp Integration will now use ScannerIntegration
Set finding vulnerability type correctly for Flat File scans
System name parsing during FedRAMP import will now use System Name from Table 1.1; if not found, it will use the System Name from the title page
.XML import to use new otherId field, if available, to support changes in Rev 5 Catalogs
Fixed
FedRAMP appendix A import not setting control responsibility or control source
Fixed Wiz bug caused by not having preset full pull limit variable in init.yaml
[5.65.0] - 2024-07-30
Added
ScannerIntegration to the FlatFileImporter for unified parsing and record creation throughout the CLI
Changed
Renamed the ContainerScan class to FlatFileImporter
[5.64.0] - 2024-07-30
Added
Progress bars when using batch_update method in RegScale models
Changed
Improved CLI performance
Fixed
Progress bars when using batch_create method in RegScale models
Typo in burp integration
Ensure we create vulnerabilities for Wiz GHSA vulnerabilities
[5.63.1] - 2024-07-24
Fixed
Progress bars not displaying correctly
[5.63.0] - 2024-07-24
Fixed
Incorrect url in Vulnerability creation method
[5.62.0] - 2024-07-23
Changed
Updated Wiz Vulnerability and Asset integrations for new vulnerability workflow.
Fixed
FedRAMP Import Fixes:
Parameters during FedRAMP Rev4 SSP .docx import not getting created or updated
FedRAMP Rev5 .docx importer parts not importing properly
[5.61.0] - 2024-07-19
Added
Proper vulnerability and scan history creation with the Tenable SC integration
Logic to close vulnerabilities that are no longer found for any assets
Changed
Details for running active user report in Automation Manager
Improved Tenable integration code structure and optimization
Fixed
FedRAMP .docx Import:
Required fields not having a default value when not found during import
Responsible role parsing
Leveraged authorization parsing
[5.60.0] - 2024-07-16
Added
User Email report CLI functionality via regscale admin_actions user_report
Added Wiz Sbom integration to ingest Wiz SBoM data into RegScale
Ability to parse Veracode XLSX files via regscale veracode import_veracode
Support for ingesting Qualys scan artifacts into RegScale via regscale qualys import_scans
Changed
Updated Docs dockerfile
Error message when unable to log in to remove false statement of missing MFA Token
Fixed
Updated errors during login to gracefully exit instead of having exceptions on failed login
FedRAMP Rev 5 Import:
Parameters not being imported
Control Parts not populating correctly
Creating links when importing flat files
[5.59.0] - 2024-07-03
Added
Syncing JIRA tasks as RegScale tasks. Tasks will create and update in RegScale based on JIRA information
Added terraform to build RegScale CLI Lambda
Added S3 compatibility for STIG checklist processing
[5.58.0] - 2024-06-28
Added
ECR CSV and JSON file Scan ingestion via regscale ecr import_ecr
Updating catalogs via the platform regscale catalog update_via_platform
Checking the platform for updatable catalogs via regscale catalog check_for_updates
Fixed
Deprecation warnings in AirFlow container to prevent future issues
[5.57.0] - 2024-06-25
Added
FedRAMP Imports:
MultiSelect on Word docx Appendix A control implementation status; if multi-selected, set to "Not Implemented"
Importing of control-implementation status boolean status values as well as multi-select on control-origination values
Warning if control-implementation status does not match FedRAMP Approved values
[5.56.0] - 2024-06-24
Added
Support for ingesting AWS Inspector scan artifacts into RegScale via regscale aws inspector import_scans
Fixed
Sync Vulns error in Tenable IO
[5.55.0] - 2024-06-15
Changed
Endpoint used during validate_token
[5.54.0] - 2024-06-15
Added
Checking RegScale ID and module provided before running POAM import
Additional mappings during FedRAMP POAM Import
Changed
Stig Mapper to the CLI to map STIGs to RegScale Assets: added property field to match on any field of asset model
Fixed
Issue will now close if the vulnerability that created it isn't located in the nessus scan
Duplicate Vulnerabilities being created in RegScale
Fixed issue where formulas were reported as values during POAM import
[5.53.0] - 2024-06-12
Added
Added Stig Mapper to the CLI to map STIGs to RegScale Assets
Fixed
Parsing identification from Excel workbook during regscale issues load command
Error during stig integration when parsing Vulnerabilities
[5.52.0] - 2024-06-11
Changed
AttributeError during tenable io sync_assets command
Updated consistency in CVE and Title mapping during flat file imports
Controls with no data during FedRAMP .docx import are now set to "Not Implemented" instead of "NA"
Fixed
Fixed date time string parsing during tenable io sync_vulns command
Parts not being mapped even though they are in the FedRAMP .docx document
Various bugs parsing CVE when creating CVEs during regscale wiz vulnerabilities command
[5.51.0] - 2024-06-10
Changed
Updated Tenable IO to use delta loads to follow Tenable integration standards
Fixed
Email subject sent to users with upcoming items when using admin_actions send_reminders
Timing warnings will only be displayed if logger level is set to DEBUG
Logic using Aqua, Burp, ECR, Nexpose, Prisma, Snyk, & XRay flat file imports to close issues in RegScale if they are not found in subsequent flat file imports
[5.50.0] - 2024-06-06
Added
STIG integration for importing assets, creating Issues and setting Control Status from STIG files.
[BETA] FedRAMP Rev5 CIS/CRM import via regscale fedramp import-cis-crm
[BETA] FedRAMP POAM worksheet import to RegScale issues via regscale fedramp import-poam
File tags during FedRAMP XML import
Link creation during Prisma and Snyk flat file imports on issues if a link is available during parsing
Logic to close issues in RegScale if they are not found in subsequent flat file imports (Aqua, Burp, ECR, Nexpose, Prisma, Snyk, & XRay)
Wiz Cloud Configuration, Host and Data Findings
Fixed
Fixed issues of missing parts on FedRAMP Docx importer
Error during regscale wiz issues command
Fixed issues of missing params on FedRAMP Docx importer
Updated Tenable SC to not use the now deprecated api.update_server method
KeyError experienced during prisma import_prisma
Mapping asset.find_os if no operating system is provided
Possible AttributeError during ecr import_ecr
Reduced import time to speed up commands
Changed
Updated Tenable IO asset fetch to cache on disk instead of memory
Removed
regscale stig command, replaced with regscale stigv2
[5.49.0] - 2024-05-24
Changed
When uploading a FedRAMP Rev5 .docx SSP when using regscale-rest, you will be redirected to the created SSP in RegScale upon completion
Logging for missing controls during FedRAMP .xml import
Fixed
Param and objective mappings now parse correctly during FedRAMP Rev5 .docx import
Importing FedRAMP Rev5 .docx SSPs with Appendix A .docx file now works correctly in the flask application when using regscale-rest
Parsing and importing components during .xml import in the flask application when using regscale-rest
[5.48.0] - 2024-05-22
Added
Command to import a FedRAMP Rev5 appendix a to an existing SSP in RegScale via fedramp load-fedramp-appendix-a
Option to import Rev 4 .docx SSPs with Appendix A .docx file in the flask application when using regscale-rest
Fixed
FedRAMP command to execute correctly: fedramp import-fedramp-ssp-xml-rev4
Styling issue on counts on the FedRAMP import SSP results page
[5.47.0] - 2024-05-21
Added
Feedback on the page during the SSP import process when using regscale-rest and uploading a FedRAMP .XML System Security Plan
Changed
Updated UI in the file import process when using regscale-rest
When clicking the view SSP during a FedRAMP import, the SSP will now open in a new tab
[5.46.0] - 2024-05-17
Added
More integrations and jobs to populate Automation Manager in RegScale
Vulnerability information during wiz issues command
Fixed
Error when creating issues in tenable sc query_vuln
[5.45.0] - 2024-05-15
Added
NessusReport.close_issues method to handle automatically closing issues based on scans
ReportGenerator class to easily generate simple .csv reports from a list of changed objects which can be uploaded to RegScale and/or saved locally
Changed
Updated Tenable IO integration to use the Exports API for asset downloading
[5.44.0] - 2024-05-13
Added
A --server flag to the regscale version command to pull down the RegScale server version, if available
Log file uploaded to SSP when importing FedRAMP documents via CLI
Fixed
Date parsing in CISA integration
[5.43.0] - 2024-05-09
Added
Visual feedback when creating data in RegScale during regscale wiz issues command
Vulnerabilities that are not in subsequent scans are closed as well as issues related to those vulnerabilities
Changed
Removed Vulnerability ID from the expected headers for the regscale prisma import
Updated regscale nexpose import to map the IP Address using the IP Address column
Improved speed during regscale wiz issues command
Fixed
Error when uploading a .PDF file via regscale upload_file, the file preview was not displaying
FedRAMP Rev5 Importer:
Errors during Implementation Options
Required fields for parameters
Leveraged Authorization parsing
[5.42.0] - 2024-05-07
Added
Internal testing for the flask application
Fixed
Flask application not starting when running regscale-rest command
[5.41.1] - 2024-05-06
Fixed
Error during the Nessus import functionality
[5.41.0] - 2024-05-03
Added
FedRAMP Rev5 Imports:
Inventory .xlsx importer
Appendix A .docx importer
Added Catalog Sync Security Plan to sync a security plan with an updated catalog
Changed
Updated Catalog Updater to work with newer catalogs
Changed
get_all_by_parent on Assets to use the new get_all_by_search API endpoint
[5.40.0] - 2024-05-01
Added
Wiz vulnerability integration to ingest Wiz vulnerability data into RegScale
processStatus to Asset model which maps to NSA-Approved Process Status
Fixed
KeyError when parsing # of days from init.yaml if it wasn't populated during flat file vulnerability imports
Security
Updated dependencies
[5.39.0] - 2024-04-26
Added
Amazon ECR container scan support to the CLI
Changed
Updated approach on fetching vulnerability data from Qualys to prevent timeout errors
Fixed
Wiz issues integration not being able to create/update issues in RegScale
Date parsing during CISA integration
Error during Intune integration when a device has never logged in
Burp ingest error on NoneType response data
Multiple possible errors during the Qualys integration
Parsing users during FedRAMP Rev5 XML import
Error when parsing components with no implementation statements during oscal component
Security
Reworked the RegScale-CLI container build process
[5.38.0] - 2024-04-15
Fixed
Date parsing bug that would fail on oddly formatted date strings during Aqua import
Help text within the Aqua integration.
Wiz issues integration not being able to create/update issues in RegScale
Errors during Oscal component import
[5.37.0] - 2024-04-09
Security
Updated dependency versions
Added
Functionality for FedRAMP XML import to support rev4 and rev 5 OSCAL XML as they are all 1.x.x versions of OSCAL
New registry file for catalog downloads
Fixed
Multiple errors during the Intune integration
FedRAMP rev5 OSCAL XML Import:
Responsible parties not being correctly parsed
Added parameter parsing for inclusion of odp parameters
FedRAMP rev4 OSCAL XML Import:
Address FedRAMP default system role import assignments
Parts parsing for implementationObjectives
Optimization for security control lookups
[5.36.0] - 2024-03-29
Added
Option to add assets under components for scanner integration
--scan_date option to flat file imports: Aqua, Prisma, Nexpose, and Snyk
Changed
Improved logging messages and outputs during the Jira integration
Fixed
Duplicating issues in Jira and RegScale during Jira integration
Email message sent from admin_actions send_reminders now uses the correct styling
Bug that could cause a Scan creation to fail in the Tenable Nessus integration
Bug in GCP Integrations where it didn't match control ids in a case-insensitive manner
Missing mapping files during the Crowdstrike integration
Added a catalog import function to the catalog cli. This will use the new RegScale Catalog import API.
FedRAMP rev4 .docx importer:
Controls not being imported
Incorrect parsing of system roles
Changed
Wiz issues:
Now utilizes graphql client
Improved issue data mapping
[5.35.0] - 2024-03-20
Added
XRay integration to ingest .json files into RegScale as assets, issues, vulnerabilities and scans to a Security Plan in RegScale
Logic to handle more columns than required during Nexpose, Snyk & Prisma imports
Prepared By and Prepared For tables to the FedRAMP Rev4 .docx importer
FedRAMP Rev4 .docx Importer:
Version from title page
Prepared By and Prepared For tables
Fixed
Inventory Asset Mapping for Wiz integration
Additional endpoints to Issue model to support batch_update & batch_create
Fixed
GCP Integration: Fixed issue with asset import and component mappings
[5.34.0] - 2024-03-14
Added
Stigv2 integration for importing assets from STIG files.
Fixed
Failed issue creation during AWS integration
Error finding unique object during GCP integration
Errors during Prisma flat file import
Errors during Snyk flat file import
Errors during Aqua flat file import
Errors during Nexpose flat file import
[5.33.1] - 2024-03-08
Added
Profile data object to match RegScale data model
Changed
FedRAMP Rev4 .docx importer
Improved logging for controls and leveraged authorizations
Sped up SystemRole processing
Fixed
FedRAMP Rev4 .docx importer
Prematurely ending the import process when parsed controls > base profile controls
Parsing port numbers and protocols
Incorrect number of controls imported displayed on SSP Import Results Summary
[5.33.0] - 2024-03-07
Added
crowdstrikeBaseUrl to the init.yaml file
Changed
Updated regscale emass populate_controls to use CCIs instead of control IDs when mapping assessment results
Fixed AttributeError during GCP integration and Prisma flat file import
[5.32.0] - 2024-02-29
Added
Cloud service fields and cloud deployment fields when parsing FedRAMP .docx during import
Purpose statement during FedRAMP document import
Changed
Updated Cryptography version to 42.0.0 to remove security vulnerabilities
Fixed bug causing System Description to not be populated during FedRAMP document import
AutoCompress large files, warn user when a file is too large to post to RegScale
Added testing for file uploads and deletion in RegScale
[5.31.0] - 2024-02-24
Added
Added GraphQL client and handler for GraphQL queries
Stigv2 integration for importing assets from STIG files.
Changed
Refactored Wiz Inventory integration to use GraphQL client and handler
Fixed issue during Burp integration when creating issues in RegScale
Separated Nexpose and Prisma flat file ingest into two separate integrations
ServiceNow's data fetching and issue/incident syncing to be more consistent and reliable
Improved control editor file not found error to gracefully exit
Modified System Roles to populate correctly during regscale fedramp doc imports
[5.30.2] - 2024-02-16
Added
N/A
Changed
Fixed System Role and Leveraged Authorization errors during creation and updating experienced in the FedRAMP integration
[5.30.1] - 2024-02-16
Added
N/A
Changed
Improved healthcheck to fail gracefully when no domain is set
Bugfixes:
Corrected incorrect mapping control assessments during regscale emass populate_controls
Added logic to handle instances with no facilities and/or organizations correctly in regscale assessments integration
Incorrect hash when downloading attachments from RegScale during Jira integration
False 401 error during regscale login when expired token in init.yaml
Fixed Wiz and Tenable Nessus bugs when creating Assets and Issues
Fixed bug with CatalogCompare, now it will increment Tests, objectives and parameters correctly
[5.30.0] - 2024-02-14
Added
Summary report to inform user what was updated in RegScale when syncing vulnerabilities in Tenable IO integration
Changed
Fixed various bugs experienced during Wiz integration
Updated AWS integration by removing deprecated functions and improved internal testing
Fixed Issue with CrowdStrike integration while fetching existing incidents from RegScale
[5.29.0] - 2024-02-09
Added
N/A
Changed
Updated Tenable IO to cache vulnerability results from Tenable to disk, instead of memory.
Use the tenableMinimumSeverityFilter config value as a filter for Tenable vulnerabilities
Fixed issue in application.save_config not updating config in API_Handler or API classes
API_Handler is now an extension of the Application class
API object no longer needs Application class to be instantiated
Improved internal testing for supported versions of Python
[5.28.4] - 2024-02-02
Added
Additional columns to wrap text in Control Editor workbooks
Changed
Fixed methods in Assessment, Catalog and CustomField models
[5.28.3] - 2024-02-01
Added
Aqua integration to ingest Aqua .csv exports into RegScale via regscale aqua
Changed
Enhanced Wiz inventory report processing
Crowdstrike model parsing to better align to RegScale data models
Fixed issue in GCP integration where duplicate assessments were created
Updated models to use the newest version of Pydantic
Updated Airflow to version 2.8.1
[5.28.2] - 2024-01-25
Added
GCP Features: Added passing controls, create issues for findings and ability to scan on a project or organization level
Changed
Bugfix: Fixed issue in tenable io integration causing incorrect vulnerability counts & possible KeyErrors
[5.28.1] - 2024-01-24
Added
Snyk CLI Integration added to ingest Snyk .xlsx exports as assets, issues, vulnerabilities and scans to a Security Plan in RegScale
Changed
Fixed multiple issues during FedRAMP XML and .DOCx imports
Updated dependencies to latest versions
Hardened docker container image
[5.28.0] - 2024-01-17
Added
Logic during the setup process to prevent installation of the CLI if the user is not using a supported version of Python
Google Cloud Platform integration to pull assets and findings from GCP into RegScale via regscale gcp
Changed
Improved memory usage by leveraging pickling instead of passing large objects between methods
Improved batch insert and update methods for Issue model
Updated batch insert and update methods with improved batch functionality to Asset model
Batch issue (still defaulting to threading) is not enabled yet, but will be in a subsequent release
[5.27.0] - 2024-01-13
Added
Palo Alto/Prisma integration to ingest .csv files into RegScale as assets, issues, vulnerabilities and scans to a Security Plan in RegScale
Rapid7/Nexpose integration to ingest .csv files into RegScale as assets, issues, vulnerabilities and scans to a Security Plan in RegScale
Logic to wiz integration to add assessments to implementations from the data returned from Wiz
Changed
Bugfixes:
Compliance report could have passing and failing control ids for the same control
Added logic to prevent crashes during Crowdstrike integration when unable to find techniques
Issue not allowing you to run the regscale-cli container as a flask api server with regscale-rest entry point
Improved testing for Sicura integration
KeyError with tag_values in the Nessus integration when no tag key is present
Update batch insert and update methods with improved batch functionality to Asset model
Refactored DAGs to match expected format for RegScale Automation panel
Refactored CLI to allow pulling config from platform if running in an Airflow container
[5.26.0] - 2023-12-20
Added
N/A
Changed
Bugfixes:
Error during asset creation in the STIG integration
regscale sicura sync_nodes only worked with a record that had existing assets
False negative during regscale validate_token when the user was not an administrator
regscale sicura sync_nodes didn't verify provided regscale_module before proceeding
False positive of differences.txt being created when no differences found during regscale assessments
Updated error message when using a CLI command with an invalid token in the init.yaml
[5.25.0] - 2023-12-15
Added
Support for ingesting Burp Suite scan results into RegScale using regscale burp
Ability to sync compliance posture for Crowdstrike with CSF and NIST 800-53R5 frameworks via regscale crowdstrike sync_compliance
Sicura integration to sync nodes and scans into RegScale as Assets and Security Checks via regscale sicura
Changed
Refactored regscale assessments for better performance and maintainability
Bugfix: Changed approach on concatenating urls in regscale catalog update
Bugfix: Incorrectly parsing userId from service account token when using regscale login --token
Bugfix: Ensure the compliance score data is populating correctly regscale tenable io sync_compliance_controls
[5.24.0] - 2023-11-29
Added
Total Available Ram to the env_info command
TenableNessusId and BurpId to the Issues data model
Internal notification during release workflow
Changed
Fixed Bug causing control implementations to error during creation whilst using FedRAMP docx import
Added progress bars to the regscale catalog update command for real time feedback during the process
[5.23.1] - 2023-11-14
Added
regscale env_info command to display the current environment information running the RegScale CLI
Changed
Optimized CISA integration and data presentation
Rewrote the update catalog command to be more efficient and granular
Bugfixes:
Added default timeout of 60 for all API requests
Add scan file as artifact to SSP
Fixed issue in Plugin integration model with a non Optional field
Improved error handling during the Wiz integration
[5.23.0] - 2023-11-08
Added
tenable nessus Tenable Nessus support added to RegScale. Imports Nessus scans and assets to RegScale and creates issues if significant vulnerabilities are found
Changed
Bugfixes:
Code cleanup during Wiz integration that caused GraphQL errors and inconsistencies
Added more checks when analyzing data from Wiz to prevent duplicate issues in RegScale
[5.22.0] - 2023-11-01
Added
N/A
Changed
Bugfixes:
Fixed issue where files uploaded to RegScale via CLI were missing the Upload Date
Fixed issue causing FedRAMP docx not working until a version selection was made
[5.21.1] - 2023-10-31
Added
regscale-dev make-docs command to create Sphinx documentation for the RegScale CLI
Changed
Bugfix: Fixed issue causing FedRAMP docx import to fail during system role parsing
[5.21.0] - 2023-10-24
Added
regscale-dev analyze command to analyze the maintainability, tech debt, and other metrics of the RegScale-CLI codebase
send reminders dag in airflow to send reminder emails for any Assessments, Issues, Tasks, Data Calls, Security Plans, and Workflows for the users that have email notifications enabled
Changed
Color for regscale control_editor to gray
regscale-dev calculate-start-time now defaults to a 0 instead of a None if the regex is not met
Wiz issues are now merged by the issue type, the individual Wiz ID's will show up in the issue description
[5.20.2] - 2023-10-18
Added
Added two new fields to asset data model to match RegScale asset data model
Diagram Level
Location
Changed
N/A
[5.20.1] - 2023-10-12
Added
Ability to add Control Owner during regscale control_editor
Highlighted columns in Excel workbook indicating editable data when using regscale control_editor
Changed
Bugfix: Fixed errors causing Wiz to crash when fetching all items
[5.20.0] - 2023-10-10
Added
Logic to parse date during license validation to support different date formats
Changed
regscale init now defaults to passed domain and will also log in with a token if passed and skip-prompts is passed
Updated Airflow to version 2.7
Bugfix: Fixed issue with regscale-dev calculate-start-time on different linux distributions
Bugfix: Improved error handling when using regscale-rest uploader pages
[BETA] Regscale-CLI REST Server Docker image
Bugfix: Fixed console log during Jira integration always showing a 0 when updating issues in RegScale
[5.19.0] - 2023-10-02
Added
STIG Uploader page that supports single .ckl and .zip file uploads in regscale-rest
FedRAMP Rev4 .docx SSP uploader in regscale-rest
Changed
Bugfix: Fixed issue causing regscale-rest not to load .html templates
Bugfix: Fixed issues in Tenable integration causing unexpected crashes
Bugfix: STIG crashes, optimization and ability to recursively search directory for .ckl files if not found at provided parent directory
Bugfix: Fixed multiple crash points experienced during FedRAMP Rev 4 .docx SSP import in fedramp load-fedramp-docx
[5.18.2] - 2023-09-26
Added
Support for Tenable.io to existing Tenable integration
New data model for Risks
regscale-dev Click command for testing the speed and performance of the RegScale CLI
regscale[airflow-sqlserver] extra to allow for SQL Server integration with Airflow, while not requiring it for airflow
Changed
Bugfix: Removed bugs causing regscale migrations to fail while optimizing the workflow
Improved AWS integration performance
Bugfix: Removed creation of duplicate assets and checklists
[5.18.1] - 2023-09-21
Added
N/A
Changed
Removed | operator to prevent crashes while using the CLI with Python 3.9
[5.18.0] - 2023-09-20
Added
Add [airflow-azure] extra for managing Azure Airflow deployments
Logic to nist sort_control_ids command to retry failed controls
Changed
Optimized: regscale nist sort_control_ids command to iterate all controls one time while sorting the control ids instead of multiple loops
Enhancement: Save wiz json data to RegScale properties instead of dumping to description field
Wiz Enhancements:
Save wiz json data to RegScale properties instead of dumping to description field
Refactoring code for readability and bugfixes
GitHub Workflows related to airflow
Bugfix: Fixed issue while processing system roles in regscale fedramp load-fedramp-docx
[5.17.1] - 2023-09-13
Added
Description for the regscale upload_file command
[BETA] Added Crowdstrike integration to pull incidents from Crowdstrike as incidents and assets in RegScale
Changed
Removed remaining getAll calls from STIG integration
Bugfixes in STIG integration
Bugfix in the FedRAMP parse .docx command
[5.17.0] - 2023-09-13
Added
Added regscale upload_file to upload a file to RegScale that will parse embedded base64 tags and upload them as well
Added functionality to SecurityPlan class to create new ssp from an SSP model
Added ability to upload files via requests to RegScale-CLI REST API
Added a File Upload GUI to the RegScale-CLI REST API
Added log message when validating token
Changed
Improved url normalizing to support domain without trailing slash in init.yaml
Replaced all getAll calls in the CLI because of their removal in RegScale
Bugfix: Fixed errors encountered during FedRAMP .docx importing to RegScale
Bugfix: Unable to authenticate with Wiz
[5.15.0] - 2023-08-22
Added
Airflow DAG to reset init.yaml if needed
Changed
Updated DAG setup method to correct for a bug
Streamlined Airflow Dockerfile for cloud deployment
Fixed a merge error artifact in Dockerfile.ironbank
Added handling in airflow_init.sh to create database if it does not exist
DAG docstring updates for knowing required params on platform
Expanded DAG timeout execution to 3 hours
regscale init modified to properly set domain from env or if passed
Added helpful console outputs and instructions when running API client via regscale-rest
Refactored regscale catalog update for a better and faster user experience
Bugfixes: updated multiple bugs encountered during the catalog update
[5.14.1] - 2023-08-18
Added
Better error handling when logging into RegScale
Parsing userId from the token when logging in with a token and now saves it to init.yaml
Added mfa_token parameter to the regscale init command
Changed
Bugfix: If using regscale login with environment variables, the domain will now be saved to init.yaml to prevent future errors during a workflow
Removed REGSCALE_USERNAME occurrences to use REGSCALE_USER instead
[5.14.0] - 2023-08-15
Added
Added SonarCloud integration along with Airflow DAG to pull in SonarCloud issues
Changed
Fixed issue for Airflow DAGs that were not running due to incorrect config template
Various bugfixes for catalog updater
[5.13.1] - 2023-08-10
Added
Additional logging for interactions with Salesforce when uploading attachments
Airflow DAGs to separate CISA operations into separate DAGs
Added Dependabot to scan GitHub repo via CLI, DAGs, and REST API
Changed
Bugfix: corrected issue in ReadMe.io version workflow that prevented the version from being updated during release
Temporarily removed SQL Server integration until dependency conflict is resolved
Bugfix: Fixed issue in Salesforce integration causing duplicate attachments in Salesforce & updated console outputs during task
[5.13.0] - 2023-08-08
Added
[BETA] Functionality to update existing catalogs in RegScale via CLI command
[BETA] Added Salesforce integration to sync Cases in Salesforce and Issues in RegScale along with attachments
Airflow DAGs to pull in Recommendations, Alerts from Microsoft Defender 365 and Alerts from Defender for Cloud
Added sql server integration
Added workflow model and workflow helper functions
Changed
Bugfix: fixed dags that were experiencing issues during execution
Updated FedRAMP integration to include more information in SSP in RegScale
Refactored data models of RegScale objects to use Pydantic
[5.12.1] - 2023-08-02
Added
N/A
Changed
Removed duplicate workflow that updates changelog in ReadMe.io
Bugfix: Jira workflow now uploads attachments when creating new issues in RegScale
Refactored delete_file function in regscale assessments integration to prevent trying to delete an entire directory
[5.12.0] - 2023-08-02
Added
Added the ability to pull REGSCALE_USERNAME, REGSCALE_PASSWORD and REGSCALE_DOMAIN from the environment variables to streamline regscale login and regscale init commands
Added an optional param to regscale login: domain
if the environment or param options are not populated for --domain or REGSCALE_DOMAIN, regscale login will parse domain from init.yaml
If REGSCALE_USERNAME, REGSCALE_PASSWORD environment variables are not populated, the regscale login will revert back to prompting the user for username & password
Added Wiz issues and inventory Dags for running wiz through the airflow pipeline
Added attachment syncing in the Jira integration to sync issue's attachments between RegScale and Jira
Changed
Updated Dockerfile to install all dependencies unless --build-arg="EXTRA=<extra>" is specified; this allows the container to run Airflow or the Flask API server, and it defaults to the CLI
Changed the flask server to bind to "0.0.0.0" instead of "localhost"/"127.0.0.1" so it can be bound to a local port while running in a Docker container
Refactored CLI to use the RegScaleAuth pydantic class for Platform authentication
Refactored login command to check provided token's validity before saving to init.yaml
Fix Typo in servicenow integration.
Bugfix: fixed KeyError possibility with wizIssuesReportId
Bugfix: None properties causing index error in Wiz integration
Removed dynamically created dags from Airflow
Updated Jira integration to be bidirectional, issues can be created in RegScale from a Jira board
[5.11.0] - 2023-07-19
Added
Airflow Documentation and default configurations as well as a yesterday() function for scheduling yesterday
Airflow image is pushed to Dockerhub
Airflow DAGs for Tenable, GitLab & Wiz integrations
Changed
Bugfix: fixed issue when trying to login with a token instead of username & password
Bugfix: fixed error when trying to run CLI flask application
Hotfix: fixed authentication with RegScale 5.11 or higher. MFAToken is sometimes required.
[5.10.0] - 2023-07-12
Added
regscale version command to quickly print the version of RegScale-CLI installed
File monitoring tools for development, along with watchdog dev dependency and a dev submodule for development help
Added file utilities to print contents
Changed
[BETA] regscale-rest command now invokes a simple server, with one thread and no concurrency to prevent overwriting of init yaml
Fixed issue with GitLab url variable naming
Bugfix: Implemented logic to fix AWS integration
[5.9.0] - 2023-07-05
Added
N/A
Changed
Fixed missing commands for GitLab integration
Added support for the new DOD catalog
Fixed bug with SSP level option id's not being set properly in STIG integration
Replaced click.argument with click.option in regscale oscal component
[5.8.0] - 2023-06-27
Added
regscale[server] extra capable of running regscale-server, which launches a REST API
this is dynamically generated via the click infrastructure, and if params are passed, it is assigned POST method
if no params on the command, then GET method is assumed.
This will work with the current init.yaml if ran in the same directory
This can also work with the future AppConfig.
POAM/ Issues CLI feature to edit and update existing issues in RegScale via CLI
Evidence Build_Package Command for FedRAMP go to market audit process
GitLab integration to pull issues into RegScale with or without links from description
Changed
Updated error handling for Wiz when invalid credentials provided
Fixed bug in Tenable integration when creating issues in RegScale when Tenable returned zero results
Refactored catalog utils, replaced export verbiage to download
Refactored and fixed bugs in test_poam_editor.py for better test execution
[5.7.0] - 2023-06-21
Added
jwt-token parameter for regscale login command
Timeout parameter for get_all_from_module function in regscale.core.utils.app_utils.py
Changed
regscale login command to use a jwt-token parameter
Updated and refactored Control Editor CLI feature that includes minor bug fix and testing coverage
Updated and refactored Assessment Editor CLI feature and testing coverage
Changed starlette version from 0.26.1 to 0.27.0
Updated the UBI.Dockerfile to have fewer vulnerabilities while being 500+ MB smaller
Fixed bug for OSCAL components being updated in RegScale
[5.6.1] - 2023-06-07
Added
N/A
Changed
Fixed bug with Wiz issues and assets
[5.6.0] - 2023-06-07
Added
Workflow to automatically push RegScale-CLI+Airflow to ACR and deploy airflow containerapp
Azure Intune Support
Query devices from Intune and sync with RegScale
If a device is not compliant, a RegScale issue will be created
Added Azure tests
Changed
Removed duplicate workflow for updating changelog in ReadMe.io
Fixed issue with Intune integration where assets and issues could be duplicated.
Fixed incorrect string on click parent id description.
Fixed bug with STIG issue data type, it was using the asdict() method on a Pydantic dataclass.
Fixed bug in STIG objective status counter that was causing erroneous implementation status updates.
[5.5.0] - 2023-05-31
Added
AppConfig class example with basic auth
Workflow to automatically update the CHANGELOG (CLI) on ReadMe.io when a new release is created
Workflow to automatically update the version on ReadMe.io when a new release is created
Changed
N/A
[5.4.0] - 2023-05-25
Added
AppConfig and Providers class to be implemented with new platform config endpoint
RegScaleAuth class that can be used with RegScaleAuth.authenticate() to return a RegScaleAuth object authenticated via env vars.
includes .refresh() to refresh a new token
.token property returns auth_token secret value, .username is RegScale user and .password is RegScale password as a SecretStr.
domain is retrieved from REGSCALE_DOMAIN and it can be 'dev' for dev.regscale.io or 'yourcompany.regscale.io'
generate_regscale_domain_url(domain: str) will generate an f-string to {REGSCALE_DOMAIN}.regscale.io; with no default, it raises an error
regscale.core.static.regex <- precompiled regexes for use elsewhere
Bug fix: Enforce Path type for input and output in oscal cli wrapper
Bug fix: Update Tenable integration
Refactor assessment editor
[4.20.1] - 2023-03-11
Added
New standalone CLI to export, import, and migrate Control Implementations and Parameters between Security Plans
Added generation of Red Hat Universal Baseline Image (UBI) dockerfile
Changed
Update build process to also generate Red Hat Universal Baseline Image (UBI)
[4.20.0] - 2023-03-07
Added
New standalone CLI to export, import, and migrate Control Implementations and Parameters between Security Plans
[4.20.0] - 2023-03-08
Changed
Provide helpful Alien Vault error on failed API key
Revised populating eMASS SSP spreadsheet assessment fields to highlight cells missing data and add comments on what needs to be done by the user
Updated Wiz integration: import SecurityChecks and Recommended Actions to RegScale Issues; concatenate imported securityChecks with updated Wiz control IDs; update default Wiz report age
Updated missing docstrings and missing function typing
[4.19.2] - 2023-03-03
Changed
Bug Fix: Implemented logic to get the correct sort id for older catalogs in nist sort_control_ids
[4.19.0] - 2023-03-01
Added
New [BETA] Alien Vault OTX threat integration to pull pulse information into RegScale
New [BETA] Update an eMASS controls formatted workbook with controls with assessments from RegScale with the provided SSP ID
Changed
Security: Removed credentials used for testing integrations replacing with GitHub action secrets
Bug Fix: Control Editor problem preventing spreadsheet generation
Refactored Control Editor to use GraphQL
[4.18.2] - 2023-02-24
Changed
Bug Fix: Improve FedRAMP import with better handling of exceptions.
[4.18.1] - 2023-02-23
Changed
Bug Fix: Correct parsing of FedRAMP OSCAL catalogues
Updated GraphQL query and logic for send_reminders function
Updated docstrings for reformat_str_date function
Corrected typo in CHANGELOG
[4.18.0] - 2023-02-22
Added
New support for OSCAL 1.0.4 and the Australian ISM catalog
New support for editing assessments in a spreadsheet external to RegScale
Add --obj_to_control option to oscal command to convert 800-53 objectives to controls during catalogue import
Add --new_catalog_name option to oscal command to define catalogue name during import
Changed
Bug Fix: Correct parsing of NIST 800-53 Rev 5 objectives and parameters
Improve outputs of OSCAL import to be clearer and more concise during the workflow
Update package testing instructions in README
Update docker tag to "latest"
[4.17.2] - 2023-02-20
Changed
Revised order of Python libraries
[4.17.0] - 2023-02-15
Changed
Bug Fix: Updated logs & console output for encrypt/decrypt and fixed bug causing user to set their password twice for the first time
[4.16.2] - 2023-02-09
Changed
Bug Fix: Fixed bug in GraphQL function when normalizing the provided URL
[4.16.1] - 2023-02-09
Changed
Bug Fix: Refactored evidence CLI to prevent code from executing prematurely
[4.16.0] - 2023-02-08
Added
New Microsoft 365 Defender to pull alerts from Microsoft 365 into RegScale
New GitHub NPM audit scan integration to create assessments and related issues in RegScale from NPM audit scan of main branch
New sort CLI to batch sort in natural order NIST controls
Added better error handling to api.graph
Added additional links to readme.io docs
Added links to internal CLI developer standards and GraphQL documentation
Changed
Bug Fix: Fix failed jiraId keyError
Bug Fix: Fix OSCAL import test
Bug Fix: Change click sequence to fix broken test_evidence imports
Improve OSCAL CLI to load Australian ISM catalog
Change threaded process terminal output to prevent excessive threaded pool warnings
Improve testing of evidence CLI
Update cryptography library
[4.15.2] - 2023-02-3
Changed
Changed default mapping of control status from imported FedRAMP SSP to Not Implemented
[4.15.1] - 2023-02-1
Changed
Bug Fix: Fix the CLI looking for file dump path that does not exist
Bug Fix: The list of acceptable file types was too limited for FedRAMP documents
Bug Fix: Update build script to properly handle all sections of version
[4.15.0] - 2023-01-31
Added
Added check for maxThreads to prevent users from being IP-banned by CISA
Fixed typos throughout the application and duplicate periods within console
Improved Wiz integration to prevent duplicate record creation and other enhancements
[4.14.0] - 2023-01-24
Added
New GitHub Dependabot integration to import Dependabot found package vulnerabilities into RegScale
Added special data migration script to support many to many inheritance
Changed
Bug Fix: Errors between RegScale-CLI and RegScale with Tenable methods
Bug Fix: Cognito log in error
[4.13.0] - 2023-01-19
RegScale-CLI 4.13.0 adds new integrations and refactors the application for greater long-term extensibility
The big leap in version number synchronizes RegScale-CLI version with RegScale version.
IMPORTANT: init.yaml parameter names changed in 4.13.0.
Certain init.yaml parameters changed in 4.13.0 to standardize parameter names to camelCase.
RegScale-CLI automatically adds in new and missing parameters and leaves existing parameters in place.
Be sure to check and update your existing init.yaml parameters.
Method 1 – move, generate, diff, and manually edit
# move init.yaml to backup
mv init.yaml init-bak.yaml
# generate fresh init.yaml
regscale init
# diff backup to fresh to see changes
diff init-bak.yaml init.yaml
# manually edit init.yaml to copy values from the params in the backup into the new params in the fresh init.yaml
Method 2 – add new and manually edit
# run regscale to add in new/missing params
regscale about
# manually edit init.yaml to copy values around from old params into new params
Added
New Okta integration to pull different users from Okta core API
New FedRAMP SSP docx import to RegScale support
New Azure Microsoft Defender for Cloud to pull alerts from Azure into RegScale
New initialization workflow for setting up RegScale CLI
Added workflows to reminder command
Added bulk control editing via Excel
Added persistent CHANGELOG file for releases
Added Microsoft Defender for Cloud (DFC) integration that will create issues in RegScale for DFC alerts
Changed
Removed support for Python 3.8 to support Python typing
Bug Fix: Include missing requirements
Bug Fix: Replaced built in tuple for Python 3.8 crashes
Bug Fix: Minor bug fixes for functions throughout the application
Bug Fix: Standardize to Python Yaml "pyaml" package to correct packaging issue
Lines of Inquiry Files Mini-Subsystem saves correctly
Server-side timestamps are in UTC
Comment dates render correctly
Set default SortId for Security Controls
"Not Applicable" selection within Control Settings works correctly
Continuous Monitoring test creation works correctly
SaaS auto-issued temporary passwords for new users work correctly
Task closed date can be modified
Evidence frequency changes correctly change the Next Update Due Date field
Assessment results can be changed
Security
Applied routine dependency upgrades to enhance security and stability
[6.15.2.0] - 2025-03-12
Changed
RegML Extractor file upload uses standard file input
Improved RegML Extractor experience
Fixed
"Extract All" option restored in RegML Extractor
Custom fields work correctly after upgrade.
[6.15.1.0] - 2025-03-11
Added
"Copy Link" button for easier access to Questionnaire Self-Assign URL
Validation messages for invalid LOI Assessments
Warning message displayed on the page if a record could not be deleted due to dependencies
Changed
Platform Deviation Form evidence attachments now return to a rich text field
Make user wait to download another catalog when one is already being added to RegScale
"Catalogues - Control Framework Gap Report" renamed to "Control Framework Gap Report (RegScale)"
"Catalogues - UCF Control Overlap Report" renamed to "Control Framework Gap Report (UCF)"
Removed
Import Profile button on a Security Profile record
New Profile button on the Security Plan Builder
Fixed
Evidence Owner field is set correctly for evidence workflows
Evidence collection mapping system displays the control ID and the parent ID
Uploading files to a Kanban task works as expected
DOE SSP export works as expected
FedRAMP Appendix A export works as expected
FedRAMP Deviation Request export works as expected
FedRAMP Inventory export works as expected
FedRAMP POAMs export works as expected
FedRAMP SSP export works as expected, including Tables 7.1, 8.1, 10.1, and Inventory discrepancies
Control test plan creation displays validation warnings for missing information
Leveraged Authorization field on a security plan can be unset
Previous and next navigation buttons in the Control Builder load the correct control information
Advanced search works correctly when searching by organization membership or facility
Advanced search works correctly for fields with multi-select dropdowns
Kanban tasks can be due on the current date
Selecting a control for a questionnaire question works as expected
Built-in reports appear correctly in on-prem instances
Evidence module can be accessed with the following roles: SecurityPlanUser, AssessmentUser, SupplyChainUser
Lines of Inquiry test results of "Not Applicable" are excluded from the compliant calculation
Lines of Inquiry validation messages are displayed
Lines of Inquiry gauge colors are no longer hardcoded
Dropdown lists render correctly in dark mode
Duplicate dropdown values removed from Assets and other modules
Sorting by date or user in GridView works correctly
White space bug preventing full scrolling fixed
Swagger loads correctly in all environments
File uploads in Subsystem Kanban no longer disappear on refresh
Tailored Export evidence on Controls is correctly represented
Tailored Export missing data location issue addressed
Control Implementation status updates correctly and does not cache on first save
Incident and Threat addition in Risks functions as expected
Change Record - Outages Start and End Dates save correctly
Security
Routine hardening and patching
[6.15.0.0] - 2025-03-09
Added
Report Builder
Support for pie charts and line charts
Done button on the preview step which returns the user to the report list view
My Organization option when filtering by organization
Ability to sort reports by column in view mode and on dashboards
Ability to delete a report
Changed
Report Builder: report names must be unique
Removed
Report Builder: ID-based fields for facility, organization, and user
Fixed
Report Builder
Drill-in functionality for charts grouped by organization, facility, or user works as expected
Custom system labels render correctly
[6.14.2.1] - 2025-03-06
Fixed
Upgrade to .NET 9
[6.14.2.0] - 2025-03-03
Added
PUT /api/compliance/migrate/ to support migrating existing security plans (including controls and parts) to a new compliance setting
FedRAMP Exports support the FedRAMP Compliance Setting
Pass and fail scanner integration fields added to Compliance Settings
Changed
FedRAMP exports align with the FedRAMP compliance settings
POST /api/securityplans will use the default compliance settings when a compliance setting is not defined in the request
Navigating to /dashboard redirects users to /my-dashboard
Fixed
Save buttons work as expected when using the control builder on a security plan record
Compliance Setting APIs no longer return data recursively
Components inheritance works as expected
[6.14.1.0] - 2025-02-25
Removed
Validation for Basis for Adjustment for an issue in a deviation summary (handled in the deviation utility)
Fixed
Compliance setting values are unique
Available Information Types and Selected Types tab for a security plan's categorization section render correctly
Custom fields marked as "Not Required" save correctly
Navigation panel
Deleting records updates the panel entries with the new record count
Clicking links only updates parts of the page that have new information
Item counts do not include soft-deleted records
Navigating between different security plans shows the expected data
Module selection on the News Feed works correctly
Deviation Summary tab fields for an issue are readonly
CVSS Score field on the Vulnerabilities tab for a security plan displays correctly
Data Entry fields have a single scrollbar
Compliance Settings migration works correctly
Migrated fields display correctly
Clicking the RegScale logo returns user to their default homepage
Changes module respects ITIL Force Changes Through Workflow setting
CVSS Score displays correctly in CVE List
Custom fields work correctly on Exceptions form
[6.14.0.0] - 2025-02-20
Added
RegML
Functionality for exposing vectorized supporting documentation to AI language models
Extractor
Ability to export RegML Extractor results to Excel
WYSIWYG editor and AI-supported pop-out text editor when reviewing resulting recommended statements
Dashboard Manager - Build and Share Your Own Dashboards
List of dashboards with the ability to add new dashboards and edit, preview, and delete existing dashboards
Ability to share dashboards with a group
Tabs to search/filter by widget, reports, or module
Ability to favorite a dashboard
Fully integrated with Report Builder
Questionnaires and workflows
Questionnaires tab available across most RegScale modules
Ability to assign a reviewer at the module level
Streamlined Group Management
Users with GeneralUser, Maintainer, or Manager roles can create and manage groups (located in the user profile menu)
Add and manage groups without the need for administrator support
Links subsystem has file share (e.g., OneDrive) URL support and works with Evidence Locker
Audit Info option under a record's More Tools menu to display additional audit information (date created, date last updated, UUID, created by, and last updated by)
Description field available in Kanban for tasks
Workflow History tab on workflow records
Warning about unsaved changes in both the Classifications and Data subsystems
Changed
RegML
Extractor
User interface updated to be more consistent with the rest of the application
Faster response times
Workflow failures (such as from missing environment variables) are handled gracefully
Auto-generates control level statements
Allows for discretely saving or discarding generated statements
Chatbot
Improved efficiency and robustness of integration with the AI language model
Author
Generating suggested implementation statements is now in the More Actions menu of the Control Implementation page
Improved consistency of results
Improved efficiency and robustness of integration with the AI language model
Explainer
Translating complex control requirements into simple, accessible language is now in the More Actions menu of the Control Implementation page which is more easily accessible
Admin and configuration
Utilization admin panel
User can specify a reporting date range
Access Logs tab contains email address and admin status
Evidence Locker workflows can be enabled/disabled (Admin > Modules and Features)
Improved toggle for enablement in the Organization Manager
UI and layout enhancements
Improved styling via a "more options" style menu
Lines of Inquiry checklist view on an assessment
Continuous Monitoring Controls in Scope list
Condensed layout and improved iconography for the Files subsystem
Improved tab look and feel throughout the application
Improved readability for issue status workflow progress steps
Streamlined layout for the Fix Issues tab scorecard on a security plan
Tile scorecard layout for the Utilization admin panel
Smaller screen support
Auto-calculate button changed to an icon button in the Control Builder
Improved Kanban layout
Improved look and feel for lightning assessments
Assessment tab for a control implementation uses a tabbed layout for increased readability
Performance and optimization
Optimized database access for improved performance
Improved catalog filtering performance
Simplified API models to improve application and Swagger performance
Control Scorecard loads significantly faster
Improved performance for quick search in list views across the application
Export list now loads nearly instantly
Subsystems
Files subsystem: improved readability/contrast for JSON/XML/YAML preview mode
Added validation for file types to the Data subsystem
Business impact analysis has instructions and more helpful validation errors
Risk assessment
Financial Modeling step updates/runs automatically once enough information has been provided
Trend Analysis field is not required for completion
Target Risk field moved to the top of the form
Improved overall flow and click path
Treatments, Controls, and Issues are available on the Risk Scorecard
Removed
Dashboards
Dashboards tab on the Issues module list view (widgets are now available in the Dashboard Manager)
CISO Dashboard workspace (can be recreated and better customized using the Dashboard Manager)
Risk
Risk record Inherent Risk and Business Impact Assessment tabs (part of the risk assessment wizard)
Publish Results button for risk assessments (performed automatically by advancing to the next step)
Pie charts from the risk scorecard
Risk Score Details tab from the supply chain status board
From column on the user admin page that shows email activity
Schemas section of Swagger page
Fixed
Navigation and UI
Relationships subsystem entries correctly navigate to the related records in other modules
Assessment tab for a control implementation renders correctly
Navigating through controls in the Control Builder clears the search field
YAML preview pane in the Data subsystem renders correctly
Issues tab on the Mitigations section for a risk's scorecard renders correctly
Fields and validation
Date validation logic for Assessment, Change, and Exception records works as expected
Risk Assessment form validation errors match the field names used on the form
Exception records can have a submission date from a previous year
Audit data is set correctly for custom fields
Applying a threat model to a component creates risk records with an inherent risk that's explicitly undefined
When creating a new risk, inherent properties (e.g., probability, frequency, impact) are hidden until initial risk assessment is performed
Evidence Locker
Only the Evidence Approver role can approve evidence
Evidence Owner and Evidence Approver cannot be the same user
Links within Evidence Locker records correctly map to a control
Rejecting evidence correctly sets the evidence record status
User roles
Modules menu only displays options that are available based on the user's role(s)
Maintainer can...
Create new categorization engine records
View security control records
IssueScreener can view causal analysis and issues records
ProgramUser can access the Programs, Capabilities, and Questionnaires modules
Risk assessment and controls
Advanced search for Annual Loss Expectancy (ALE) in the Risks module works correctly
Performing a risk assessment properly sets the Initial Risk Assessment and Next Assessment Date fields and updates the risk trend
Not Applicable scorecard tile in the Attest to Controls scorecard for a security plan filters as expected
Control Status by Owner widget works as expected
Control implementation options for parts render correctly
Lightning assessment view for a control implementation with parts renders correctly
Causal analysis step for issue screening works as expected
Adding steps to a workflow template works as expected
Tasks created within a record regardless of the source (e.g., Kanban subsystem, issue screening, risk assessment, child record) all roll up into the same place
api/assessments/complianceTrendsByParent works correctly
eMASS Hardware Software List export option shows the correct file extension
Questionnaire import process completes as expected
Security
Security patching and API hardening
[6.13.0.0] - 2025-02-10
Added
Compliance settings (see the Compliance Settings admin panel)
Preconfigured implementation statuses and control origin selections
RegScale default
FedRAMP
PCI
Ability to associate a wayfinder and/or profile(s) to a compliance setting
Compliance rollup (see the Compliance Settings admin panel)
Ability to associate one or more compliance settings to a single customizable value
Ability to map a compliance setting value to a performance status color
Changed
Control implementations with parts have an aggregate status (i.e., the combination of their parts' statuses)
Creating a new security plan prompts the user to select a compliance setting as well as an optional wayfinder and profile
CISO dashboard supports compliance settings and rollup colors
Performance statuses (see the Theming admin panel) support configurable colors and icons
[6.12.0.0] - 2025-02-07
Added
Report Builder
Bar chart type
Aggregation by field count (as well as sum and average for numeric values)
Drill-in functionality for a given bar
Grouping by a single field
Date picker for date filters
Support for organizations and facilities
Date filter: Within the Next number of days
Ability to add bar chart report widgets on My Dashboard
Report subscriptions (email) based on frequency (daily, weekly, monthly, quarterly)
Changed
Report Builder
Drop-down selections are sorted alphabetically
Date fields render only the date portion (i.e., without the time portion)
Removed
Date Between filter for dates (accomplished by using two filters: Date Before, Date After)
Fixed
Report Builder
Fields that support rich-text render as plain text in the report
Control field (in the Control Implementations module) displays the control's name
Grouping and aggregation settings display correctly when editing the configuration for an existing custom report
Filter operators work as expected
My Dashboard renders correctly
[6.11.3.0] - 2025-02-06
Added
Customer-specific customizations for SAR and SAP exports
Templated exports
/api/ExportOrchestration/GetList to return the list of export records
Ability to replace data in tables with non-repeating data
Ability to preserve text formatting of placeholders and paragraphs with sections
FedRAMP Appendix M support for multiple IP addresses in Column C
Changed
Improved logging for templated export generation
Fixed
eMASS CYBERSAFE export
Shows correct success message
eMASS ID derived from system field
Date validation logic (i.e., approval, submitted, expiration) for Exception records works as expected
Global admin has correct creation date for initial seeding
Data for several Assessments and Control Implementation webhooks is populated as expected
[6.11.2.1] - 2025-02-01
Fixed
Auth token expiration works as expected
Startup process ensures form field names, tab names, and dropdown choices are unique
[6.11.2.0] - 2025-01-29
Added
eMASS POA&M export: support for handling issues that impact multiple control implementations
Changed
GET api/issues/{intId} includes a list of related control implementations
Fixed
Inherited tile on the Control Status scorecard of a security plan shows the correct count
Issues of a control implementation have the expected parent/child relationship
Security controls in the eMASS POA&M export have a .1 suffix
PUT api/issues/batchUpdate correctly accounts for related control implementations
[6.11.1.0] - 2025-01-24
Changed
Security plan Expiration Date is now called Authorization Termination Date
Fixed
Navigating away from the Lines of Inquiry tab on an assessment prompts the user only if there are unsaved changes
User avatar renders as expected after logging in
Control mappings appear in the Mappings tab of a security control after using the Control Transformer tool
SAR export (Rev4 and Rev5) references the correct data for deviations
Dashboard widget titles appear correctly in dark mode
Drill-down works as expected for the Security Plan Status Board (Aggregate View)
A user can log in after a successful password reset
Data subsystem works as expected when switching between records
Navigating to the Control Implementations module displays the list view as expected
Labs SSP export contains the expected content
Clicking the logo in the upper left corner navigates to the user's preferred home page
Tailored SSP export
Fonts are consistent
Implementation statement and responsibilities honor inherited controls
Regulations tab of a requirement record displays as expected
Tenant creation view supports dark mode
Creating a new security plan from the Security Plan Status Board works correctly
Security plan scorecards update correctly when navigating to other security plans
Outage window fields save correctly on a change record
Security
Routine dependency upgrades
Stronger restrictions around password reset and rotation frequency
[6.11.0.1] - 2025-01-21
Changed
RegML Extractor
Progress is shown via a single progress bar
Next actions are more clearly defined once processing has completed
Fixed
RegML Extractor uses batch processing for increased responsiveness
Lines of inquiry work as expected
Assessment tab on a control implementation renders correctly
[6.11.0.0] - 2025-01-17
Added
Left panel that gives users the ability to use a Wayfinder in context, easily access the Workbench, and see the full data structure of the parent record
Right panel that lists all of the tabs and utilities for the current record
Form Builder (via a new admin panel) that provides the ability to add/edit fields and configure the form layout
Removed
Wayfinder modal (replaced by the new left panel)
Form tabs (replaced by the new right panel)
Metadata, Custom Fields, and Custom System Labels admin panels (replaced by the new Form Builder admin panel)
[6.10.0.0] - 2025-01-13
Added
/api/SecurityControls/get/{id} has an option to resolve security control parameter values
Ability to forward history events to the syslog to support third-party monitoring
RegML Auditor (in a security plan's Assess Controls workspace)
Completeness checks by control
Quality checks by control with explanations
Ability to auto-generate issues for controls below the completeness or quality thresholds
Auto-generated audit / assessment record
Security plan Assess Controls workspace
Scorecard filters for completeness/grade
Excel export of the audit report
Audits view that lists audits and their statuses
AI Assistant text editor modal for text area fields throughout the app
Ability to create new or refine existing text content
Visualization of what refinements the AI Assistant made and the ability to undo them
Assessment print view: summary statement, tests, lines of inquiry, colored status badges
Assessment form: Compliance Score field
Issues can have child issues
Catalogs available to install
Cybersecurity Maturity Model Certification (CMMC) 2.0
Nuclear Regulatory Commission (NRC) 5.71
Preview of assessment results as the last step of a lightning assessment
Busy indicator that displays while the issues scorecard is loading
Assessment preview (last and next) for a control implementation
Compliance History over Time chart on the Assessment tab of a control implementation
Lines of inquiry on an assessment: Toggle between Data Collection and Audit Results view
Ability to remove a control from a scheduled audit
Inherent Risk Score column on the Risks module list view
Changed
Input fields for control implementation parts support rich text format
Controls can be added to an existing continuous monitoring (CONMON) scheduled assessment
Request Evidence button on a lightning assessment moved next to existing buttons (Comments, Files, Links)
Improved performance for features that can be enabled/disabled
Completing the business impact assessment (BIA) auto-publishes the assessment
More Info button in the classification subsystem replaced with a smaller icon
Removed
Audit section on the Continuous Monitoring tab for a security plan (moved to the Assess Controls workspace)
RegML Explainer feature toggle (replaced by the broader RegML feature toggle)
Fixed
Tests grid and Conduct Assessment button appear after starting a lightning assessment
Security Profiles module is available for the GeneralUser role
Security Controls and Categorization modules are available for the Maintainer role
Create New button for each module is only available if the user role is not ReadOnly
AI features are only available when the RegML - Enable AI for the RegScale Platform feature is enabled
Batch-updating assessments (API) correctly updates the parent control or requirement
Count of assessments due soon matches in the Workbench and the dashboard widget
New Risk Assessment option under More Tools is only available for risk records
Threat model print view displays the Print and Back buttons
Audit progress report displays correctly when the start and finish date are the same
Mini-subsystems (Links, Files, Comments) for evidence on a control display contents correctly
Lightning assessment test information updates as expected when there are multiple tests
Reverting a time travel record works as expected
Assessment form loads correctly
Publishing a risk assessment sets the current risk to the new high water mark
Lines of inquiry
Type is required
Manually creating lines of inquiry works as expected
Scorecard tiles show the correct counts
Date types save correctly
Assessments with lines of inquiry can be deleted
Validation errors display (when needed) and prevent further progress until addressed
Header for the modal shown from classification subsystem records has the correct color contrast
Finalize Risk Assessment button works as expected
Questionnaire instance webhook payload includes parent ID and parent module fields
Risk models load consistently
Financial Modeling section of a risk assessment is available only if the Financial Risk Modeling feature toggle is enabled
Date field values on forms match before and after each reload/save
Security
Reduced visibility to account management APIs
Increased logging for unauthorized access
[6.9.8.0] - 2025-01-07
Changed
eMASS PPSM export
Updated to the latest version required by eMASS
Enhanced error logging
Removed
Footer link to deprecated RegScale University
Fixed
eMASS exports
SLCM export content is generated as expected
Control test plans
Values in columns C, H, K, and L
PPSM and USN PPSM exports have unique filenames
USN PPSM has numbers preceding the name of the boundary being crossed
.xlsm files are generated correctly
Hardware/Software (HW/SW) export includes the SSP's child assets
[6.9.7.0] - 2025-01-06
Fixed
Filters work correctly on the Issues/POAMs tab of a security plan
[6.9.6.0] - 2024-12-31
Added
Ability to assign an existing questionnaire to an asset
[6.9.5.1] - 2024-12-17
Added
60-second timeout on the APIs page (Swagger)
Fixed
Questionnaires sent to recipients without a RegScale account can be saved and submitted
[6.9.5.0] - 2024-12-16
Changed
FedRAMP POA&M Export includes point of contact (column H) information if available
Illegal filesystem characters (<>:/\|?*";) are removed from export names
Fixed
Filter operators in Report Builder match the type of data being filtered
[6.9.4.0] - 2024-12-13
Added
Ability to update an existing SBOM record via the API PUT /api/sbom/{id}
Ability for an unparented issue to have a parent asset assigned
Fully qualified domain name (FQDN) field is available for software assets
Relative date filter (i.e., within the last N days) when building reports
Changed
Vendor Name is a required field if a POA&M issue has a vendor dependency
When creating a deviation for an issue where the types are either Risk Adjustments or OR & RA...
Adjusted risk cannot be more than one level above/below the original risk
Requested risk adjustment cannot be the same as the severity level
In the Automation Manager, selecting a job for an integration displays only the keys required to perform that job
Fixed
Continuous monitoring link in a security plan's wayfinder works correctly
Questionnaires: File Access question type supports marking a question as answered once the user uploads a file
api/deviations/getAllBySecurityPlan/{sspId}/{includeDrNumber} returns the correct response
FedRAMP POAMs export's Supporting Documents column matches the FedRAMP Deviation Request export's List of Evidence Attachments column
FedRAMP Deviation Request export's columns A and B are populated correctly
Issues/POAMs tab on a security plan shows issues that belong to assets tied to the SSP
Custom date fields can be marked as required
Unset custom fields render correctly for records
Navigating to child records works as expected
Security
Dependency updates
[6.9.3.0] - 2024-12-10
Added
Risk
More ways to conduct a risk assessment
Button below a risk's scorecard
Option in the More Tools menu
Risk visualizations
Trend chart of annual loss expectancy (ALE) of a risk over time
Spider charts of inherent and current risk
Ability for risks to have child issues
Endpoints
Business impact assessment by risk and type (api/business-impact-assessments/getAllRiskAndType/{intRiskId}/{strType})
Risks by threat scenario (/api/threatScenarios/getAllRisksByScenario/{intScenarioId})
Risk rollup data for a threat model (/api/threatModels/riskRollup/{intThreatModelId})
Risk Assessment Wizard
Header with back button and information about previous assessment
Ability to view threat scenario information (if the risk is based on a threat model)
Issues tab for the Review Controls section
Business Impact Assessment section
Current Risk section
Trends & Impacts section scorecard
Threat model
Risk rollup table, including drilldowns and Excel export
Print view
Administration
Scoped roles for service accounts
Database usage statistics
/api/logging/getSqlStorageStats (limited to Administrators)
SQL Storage tab on the Utilization admin panel
Ability to unlock administrator accounts that were locked because of inactivity (limited to Global Admin)
Changed
Risk
Date Closed is required when a risk's status is Cancelled
Risk scorecard and visualizations use the term inherent rather than current
Heatmap on the risk scorecard shows the highest score in the top-right corner
Risk Assessment Wizard sections
Review Controls section of a risk assessment uses the term Actions rather than Preventative Actions
Improved layout for Status Update section
Utilization admin panel uses a tabbed layout
Administration
Email Test button is hidden on the Email admin panel if email is disabled
Time Travel functionality can be enabled/disabled (enabled by default)
Selecting a different admin panel scrolls to the top of the screen
Removed
Requirements tab on control implementations (duplicate of the Control Builder tab)
My Workbench workspace
My Activity tab (duplicate of activity icon in the header)
Profile panel (duplicate of user menu in the header)
Fixed
api/securityplans/megaAPI/{indId} returns control implementation responsibility
api/authentication/changePassword returns correct response for invalid requests
Warning notifications are shown when email is disabled
Emailing a questionnaire
Creating a new user
Control implementations
Tabs show as expected
Justification for Exclusion field works as expected
Responsibility field shows correctly
Planned Implementation Date and Steps to Implement are required if the status is Planned
Risk records created from a risk assessment can be deleted
Risks Remediated scorecard tile for an asset displays the correct format
Print view displays correctly for catalogs
Evidence Locker correctly maps evidence when there are multiple controls
Default session length values are set correctly
Tabs in the My Workbench workspace display as expected
Expiration Date in service accounts grid view is formatted correctly
Test descriptions on a security control's Test Plan grid support HTML content
Security
Email and print events captured in the History subsystem
Passwords cannot be reset for inactive accounts
Visibility to some account endpoints restricted
[6.9.2.0] - 2024-12-10
Added
Questionnaire export includes rules, descriptions, and instructions
eMASS ID field added to an asset's Basic Info tab
Changed
eMASS Hardware/Software export matches the new format required for later import
[6.9.1.0] - 2024-12-03
Added
Support for the CRI (Cyber Risk Institute) Profile v2.0
Ability for security controls to have external mappings
Support for catalog import and export
Listing of external mappings on the Control Builder
Map Across Frameworks workspace on a security plan
Chart to show the status of controls across frameworks
Chart to show percent compliant by framework
Grid of controls that are not fully implemented to help prioritize high impact areas
Large modal window for editing text-based Control Builder fields
Changed
Control Builder
Evidence Summary section shows the counts of comments, files, and links
Tiles can be collapsed/expanded
Roles is the first tile
Control title truncated to the control ID if the title is lengthy
Updated labels for role-based fields
Clearer user experience for saving a part for reuse
Removed
Auto-save functionality when editing control settings and parts in the Control Builder
Fixed
RegML Extractor instructions have consistent formatting
Validation error message appears when required control settings are missing in the Control Builder
Security
Implemented refresh tokens
Added concurrent session limits
Enhanced logging
[6.9.0.3] - 2024-11-27
Fixed
Improved performance
Module grid views
Issues/POAMs tab for SSPs
View button on dashboard widgets that display user-centric lists (e.g., My Tasks Due Soon) navigates correctly
[6.9.0.2] - 2024-11-19
Changed
Change record's Date Change Approved and Date Work Completed are set automatically via workflow
Fixed
Default change record status is Draft
[6.9.0.1] - 2024-11-18
Note: Starting 2024-11-18 versions will use the Major.Feature.Minor.Hotfix format.
Fixed
Users with GeneralUser role can create a security plan
[6.9.0] - 2024-11-17
Added
Support for templated exports in Microsoft Word format
Quick filters (open, all, recently added, recently closed) when viewing a security plan's issues
POST /api/regml/query endpoint
Gantt chart on the scorecards' Fix Issues workspace for security plans, components, and policies
Change record statuses (assess, schedule, implement, review)
Ability to make status fields readonly so that they are only changed via workflows
Changed
List of vulnerability scans for a security plan is sorted by scan date (descending)
Files subsystem is initially sorted by date uploaded (newest to oldest)
Fixed
Policy editor
Changes save as expected
Busy indicator deactivates when operations complete
Deviation Summary tab for issues displays correctly
GET /issues/getAllByParent/{id} returns an empty list if there are no child issues
JSON Preview tab works correctly in the Data subsystem
ProgramUser role has correct module access
Searching for issues by parent module works as expected
List of vulnerability scans for a security plan contains the correct number of entries
Gantt chart on a security plan's Issues/POAMs tab uses the first detected date as the start date
Querying assets via GraphQL works as expected
Grid views
Columns better accommodate long text
Pagination, row count, and sorting work correctly
[6.8.0] - 2024-11-14
Added
Soft-delete support for primary record types
Fixed
Webhooks event data payloads work correctly
Data from triggered webhooks is populated as expected
Addressed technical debt areas such as data models and unused functionality
Various link routes navigate to the correct form
Evidence files can be previewed in the Evidence Locker and when mapped to a control
Search functionality for components that show file uploads works as expected
Policy option can be de-selected on a control implementation record
Viewing a lineage record on a security plan navigates to the correct profile
Assets can be unlinked from a component
Tailored SSP export honors rich-text formatting
Files subsystem upload functionality works as expected
Security
Routine dependency upgrades
[6.7.0] - 2024-11-11
Added
Ability to add user reports as widgets on My Dashboard
Changed
My Dashboard
Enhanced usability when rearranging widgets
Custom labeling is honored
Report Builder
Editing a custom report navigates to the report builder screen
Certain fields are marked as required before saving
Fixed
System reports show in the reports list when no user reports exist
All modules are supported for creating custom reports
[6.6.1] - 2024-11-06
Fixed
Red Hat UBI container contains the expected catalogs
Question responses save correctly for questionnaires assigned via the process of self-assigning to a non-RegScale user (i.e., authenticated by access code)
[6.6.0] - 2024-11-06
Changed
Control implementation statements are displayed from inherited controls within the auto-calculated control implementation summary
Fixed
Standardized button labels for grid views
Labs SSP export document is populated correctly
FedRAMP SSP export
Placeholder is provided for the user to insert an Appendix Q reference
Table K.1 populates correctly
Links within questionnaires work as expected
Due Date for Next Update is auto-calculated after creating an evidence record
Asset SBOM copy and export/download operations work correctly
[6.5.1] - 2024-11-04
Fixed
Control parts appear as expected in the control builder
[6.5.0] - 2024-11-02
Added
Deviation Summary tab for issues that displays relevant information from a deviation request
Deviation Rationale
Known Exploitable Vulnerability
False Positive?
Operational Requirements?
Auto-Approved
Adjusted Risk Rating
Risk Adjustment?
Basis for Adjustment
[6.4.0] - 2024-11-01
Changed
CCIs are hidden from the control parts view for a given control
eMASS POA&M export is updated to reflect the most recent format
[6.3.0] - 2024-10-31
Added
Support for Wiz commands
wiz vulnerabilities
wiz add_report_evidence
wiz attach_sbom
Sampling methodology field for lines of inquiry
Lightning Assessment
Evidence tab that lists associated files and provides file previews
Navigator dropdown that allows the user to select a control to assess
Assess Controls workspace for the security plan dashboard
Tiles to show assessment status counts
Predefined filters (e.g., assessment status, due next 30 days)
Search by control ID or title
Continuous monitoring (CONMON)
View Evidence option for CONMON records
Busy spinner while the progress report is loading
File preview capability for Deliverables tab
Clickable control titles for the Controls In Scope progress report
Changed
Automation Manager
When viewing previously run jobs, the secrets are hidden by default
Available badge shows the number of total integrations rather than number of integrated products
"DAG", a term specific to the implementation, is replaced with "job"
Page load time improved
Return button on the Lightning Assessment tool navigates to previous page in the workflow
Improved usability for the workspaces on a policy's scorecard view
Status and owner fields are adjacent on the requirement record form
Fixed
Automation Manager
UCF integration appears as expected
Job names can contain spaces
Fetch Names button for the Tenable integration allows selection of an SSP for a parameter
Running jobs appear as expected
Job parameters match the CLI job parameters
Performance is improved
Lightning Assessment content fully displays on the page
All required fields for creating a new requirement show a red asterisk
Control titles render correctly in the Collect Evidence workspace for a policy's scorecard
[6.2.0] - 2024-10-29
Changed
Improved styling for menu slide-outs on form tabs and user input controls
Addressed technical debt around color theming
Fixed
Switching between list view and dashboard view for Security Plans works correctly
User avatar appears in the header
Dark mode legibility works as expected
Security plan dashboards
Input fields in the Links subsystem
User's API token is set correctly after logging in
Warning prompt is shown if the user has unsaved input when creating a line of inquiry
Scan history and scan results charts have matching color schemes
[6.1.0] - 2024-10-28
Added
Report builder (Phase 1) that allows users to build and view reports for one level of data (i.e., a single module)
Changed
Browser inactivity timeout is configurable from the Security Policies admin panel
Improved performance when loading large lists of security controls or control implementations
[6.0.0] - 2024-10-22
Changed
Major version release to 6.0.0
Added/Updated
Advanced Workflow Automation Manager
New User Experience
Streamlined Workflows
Enhanced, compliance-trained AI
450+ integrations
Wayfinders: predefined, step-by-step guides for the most common tasks
[5.82.1] - 2024-10-14
Fixed
File Access question type for questionnaires works as expected
[5.82.0] - 2024-10-14
Added
Ability to assign a specific questionnaire to a RegScale user from the Questionnaires tab on a Security Plan, Project, Program, Supply Chain, Capability, and Policy
Questionnaire responses (when tied to a specific control implementation) show on that control implementation
Submitting a questionnaire assigned from an SSP saves the questions and answers in the Properties subsystem to that SSP (API support only)
Fixed
Deviation requests require a Requested Risk Rating only if the Deviation Type is Risk Adjustment or Exception Request.
Auto-approved? field for POA&M issues only supports Yes or No values
Setting the security profile for a questionnaire works as expected
[5.81.0] - 2024-10-13
Changed
eMASS export auto-populated fields
eMASS ID (SAP/SAR and SCF)
Lab Environment Testing (SAP/SAR)
Fixed
eMASS-specific fields are hidden if the eMASS Fields setting (Modules and Features admin panel) is disabled
Security
Package/dependency updates
[5.80.0] - 2024-10-10
Changed
Questionnaire rules textbox displays more lines/rows
Fixed
Dropdown selections are unique
FedRAMP Deviation Request export contains the CSP name, system name, impact level, and submission date
Editing a categorization works as expected
Workflow created after uploading evidence to the Evidence Locker functions correctly
Saving an advanced search as a report works as expected
Readability improved for the RegML Extractor results form
Overall CIA categorization is dynamically updated to reflect the highest watermark value of the selected information types, including when a lower watermarked information type is chosen to override
[5.79.0] - 2024-10-10
Added
Initial API support for creating and updating export configurations for Excel-based templated exports
[5.78.1] - 2024-10-08
Fixed
eMASS SLCM report exports successfully
[5.78.0] - 2024-10-03
Added
Questionnaires
Ability to link one or more security controls to a question
Ability to resolve comments on a response; resolution is also shown on the Feedback tab
Badge (reviewer side) that indicates questionnaire status
Access code within the assignment email body
Ability to delete a comment
Changed
Scoring columns are hidden if a given questionnaire doesn't have scoring enabled
Increased spacing between the page header and the list view header/content
Fixed
Page header for reports and questionnaire module fonts are consistent with the rest of the application
Electronic signature images for questionnaires render correctly in the Feedback tab
Selections for Inherent Probability/Frequency and Inherent Impact/Consequence/Severity appear correctly
[5.77.0] - 2024-10-02
Added
Column mappings for the eMASS SLCM export
Column mappings for the eMASS SAP/SAR export
Support for Criticality in eMASS SLCM export
Changed
eMASS CYBERSAFE export uses questionnaire data from the Files subsystem
Fixed
eMASS SLCM export shows custom fields as expected
eMASS SCF export displays the Info Type Identifier correctly
[5.76.1] - 2024-10-01
Fixed
Large white-label images are resized to 300x50 px
[5.76.0] - 2024-09-28
Added
Description column on the Controls tab for a risk record
Questionnaires
Multi-factor authentication (MFA) support for questionnaire login
Analytics tiles on the Scoring tab for a response
Ability to email an assignee to request updates
Ability for an assignee to only see questions/responses deemed unsatisfactory on a reopened questionnaire
Overall percentage score/grade on Scoring tab
Changed
Questionnaires
Questionnaire input form page
Consolidated layout
Submit button added at the bottom of the page
Submit button is always available even if the form isn't complete
Response view is streamlined via tabs (Feedback, Scoring, Response)
Login page uses the new design
Back button on the response view navigates to the Responses list
Assignment view is redesigned
Bulk assignment option shows instructions
Assignees can re-open questionnaires
Rejecting a questionnaire also emails the assignee
Comments subsystem uses the new design
Improved design for assigning mitigating controls during a risk assessment
Fixed
Questionnaires
Assignee name shows on the input form page if they are a RegScale user
Feedback column works as expected on the Scoring tab
QuestionnaireUser role works correctly
Updating the title works as expected
Show/hide question rules work as expected
Submitting a questionnaire sets the state correctly
Sending feedback via email to external users works as expected
Access code check trims whitespace before validation
Multi-answer question types are scored correctly
Scoring row is hidden if the maximum score is zero
Time Travel subsystem correctly includes the most recent change
Managing Risk workspace on a security plan's scorecard has a list of risks that scrolls correctly
Inherent and Current Risk Scoring utilize the override values defined in the Advanced configuration of the Risk Configuration model
Risk matrix tooltips show current information after updating titles and guidance
Risk assessment
Business impact assessment displays correct risk titles
Updated business impact assessment values carry through to the final step of the risk assessment
Mitigating controls are unique
Security
Improved logging around questionnaire access
Questionnaire access code is not shown in cleartext on the Responses view (replaced by Copy button)
Hour and minute resolution for Timeline subsystem entries
"Risk Accepted" status for security controls
Changed
Updated styling
Dropdown menus
Modules
Workspaces
Status Boards
User Profile
Notifications
Menu and header section
Classification banner
Page frame and header for all status boards
Dropdown menus are sorted alphabetically
Fixed
Calendar button color on date picker matches the UI theme
Links in the Links subsystem navigate as expected
RegML Extractor results for objectives include the name of the parent control
ReadOnly user has access to Catalogues, Categorization Engines, and Security Controls modules
Areas render correctly in dark mode
Navigation visualizer tab
SSP Utilities tab icons
Set My Home Page at Login fields appear as expected on the user profile screen
Pending status is accurate for several dropdowns in the Issues module
Metadata values for each tenant load only when they are marked as active
Long module names (i.e., when customized) are truncated with an ellipsis
[5.74.0] - 2024-09-20
Added
OSCAL XML
Ability to export with multiple implementation statuses and control origins
Support (on import and export) for OtherId field from catalogs and security controls
Changed
SSPs can have multiple selections for implementation status and control origin
Removed
Support for OSCAL v1.0.4
[5.73.0] - 2024-09-19
Added
Informative alert that scheduled questionnaires are sent at 2am
Changed
Tailored SSP export also includes any evidence mapped via the Evidence Locker
FedRAMP Rev5 SSP (Word document) Table 11.1 refers the reader to a separate appendix
Removed
Validation rule that requires current risk score to be equal to or greater than the target risk score
Fixed
Questionnaire template upload process is more resilient with regard to section numbers
My Activity section on the Identity & Access Management admin panel correctly shows a user's activity
Scheduling continuous monitoring for an SSP from a UCF catalog works as expected
RegML Extractor
Process successfully runs to completion
Results show control descriptions for controls without objectives
Edits to control statements generated by the RegML Extractor save correctly
Inline parameter references display correctly in the Control Implementation form
Exports
CMMC SSP export includes implementation statement and implementation status as expected
eMASS export options are disabled when viewing a component
eMASS SLCM export generates correctly
FedRAMP Test Case Procedures export is enabled when viewing an SSP
Control Implementation list display performance improved
Navigational arrows for controls in an SSP work as expected
Visualization/charts in the History subsystem render correctly for each event type
Cancelling from the delete confirmation alert immediately returns the user to the page
Security
Routine package/dependency updates
[5.72.0] - 2024-09-18
Added
Ability to make an existing RegScale file accessible for download to a questionnaire responder/assignee
Ability to add tags to properties that enables users to categorize or mark properties as needed
Changed
SSP export satisfies the recommendations per SP 800-18 Rev1 (Guide for Developing Security Plans for Federal Information Systems)
Fixed
DOE SSP export Table 3 (Security Categorization of Management and Support Information) shows the correct information types, their CIA values, high watermarks, and information system categorization
[5.71.1] - 2024-09-12
Fixed
Risk Adjustment? value in the FedRAMP Rev5 POAM export works correctly
Inactive account cleanup task is scheduled to run daily at 3AM
[5.71.0] - 2024-09-11
Added
API endpoints
POST /api/systemRoles/batchCreate to create multiple system roles
POST /api/assessments/batchRecurringPreview/ to preview recurring assessments that would be created
Risk and compliance hygiene
Ability to select a risk model in the Risk Assessment Wizard
Ability to add a control in a risk assessment
Spider chart for business impact assessment on the Risk Scorecard
Ability to build and run financial models in the Risk Assessment Wizard
Transfer as a risk strategy option
Software Bill of Materials (SBOM) is available at the component and SSP level
Description field for threat scenarios
RegML license acknowledgement prompt when enabling RegML from the Modules and Features admin panel
User interface enhancements (e.g., layout, style, typography)
Lines of inquiry for an assessment
Citation and Line Type columns for grid view
Support for collecting data based on various data types
Admin panel (and My Dashboard) widgets
Error count by month
User logins by month
Activity by month
Risk assessments are enabled for programs and capabilities
Recurring questionnaire scheduling
Changed
Increased resiliency around missing data for catalogs list and update functionality
Each line of inquiry for an assessment can have its own attachment
Continuous monitoring Progress Report tiles can be selected to filter the list view based on the selected tile
FIPS Impact Level, Strategic Tier, and Contract Type are now optional fields on a supply chain record
Updated the Risk Assessment Wizard to work with Bring Your Own Risk Matrix feature
Default tests (if they exist) load automatically for a control implementation test plan
Lines of inquiry without the scoring flag set are ignored in the scorecard
When navigating to an audit in the CONMON view of an SSP, the progress report is the default
Yellow and other dark colors for informational alerts are softened to a lighter gray and use a different icon
Risk scorecard: trend lines are above heat maps
Redesigned Control Builder
Always shows control
Uses custom system labels
Has more prominent progress visualization
Provides clickable steps
Fields auto-save after moving to another field
News Feed layout and styling are more cohesive
Removed
Transformer capability when printing a security plan
Risk Status Board
Default probabilities and default impact fields from Threat Scenarios
Inherent risk step from the Risk Assessment Wizard
Toggle to switch between previous and new forms layouts
FedRAMP Rev4 exports
Fixed
Export availability conditions work as expected
Control Builder
Only shows fields marked as visible in the Custom System Labels admin panel
Progress panel is updated as items are defined
New tenant setup Storylane works as expected
Continuous monitoring assessment records save successfully after being edited
Names of export format options display correctly
Importing a policy template and saving parameter defaults works as expected
Labeling and descriptions in the Project Builder match the functionality shown
PDF and Office document previews in the Files subsystem display correctly
Lines of inquiry
List view shows titles without HTML tags
Adding a new entry resets previous text input
Planned Finish and Actual Finish can be the same date
Risk
Annual loss expectancy (from a risk's Financial Modeling tab) appears correctly in the Risk Workspace scorecard
Ad hoc lines of inquiry for an assessment display in the right-hand panel
Risk treatment titles are required
Risk status label renders correctly
Inactive user deactivation job runs correctly
Global admin account is excluded from account inactivity deactivation rules
Lightning Assessment
Assessment Result, Differences, and Risk Model are required fields
Implementation & Evidence section values are correctly mapped
Classification subsystem grouping works correctly if there is no family defined
Sorting catalogs by Catalog Date works correctly
Exception records can have the same value for Date Approved, Expiration Date, and Date Submitted
Recurring assessments work as expected
Service Level Agreement field is required for a workflow template
Custom systems label list displays as expected
New user login works correctly
Controls for the default control assessment schedule match the default assessment schedule set at the SSP
Assigning an embedded Wayfinder to an SSP works as expected
Deleting a risk configuration from the admin panel works correctly
Audit log entries for comments and links are created as expected
Programs and capabilities can be deleted if they have child records
Policy editor parameter editing works as expected
GeneralUser role has access to Categorization Engines and Security Controls modules
Milestone dates on programs update and display correctly
FedRAMP Rev5 Risk Exposure export is based off issues
Multiple consistency issues with New Forms
Security
Applied routine framework and package updates
Improved server-side model validation
Tightened role authorization for some APIs
[5.70.5] - 2024-09-10
Added
Risk Adjustment? field to the issues form to support POA&M export
IntegrationFindingId on issue records to support CLI integration (API only)
Fixed
Email settings are available if the RegScale instance is not hosted by RegScale (i.e., regscale.somecompany.com)
Exports correctly represent assets linked or related to other records
eMASS Hardware/Software List
FedRAMP Rev5 Inventory Workbook
Components shared by multiple SSPs display and export as expected
[5.70.4] - 2024-09-06
Fixed
Functionality (e.g., POA&M/issues export, Gantt chart view of POA&Ms/issues) that involves issue records correctly accounts for lineage (i.e., issues being child records of various other records such as security plans or components)
Efficiency of determining available exports is improved
FedRAMP Rev5 inventory report generates as expected
[5.70.3] - 2024-08-30
Added
Improvements to the FedRAMP Deviation Request export
Evidence list
Other Identifier field to track FedRAMP DR numbers of imported deviation requests
Fixed
FedRAMP Deviation Request export
Null dates are handled correctly
Mappings of Deviation Request calculator values for Availability, Confidentiality, Integrity, Attack Vector, Remediation Level, and Initial Risk Rating are correct
[5.70.2] - 2024-08-29
Security
Applied security updates to components
[5.70.1] - 2024-08-26
Fixed
FedRAMP Rev 5 POA&M export shows closed POA&Ms and expected values in columns A, E, F, H, J, U, and V
POST /api/data/ returns the ID of the created data record
[5.70.0] - 2024-08-21
Removed
NIST 800-60 identifier for Associated Information Type column in Section 6 of the tailored SSP export
Action column in the Related User Information table for groups on the My Profile admin panel
General access to GET api/securityplans/exportFedRAMPPoams/{intId}/{version} as it's not needed as part of the public API
Fixed
Deep links in a Wayfinder correctly place the input focus on the desired form field
Catalog category dropdown has unique entries
Fields in advanced search for catalogs have unique entries
A validation warning appears (Ports and Protocols tab for an SSP) if the start port is greater than the end port
GET api/securityplans/export/{intId} returns a 404 response if the given ID cannot be found
PUT /api/files/renameDuplicateFileName/{parentId}/{parentModule} generates a display name if its previous value was empty or null
RegML Chatbot icon appears correctly
FedRAMP POA&M export completes for large numbers of POA&Ms
Job to check for inactive accounts runs as expected
All action tiles in the upper right of the CISO dashboard appear correctly
Program record and capability record (JSON) exports work as expected
Dashboards link above list views is disabled if there are no dashboards to view
List of vulnerabilities under an SSP only shows open vulnerabilities
Updated control parameter values appear correctly in the FedRAMP Rev 5 Appendix A and OSCAL XML (SSP) exports
[5.69.0] - 2024-08-21
Changed
Menu items for data entry, subsystems, and utilities for a given record's form are sorted alphabetically
Grid views where it's possible to create new records show a Create New button
Fixed
Numerous fixes (e.g., validation, consistency, console errors) for new forms
Descriptions for parts of a security control do not contain HTML tags
Files (subsystem) list refreshes after an upload finishes
New programs created under the Supported Programs tab for a capability are correctly linked to that capability
User avatars (i.e., generic avatar, user initials, photo) display consistently in grid views
Risk financial modeling shows the correct number of decimal places for financial values
[5.68.0] - 2024-08-17
Added
Support for API endpoint versions (both directly and in Swagger)
Control Framework Gap Report that explains how a current framework satisfies other frameworks within RegScale
[5.67.0] - 2024-08-09
Added
Automation Manager provides the ability to...
View logs of executed jobs
View the configuration used to trigger a job
Changed
Webhooks and Message Queue are listed separately in the Automation Manager
Fixed
Automation Manager
SAML integration tile shows as expected
Job names can only contain alphanumeric characters, periods, underscores, tildes, colons, plus signs, and hyphens
Available integration tiles render correctly
Catalog list displays correctly even if UCF authentication fails
[5.66.0] - 2024-07-30
Added
Ability to check for and apply updates to installed UCF catalogs, which includes an update preview report
[5.65.0] - 2024-07-30
Added
Ability to disable Certificate Revocation List (CRL) checks in MailKit
Changed
FedRAMP POA&M export has default column values and handles missing data
FedRAMP Rev 5 SSP Appendix A includes the full control implementation statement
List of system roles for an SSP automatically updates when a role is added, updated, or deleted
Alert shown if assigning an external user to a system role on an SSP when there are no stakeholders in the subsystem
Removed
Issues from the SSP scorecard
Fixed
SSP scorecards
Status icons show for inherited controls
Correct status shown even if multiple SSPs inherit from the same profile
Planned or In Remediation tile displays correctly in new forms design
Exported documents do not contain a watermark
Creating and saving a new workflow works as expected
Restored the RegML chatbot feature that supports providing content from ReadMe and FedRAMP's website
System roles created during an SSP import can be deleted
Saving duplicate implementation objectives is prevented
[5.49.2] - 2024-05-23
Fixed
Control Builder (Build Mode for a control implementation) works as expected
Control Builder for one SSP only updates control implementations for that SSP even if other SSPs imported the same controls
[5.49.1] - 2024-05-23
Added
Back button on the security controls options view for when there are no objectives
New endpoint POST /api/implementationObjectives/deleteDuplicates to remove duplicate implementation objectives
Fixed
Improved validation to prevent the creation of duplicate implementation objectives and parameters
Control owner name in the Control Builder defaults to "Unknown" if the owner could not be found
[5.49.0] - 2024-05-23
Added
Toggle for legacy and new forms design (shown on the record view/edit form)
Ability to "deep link" to a specific form tab or form field; this feature is also used for Wayfinders
Preventative Actions section on the Controls tab for a risk record
Changed
Increased web accessibility with expanded keyboard navigation and screen reader support
Tools for a given form moved to a new context menu dropdown for new forms design
New features from the past several releases work correctly with the new forms design
RBAC renamed to Security in the context menu dropdown
Improved action button UI for the Files subsystem
Added spacing to multi-select checkboxes
Improved styling and UI for Wayfinders
Deprecated
Feature flag for new forms design
Fixed
Several minor defects in the new forms system have been corrected
Email Configuration settings save as expected
Enabling modules and features in the Admin panel works as expected
Newly created links in the Links subsystems section of an SSP save as expected
Record security modal window renders correctly
Resetting custom fields works as expected
Continuous monitoring exports generate correctly
Tabs containing required fields for creating a new SSP are visible
Exports generated to the Files subsystem appear as expected
Correct hash type (MD5 or SHA-256) badges appear next to file names in the Files subsystem
Help icon for a module's scorecard view directs the user to the documentation
Creation and viewing of SSPs and security controls are no longer blocked by the progress spinner
Recurrence Wizard is configured to handle recurrences for assessments
Deleting a causal analysis record navigates the user back to the list view
White buttons have a drop-shadow so they're easier to see on a white background
Utility modal windows load correctly
[5.48.0] - 2024-05-22
Added
New endpoint GET /api/access/GetLevels/ that determines a user's access (i.e., None, Read, Update) to given entities
RegML learning and output can be performed over related documents for the current module
RegML chatbot (Reggie) can be asked questions based on RegScale's ReadMe site and FedRAMP's website; responses include links to those information sources
Fixed
Reggie fails gracefully if there are issues with storage or search
[5.47.0] - 2024-05-17
Added
Parameter guidance is imported from OSCAL-based catalogs and displayed when users are populating parameters
Fixed
Group permissions for child records are correctly inherited from parent records
Updating catalog records works as expected
Batch creation of issues correctly links parent record ID
User retrieval APIs have the correct required fields
Security Plan Users can view Evidence Locker records
Workflow Approvers can approve workflow steps
Viewing a workflow step from the Notifications panel works as expected
Tenant list appears when the global admin logs in
ID field is available in advanced search for both Programs and Capabilities modules
Sort ID fields within catalogs are imported and used for listing security controls in that order
Security
Global admin account has more restricted access
Safeguards for account unlock function increased
[5.46.0] - 2024-05-17
Added
OSCAL XML exports for Rev 5
System Security Plan (SSP)
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of Action and Milestones (POA&M)
Changed
Updated OSCAL XML SSP, SAP, SAR and POAM exports to include all required information to pass NIST OSCAL CLI validations
Made additional updates to OSCAL XML SSP, SAP, SAR and POAM exports such that they validate correctly for file conformance, as well as the majority of FedRAMP Schematron validation requirements
Creating and updating issues via the API support providing the Control ID
Fixed
FedRAMP Rev 5 OSCAL XML SSP, SAP, SAR and POAM exports
Back matter section does not include a non-displayable character
Embedded base64-encoded images and other encoded characters are not included in the SSP XML export for description fields
Control implementation options update API's validation check for duplicates works as expected
SSPs can be saved without defining confidentiality, integrity, availability, and overall categorization
[5.45.0] - 2024-05-14
Added
Web accessibility features for the Notifications menu
Changed
Most exports are generated directly to the Files subsystem rather than via browser download
Security control ID is listed in the Evidence Mapping System
Removed
"View" button from system-level file tags in the File Tag Manager (Admin page)
Fixed
Exports
Categorization must be specified before the FedRAMP Test Case Procedure export option is enabled
FedRAMP POA&M Export (OSCAL JSON) functionality works as expected
FedRAMP POA&M Export (Excel) accounts for Rev 5 Configuration Findings
Default control parameters are passed to the control implementation such that they appear as expected in an export
Column P (SSP Implementation Differential?) in FedRAMP Test Case Procedures export is blank if there is no differential
FedRAMP Integrated Inventory Workbook (Appendix M) export matches the template format
API
POST and PUT for /api/securityplans return a 400 status when required fields are missing or invalid field data is provided
POST and PUT for /api/profiles return a 400 status when required fields are missing
Documentation for POST and PUT for /api/issues matches API behavior
Swagger page section for GET /api/customFieldsData/{id}/{moduleID} works as expected
Minor UI corrections (e.g., typos, button content alignment, and tooltip text)
"View" buttons support right-clicking (i.e., provide an option to open in a new browser tab)
Compliance Visualizer modal is horizontally centered
"% Complete" field labels for projects and tasks are customizable
Child issues for a security plan that are designated as POA&Ms save as expected
Metadata seeding (Admin page) works as expected
Username fields populate correctly on page refresh
Security control inheritance completes as expected
Creating a standalone questionnaire from an existing questionnaire saves as expected
Security plan scorecard shows the correct number of icons (with correct statuses) for each part of a given security control
Advanced search fields for Assets are unique
Control implementation part option edit modal is populated once opened
Control implementation status remains set correctly after clicking "Auto-Score Overall Implementation"
Catalogs can be edited by any user that has the appropriate permissions
Copying a security control record works as expected
Security
Removed an unsupported library
[5.44.0] - 2024-05-13
Added
Two-way encryption for SAML single sign-on (SSO)
Fixed
Ports and protocols that are either directly or indirectly related to an SSP are included in the FedRAMP Rev 5 SSP export
Child and grandchild risks, issues, and assessments work correctly at the SSP level
[5.43.0] - 2024-05-09
Added
Workflows
Fields for SLA, duration (auto-calculated)
Workflow SLA Performance report
Changed
Default parameter type in the Control Builder is "string"
Removed
Module selector from the Workflow
Fixed
Workflows
Clicking "Back" only alerts the user if there are unsaved changes
Steps are sorted correctly
Approval interface works as expected
Module column in the workflow list populates correctly
Assignments for owners and assignees appear correctly in users' notifications
Workflow initiation and completion send email notifications
Workflow slider list has higher visual contrast
Workspace dropdown links render correctly in dark mode
RegML response notifications have higher visual contrast
[5.42.0] - 2024-05-04
Added
Cryptography tab on the security plan form to support FedRAMP Appendix Q export and cross-linking with Ports and Protocols tab
Classification Configuration admin panel
Family, identifier, and load fields
Search capability
Ability to export and import configurations
Details modal for information types on a security plan's Categorization tab
Ability to search/filter Classification subsystem items by family and identifier
External Services tab to show existing interconnects and allow adding new interconnects
Control Builder
Ability to remove an implementation option
Ability to link a control to a policy
Additional Save button at the top of the Parts viewer
Questionnaire tab on program form
Changed
Security Plan form
Names of fields and their "required" status on the Leveraged Authorization tab
Cloud Info tab renamed to System Information
System Owner, ISSM, ISSO, and AO moved to System Information tab
"Required" fields for Ports and Protocols
Classification fields moved to System Information tab
Classification subsystem is visible when viewing the Categorization tab
Bulk Editor on the Scorecard tab supports changing the Inheritable? field
Categorization tab and Categorization subsystem have the UI for selecting information types
Control Builder
Responsible field renamed to Control Origin
Levels for control implementation parts are auto-generated if they remain blank
My Activity list has a more consistent and compact appearance
Deprecated
Control Context Viewer; functionality is available via View Mode on the Requirements tab for a control implementation record
Removed
FedRAMP tab on the Control Implementation form
Key Dates tab on the Security Plan form
Fixed
Leveraged Authorization dropdown in the Control Builder works as expected
System Owner dropdown excludes service accounts
[5.41.0] - 2024-05-01
Added
Automation Manager -- a new, centralized hub for configuring integrations and automations
[5.40.0] - 2024-04-30
Added
Link to SAML documentation on its configuration panel
Caching of frequently used tenant and configuration operations to improve application performance over time
API endpoints to upload and delete Wayfinders
API endpoint to get all assets by parent
Changed
Save button on an Admin panel only saves settings for the active page
Password rotation frequency and session length settings have defined upper limits
Wayfinder selection dropdown is dynamically generated to support new Wayfinders being added
Fixed
Save functionality for Modules and Features configuration page works as expected
Back button on SAML Configuration modal works as expected
SAML single sign-on redirect works as expected
Catalog Importer works as expected
GET /api/config/indexLogs works as expected
Reset Child Record Permissions button on a security plan sets associated asset group access to the same access as the security plan
Observations and Gaps columns on the Tests tab for an assessment exclude HTML tags
RegML Extractor produces control objectives that include the name of the parent control
Batch creation and update set record group access based on the parent record's access level
Greater/less than or equal to operators in questionnaire rules work as expected
[5.39.0] - 2024-04-25
Added
Control bulk editor -- shows everything on a single screen and allows reassigning owners in bulk
Programs and Capabilities modules -- provide the ability to capture core processes and report on enterprise risk
Control Builder Wizard -- streamlines the writing of control implementations via a guided experience
File tagging -- gives the ability to organize and identify certain types of attachments
Tenant export/import -- allows admins the ability to save and restore settings
Classification subsystem
Search bar
Adjustable C/I/A values with adjustment rationale
Webhooks for security control creation, link creation, and comment creation
Managing Risk workspace for the SSP scorecard
Risk Control Self-Assessment (RCSA)
Analytics rollup
Additional fields for Risk Treatments and Risk Assessments
Count of risk treatments column for the Risks list view
Ability to track due date slippage for tasks in the Kanban system
Password rotation frequency configuration and enforcement
Changed
Improved performance on batch operations (e.g., creation) and general query operations
Updated validation for implementation option APIs
FedRAMP tab values for a control implementation are set automatically based on how Parts are implemented
Classification subsystem has a tabbed interface
Improved description of the Builder utility for supply chain records
Primary system role has a more prominent location on the Implementing Role tab for a control implementation
Notification performance is optimized
Group Manager admin panel shows the number of members for each group
Risk records
Residual Risk now called Current Risk
Input fields for Threat Scenario tab fields support rich-text formatting
Added new fields for Threat Scenario tab
Validation rules relaxed for Inherent Probability, Inherent Consequence, Target Risk Score, and Inherent Risk score
Improved performance for Compliance Visualizer
Threat Model validation rules relaxed for Default Probability and Default Impact
Threat scenarios are linked to risk created using the Risk Assessment Wizard via a threat model
Improved image rendering performance
Deprecated
Integrations that are now managed by the Automation Panel via the CLI
Jira
ServiceNow
Removed
Title column from the My Activity graph drilldown in the Workbench
Risk recommendation field
Fixed
Classification fields on the SSP categorization tab have the correct labels
Dismissing notifications for workflows works as expected
Classification subsystem displays the selected classifications of the SSP and the justification that was previously defined
SSP export option availability works as expected based on the SSP's child records
Parts and Parameters tabs are visible in the scorecard view of an SSP
Risk treatments associated with a risk are displayed in the Risk Assessment Wizard
Requirements records display as expected
Questionnaires created via API can be edited in the application as expected
RegML icon is only used for AI-related features
SSP scorecard filter for Planned or In Remediation works as expected
Profile importer progress indicator message is more informative
Wayfinder modal close button and Workspaces dropdown option appear correctly in both default and dark themes
Control implementation IDs in the SSP scorecard render correctly
Page footer
Sandbox link points to the correct URL
License edition shows correctly after login
Copyright year is the current year
Notification metadata is logged
Risks can be deleted if they have child records from an assessment
Security
Stronger hashing mechanism for Time Travel entries
Hardened page caching rules
Stricter GraphQL role-based access control
Password reuse prevented
[5.38.0] - 2024-04-12
Added
Wayfinders support links to content outside the RegScale platform
Overall categorization (via Categorization subsystem) values can be adjusted with justifications to support the eMASS Security Classification Form (SCF)
Users can self-assign questionnaires using single sign-on (SSO)
Changed
Vulnerability scan results for an asset are shown by scan date
eMASS export options for a security plan are generally available (i.e., no longer in Beta)
Fixed
Responsibility field on the Control Implementation tab for security plans is customizable
Security controls can be copied for the same parent catalog
Email icon is available in the top toolbar
Hiding Control Implementations fields via the Custom System Labels feature works as expected
Unsaved data alerts only appear when leaving the current page
FedRAMP Rev5 SSP exports use items on the References tab
Appendix B refers to Acronym items
Appendix C refers to Policy and Procedure items
Appendix D refers to User Guide items
Updating issues in batch via PUT /api/issues/batchUpdate works as expected
Actions involving catalogs (and their subparts such as controls) take into account whether or not records are archived
Newly added users are immediately available as questionnaire owners
Issue screening marks records as screened
eMASS exports
Hardware Software
Includes assets at both the SSP and component level
Includes FQDN as the device name (if specified); otherwise, the asset name is used
PPSM includes POC phone number if defined; otherwise, the cell is highlighted
POAM export is available if any issues marked as POA&M exist at any level within the security plan
Various fixes to support test automation
Security
Routine updates to packages/modules
[5.37.1] - 2024-04-10
Fixed
Changes to tenant settings are limited to the specified settings within that tenant
[5.37.0] - 2024-04-09
Added
Ability to set and enforce a session inactivity timeout
Changed
Improved FedRAMP Rev5 OSCAL exports
Catalogs, security controls, and categorization engines support soft-delete (i.e., archival)
Fixed
NIST 800-53 Rev5 security profiles
[5.36.1] - 2024-03-29
Fixed
Lightning Assessment test navigator dropdown shows all available tests, and test information changes appropriately when toggling between tests
eMASS Hardware Software List Export (.xlsx) is available when an asset is in a security plan at any level (i.e., security plan, component) with only the minimum fields completed
eMASS PPSM Export correctly shows the system owner phone number so long as it's defined in at least one of the phone number fields for that user
Security
Critical security patches
[5.36.0] - 2024-03-29
Added
Questionnaires
Ability to grade and score questionnaires using the rules system
Rule for enabling/disabling score display on the responder's view
Validation messages for when rule conditions are invalid
Further enhancements and improvements for Forms Redesign (BETA)
Fixed
Questionnaires
Save operation works correctly if no rules exist
Import of a questionnaire (Excel) with multiple lines for single-answer questions works correctly
Imports where sections are not correctly defined yield default sections
[5.35.0] - 2024-03-19
Added
Initial implementation of the RegML chatbot (Reggie)
Security Impact Assessment field on Change Request records
Changed
FedRAMP Rev 5 Appendix A export...
Lists all implementing roles for each control
Orders parts under security controls and parts in alphabetical order
FedRAMP Rev 5 Inventory export...
Saves to the Files subsystem
Includes assets directly linked to the SSP
FedRAMP Rev 5 SSP export labels single parts of security controls correctly
eMASS Ports and Protocols (PPSM) export works when any asset in the SSP or components in the SSP have assets that define ports and protocols
Fixed
Activity tab of the News Feed workspace works as expected
Save issues/errors for a new SSP record keep the user on the current form
Warning alerts are shown if a user tries to navigate away from unsaved changes on a/an...
Existing Risk record form
New Profile record form
RegML icon/button appears consistently when the feature is enabled
Advanced Search works as expected
Reloading questionnaires and profiles works as expected
Adding privacy records under an SSP works as expected
Questionnaire import and export work as expected
[5.34.2] - 2024-03-15
Fixed
Files subsystem and Evidence Locker store contents correctly
[5.34.1] - 2024-03-14
Fixed
Fixed issue validation rule with due dates
Default tenant color theme is set correctly
[5.34.0] - 2024-03-14
Added
Ability to create implementing roles from the Control Implementation form
eMASS Hardware Software export is generated directly into the Files subsystem
Deviation management system (in the Issues module as a utility)
Common Vulnerability Scoring System (CVSS) as part of the deviation management system
API to look up a vulnerability from NIST National Vulnerability Database (NVD) via /api/vulnerability/lookupCVE/{cveId}
White labeling support (i.e., custom logos) via tenant configuration in the Setup panel
Ability to choose small or large RegScale page footer size via the tenant configuration in the Setup panel
Email templating via the notifications configuration in the Setup panel
New filters for assessment status in the Evidence Workspace
Ability to resend an access token for a user via the User Management System
Reports
Issue by Security Plan and Deviation Status
Evidence Freshness Report
Changed
Tailored SSP export pulls control type from the Responsibility field in the control implementation
Evidence Locker system now integrated with the Evidence workspace
Evidence Workspace can launch Lightning Assessments
Google Authenticator setup sends a user access token via e-mail that can be used to unlock a QR code in the RegScale app
File upload progress bar auto-closes once the upload is complete
Removed
Automation panel from the Setup page; now located in the User menu
Fixed
Details from inherited controls from a different SSP appear in the SSP export
Leveraged authorizations for an SSP save as expected
Responsible roles populate correctly for all controls in the FedRAMP Rev 5 SSP Appendix A export
Drilldown appears when clicking on the My Activity chart in the Workbench
eMASS POA&M export
POA&M comments appear as expected
Each device has its own line in the Devices Affected cell
Multiple milestones are listed chronologically on their own lines in the Milestone with Completion Dates cell
Tenants with no defined risk matrix will have a standard matrix created automatically
Search functionality in the Evidence workspace for an SSP scorecard works as expected
Issues form loads without console errors
Password generation functionality on the New User setup form updates password criteria validation
Security
Updated packages for Angular, NgRx, Kendo, and other supporting packages
New user workflow generates separate emails for username and temporary password
Ability to disable password distribution via email (in Security Policies in the Setup panel)
Changed password cannot be the same as the previous password
[5.33.0] - 2024-03-06
Added
Wayfinder
Saving progress
Ability to enable/disable via the Modules and Features Configuration screen
Changed
Wayfinder task buttons show only if there are activities to complete
New security controls have a default control type of Stand-Alone
Security controls created via catalog import have a default control type of Stand-Alone
Exported catalog fields use empty strings to represent null values
Hierarchy of facilities within the selection drop-down shows as expanded by default
Deprecated
N/A
Removed
Service accounts no longer receive emails, as those inboxes are often unattended
Questionnaires module link from the User menu
Fixed
Wayfinder
Completed activity count updates correctly when tasks are marked as completed or incomplete
Each SSP has its own Wayfinder
NIST 800-53 Rev 4 catalog import completes as expected
New security control records show as public
New security control record form saves properly with non-required fields
Security Controls tab for a catalog shows the control ID in the list view
Navigating to the Security Controls tab on the new catalog form does not prompt the user about unsaved changes
Chart view for Security Profiles renders correctly
Exported date fields for Change records from the API and the web app both match
GraphQL token link appears correctly upon dashboard refresh
Risk treatments and mitigating control implementations both carry over during a risk assessment review
Creating a child security control for a catalog works as expected
Analyzing Risk task on a lightning assessment works as expected
Security
N/A
[5.32.0] - 2024-02-28
Added
NIST CSF 2.0 catalog
Changed
eMASS Export Support
DITPR ID field added to security plan records
Network Approval and Last Date Allowed fields have DADMS prefix
DADMS Last Date Allowed field loads correctly after form refresh
Acronyms in the software inventory are not highlighted if they are defined
PPSM export is available when Ports and Protocols exist on the security plan
Devices Affected cell contents are delimited by line breaks
Ports and Protocols tab on the Security Plan form supports selecting one or more listed boundaries
Added verification of system owner before generating export
Bug Fixes
Drilldown modal for the Events chart under the Activity tab of the Newsfeed lists corresponding events
Importing the FedRAMP Rev 5 High Baseline bundled catalog imports the correct revision
Workflow emails are no longer sent to unattended service account inboxes (i.e., [email protected])
[5.31.0] - 2024-02-23
Added
Evidence in the Evidence Locker can be mapped to multiple controls in the same component(s) or security plan(s)
Evidence Locker record View button supports browser right-click context menus
Changed
Policy scorecard no longer shows compliance score percentage
Commas for checkbox-type questionnaire questions are disallowed (replaced by spaces)
PUT /api/SecurityControls/{id} returns a 404 if the security control's ID is not found
Software list in eMASS export no longer shows duplicates
GET /api/SecurityControls/findByUniqueID/{securityControlId}/{catalogId} Swagger docs updated to reflect 204 response
User can create child records of different module types from Creation Wizard
Addressed issue where user dropdown may sometimes be empty on initial page load
Validation message for "Default Assessment Days" field on components and security plan forms is correct
Updated tooltips for OSCAL exports to be more helpful as to why an export isn't available
Continuous Monitoring tab on the Security Plans form correctly loads assessment data
User can create a new assessment from the Continuous Monitoring tab on the Security Plans form
Issue Screening utility is only available if that feature is enabled in the Modules and Features admin panel
Evidence Locker record form populates the list of mapped records correctly
Component Status Board correctly shows all status types for POA&Ms
Assess Risks utility for Security Plans produces no errors when reviewing and finalizing
SAML authentication redirects to the origin rather than host
New assessments can be saved successfully when the assessment result is set
Collecting Evidence workspace on a security plan's scorecard correctly displays controls
Module names appear correctly in dropdowns
[5.29.0] - 2024-02-09
Added
Automation Platform: Can schedule automation jobs directly from the RegScale Admin panel
SBOM: Added a download button
Workspaces: Improved the evidence workspace and analytics
Feature flag for Automation portal
BETA: Forms Redesign now optionally available
BETA: List of available catalogs and installation status (display only; non-functional)
Several new fields to support the eMASS Hardware/Software Export
Changed
Automation:
Required secrets are now checked before and during scheduling a job
Fixed bug where required parameters weren't displaying correctly
Removed SignalR from the application
Performance:
Optimized loading of nearly every Angular page on the client side to speed up RegScale page loading
Improved performance of query selecting Time Travel subsystem data
Catalog import page has a toggle to support future upload types
Re-enabled AppInsights for the Angular app
POAM export (column F is auto-fit, Column AC displays N/A instead of being blank)
Tech debt:
Refactored the control objectives controller and business logic to match current conventions/standards
Refactored the control parameters controller and business logic to match current conventions/standards
Refactored the control test plans controller and business logic to match current conventions/standards
Refactored the CCIs controller and business logic to match current conventions/standards
Risk Matrix uses NgRx to retrieve and update colors and matrix data
Catalog UUID is also returned as part of the /api/catalogues/getList endpoint
Bug fixes:
Role deletion button appears correctly on the Implementing Roles tab for a control implementation
Supply Chain Status Board status label is named correctly
Addressed issues on form rendering with custom data labels
API for getting all security controls by catalog returns the expected list
Fixed copy button on SBOM
User sees a warning about a missing (deleted/archived) parent security control for an implementation
Security controls can be deleted without showing errors
/api/profiles/applyProfile correctly respects tenant separation and has improved input validation
Questionnaire response completion progress displays correctly on the Responses tab
Pagination on the Questionnaire Responses tab works correctly
Security controls can be added at the same time a new policy is being created
File uploads for an Evidence Locker record can be deleted via the Files Subsystem on that record
Removed "routerLinks" on application navigation system to avoid duplicate page requests
Validation of and clearer Swagger documentation about the Originator property for catalog creation and update
Tailored SSP export (section 3 control tables) has correct formatting
Enabled modules are listed correctly in the Modules dropdown after logging in
Risk matrix colors are correctly set each time a new risk matrix is created
Threat Model events are available in the event topics list
Reset Password email links are correctly formed
Supported export file types are retrieved from the tenant configuration service
Email service uses the correct domain
Color theme is correctly set on login
Outage dates/times on change records work as expected when accounting for local time
Integrations images display with correct aspect ratios
Manager is a required field when creating Organizations
Policies with templates display properly
[5.28.4] - 2024-01-27
Added
N/A
Changed
Bug Fix: Addressed issue with form rendering from Custom System Labels
[5.28.3] - 2024-01-26
Added
Single Sign On (SSO) login button for a Questionnaire instance
Changed
N/A
[5.28.2] - 2024-01-24
Added
N/A
Changed
Bug Fix:
Addressed issue with creating child records on a catalog
New record forms no longer generate 404 (not found) errors
SSP export options are disabled (with explanation tooltips) if there is insufficient information to generate a given export
Changes made in the Risk Configuration setup screen are reflected when displaying a risk record afterward
[5.28.1] - 2024-01-19
Added
N/A
Changed
Performance: Optimized loading of nearly every Angular page on client side to speed up the RegScale page loading
Bug fixes:
When loading a form with tabs, the first non-hidden tab is selected
Syncfusion license key is deployed properly so that no watermark text appears on exports
Restored missing module and fixed seeding file so that Custom System Labels works correctly
SSP exports save to the Files subsystem as expected
New record forms no longer generate 404 (not found) errors
[5.28.0] - 2024-01-17
Added
Wayfinder
Ability to manually mark activities as complete
Tracker display (per stage) of how many activities are complete vs. incomplete
Dropdown to select a preconfigured Wayfinder to use
Feature flag support for integrated catalogs
Support for future catalog workflows (ability to create, read, and update download URL and default name values)
Questionnaire API to create and return questionnaire instances for a given questionnaire
Changed
Performance:
Consolidated caching functions into a single client side store in NgRx
Optimized form and list view loading code
Optimized caching updates/refresh/deletes for improved performance
Removed unused cache items from NgRx to reduce memory pressure
Tech debt: Standardized naming of Wayfinder for the Angular app
Moved catalog update button behind the integrated catalogs feature flag
Questionnaire instance creation API supports setting a specific due date
Bug fixes:
Control implementation view (Requirements tab) shows all content when scrolling
Pagination for Questionnaires list view works as expected
Questionnaire export works as expected for all question types
Addressed bug with loading Lightning Assessments
[5.27.2] - 2024-01-12
Added
Security Controls tab is now available on the Catalog form
Changed
Bug Fixes:
Improved styling and input for security control test plans
Default test results now load properly in Lightning Assessments
Components tab on Assets is visible to the General User role
QuestionnaireInstances API for getting an instance by ID returns the correct results
Collecting Evidence workspace for SSP scorecards appears correctly in dark mode
Controls on Policy scorecards render properly
Setting a risk as Closed makes the Date Closed field required
[5.27.1] - 2024-01-11
Added
Bring Your Own Risk Matrix Feature including defining the number of levels for Consequence/Probability, descriptions for each level, custom scoring, and ability to define custom colors and color ranges for matrix visualization
Annual Loss Expectancy added to the Risk Scorecard
FIPS Categorization - Categorization is no longer a required set of fields to create an SSP. Instead, you use the classification subsystem to pick your information types. There is a new engine that auto-calculates "system high" and then lets you override. Once you have picked all of your types, you can save the categorization, which will update the SSP. The SSP fields are made read-only.
BREAKING CHANGES: If running IIS, you will need to update the .NET Runtime to version 8 before upgrading to this version
New Control Navigation: Replaced control strip with inline navigation in the Control Context Viewer
File Subsystem: PDFs can now be previewed inside of RegScale like images
Control Freshness - Assessment Frequency
Can now set a default number of days by which controls must be assessed on a security plan
Can now set a default number of days by which controls must be assessed on a component
Control implementations now track assessment frequency desired and use it to auto-set the next assessment due date
Builders updated to auto-set assessment frequency based on the parent security control or component
Control Context Viewer now lets users view and set the desired assessment frequency for a given control (overriding the default at SSP level)
Assessing a control auto-sets the next assessment due date for the control based on the desired assessment frequency
Initial stages of the Wayfinder tool for SSPs (feature-flagged)
Questionnaires: Instructions field content now included at the top of questionnaire assignment email to support instructions/introduction for that questionnaire
Changed
Performance Enhancements:
Risk matrix now pulls from cache in NgRx
Organization and Facility picklists on forms now pull from cache in NgRx
Upgraded core platform technologies:
Angular from Version 15 -> 17
Node.js from Version 16 -> 20
Telerik from Version 13 -> 14
NgRx from Version 14 -> 17
.NET Core from Version 7 -> 8
Various NuGet package upgrades and security patching
Packaging: Removed eCharts and all NPM-related dependencies from the project
Removed heatmap visualization from the Status Boards (replaced by per Family view on the Scorecard)
Swagger REST APIs now default to collapsed to provide a more concise list by object
Issues API endpoint to remove a quality assurer
Assessment Result module has custom labeling support
Automatic creation of issues from assessment results also populates description, facility ID, org ID, date first detected, activities observed, and recommended actions
Assets API endpoints to create and update assets in batches
Relaxed validation on new risks to streamline data entry
eMASS Ports and Protocols export:
POC fields are now highlighted with a comment on how to populate these fields when System Owner isn't selected
Optimized data fetching during export
Added logic to fetch ports and protocols of child assets for the security plan
Tech debt: Refactored the catalogs controller and business logic to match current conventions/standards
Performance:
Refactored Asset APIs to dramatically improve query performance
Added list view saved reports to client side caching to eliminate server side calls
Quality Improvements:
Refactored the Catalogs controller and business logic to match current conventions/standards
Refactored the Security Controls controller and business logic to match current conventions/standards
Lightning assessments can now be edited
Exports: Conditionally show and hide SSP and related exports based on completing the categorization step
Bug Fixes:
Corrected validation issue on the assessment POST API
Addressed edge case issues with event driven notifications
DOE SSP export has templated system security manager, highlights missing data, supports image tagging system, and uses correct categorization
Issue process flow supports removing a quality assurer
Threat Scenarios tab no longer shows until the Threat Model is saved
Admin and service accounts are no longer available as choices in user dropdown menus
Corrected formatting issues with Error Log table in the Admin panel
Submit for Screening button for Issues works as expected
Outage window start/end dates for Changes use local time
Lightning Assessments: now correctly sets the initial status of the assessment to "In Progress" rather than "Draft"
Lightning Assessments: addressed bug where duplicate assessments could be scheduled under some circumstances
Addressed edge case issue with some status items not displaying correctly in list view
Fixed intermittent failure on event webhook for Incident severity change
[5.26.1] - 2023-12-22
Added
Changes - added ability to track testing information for a change
Changed
Bug Fixes:
Workbench and News Feed now properly show/hide based on configuration settings
Fixed issue with the Asset Mapping API endpoint
New Threats Models form cockpit correctly shows which required fields have values
Questionnaire response Excel export formats cells with top vertical alignment
Catalogs module
List view shows new information to support UCF
Detail view shows new information to support UCF
Import functionality accounts for new information to support UCF
Performance: Uses front-end caching to reduce the number of API calls to the api/email/getDomain endpoint
[5.26.0] - 2023-12-20
Added
Re-imagined Scorecard for visualizing control status
Evidence Workspace added to Scorecard
Workflows use custom data labels
File Subsystem now supports a preview mode for images
Changed
Questionnaire status stepper was removed
Code quality: Cleaner separation of RegML Explainer modal component and the accompanying service
Performance: Replaced database calls for tenant and configuration data with NgRx caching
Bug fixes
Rejecting a submitted questionnaire instance shows a toast notification
Questionnaire title heading updates after making changes to the title and saving
Questionnaire response export (Excel) cells have word wrap enabled
Export buttons for the questionnaire responses list are always visible
RegML Extractor works with "flat" control implementation statements
Progress spinner disables after a new tenant has been created
"Upload Enabled" flag on questionnaire questions is supported for import and export
Added validation when loading facilities on forms
[5.25.0] - 2023-12-13
Added
Re-imagined Scorecard for visualizing control status
Progress bar for completing control parts on a Control Implementation
Progress bar for completing control parameters on a Control Implementation
Button for auto-scoring a control implementation based on its parts
SicuraId field to ScanHistory to support Sicura integration
Financial Modeling for Risk
New control implementation parts status: "Alternative Implementation"
Server-side guards against deleting files within a module that originated from the Evidence Locker
Accounts API endpoint to get the list of inactive users for the current tenant
Control Tests: Added the ability to provide default text per test to help prompt assessors during the lightning assessment
"Other identifier" for issue records
"Task Type" for task records
API endpoint for Accounts to get all delegate users for a given user
Performance: Optimized loading of tenant and license configuration information using NgRx; reduced backend calls
Infrastructure: Resiliency for cache access (missing username, case sensitivity)
Changed
Questionnaire response export format includes historical responses
Single workflow step rejection cancels subsequent steps
Deleting files from the Files Subsystem is only supported in the Evidence Locker module
Removed beta tags from the following:
SSP exports: FedRAMP Rev5, CMMC, More options
Setup: Custom System Labels, Events & Webhooks
Bug fixes
Questionnaire instance endpoint getAllByParent returns 404 if the parent questionnaire doesn't exist
Event topic list in Event and Webhook Configuration Management populates correctly
Import button is available for Security Profiles
Workspaces no longer shows in the menu for the Global Admin account
My Activity no longer shows in the menu for the Global Admin account
Copying an existing Continuous Monitoring Assessment works as designed
Risk Strategy is a required field when creating a new Risk
Custom labeling support for the Asset Mapping tab on the Component form
Implemented paging, sorting, and filtering to Asset Mapping list view
Time remaining (e.g., days overdue, days due) on Issues uses correct heading levels and colors
Custom validation is limited to that field's module
Child issues for an assessment are only created if one doesn't already exist
Parent cause codes for causal analysis must have a value before being assigned
Manual Detection ID field for Issue records saves as expected
Dropdown menus have unique values on the Threats Scenarios tab for a Threat record
Migrated README.md reference sections into separate files and updated docs on how to run locally via localdev
[5.24.1] - 2023-11-28
Added
N/A
Changed
Bug Fixes:
Prevent saving multiple duplicate tenants through rapid clicking
Control Origination checkbox fixes
Inherited from pre-existing FedRAMP Authorization option
FedRAMP Tab prioritizing
Security Plan delete now performs a NULL check
Control Implementations: Planned Implementation Date and Steps to Implement are only required if the status is Planned
Catalog count no longer includes archived controls
Supply Chains module name is correct
[5.24.0] - 2023-11-27
Added
Type of Service field on the Basic Info tab for Interconnections
Tenable Nessus ID and Burp ID for Issues (Integration tab)
Support for using a shared database server and shared storage account
API endpoint to get all questionnaire instances for a given questionnaire
Enterprise Risk
Threat Model module
Ability to generate a library of threat scenarios for a given threat model
Risk Assessment Wizard on organizer now loads based on selected threat model
Changed
Status boards use custom data labels
Workbench uses custom data labels
Swagger: Brought documentation for the Time Travel endpoints up to standard
Error logging for questionnaire submission
Type of Service column populated in FedRAMP SSP export (Table 7.1)
Questionnaire list view by default sorts by ID (descending)
Minor updates to FedRAMP Rev5 CIS/CRM export
Tech Debt: Asset service read operations implement cleaner role-based access control
Version bumps for GraphQL packages (Hot Chocolate and Strawberry Shake)
Bug Fixes:
Improved validation for bulk questionnaire assignment via Excel workbook upload
Questionnaire option (e.g., multiple choice) text that has commas exports correctly
For Issues, moved the Salesforce Case # field to the Case Management section under the Integration tab
Risk field values and required fields function and save as expected
Record selection dropdown when assigning questionnaires to a module appears correctly in dark mode
Workspaces dropdown appears correctly in dark mode
Asset PUT and POST APIs properly check for missing and whitespace-only fields
Appendix A contains implementation statement overrides if present
FedRAMP XML export logic properly handles a file with an empty filename in the attachments
[5.23.1] - 2023-11-14
Added
Independent scroll to assessment Lines of Inquiry
Using assessment workflow system now locks down form fields so they cannot be directly edited
Changed
Bug Fixes:
Converted token date check to UTC time
Added more helpful error message for exports that use the Files subsystem in the case where a specific file type (e.g., .xml) is not enabled for the RegScale instance
Entering questionnaire prompt data no longer produces console errors
Added dirty form checks in the questionnaire builder
Validation for MAC addresses on assets works correctly
Validation for URLs works correctly
Export logic updated to ensure the export button is responsive
RegML features will not be enabled if the user chooses to cancel the enable action
[5.23.0] - 2023-11-12
Added
Home page (dashboard) uses custom data labels
Support for feature flags
Ability to hide tabs and fields in forms via the Custom System Labels panel
Infrastructure for automated UI testing with Playwright
Record creation wizard uses custom data labels
Questionnaire response scoring
Improved User Profile to better display readonly fields for LDAP/SSO users
Mapping of discrepancy fields in the SAR export
Refresh button to Issue Status page to force update of lifecycle and workflow actions
Questionnaire instances can have assigned reviewers
Enterprise Risk
Added Progress to Risk Scorecard
During a risk assessment, risk assessment auto-calculates and defaults (user can still override)
Inherent Risk score now displays in the Risk Assessment table
Consolidated treatments, preventive actions, and related controls into a single tab on the risk screen
Changed
FedRAMP Appendix A export prioritizes information on the FedRAMP tab for a control implementation
Infrastructure: Feature flag source is more explicit when running standalone vs. SaaS
Inline view of questionnaire responses works correctly for all question types
Security: Patching NPM vulnerabilities
Bug fixes
FedRAMP and eMASS exports do not contain encoded HTML characters (e.g., &)
FedRAMP Rev 5 SSP export does not contain HTML tags
FedRAMP Rev 5 SSP export does not have redundant placeholder text in Appendix E
Updating an existing Change record no longer produces console errors
RegML Extractor status bar shows completion even if errors occur
When selecting a facility that has sub-facilities for an Issue, a sub-facility must be chosen
Questionnaires module uses custom data labels correctly
Resetting custom data labels correctly sets visible and editable states for labels
Icons for Threats module corrected
RegML Extractor supports PDFs with up to 100 pages
General system description is available in the FedRAMP Rev 5 SSP export
Can now create custom security controls properly using the record creation wizard
Workflow for submitting an Issue for screening works as expected
Added guard for an edge case concerning OSCAL export file creation
New-form pages for Security Controls and Control Implementations are inaccessible via URL
For OSCAL XML export of an SSP, the system-id and identifier-type URLs are correct whether or not a FedRAMP ID# is provided
Questions in the questionnaire builder cannot be moved to a different section without a prompt
Assigning a manager workflow now uses the correct Angular route
Questionnaires cannot be resubmitted unless the questionnaire instance is reopened
Profile import (file selection) process works as expected
Validation for required signature question types in Questionnaires works as expected
Questionnaire user registration shows the correct message about minimum password length
Comment fields for questionnaire review are only visible when the Feedback toggle is set
Dropdown tree controls (e.g., facility selection) can be cleared of their selection
Child tasks appear correctly in the crumbcake nav and Compliance Visualizer
Custom fields for the Profiles, Categorization, Questionnaires, and Control Implementations modules update as expected
[5.22.0] - 2023-10-31
Added
N/A
Changed
Completion indicator for the required Status field works correctly for new components
Creating questionnaires via an Excel worksheet correctly uses the "Required" column
Improved readability of long answer fields in questionnaires for dark mode
Process flow visual for Issues in the Status tab works correctly in dark mode
Count of files in the Files subsystem for Control Implementations and Security Plans is correct
Workspaces dropdown is only available if user is logged in
More consistent user experience when creating relationships for a record
Crumbcake navigation uses custom data labels
Kanban subsystem works correctly with custom data labels
[5.21.0] - 2023-10-27
Added
New Fields
Other Identifier - added to the assessments and issues modules
Org Code and External Identifier can now be assigned to an organization
Risk Categorization added to Components
Added Original Planned Finish date field to assessments (used for calculating date changes over time)
New API endpoints (to support Nessus integration)
Batch creation of assets
Batch creation of vulnerabilities
Questionnaire owners can make a questionnaire public so that users can self-assign to new responses/instances
Utility: Due Date Extension - allows you to request and approve date extensions
Workflow
Implemented Close and Re-Open Issue Actions
Workflow approval screen now shows information on any associated actions tied to the workflow
Ability to create workflows for a specific manager or user
Security
Added ability to set and enforce max password retries and lockout period
Changed
Refactored module metadata seeding procedure to make it simpler
Replaced checkboxes on the Hardware Info tab in the Assets form with dropdowns (Yes/No/blank)
Advanced Search for Asset records supports fields whose options are Yes/No/blank
Questionnaire responses export includes email addresses for recipients that aren't RegScale users
Action to show dashboards for questionnaires and questionnaire responses removed until proper dashboards are available
Optimized field mapping for FedRAMP Rev 4 & Rev 5 Excel exports
Bug Fixes
Evidence Locker: Evidence is linked to controls when mapping to controls
Dismissing a workflow in the Notifications area leaves the workflow active in the Workbench
Canceling license update now properly resets the form
Control implementation forms render correctly
Updated Assigned Instances function works for questionnaires assigned to non-RegScale users
RegML icon only appears once on the Control Implementation form
FedRAMP Rev 5 Appendix A export contains the correct implementation status, control origination, and solution implementation details
Notification appears when a user reopens a questionnaire response instance
Reordering questions within sections and between sections works correctly
Required custom fields for new record forms display correctly after saving
Advanced search works correctly with custom data labels
FedRAMP R5 Inventory Fixes:
Correctly maps Function (Column X) for hardware and software assets
Added asset.Manufacturer to Make/Model Column (Column M)
Hardware Assets with Software Inventory will now have their software inventory mapped to the correct rows
Required custom fields appear in the new-form cockpit
Airflow DAG triggers work as expected
Removed erroneous warning about custom fields being unavailable
Adjusted the save functionality in the questionnaire builder to prevent data loss
Removed placeholder text in the FedRAMP Rev 5 SSP export (Table 3.1)
Removed instruction boxes from the FedRAMP Rev 5 SSP export
Removed duplicate alert when no manager is assigned for a user in the workflow system
[5.20.2] - 2023-10-18
Added
N/A
Changed
Custom Data Labeling
Updated warning prompt for reset to be clearer
UX
Banner colors now match US Government classification standards
Admin panel now listed in alphabetical order
Bug Fixes
Questionnaire assignee email address shows in the Responses list
Questionnaire assignment via Excel workbook upload works as expected
[5.20.1] - 2023-10-18
Added
N/A
Changed
Hot Fix: Addressed issue with seeding on startup of container
[5.20.0] - 2023-10-18
Added
Ability to reset all custom data labels in the Admin panel
APIs
Programmatically delete custom fields
Retrieve workflow actions for a given parent record ID and module
Pull all available metadata for a given module
Facilities now support a hierarchy structure similar to the organization hierarchy
FedRAMP
Fields for Rev 5 SAP/SAR exports
Rev 5 Inventory Export for Security Plans with Assets
Lightning Assessment now auto-calculates Risk Exposure based on FedRAMP formula
Logging
Error logging to the database via Serilog
Default level is Error and a scheduled task will remove entries older than 14 days every night at 1 and 3 am (limited to 5k records per run)
RegML:
Extractor to RegML Tools on a System Security Plan, allowing the automatic extraction of implementation statements from user-uploaded PDFs
Auditor can use control objectives or control implementation statements
Auditor shows links to open a control in a separate window
Tasks: Description and results fields
Unified Compliance Framework (UCF)
Added integration to the Admin panel
Web accessibility
Support for 200% zoom
Right-click support for top navigation menu dropdowns
Changed
Architecture:
Refactored how files are handled for standalone and SaaS versions
Refactored and cleaned up APIs for Master Assessments
Custom Data Labeling
Support for changing field labels and basic module metadata
Driven by the database rather than JSON files
Custom Fields: Now allowed on tasks
Email service refactor, with support for OAuth
Evidence Locker
Mapping evidence to Security Plans
Improved mapping experience
Display of all records mapped to an Evidence Locker record
Ability to start Evidence Locker mapping from the Utilities widget
Ability to navigate to Evidence Locker directly from a Security Plan
FedRAMP exports: In Rev 4 and Rev 5, images and narratives are split for Authorization Boundary, Network Diagram, and Data Flow Diagram
Gantt Chart: Security plans now show draft issues to work better with the Lightning Assessment system
Issue Screening:
Removed analysis step
Default certain checkboxes to reduce clicks in the screening process
Risk: Status Board now displays the Target and Residual Risk Scores from the new risk assessment engine
Questionnaires
Added back-end structure for scoring questionnaire instances
Enhanced response Excel export readability and usability
Owner receives an email when a questionnaire response is submitted
Performance: Refactored all picklist module calls to use the new form service
Risk Assessment: Multiple UX improvements based on customer feedback
Security
Can now only delete records if user is an Administrator or the user who created the record
LDAP now records the last login date for the user
SSO new user now records the last login date for the user when thin provisioning
Deletion of records no longer cascade-deletes the audit logs or Time Travel records to provide improved forensic analysis
Fixed various access control restrictions for consistency across roles
User experience
Improved child record creation experience
Removed gradients on CISO Home Page
Wiz CI/CD scan integration support
Bug Fixes
Accessing questionnaire instances produces no errors whether or not the user is logged into RegScale
Fixed error when uploading SBOM during release publish
Addressed issue with reseeding metadata
Variable casing corrected so that module data loads correctly
Evidence Locker: View and Delete buttons on mapped controls align correctly
Adding a new assessment under Continuous Monitoring for a component brings up the new assessment form
Module data seeding works correctly through both the application UI and the Swagger interface
Severity Level by Date Identified chart in Issues module renders correctly
Schedule recurrence options for questionnaire assignment renders properly in dark mode
Dropdown to select number of rows for Supply Chain board works as designed
Raised events are no longer case-sensitive
Control origination checkboxes for FedRAMP Rev 4 or Rev 5 SSP exports match the RegScale SSP
New assessment form loads correctly
GraphQL code generator utility correctly accounts for the new Angular file structure
RegML Extractor GraphQL queries are adjusted to address overfetching
Master assessments dropdown selections are properly seeded on app startup
Added input validation when updating an asset record
RegML Controls Author uses the company name for the tenant
Module data is correctly seeded on initial database creation
RegML Extractor input is limited to 25 pages
Vulnerability drilldown modal for assets displays correctly
Questionnaires can be submitted for recipients that aren't RegScale users (i.e., only have an access code)
Questionnaire section index changes correctly update assigned instances
Viewing catalogs no longer produces console errors
Generated export files correctly appear in the Files subsystem
Webhook events for deletions fire for archival as well
Webhook events for modifications fire as expected
Status board row-count selector works correctly
Change Management bar charts have tooltips and the drilldown modals render correctly
Issues By Identification chart shows the N/A title where needed
When adding a new record via the Compliance Visualizer, the modal now dismisses properly
Addressed several issues with GraphQL queries
Addressed issue with redirect after login for SSO
Addressed issue with importing some catalogs
Drilldowns for Exceptions dashboards display correct titles
Reset All Custom Labels works as expected
Fixed edge case issue with Lightning Assessment progress calculation
Subheaders that use custom data labeling render correctly
For interconnections, the external fully qualified domain name saves as expected
For components, if the status is "Other" the explanation field is marked as required
Fixed input validation checks that were being corrupted from dynamic loading
Lightning assessments now load properly from the Scorecard
[5.19.0] - 2023-10-03
Added
Risk: Improved initial risk scoring UI and functionality
Risk: Added risk treatment effectiveness and direct link back to control implementations
Risk: Added business impact to the risk assessment wizard
Risk: Risk assessments now allow you to evaluate the effectiveness of each risk treatment
Changed
Bug Fix: Properly show/hide links on the footer based on login status
Bug Fix: Risk Scorecard now shows N/A for difference and residual risk if risk assessment has not yet been conducted
Bug Fix: Questionnaire can be assigned without errors to a RegScale user
Questionnaires: Progress feedback is shown when bulk-assigning questionnaires
Bug Fix: Only asked questions are considered in the percent complete for a questionnaire instance
Bug Fix: api/metadata/reseed correctly loads the seed file content
Bug Fix: Removed Controls by Type options for the policy scorecard view
Web accessibility: single-page application structure, dashboard percentages, alternate text for status icons and logos
Bug Fix: Software inventory is displayed in the tailored SSP if software is within a hardware asset
UX: Reorganized data entry form for Supply Chain to be more efficient
Bug Fix: Addressed issues with Lightning Assessments on Supply Chain records
UX: Scorecard now redirects to new lightning assessment form versus opening in a slider
[5.18.2] - 2023-09-29
Added
Field for Assets under the Integrations tab: Sicura
Changed
Bug Fix: Record addition, modification, and deletion events trigger properly
Bug Fix: Addressed edge case where a user could bypass the login banner
[5.18.1] - 2023-09-29
Added
Security: Added support for OAuth authentication for email security
Changed
Policies: Parameters are now only required if the status is "Active"
Removed CQRS from Assets module
Added Assets Service to handle all business rules for the Assets controller and corrected Swagger documentation
UX: Addressed spacing issues on password toggle
Bug Fix: New risks created via the Risk Assessment Wizard do not require a target risk score
[5.18.0] - 2023-09-27
Added
Components: Added external ID field and API for ease of integrating with outside tools/data
FedRAMP: Added fields to support FedRAMP Rev 5 requirements for Leveraged Authorizations
FedRAMP: Expanded interconnect module to support FedRAMP Rev 5 requirements
FedRAMP: Added fields to support Risk Exposure Template export in Rev 5
Lightning Assessment: Now shows parts and parameters on the left side view
Lightning Assessment: Now shows the parent security control on the left side view
Lightning Assessment: Left and right side are now independently scrollable
Lightning Assessment: Now allows incremental progress (can save 1 control at a time)
Lightning Assessment: Now allows editing assessments
Lightning Assessment: Allows you to flag an issue as reportable and will auto-generate an issue
Questionnaire Security: Added access control for both internal and external users
Ability to export POA&Ms from a Security Plan as FedRAMP Rev 5 Risk Exposure Excel workbook
UX: Added persistent footer to the application
Workflow: Added options for assigning workflows and building new ones using the subsystem
Workflow: Added ability to assign and create workflows directly to a manager
Issue Screening: Added quick action buttons to create Causal Analysis records
UX: Workbench is now the default landing page
FedRAMP Rev 5 SSP Appendix A export in Word format
FedRAMP Rev 5 CIS export in Excel
FedRAMP Rev 5 Test Case Procedure export in Excel at Security Plan level and Continuous Monitoring level
Continuous Monitoring tab now has a "Create New" button
Issues: new fields for manual issue detection
Web accessibility attributes for the RegScale logo, notifications area, and page landmark regions
Questionnaire question file upload support
Workflow: Added a new API for creating custom workflows programmatically
Changed
Performance: Optimized page loads for RegScale forms
UX: Change list view fields for Privacy Impact Assessments
UX: Consolidated dashboards into the List View system of modules
UX: Removed sidebar from left side of the screen
Performance: Improved indexing on Components
Performance: Improved query speed when retrieving a Security Control or Control Implementation
Context Viewer: Now shows the part description when creating a new option and auto-closes once option is completed
Enhancement: Catalog error messages now persist on the page when uploading
Bug Fix: Removed duplicate FedRAMP tab on Control Implementations
Bug Fix: Risk scorecard now renders properly
Added logic to ReadMe.io version update during release pipeline to parse the version from the environment first, then defaults to version # in package.json
Bug Fix: Addressed issue where Control Context Viewer always returned to Parts when editing Parameters
Bug Fix: Addressed "you are already logged in" bug when redirected to the login page
Bug Fix: Addressed various issues with maintaining questionnaire state
Print: FedRAMP fields added to control implementation printable form
Bug Fix: Global admin redirect now works properly
Bug Fix: Editing tasks in the Kanban subsystem does not result in console errors
Bug Fix: Ports and Protocols table is present in the FedRAMP SSP (Rev 4 and Rev 5) export
Bug Fix: Supply Chain contract owner dropdown does not contain duplicated usernames
Bug Fix: Issue ID is returned as part of the api.issues.create event
Bug Fix: Login banner must be acknowledged before using the application after login
Security: Patching NPM vulnerabilities
Updated the executive summary text for the FedRAMP SSP Rev 4 templates (Moderate and High)
Bug Fix: Catalogue export as OSCAL JSON uses correct encoding
Added 'deprecated' label for FedRAMP Rev 4 SSP and continuous monitoring exports
Bug Fix: Leveraged authorizations appear in FedRAMP SSP export
Questionnaire: Process questionnaire rules when dropdown answer changes
Bug Fix: Validations in the policy form and policy template now apply together
Bug Fix: Automation panel only shows DAG execution date-time
Bug Fix: The api/Organizations/getList endpoint correctly displays organization managers and manager IDs
Bug Fix: Saving a new questionnaire presents a single toast notification
Bug Fix: Editing a questionnaire QUID doesn't automatically move the cursor to the end of the QUID
Questionnaire instance comparison export (Excel) format is now one instance per row
Questionnaire rich text editor control styling matches the rest of the application
Updated SSP's MegaAPI result to include an asset's list of software inventories
Bug Fix: Addressed issue with updating a Task within the Event system
Lines of Inquiry: Now warns you if navigating forward or back without saving
[5.17.1] - 2023-09-13
Added
UX: Can now create a new profile from the Builder Wizard
Changed
Bug Fix: Custom fields dropdown list addresses issue with adding new items
Bug Fix: Addressed SSO login issue for thin provisioning and logging in new SSO users
Bug Fix: Addressed issue with launching Security Profile importer
UX: Replaced Digital Signature with Electronic Signature labels
[5.17.0] - 2023-09-12
Added
Questionnaire: Add execution constraint to rules to limit when certain rules are executed
Changed
Cause Code Admin Panel for Causal Analysis
Sonarqube integration for issues
Updated CSP Name for FedRAMP Test Case Procedures export to use CSP Organization Name from the Preparation tab of the Security Plan
Questionnaire: Allow various Action Functions to accept list of questions to change
Questionnaire: Make Action Functions resilient to updating question (quid) that does not exist
Questionnaire: Update rules of open instances when updating open instances
Support: Improved logging for toasts to assist with testing and debugging
[5.16.3] - 2023-09-11
Added
Ability to dynamically set fields to read-only based on record state
List Views: Added ability to create a child record from the list view
Security: Hardened JWT timeout checks for all Angular routes
Reports: Improved FedRAMP export of the Risk Exposure Report
Workflow: Now supports management approvals
Workflow: Added functional role assignments
Workflow: Added action system
Workflow: Added comments, files, and links to the workflow record viewer
Changed
UX: Catalog importer moved to the list view next to the "New" button
UX: Improved formatting of the print screen
Bug Fix: Removed FedRAMP tab from SSP
Bug Fix: Added FedRAMP tab to control implementations
Bug Fix: Navigation system not showing titles as links
Bug Fix: Addressed error on Group retrieval
UX: Improved formatting of the user list in the Admin panel
Bug Fix: Manage risk visualization on home page updated
Bug Fix: Issue screening now pulls the correct comments, files, and links
[5.16.2] - 2023-09-08
Added
FedRAMP: Added risk fields to POA&M to support the Risk Exposure Template export
Metadata: Added reseeding option to the Admin panel (accommodates new changes over time to picklist)
Automation: Support for scheduling, pausing, and checking status of Airflow jobs
RegML: Added license confirmation box allowing all SaaS customers to opt-in to AI/ML capabilities in RegScale
Ability to export FedRAMP POAMs for Rev 5
Changed
Enhancement: Refactored seed metadata method to be consistent across the application
Bug Fix: Added SQL check to skip some specialized indexing for unsupported SQL Server versions
Bug Fix: User activation API returns 400 when the request is empty
Accessibility: Added more keyboard-based navigation and alternative text content
Bug Fix: Required field count and completion percentage for new records works correctly
Bug Fix: After making a change on a control implementation record, when navigating away and choosing "Cancel" no navigation occurs
[5.16.1] - 2023-09-07
Added
N/A
Changed
Bug Fix: CONMON display fix for progress report
Bug Fix: Addressed issues looking up Security Plans on controls list view
Performance: Database index tuning based on Azure recommendations
Performance: Multiple query optimizations for fetching control implementations
Performance: Refactored Navigation system query to be more performant
Bug Fix: Addressed issue where subsystems would sometimes not show for a control implementation with related evidence
Bug Fix: Setting a new task as Closed updates the percent complete to 100%
Bug Fix: Phone number fields on questionnaires require a valid phone number before saving
Bug Fix: Security Control Implementations list view Control ID sorting matches other Control ID sorting in the application
[5.16.0] - 2023-09-06
Added
FedRAMP: POAMs now export as OSCAL
FedRAMP: Added XML Export for OSCAL SSPs
Security: All event logging is now performed server side
Performance: Optimized the subsystem count query to be more performant
Issue Status: Can now manage the full lifecycle with status gates and workflows
Flag to dynamically set fields to readonly based on workflow
Changed
Bug Fix: Added fix for multiple quick clicks of the login button
Tech Debt: Forms now centrally driven by a single config (pre-requisite for enabling custom data labels in the future)
Explanation for Other than Operational Status field is only required for FedRAMP SSPs now
OAuth: Fixed login issue to improve Okta support
Security: Now records the date a user was deactivated
508 Compliance - added scope attribute to table headers
DEPRECATED API: Removed all GetAll endpoints, now requires using filter methods or paging in GraphQL to avoid performance impacts
Bug Fix: New Requirements form tab names match the cockpit section names
Bug Fix: Added missing fields for advanced search in questionnaire
Bug Fix: Counts in Risk by Trend chart on the main dashboard match the number of records in the drilldown modal
Bug Fix: Moving a slider no longer reloads a tab's data
Bug Fix: Changing a security plan's status updates the form to trigger validation rules
Bug Fix: Scorecards, Status Boards, and Gantt charts now use the same query
Bug Fix: System roles pulldown now provides a "blank" user since it is no longer required
Bug Fix: Addressed many role-based authorization queries based on specialized roles
UX: Fixed minor rendering issue with search bar on Status Boards
UX: Added line breaks to Implementation Part statements
UX: Fixed issue with comments tab sometimes rendering off screen in Lightning Assessments
Bug Fix: Control Implementations and Requirements now require a parent ID and parent Module
Bug Fix: Addressed issues with Security Plan not printing controls in Community Edition
UX: Group manager now displays the group ID in the list
Error Logs - now supports a back button
Tech Debt - removed legacy SecurityPlanId field from Control Implementations
Bug Fix: Changed questionnaire Rules field back from RichText to TextArea
Made event topics more consistent
Bug Fix: Source OSCAL URL field saves correctly when creating a new catalogue
Removed event manager columns pertaining to Active status and updated list filtering
Saving after adding a new questionnaire section works as expected when reloading the page
Questionnaire: email question type supports validation before proceeding
Questionnaire: Renders properly if the questionnaire only has instructional questions
[5.15.4] - 2023-08-31
Added
Questionnaire: Export one or more responses to a single Excel worksheet
Accessibility: Additional support for tab-key navigation, aria labels for icons
Data Subsystem - Code Mirror added for editing raw XML and JSON in the platform
FedRAMP: POAMs now export as OSCAL
FedRAMP: SSPs now export as OSCAL
FedRAMP: Added new fields to stakeholder system and flag to set if Individual or an Organization
FedRAMP: Can now add external stakeholders to a system role assignment (previously was just internal users)
FedRAMP: Added new features to support tracking Cryptographic modules
Changed
Bug Fix: Addressed periodic issues in pulling Status Board data for Security Plans
Tech Debt: Improved POST/PUT APIs for Facilities and Stakeholders
Tech Debt: Improved OSCAL XML export code for SSPs to be more resilient
Catalog MegaAPI for efficiently fetching a catalog with all related child data (controls, parameters, tests, options, etc.)
Bug Fix: Text-based questionnaire answers are not accepted if they contain only whitespace
Bug Fix: DOE SSP export matches new data and formatting requirements
Bug Fix: Asset Type field only appears on the Basic Info tab for Assets
[5.15.3] - 2023-08-29
Added
Logic to prevent duplicate file names when uploading a file to a record
API endpoint to rename duplicate files for a provided record ID and module name
FedRAMP: Lightning assessments now support Risk Analysis
Mini-Subsystem - added to Lightning Assessments, can add files, comments, and links at the assessment test level along with assigning Quick Actions - Request Evidence or Create Issue
RegML Auditor for control implementation evaluation (BETA)
FedRAMP - added asset types to components
Swagger: Brought documentation for the Push Notifications endpoints up to standard
Delegate System: Profile now allows you to set delegates for your approvals
Create endpoint for Ports and Protocols available via Swagger
Functional Roles: Ability for administrators to define functional roles and to add users to those roles
Event-based Architecture: Added events for questionnaire status changes
System URL text field on the Basic Info tab in Security Plans
API endpoint for creating a classified record
Organization URL text field on the Organization Manager form
FedRAMP: RegScale Assigned User is now an optional field on a System Role
Changed
UX: Administration panel for system administrators now shows options in Alphabetical order
Bug Fix: Changing SSP status to anything other than Operational sets Explanation for "Other than Operational Status" as required
Bug Fix: Questionnaires module does not appear in the user menu when it has been disabled
Bug Fix: Changing an asset's category updates the available tabs accordingly
Bug Fix: Setting an incident's phase as "Closed" makes the Date Resolved field required
Tech Debt: Optimized TypeScript library loading with Angular
OSCAL: Objectives renamed to "Parts" throughout the UI to align with current NIST/FedRAMP terminology
Removed drill-down from module record History charts
Updated all exports generated from RegScale to follow a naming convention that ends with _YYYYMMDD
Several fixes for DOE template and SSP exports in general
Bug Fix: Questionnaires required to have at least one section
Analytics (dashboards) side nav only displays dashboards that the current user can access with their roles
Navigating via URL to a dashboard the current user doesn't have access to shows a toast notification and redirects to the home dashboard
Bug Fix: Evidence Locker advanced search works correctly for Date Created and Evidence Owner fields
[5.15.2] - 2023-08-25
Added
FedRAMP: Ability to assign multiple sources, origination, and status at the control implementation level
Questionnaires: Ability to download the Excel import template
Questionnaires: Ability to export questionnaire to Excel
Questionnaires: Ability to export a questionnaire response to Excel
Questionnaires: Ability to modify a questionnaire that has already been published
Keyboard accessibility for the form menu (e.g., back, save)
Changed
Bug Fix: Advanced search for a blank item in a picklist now works properly
Bug Fix: Addressed validation logic on new Security Plans
Bug Fix: Addressed issue deleting Lines of Inquiry
Bug Fix: Removed roles from the workbench
Tech Debt: Added missing IDs on links to support testing automation
Tech Debt: Truncate strings for Excel exports to avoid corrupting the workbook
Performance: Refactored required field validation to be more performant on the client side
Infrastructure: Event topic names are pluralized
Bug Fix: Webhook form saves successfully even with a misconfigured webhook
Bug Fix: Marking a task as "completed" requires the user to enter a value for the Date Completed field
Bug Fix: By Point of Contact chart on the Incident Response dashboard renders user names correctly
Bug Fix: Required custom fields for a new Case Management record appear in the cockpit regardless of status change
Bug Fix: Fixed issue with security profiles being unable to update
After assigning a questionnaire the Responses tab is automatically updated to reflect the new assignment
UX: Improved the display of the control in the Lightning Assessment and added deep link to view the parent control
Bug Fix: When creating a new questionnaire form, the Builder, Assignment, and Responses tabs require saving the questionnaire first
[5.15.1] - 2023-08-24
Added
Reporting: New report showing all comments on controls for a given Security Plan
Loading spinner to Inheritance Engine to show progress as work is executing
Keyboard accessibility for top nav bar and left nav bar (WCAG)
Changed
Improved alerting and labeling when a parent security control is not found for a control implementation
Bug Fix: Addressed issue with inheriting between Security Plans
Bug Fix: Functional areas can now be searched for Assessment Plans
Bug Fix: Server side auditing working properly for comments
Bug Fix: Addressed console error when loading components for an SSP
Bug Fix: Print Preview shows all pages
Bug Fix: When creating a new task with a closed status, the cockpit correctly lists required fields completion
Bug Fix: Questionnaires save correctly when the created-by and last-updated-by user are the same
[5.15.0] - 2023-08-23
Added
FedRAMP: System Roles can now have multiple users assigned
FedRAMP: Add button to auto-assign all FedRAMP defined system roles
FedRAMP: Added explanation field if "Other" checked for Cloud Model
FedRAMP: Added "Other" option for Cloud Deployment Model
FedRAMP: Added Data Center tab to Security Plans
FedRAMP: Expanded properties subsystem to add Label and Other Attributes fields (optional)
Causal Analysis Role - restricts creating, updating, and deleting a Causal Analysis to users with this role (who normally have specialized training)
Assessment Lines of Inquiry - multiple enhancements: Can dynamically add new lines of inquiry without a parent Assessment Plan and can apply multiple assessment plans
FedRAMP: Added validation to the deployment option selections if a FedRAMP SSP (flag based on FedRAMP ID # not being empty)
FedRAMP: Added "Under Major Modification" and "Other" status to components
FedRAMP: Added Explanation for Other status to components
FedRAMP: Expanded links to support external identifiers and attributes
FedRAMP: Security Plans added field for explanation for Other than Operational status
FedRAMP: Allows system role assignments at the Component and Control Implementation level (one to many)
FedRAMP: References now support optional description field and UUIDs
FedRAMP: Added Responsibility and Leveraged Authorization fields at the Control Objective level
POA&M checkbox for Issues under POA&M Info tab to indicate if the issue is a POA&M item
FedRAMP: Added all reference types allowed from FedRAMP to the References tab
Metadata - added ability to define external keys for metadata (allows for mappings, i.e. to FedRAMP/OSCAL values), metadata is now editable
Event Driven Architecture - added status changes and fixed several edge case bugs
Changed
Tech Debt: APIs cleaned up to remove logging fields (Created By, Date Created, Last Updated By, Date Last Updated)
Bug Fix: Improved validation for properties system on the server side
Lines of Inquiry - added ability to remove a line of inquiry from a given assessment
Tech Debt: Added many missing tables to the GraphQL layer
Bug Fix: Export of DOE SSP fixes special character issues
Bug Fix: FedRAMP Risk Exposure export will now display if any child item of the Security Plan has a risk associated with it
FedRAMP POAMs Export will now only export issues with the POA&M checkbox checked under POA&M Info tab
Bug Fix: Marking a security plan as "operational" makes key date fields required
Swagger: Brought documentation for the Threads endpoints up to standard
Bug Fix: Marking an assessment as "complete" marks newly required fields as required
Bug Fix: Marking a case as "complete" marks newly required fields as required
Bug Fix: Marking a causal analysis as "complete" marks newly required fields as required
Bug Fix: Marking a data call status as "complete" marks newly required fields as required
Bug Fix: Marking an exception status as "complete" marks newly required fields as required
Bug Fix: Marking an incident status as "complete" marks newly required fields as required
Bug Fix: Marking an issue as "complete" marks newly required fields as required
Bug Fix: Marking an interconnection status as "complete" marks newly required fields as required
SECURITY: Hardened forgot password feature based on penetration testing recommendations
Bug Fix: Marking a project as "complete" marks newly required fields as required
Bug Fix: Marking a risk as "closed" marks newly required fields as required
Bug Fix: Marking a threat as "mitigated" or "eliminated" marks newly required fields as required
Bug Fix: Marking a policy as "active" marks newly required fields as required
Added "Risk Accepted" status option for control implementations
Change: "Partially Implemented" controls no longer require planned implementation date or steps to implement
Changed the way team data is displayed in the SSP export (Word format)
Moved SAP and SAR exports from Security Plans to Continuous Monitoring
Event architecture: Added interceptor to handle status and severity changes
[5.14.1] - 2023-08-18
Added
Org Chart Viewer - organization manager now lets you visually browse the org chart
BETA: New version of DOE SSP export released
SECURITY: Improved login experience for MFA and SSO users and hardened the process end to end (NOTE: Customers may want to test in DEV before rolling to PROD)
Security Plans - added version field
FedRAMP: Vulnerability system added to Continuous Monitoring
FedRAMP: Added multiple new fields to support SAR exports (Actual Finish Date and flag for Date Adjustment for Corrections)
Infrastructure to support unit testing
Changed
Bug Fix: Paging now works properly for Service Accounts, improved layout of page formatting
Security: NPM patching for vulnerabilities
Security: Service account tokens now hidden in the UI, added copy button for ease of pasting with CLI and Swagger
Improved RegML automated reviewer interaction with the control implementation form
Bug Fix: Change validation for required fields now works properly on edits
Bug Fix: Changing status to closed auto-sets % complete to 100 on saves and edits
Updated CIS/CRM export to include Security Plan Name, CSP Name, and Security Plan's impact level to the Instructions tab
Fixed incorrect logic for controls with an implementation status of "Not Applicable" in FedRAMP Test Case Procedures export
Bug Fix: FedRAMP Risk Exposure export will now display if any child item of the Security Plan has a risk associated with it
Bug Fix: Custom fields only populate after save operation completes
[5.14.0] - 2023-08-16
Added
Risk Scorecard
Data Subsystem - stores raw JSON, YAML, and XML data for integrations
Questionnaire: Added electronic signature support
Questionnaire: Added new field types for Dates, Phone Numbers, and Emails
Process questionnaire rules after each question response and choice change
Added Questionnaires tab to the following modules to make it easier to navigate to associated questionnaires: Components, Policies, Security Plans, Supply Chain
Questionnaires: Added alerts for unanswered required questions within current section before leaving the current section
Questionnaires: Added support for linking directly to a specific page of a questionnaire
Questionnaires: Added updating browser's displayed to specific page of a questionnaire when user navigates with Next and Back buttons
Check to ensure the user is on a supported browser (Edge or Chrome)
Changed
SECURITY: Patching of core .NET packages
Improved validation and error handling for Control Objectives, Tests, and Test Plans
Bug Fix: Addressed issue where server-side and client-side validation of control implementations did not match, preventing updates to a record in "Not Implemented" status
Bug Fix: Drilldown links for the Fix Problems dashboard display a modal list view with the same number of records as shown on the dashboard
Bug Fix: Assess Program dashboard modal links have list views that match the record counts shown on the dashboard
Bug Fix: Assessment-role users have access to the Tasks module
Bug Fix: When creating a system administrator with break glass account, system now checks config to make sure email is enabled before trying to send the email
Bug Fix: Questionnaires can be submitted without being logged in
Questionnaires: Navigating between questionnaire pages returns to the top of the page
Questionnaires: Responses now have a back button
Questionnaires: Rules are processed after each question response and choice change
Questionnaires: Assigned By and Block Layout toggle removed from assignee view of the questionnaire
SUPPORT: Added a new environment variable, "EMAIL_NO_TLS", to allow customers to disable TLS for email in legacy environments where it is not supported
Questionnaires: Submitter name for assignees outside of RegScale no longer required for submission
Bug Fixes: Fixed multiple bugs causing the FedRAMP Test Case Procedures export to generate a corrupt Excel workbook
[5.13.0] - 2023-08-05
Added
Support for webhooks to listen for specific events in RegScale externally
Application Insights for SaaS monitoring and troubleshooting for Customer Success
Architecture implementation for event queues and distributed processing
Chart views have a checkbox to toggle auto-fitting of charts to the viewing region
Questionnaire instances can be reopened
Added email validation to bulk questionnaire assignment
Backend support for questionnaire instance history
Questionnaires: consolidated assignment functionality into a single screen
Questionnaires: responses now show as a tab under the questionnaire record
Questionnaires: now auto-generate a security token to provide access control protection for external users
(Beta) SSP export in Department of Energy (DOE) format
Support for Salesforce integration with issues for Case Management
(Beta) Admin tab for events to allow managing event topics and webhooks
Changed
Bug Fix: RegML Author button appears correctly based on tenant state
Bug Fix: Drilldown works correctly on the My Activity tab of the Workbench
Questionnaires: Can now be attached to any parent module (removed hard coding to Security Plans)
Questionnaires: Consolidated functionality into instance table (removed assignment table)
Questionnaires: Share link now opens in a new tab, added "Copy" icon
Bug Fix: Questionnaire response form no longer reports console errors
Bug Fix: Toast notification dismisses properly in Lightning Assessments
Bug Fix: Addressed console errors when viewing a continuous monitoring record
Bug Fix: Addressed RegML loading infinite loop when connection not found
Bug Fix: Analyze Risk functionality in Lightning Assessments creates a risk record
Bug Fix: Controls Author timeout increased to handle longer control implementation statements
Bug Fix: Causal Analysis Step 2 renders correctly in dark mode
Bug Fix: Target Risk Score field is required when creating a new risk
Bug Fix: Users can be readonly for some modules and have greater rights in other modules
Bug Fix: Chart views render correctly
Bug Fix: Swagger page loads correctly
Bug Fix: Outage Summary field displays in the cockpit if an outage is required
Bug Fix: Close button on Workflows slideout works correctly
Bug Fix: Controls and Implementations cannot be created without a parent
Improved user feedback for bulk-assignment of questionnaires via email
Improved performance of the recurrence components in Tasks, Assessments, and Data Calls
[5.12.0] - 2023-08-02
Added
Performance: Optimized all Angular queries to eliminate slowed performance over time and need to refresh the application
Questionnaire system supports grouping questions into sections
Questionnaire system supports creating rules that can show/hide questions and set/clear answers based on user-defined conditions
Questionnaire system Excel import supports multiple question types, required flag, section IDs, and question IDs
Questionnaire system sends emails to assigned recipients
Questionnaire system allows bulk assignment via Excel worksheet of recipients
Organization Hierarchy support
Properties endpoint to support batch updates
Ability to create a new Assessment Plan directly from the assessment record
Ability to auto-generate an issue from a failed Line of Inquiry on an Assessment Plan
FedRAMP: Added fields for "guidance" and "constraints" to parameters
Reports: Added Date Last Updated to the SPRS 800-171 Report
Changed
Dropdown lists are initialized from configurations and are populated through Angular caching (support work for dynamic data labeling)
UX: Improved data validation warnings across 34 different screens
Bug Fix: Questionnaire responses display information instead of a blank page
Bug Fix: Templates for FedRAMP Moderate and High include additional placeholders for Table 6-1 and 6-2
Bug Fix: Drilldown and Status board counts for issues on an SSP match
Bug Fix: Due date validation messages for tasks are easier to understand
Bug Fix: For interconnects, IP addresses are validated only if non-empty
Bug Fix: Assessment Plans list view displays correctly
Bug Fix: URL fields in Supply Chain records support automated testing
Bug Fix: Improved target risk score label in the Required Fields section when creating a new risk
Bug Fix: List of required fields for new issues works correctly when changing issue status
Bug Fix: Updated the Policies Controller such that Swagger loads correctly
Bug Fix: Outage Summary field for Change records is only required for completed changes
Bug Fix: Saved contents on the Lookups tab for Supply Chain records persist after page refresh
Bug Fix: Charts on Issues by Severity Level by Status report render correctly
Bug Fix: Changes module loads correctly
Bug Fix: Addressed task validation error with due dates in the past
Bug Fix: Fix for module name to re-display questionnaire responses in list view
Bug Fix: RegScale user list populates correctly on page refresh
Bug Fix: Deleting a questionnaire marks it as inactive
Bug Fix: Default question for a new questionnaire is auto-assigned a unique ID (QUID)
Bug Fix: Addressed some HTML formatting issues in the control test preview
Bug Fix: Questionnaire link in email points to the unique response
Change: Request Evidence is now the first option on the Lightning Assessment buttons
Change: User baseball cards now have a header and dismiss modal button
Change: Scorecard now shows % of controls assessed and % passing in Overall Compliance section
Change: Removed closed issues from the Status Boards
Change: Improved ability to handle unencrypted email via SMTP
Change: Component Status Board only shows components that are active
[5.11.1] - 2023-07-20
Added
Architecture support for feature flags
Update endpoint for the Scan History API
Changed
Bug Fix: Button colors for the Policy Template editor match the rest of the application
Bug Fix: Policy Template editor renders properly in dark mode
Bug Fix: Security profile mapping renders correctly in dark mode
[5.2.2] - 2023-05-12
Added
N/A
Changed
SSO Bug Fix
[5.2.1] - 2023-05-12
Added
N/A
Changed
Privacy Impact Assessment (PIA) form streamlined based on customer input
Bug Fix: Refresh now works properly with the counters on the Evidence Locker
Buttons and badges are styled consistently
Fixed styling of the Risk Status Board for dark mode
Bug Fix: Added null-check before validating the CLI configuration
Tech Debt: Project and solution files simplified to not compile unused code
[5.2.0] - 2023-05-10
Added
FedRAMP System Roles added to the Security Plan
Automation admin panel to allow the CLI configuration to be saved securely in the RegScale database
Evidence Locker System
Description (Requirement Text) added to tailored SSP template and parameters replaced in description
If replaced, parameter is bold; if no parameter exists, parameter tag is highlighted
Categorization Justification added to tailored SSP template
Changed
Bug Fix: Fixed issues with usernames that have a capital letter in them
Bug Fix: Print view for Security Plans shows correct child record counts; also displays spinner when loading security control implementations
Bug Fix: The status bar has consistent arrow usage and a status indicator for active records
Bug Fix: Assignment link within emails navigates to the correct URL
Bug Fix: Usernames are not case-sensitive.
Bug Fix: Redirecting to a page after login works correctly.
[5.1.2] - 2023-05-05
Added
New risk scoring fields to the Risk module
Changed
Renamed all Azure AD labels to OAuth SSO
Bug Fix: Addressed Red Hat UBI build issue
Added UPN support for SSO with Azure AD
[5.1.1] - 2023-05-04
Added
New APIs for querying Supply Chain records
Categorization justification to the Security Plan module
Changed
Bug Fix: Fixed chart alignment for iPad
Bug Fix: Errors when connecting to LDAP
Bug Fix: Pagination works correctly in the Files subsystem
[5.1.0] - 2023-05-03
Added
Outage Summary field to the Change Management module
Updated eMASS Software List sheet and mappings
Control Source and Exclusion Justification to Control Implementations
Home page sidebar is expandable/collapsible
Issue Status by Owner and Security Plan and Issue Status by Owner and Component reports have charts; those reports also default to all dates
Changed
Fixed warning on scope for renewing OAuth tokens
Bug Fix: Search works properly for Security Control Implementation and Scorecard
Tech Debt: Eliminated legacy calls to pre-load the old home page
Bug Fix: Improved chart queries and fixed various errors
Bug Fix: "Show More" button on the newsfeed is enabled/disabled properly
Bug Fix: Custom color theme works properly for multi-tenancy
Bug Fix: Form input left and right padding increased to accommodate scrollbars to prevent focus state border from being cut off
Bug Fix: Top nav buttons stay present when going from dashboard to any other page
Bug Fix: Overall status for Component dashboard calculates percentage correctly
Bug Fix: Users can properly log in after access token expires
Bug Fix: User Management System correctly shows added roles for a user
Bug Fix: User Management System correctly shows existing roles for a user
Bug Fix: Drilldown modals from the dashboards show a close button
[5.0.1] - 2023-04-27
Added
Improved Lightning Assessment formatting for Dark Mode
Hover effects for My Activity and Notifications icons
Changed
Bug Fix: Tweaks to home page
Bug Fix: Technical POC on Exceptions now shows as a required field
Bug Fix: Corrected problem where issues may not save correctly
Bug Fix: Removed duplicate export option on SSPs
Truncated Lightning Assessment scoring
Removed console.logging on login
Improved validation for Security Plan FedRAMP Authorization status
Removed redundant "Close" buttons in modals
Multiple minor tweaks to Dark Mode formatting
Bug Fix: Addressed some issues with drilldown on Causal Analysis
[5.0.0] - 2023-04-26
Added
OAuth Identity Provider Support for Bring Your Own Identity (BYOI) and SSO
Ability to support sending unauthenticated SMTP email
Redesigned Home Page
Dark Mode
Changed GraphQL timeout to 60 seconds; added Initialize on startup for faster first queries
Redesigned the Lightning Assessment System
Added eMASS Hardware and Software list to Security Plans
Changed
Bug Fix: Organization Manager and Reports modules redirect to the login page if the user isn't authenticated
Updated logic for eMASS POAMs Export on SSPs to populate the milestone columns when no milestones are associated with the issue
Bug Fix: Policy Editor now hidden until the record is saved
Bug Fix: Children of Change Management records now correctly inherit RBAC permissions
Bug Fix: SecurityPlanId field for Issues is now properly assigned on creation
Bug Fix: Workflow now allows for formatted content in the comments field
Bug Fix: You can now create multiple custom fields with the same name if they are in a different tenant
Multiple enhancements and bug fixes to the security checklists for assets
Added warning on delay time for the Password Reset token
Bug Fix: OSCAL SAP & OSCAL SAR exports are available for Continuous Monitoring
Policy editor enhancements to utilize the Files subsystem for faster loading of large Word documents
Bug Fix: Ports and protocols now properly map in the SSP export
[4.26.3] - 2023-04-20
Added
FedRAMP: improved classification markup in OSCAL, added internal/external user counts
FedRAMP: Added support for Leveraged Authorizations
Security: Added SHA-256 Hashes to File Uploads
Vulnerabilities can now be associated with Assets
Asset Check Visualization
Improved drilldown into charts along with performance improvements throughout the application
Security control implementations have two independently scrollable content panes for Control Context and Configuration
Changed
Bug Fix: Modal dialogs from within the dashboards and crumbcake navigation now dismiss when navigating to the home page, status boards, modules, reports, or notifications.
Bug Fix: Fixed the SBOM pipeline
Bug Fix: Fixed issue where eMASS POAMs export was not handling special characters in issue description during export
Bug Fix: Modal for the file hash in the Files subsystem renders and closes correctly
Bug Fix: Catalog - FindbyGUID API now works properly
Bug Fix: RBAC inheritance now works properly throughout the application
Updated the warning on Control Inheritance (supports external Leveraged Authorizations now)
Bug Fix: Drilldown for some dashboard charts has been restored
Bug Fix: Policies can now be properly saved
[4.25.0] - 2023-04-12
Added
FedRAMP Automation overlays to SSP OSCAL export
FedRAMP E-Authentication levels to the System Security Plan (SSP)
FedRAMP Authorization Process flows
Spinner when loading large Asset SBOM files or when pulling SSP Status Board issues
Changed
Privacy Impact Assessment (PIA) data is now included in the SSP OSCAL export
Bug Fix: Exceptions can now be added to issues and risks
Bug Fix: Control tests now show properly as a Tab on assessments
Bug Fix: Addressed issue where group manager sometimes would not refresh group name after a change
Bug Fix: Addressed issue where Add User modal would not launch for a new user in a group
Bug Fix: Addressed issue where validation message would sometimes be off the page for Privacy Impact Assessment
Bug Fix: User avatar on side strip now navigates to user profile
Bug Fix: Generic SSP export updated for edge case issues on export
[4.24.2] - 2023-04-06
Added
Tenable ID field under integrations for Assets
Changed
Both the implementation statement and cloud implementation statement are now written to the Implementation Overview of the tailored SSP export
Bug Fix: Crumbcake navigation modal now closes when clicking on the app logo, My Activity, Notifications, and user profile menu
Bug Fix: Changes to generic SSP export
[4.24.1] - 2023-04-05
Added
N/A
Changed
Bug Fix: Fixed periodic export issue with generic SSP in Word
Bug Fix: Labels fixed on PIA Module
Bug Fix: SBOM workflow uses the correct internal URL
Bug Fix: Gantt charts now show for components
Replaced Azure AD with OAuth integrations panel
Provided a more friendly gnome graphic for control assessment failures
[4.24.0] - 2023-04-04
Added
Privacy Impact Assessment (PIA) Module
Security checklist queries via GraphQL
Improved signaling on Gantt charts plus the ability to toggle between Gantt and List Views
Importing policy templates from Word docs
Export tailored (generic) SSP in Word format
Qualys ID field for Assets under Integrations
APIs for batch creation and update of Security Checklists
Changed
Bug Fix: Gantt chart visualizations now sort by date and only show open issues
Improved signaling on the Scorecards for control status