= Functionality development complete and ready for release

= Functionality development incomplete, but on the short-term roadmap


FUTURE RELEASES (Last Updated 1/10/2023):


Q1 2024 Planned Updates

  • Risk Assessment Extra: Add a Risk Assessment Proxy functionality for the Risk Assessment Extra


Q2 2024 Planned Updates

  • Updates to the SimpleRisk UI
  • Enhance the Graphical Risk Analysis report
  • Notification Extra: Add customizable reports to automatically send via email


Q3 2024 Planned Updates

  • Add the ability to take reports saved from the Graphical Risk Analysis report and apply them to a custom dashboard.
  • Incident Management Extra: Add a Dynamic Incident Report
  • Incident Management Extra: Add an action menu allowing you to "Escalate", "Close" or "Reopen" an incident.
  • Incident Management Extra: Set the time along with the date for the start date and detection date.


PAST RELEASES:



January 5, 2024

  • Notification Extra: Add the Team to the 'Who To Notify' section for Notify on Audit Status Change
  • Notification Extra: Add the Team to the 'Who To Notify' section for Notify on Audit Comment
  • Notification Extra: Add the Team to the 'Who To Notify' section for 'Automated Notifications of Audits'
  • Team-Based Separation Extra: Add separation of frameworks and controls based on teams.


October 13, 2022

  • Added the ability to associate a Framework with an exception. Choosing a framework will limit the controls you can select to ones belonging to that framework.
  • Began changes required to bring PHP 8 compatibility. This effort is not complete and will complete on the following release.
  • Added selectize.js via Composer
  • Removed the old js/selectize.js file
  • Removed the unused HighCharts adapters under js/adapters
  • Removed the unused jquery.tree library
  • Removed the unused js/angular files
  •  Removed the unused files under js/old
  • Removed the unused jquery.tablesorter.js library
  • Removed the unused jquery.ba-throttle-debounce.min.js library
  • Removed unused controller files under js/controller
  • Moved a number of SimpleRisk javascript files under js/simplerisk for easier tracking and updated the files linking to them
  • Updated the Content Security Policy to include a missing entry for connections to olbat.github.io
  • Updated the submission logic for the Document Program. Users tab selection will be remembered after submitting a form.
  • Updated the default state for "Check Case Sensitivity for Usernames" to false.
  • Updated failed login error message to use the language set for SimpleRisk.
  • Fixed an issue where column filters would not be shown on the Dynamic Risk Report
  • Fixed an issue where tags would not be displayed while editing assets.
  • Aligned the define exceptions edit and delete buttons.
  • Fixed an issue preventing the Dynamic Risk Report functioning on MySQL 5.7.
  • Fixed an issue where users with a risk matrix smaller than 5x5 would receive an error when viewing risk details.
  • Fixed an issue where the associated risks field would not display all entries when there was a high volume of risks present.
  • Fixed an issue where the printable view of a risk would show fields that customization has currently disabled. 


September 9, 2022

  • Fixed an issue when creating an Exception in the Governance module risks would not show up in the associated risks dropdown if any mitigation information was associated with the risk.
  • Fixed an issue where pulling new assessments and frameworks from the Content page in the Configure menu would not function properly.
  • Fixed an issue where users could not import risks that were closed without importing close-out information.
  • Fixed an issue where updating an asset via import would cause an error if all columns were not mapped.
  • Added the ability to import control tests.
  • Added the ability to import control tests.
  • Updated the SCF to 2022.2.1.
  • Resolved an issue where the Supplemental Guidance field would store “#Name?” for compliance forge controls.
  • Fixed an issue where risk details could not be viewed if the template that risk used was deleted.


August 23, 2022

  • Updated the audit log to reflect the specific values that are changed when a risk is updated. 
  • Updated the Risks and Issues report to only show open risks.
  • Renamed "Available Assessments" to "Self Assessments" and moved "Pending Risks" under it.
  • Fixed a XSS issue for Risk Assessment and Additional Notes fields in Risks and Issues report.
  • Fixed a stored XSS on the Assessments/Questionnaire Templates page when editing a template.
  • Removed the inclusion of Box\Spout via Composer.
  • Fixed a bug where the Risk Scoring pie chart on the Overview report would count risks scored with Contributing Risks scoring method toward the unassigned label.
  • Fixed the column filtering configurations in the Risk Management module for Plan Mitigations, Perform Reviews, and Review Regularly. All fields listed available should display as intended now.
  • Fixed an issue where lists of tags on the Review Regularly page would display items separated by a pipe.
  • Fixed an issue in the Reporting section where charts with a “Download as” function would generate output files in black and white.
  • Fixed an issue where the Compliance Past Audits page would not actually restrict table contents based on filter selections.
  • Resolved an issue where mouseover pop ups did not display as intended on charts in the Reporting module.
  • Fixed an issue where values not mapped on a risk import update could be cleared or emptied.
  • Added the ability to change the Template Group a risk displays with via import update.
  • Added Asset ID to asset exports and made it available to map during import. Asset names can now be updated without losing their associations.
  • Updated Import Export to support XLS/XLSX/CSV. All should work interchangeably. All exports will be XLSX from now on except where directly noted such as the Dynamic Risk Report which remains XLS for now.
  • Unified all separators of list items for all mappable columns. Expectations will now always be “Item 1”, “Item 2”...
  • Fixed an issue where schedule reports would not properly filter based on the configuration selection for that report resulting in users receiving unintended messages.
  • Updated Notification Extra to show custom fields properly.
  • Fixed an issue where editing tables in a notifications template could result in a field adjacent to the edited cell to no longer display the value in the e-mail.
  • Fixed an issue where imports with a mapped field but no update to be made would still report to the audit log the risk was updated. This is also further mitigated by verbose auditing addition also on this release.
  • Fixed issues regarding Import triggering notifications that should not otherwise be generated.
  • Fixed an instance where an import could trigger a notification that would send a blank message.
  • Updated the Pending Risk Additional Notes field to TEXT type. It should now correctly record any amount of details the additional notes field will display will save to the generated risk correctly now.
  • Fixed an issue that prevented editing the order of questions on a template via the UI or Import/Export.
  • Updated the Summary field so it can no longer be edited and emptied.
  • Updated incident saving logic so updates only affect the related risks and assets the users have access to.
  • Fixed an issue where deleting evidence would not return you to the incident properly.
  • Fixed an issue where Incidents did not display all the related incidents and risks selected.
  • Updated the tabs on the response UI to be able to link to specific tabs and activate those tabs on page load.
  • Updated logic so Evidence could be added without actually attaching a file.
  • Updated error reporting so file upload failures will now display a red error message to indicate the reason for the failure.


July 1, 2022

  • Introduced the ability to use tags with Audit tests. This allows you to set pre-determined tags to be associated with a given audit test. This also allows users to assign a tag while initiating groups of audit tests and assign a tag or tags to be associated with all tests being ran in that batch. Once a test is completed tags can no longer be edited.
  • Changed the Site/Location field for assets into a multi-select dropdown so multiple locations can be associated with a single asset.
  • Added multi-lingual support for the Graphic Risk Analysis Report
  •  Fixed an XSS in Plan Projects.
  • Migrated the moment.js library to PHP Composer and updated it to the latest version.
  • Added a fix to prevent an admin user from being able to save an invalid SimpleRisk Base URL.
  • Fixed a bug where newly completed audits were affecting the test date of the test and currently active audit tests.
  • If there was only one mapped control framework left on a control, it could not be removed. This has been fixed.
  • Fixed an issue where new backups run by the scheduled backups were not showing in the UI but were still saved to the machine.
  • Fixed an issue where custom risk level names did not display in the Graphical Risk Analysis.
  • Fixed an issue where some error messages would display “Unabled” instead of “Unable”.
  • Fixed an “implode” function call whose format was obsoleted in PHP 8. (Note: PHP 8 is not yet fully supported and we will continue to make updates to bring PHP 8 compatibility to SimpleRisk in line with the EOL of PHP 7.)
  • Fixed an issue where CSVs were not forcibly converted to UTF8. This will most likely be the last update to the CSV style imports as we transition to XLS for import/export completely.
  • Added a new column to be exported/imported called Mapped Control Numbers. When this field is populated, apply each entry (separated by commas) to each entry in the Control Frameworks field (also separated by commas).
  • When generating a template from Compliance Forge when choosing standard risks are not being created only pass/fail status. It will now also generate risks on "no"s.


May 27, 2022

  • Introduced a new report called Risks and Issues in the reporting section.
  • Updated file extensions and file types to no longer be case sensitive.
  • Adjusted how often the cron job checks if it has run.
  • Made the Control Gap Analysis chart larger.
  • The system now converts imports to UTF8 and ensures all data currently in the database is in UTF8 to prevent issues where characters that did not exist in UTF8 would cause reports and pages to not load correctly.
  • Increased the size of an audit's test name field from 100 to 1000 characters.
  • Added more basic information about the server on the Healthcheck summary.
  • Text boxes should no longer resize without input and will now allow full control over both height and width where applicable.
  • Fixed an XSS in Assessments
  • Added additional parameter enforcement on the SQLi filter function
  • Fixed 2 SQLi found in functions.
  • Fixed an issue where the delete file function would always return false whether it was successful or not.
  • Fixed an issue where the Dynamic Risk Report would take too long to complete the query resulting in infinite processing.
  • Fixed an issue where if a user deleted all threats from the threat catalog they were unable to add new threats.
  • Fixed an issue where uploading supporting documentation while submitting a risk on any other template than the default would apply the supporting documentation to the default template anyway.
  • Fixed an issue where creating a new project would create a duplicate.
  • Fixed an issue where Mgmt Reviews were duplicated when submitted.
  • Fixed an issue where Submitted risks by date report actually displays in order of ID
  • Added a new flag for ignoring column statistics when doing a mysqldump for MySQL instances that require it.
  • Fixed an issue where users can update documents outside their team even with Team-Based Separation on.
  • Fixed an issue where the Current Comment Report does not work properly when using Team-Based Separation Extra. 
  • Remove the requirement for a phone number on assessment contacts
  • Updated Questionnaire logic to strip tags to prevent situations where it would appear no answer was given on a completed questionnaire.
  • Fixed an issue where risk analysis would no longer show results.
  • Status is no longer updated during import unless the status column is mapped and updated closed risks being updated will remain closed.
  • Added Control-Type to the mappable values.


April 1, 2022

  • We have now incorporated the SimpleRisk installer into the SimpleRisk Core code. No longer will it be necessary to download a second archive containing the installation code and stock database schema. 
  • Added the following columns for selection to the Dynamic Risk Report: Closed by, Close Reason, Close-out Information. 
  • The Dynamic Risk Report column filter search fields will now be case insensitive. This change also applies to filters on the Define Controls, Define Exceptions, Initiate Audit, and Submit/Update Risk pages. 
  • Added a check for if the SimpleRisk MySQL user has the References and Indexes privileges when attempting an upgrade. If these permissions are not present the upgrade will not execute. 
  • Fixed an information disclosure vulnerability. 
  • Fixed a vulnerability where users could view another user’s Graphical Risk Analysis saved report graphics. 
  • Moved phpspreadsheet for the Risk Assessments Extra to composer to update and patch a vulnerability with the old version, this change also applies to Import/Export as well. 
  • Fixed an XSS in the Incident Management Extra. 
  • Fixed an issue where a user could modify The Notification Extra configuration without permission to do so. 
  • Fixed an issue where users could not sort by Planned Mitigation Date on the Dynamic Risk Report. 
  • We now suppress dumping GTIDs during backups. This will prevent the notice generally seen in the Apache log after a backup.
  • Updated the query ran during the automated backup to correct a situation where this functionality would not operate as intended due to a lack of privilege on the MySQL user.
  • Fixed an issue where attempting to filter on the Risk Mapping column in the Dynamic Risk Report would always return no results, even when selected from the filters dropdown.
  • Vulnerability Management: Fixed an issue where accepting a risk from the Triage menu would add the incorrect risk from the list. 
  • Customization: Multi-Select Dropdown field entries can now be deleted as intended. 
  • Customization: When restoring a risk template the threat mapping field will now also be restored 
  • Customization: The Submission Date of risks will no longer be updated upon every update of a risk when the risk uses a template other than the default. 
  • Customization: Risk Mapping should no longer be doubled when activating Customization for the first time. 
  • Incident Management: Fixed an issue where Incidents don’t display the Affected Assets dropdown on editing an incident when the Team-Based Separation extra is deactivated. 
  • Incident Management: Fixed an exploit where users could view risk titles by linking them to incidents. 
  • Incident Management: Added logic for related risks/assets so users who can edit the incidents can only edit the risks/assets they have access to. 
  • Incident Management: Fixed an XSS in the Incident Management extra on the reporting page. 
  • Incident Management: Fixed an issue where newly created playbooks could not be deleted without refreshing the page. 
  • Impore-Export: Fixed an issue where Management Review data would not import unless the status was mapped to “Mgmt Reviewed”. 
  • Encryption: Assessment Sharing will now work with the Encryption Extra on. 
  • Encryption: When sharing assessments with the Encryption Extra on users will no longer see encrypted names in audit entries for usernames 
  • Encryption: The print button will now function as intended when the Dynamic Risk Report is grouped by project. Users will no longer see encrypted data on the resulting printable version of the report. 


March 6, 2022

  • Added the ability to use the Controls "Filter by Text" field to find control numbers associated with mapped frameworks.
  • Updated the Control Gap Analysis report to use the Reference Name rather than the Control Number so it displays the number for the selected framework.
  • Added a new error message for instances where SimpleRisk cannot communicate with the database.
  • Changed the limitation on the number of characters for an upload file type from 50 to 250.
  • Fixed several SQL injection vulnerabilities through the SimpleRisk Extras in a new initiative to ensure we are taking every precaution to secure SimpleRisk.
  • Fixed an XSS vulnerability in the Risk Assessments module.
  • Fixed an issue where Project Due Date does not respect the selected date format. Users were required to use 0000-00-00. This is no longer the case and the date format selected for the account will now work for saved due dates.
  • Fixed an issue where saving a review and assigning a new project would not create the new project or assign the risk to it.
  • Fixed an issue where controls would display with the word “top” in front of the control short name.
  • Fixed an issue where the Review Regularly page in the Risk Management module risk ID field could not be filtered or searched properly.
  • Fixed an issue where the "Control Status" field displayed when you go to Governance and select the "Controls" tab shows a value of 0 or 1 instead of "Pass" or "Fail".
  • Vulnerability Management Extra: Fixed a number of issues in the tenable.io implementation.
  • Vulnerability Management Extra: Fixed a bug in the tenable.io connectivity test.
  • Vulnerability Management Extra: Updated the tenable.io integration to ignore scans that are  older than 35 days and have been archived.
  • Vulnerability Management Extra: Updated tenable.io to only pull active sites.
  • Vulnerability Management Extra: Updated the "Triage Vulnerabilities" page to display the number of vulnerabilities to triage.
  • Vulnerability Management Extra: Updated the "View Risks" page to display the number of vulnerabilities that have been triaged into risks.
  • Vulnerability Management Extra: Updated the "Triage Vulnerabilities" and "View Risks" pages to limit the initial description displayed to 500 characters and provide a "Read More" option to expand.
  • Vulnerability Management Extra: Added a "platform" tag to risks created from Tenable.io.
  • Vulnerability Management Extra: Added a log to show when the last run of Vulnerability Management was.
  • Vulnerability Management Extra: Support for asset import from the Rapid7 InsightVM Cloud API.
  • Customization Extra: Fixed an issue where custom fields would not be displayed when editing a risk.
  • Team-Based Separation Extra: Added a suite of new permissions controls for different situations regarding the Document Program. You can now specify what attributes will give a user access to a given document including: User, Team, Stakeholders.Team-Based Separation Extra: Fixed an issue where non-admin users could not edit documents when the Team-Based Separation extra was active.
  • Email Notification Extra: Added an Action notification to send an email when a new document is added.
  • Email Notification Extra: Added an Action notification to send an email when a document has been edited.
  • Incident Management Extra: Fixed an XSS present in the IM Extra.
  • Incident Management Extra: Fixed an issue where users could not delete a newly added playbook.
  • Incident Management Extra: Fixed an issue where older versions of MySQL and MariaDB could not enable the extra successfully due to a renamed field.
  • Import-Export Extra: Fixed an issue where the Next Review Date  column is not populated when exporting the Dynamic Risk Report.
  • Import-Export Extra: Fixed an issue where the characters “‘“ and “&” would not be exported properly.
  • ComplianceForge SCF Extra: Fixed an issue where the following Frameworks did not associate with their controls successfully:
    • ISO__27018 v2014
    • MPA__Content Security Program v4.07
    • NIST__800-161 [partial]
    • NIST__800-171 rev 2
    • US__IRS 1075
    • US SSA__EIESR v8.0.
  • Encrypted Database Extra: Add a configuration to enable the Encrypted Database Extra debug logging so it does not fill up the debug log file by default.


January 22, 2022

  • Updated the file content type field max character length so long file type names will no longer be truncated when they are saved.
  • Updated the term Desired Frequency to the Test Frequency and all places you would have seen Desired Frequency previously will now pull the “Test Frequency”.
  • Added the ability to search the “Owner” and “Owner’s Manager” fields during risk submission and editing the details of a risk.
  • Added a default risk grouping entry that is assigned to all the risk categories without a group creating
  • Added a check SSL certificate option to enforce SSL certificate verification. This option is found in the “Settings” menu in the “Configure” module at the top in the “Security” tab.
  • Fixed 2 possible SQL injection vulnerabilities in the Risk Assessment Extra.
  • Added the Threat Grouping field to Add and Remove Values.
  • Fixed an issue where users could not upgrade when the table engine converting logic did not perform as expected.
  • Fixed a bug where the supporting documentation in risk details was not displayed as intended.
  • Risk Assessment Extra: Updated the design of the answers displayed on completed questionnaires, results, shared results and the compare results pages
  • Vulnerability Management Extra: Fixed an issue where the cron would not run as intended due to looking for a session cookie that did not exist.
  • Vulnerability Management Extra: Fixed an issue where the migration from Import-Export to Vulnerability management neglected to rename the asset_id field in the vulnmgmt_assets table.
  • Vulnerability Management Extra: Fixed a bug that could cause Tenable.io integration to not work properly.


December 30, 2021

  • Admin users can now manage and see saved user reports from other users for the Dynamic Risk Report. These will be displayed along with the Admin’s saved selections in the Dynamic Risk Report.
  • Reworked the Dynamic Risk Report to better handle large queries or databases with a large number of risks. Load times have been improved greatly for these situations.
  • Fixed a SQL injection vulnerability in the Risk Assessments extra. This was only possible by a user who had direct access to SimpleRisk and was not related to any pages that were sent third party via the risk assessment extra.
  • Fixed a SQL injection vulnerability in the Reporting section.
  • Fixed a SQL injection vulnerability in the Risk Management section.
  • Fixed a broken access control on a mitigation function.
  • Fixed an issue where a user could delete another user’s saved selection in the Dynamic Risk Report.
  • Fixed an issue where users could receive a 500 error when deleting a framework.
  • Fixed an issue where users could not immediately use a new Saved Selection on the Dynamic Risk Report without refreshing the page.
  • Fixed an issue where users could see duplicates of risks on the High Risk Report.
  • Fixed an issue where the correct framework controls would not always be displayed after filtering frameworks on and off in the Governance Controls tab.
  • Risk Assessment Extra: Updated the Risk Assessment Extra to allow for tabular assessments with multiple pages.
  • Risk Assessment Extra: Updated The Risk Assessment Extra to support templates.
  • Risk Assessment Extra: Updated the design of the answers displayed on completed questionnaires, results, shared results and the compare results pages.
  • Risk Assessment Extra: Fixed an issue where users could no longer create “Fill in the Blank” questions.
  • Risk Assessment Extra: Fixed an issue where Assessments were no longer closing based on the time set for “Assessments Valid for”.
  • Risk Assessment Extra: Fixed an issue with the Risk Details section in Questionnaires showing the expanded icon when closed and the closed icon when expanded.
  • Risk Assessment Extra: Fixed an issue where completion emails were not sent to contacts who were SimpleRisk users.
  • Risk Assessment Extra: Updated the Questionnaire page so that it no longer appears question answers can be edited after completing a questionnaire.
  • Risk Assessment Extra: Fixed an issue where users could double submit a questionnaire.
  • Import-Export Extra: Fixed an issue where exporting the Dynamic Risk Report would not include all columns most notably Residual Risk Score.
  • Import-Export Extra: Fixed an issue where buttons would remain disabled after an import unless the user leaves or refreshed the page.
  • Customization Extra: Added the ability to create custom fields for Frameworks and Controls.
  • Customization Extra:  Fixed an issue where activating the Customization extra would create a second copy of the Risk Mapping field.
  • Customization Extra: Fixed an issue where Risk and Threat Mapping would not function properly with Customization Extra active.
  • ComplianceForge SCF Extra: Added a catch for SCF tables already existing when updating the Compliance Forge SCF Extra
  • Organizational Hierarchy Extra: Fixed an issue where the create button would be disabled after creating a business unit.
  • Organizational Hierarchy Extra: Fixed an issue where user dropdowns would show users in all BUs that user is a member of instead of just the users in the selected BU.
  • Vulnerability Management Extra: Fixed a broken access control.


November 15, 2021

  • Upgraded TinyMCE library from 5.8.2 to 5.10.0.
  • Fixed an issue where when the Risk matrix is greater than 5x5, Contributing risk displays incorrect values after a value has been updated or changed after submission. The Risk score will be correct but the likelihood or impact whichever was changed would display incorrectly.
  • Made an update so under the "Risks and Assets" report, we now show the "%" sign after the number for the Mitigation Percent field
  • Fixed an issue where custom fields would not be ordered correctly.
  • Fixed an issue where the "Sort By" values in the Risks and Controls report show "Asset Name" and "Asset Risk" instead of "Control Name" and "Control Risk".
  • Fixed arrow icon for Risk details on the Questionnaires page facing the incorrect direction.
  • Fixed an issue where the framework_control_test_results_to_risks table is added by the assessment extra but is required for core functionality to work which would cause inoperability in certain circumstances.
  • Fixed an issue on the compliance test creation menu where lower resolutions would not display dropdowns correctly.
  • Risk Assessment Extra: Added the ability to create multiple tabs in a single questionnaire so users are no longer required to display the entire assessment all at once all of the time.
  • Import-Export Extra: Fixed an issue where the Dynamic Risk Report could not be exported with PHP 7.4.


October 27, 2021

  • Added 2 new items to the actions dropdown menu. “Mark as unmitigated” and “Mark as unreviewed” each of these will remove any data related to mitigations or reviews respectively for the risk currently being viewed. This will cause these risks to then report as being unmitigated in all reports and the same for reviews when that action is selected.
  • Returned the default display size of the Risk Assessments and Additional Notes fields to their original default size. They still retain the ability to drag and drop the corner to expand them.
  • Fixed an issue where a table required for Compliance Audit Tests was only added if the user had the Assessments extra. This was preventing users with no extras from being able to see audit tests.
  • Fixed an issue when creating a compliance test with lower resolutions not displaying multi-select dropdowns correctly.
  • Risk Assessment Extra: Fixed an issue where using PHP 7.4 and trying to view Questionnaire Results that contained no pending risk would result in an error.
  • ComplianceForge SCF Extra: Fixed an issue for missing base_url in SESSION with ComplianceForge API call.
  • Customization Extra: Fixed an issue when a large number of custom fields are selected for a project template the UI displays poorly.


October 10, 2021

  • Updated the memory limit healthcheck to handle -1 and not set values.
  • Fixed an issue where the modal windows for adding new controls would not close when adding a new control.
  • Fixed an issue where deleted controls would still be displayed.
  • Upgrade Extra: Fixed an issue where the Upgrade Extra was unable to function with active extras in some circumstances.
  • Risk Assessment Extra: Fixed an issue that prevented the upgrade script from executing when activating the extra.
  • Import-Export Extra: Fixed an issue where having Customization Extra off would prevent the system from being able to export properly.
  • ComplianceForge SCF Extra: Moved the SCF to the SimpleRisk github to prevent issues obtaining the SCF for installation into SimpleRisk.
  • ComplianceForge SCF Extra: Fixed an issue where users could receive an error regarding a table already existing when working with the Compliance Forge SCF extra.
  • Vulnerability Management Extra: Fixed an issue that would prevent the extra from installing.


Q3 2021 Release Target (September 30, 2021)

  • Added a new Control Type field. When the Control Type is Enterprise you will be able to track a status of pass fail that stays with that control, whereas before you could only review the state of a control by reviewing its most recent audit tests. This also feeds into new additions you will see on the mitigation page for Control Validation when a control is attached to a mitigation. This includes the ability to attach a control artifact.
  • Added a new feature that allows users to create a risk based on a control failure when submitting the failed control test during an audit. When users save an audit test with a test result of “Fail” the user will be prompted with the ability to submit a risk based on this failure or attaching this failed control to an existing risk. Users can select “No” to not associate the failed test with a risk.
  • Added the ability for users to configure the max subject length of risks. (Configure → Settings)
  • Added all customization fields to Dynamic Risk Report regardless of if they appear in an active template.
  • Added audit logging for documentation reviews.
  • Added the ability to select jquery CDN or local for restricted environments.
  • Updated to a lower resource costing version of the font system in place. 
  • Added filters to the Risks and Controls Report. 
  • Added filters to the Risks and Assets Report. 
  • Added Reporting for Risk Mapping to the Dynamic Risk Report 
  • Added the ability to edit asset names in the Asset Management menu. 
  • Added several improvements and details to the Risks and Assets report including new fields for highest residual risk, average residual risk, highest inherent risk, and average inherent risk. 
  • Added a filter for projects to the Risks and Assets report. 
  • Risks and Controls report now displays the color of the highest risk score in the table header for each control. 
  • Added the ability to edit asset names directly through the “Edit Assets” menu in the “Asset Management” section. 
  • Added the ability to edit Project names in the “Plan Project” menu.
  • Added additional details associated with projects. (Due Date, Consultant, Business Owner, Data Classification.) 
  • Added additional debugging to the Upgrade Extra. 
  • Added a Healthcheck to ensure php max_var_char is set properly. 
  • Added a Healthcheck to ensure php-gd and php-zip are present.
  • Integrated CSRF Magic to allow for newer versions to be included with SimpleRisk. 
  • Fixed XSS when adding an attack vector with a script in the name. 
  • Fixed XSS when adding an IM playbook with script in the name. 
  • Fixed an issue where a user could view all Asset Valuations without permission to do so. 
  • Fixed an SQLi when retrieving risks from the database.
  • Fixed an issue where changing date format would result in the Document Program next review date not automatically populating. 
  • Updated the display method for active audits to support high volumes of active audits. 
  • Fixed an issue where users could configure the risk scoring levels into a state that was not functional and could not be corrected through the UI. 
  • Fixed an issue where custom fields continued to not be exported unless currently assigned to a template. 
  • Updated jquery CDN to use google instead of jquery’s CDN. 
  • Fixed a bug where asset management using team-based separation would not block the view of assets properly. 
  • Fixed an issue where sorting by Next Review Date in the Dynamic Risk Report would cause the report to indefinitely say “Processing”. 
  • Fixed an issue where submitting a risk with any template outside of the default would cause affected assets to not poll correctly. 
  • Fixed a bug where users were unable to upgrade the Upgrade Extra unless they were on the newest release. 
  • Fixed an issue where the link generated for Management Review yes/no in All Open Risks Assigned to me incorrectly adds 1000 to the url for the risk ID. 
  • Fixed an issue where All Risks Assigned to Me report did not function as intended with team-based separation turned off. 
  • Fixed a bug where admin users could add users with invalid e-mail addresses. 
  • Fixed an issue where using the SimpleRisk API would create a session for the user that could be used to gain access to the UI. 
  • Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly.
  • Risk Assessment: Fixed a bug where Risk Submission via the Risk Analysis did not function.
  • Risk Assessment: Fixed a bug where not entering certain fields during risk submission of a pending risk would prevent the confirmation messages from displaying. 
  • Risk Assessment: Fixed an issue where Risk Analysis did not use the correct submission date format. 
  • Risk Assessment: Fixed an issue where fill in the blank questions could not be edited. 
  • Risk Assessment: Fixed an issue where Questionnaire Results would load extremely slow
  • Import-Export: Updated the extra to function with multiple templates and export the template associated with a risk and it may now be declared during import as well.
  • Customization: Fixed a bug where removing the Risk Scoring Method field would result in the risk being unable to be scored or displayed properly. 
  • Customization: Fixed an issue where removing the Supporting Documentation field would break the ability to submit risks.
  • Notification: Fixed a bug where the middle date range for sending a notification for the Document Program would not send as intended. 
  • Notification: Fixed an issue where the 3rd and furthest out date e-mail notification for Document Program would display $due_date instead of the number of days until due.
  • Team-Based Separation: Added an asset permission for “Allow all users to see assets not assigned to a team” which is checked by default. When unchecked only admins will see assets that are not currently assigned to a team.
  • Incident Management: Fixed a bug in Incident Management where the related risks subject was encrypted when the Encrypted Database Extra was enabled. 
  • Incident Management: Fixed a bug where the Fontawesome icon name changed and the disk "save" icon wasn't displaying.
  • Custom Authentication: Added the ability to manage and map Roles and Teams to users using LDAP or SAML. A new claim/assertion may be required to make those values available to SimpleRisk.
  • Vulnerability Management: This newly added extra takes the functionality once rolled into the Import/Export Extra and completely reworks the way we approach vulnerability management. Where before we would pull any and all vulnerabilities from a given instance of your application of choice we now offer the ability to filter this down by site and risk level and provide the opportunity to triage the entries added before generating risks. This extra is offered free of charge to all users who already possess a license to import/export and should already be available for download.


Q3 2021 Bug Fix Release (July 13, 2021)

  • The audit trail now records actions related to the Document Program.
  • Fixed an issue with some small icons and symbols that would not be displayed properly.
  • Fixed an issue where the Additional Stakeholders field would not be displayed as intended.
  • Upgrade: Updated the extra to update the database to the latest version instead of just the next version.
  • Upgrade: Added new checks before an upgrade to avoid issues that could make the upgrade fail.
  • Custom Authentication: Updated the extra to use the SimpleSAMLphp files that are now provided in the SimpleRisk Core.


Q2 2021 Bug Fix Release (June 30, 2021)

  • Made it so that Admin users can no longer disable their own account
  • Updated the usages of echo in the API


Q2 2021 Release Target (June 25, 2021)

  • Added a new automated backup scheduling system under Configure → Settings → Backups.
  • Increased granularity in the audit log regarding risks.
  • Increased the information retained for the audit log regarding audit test.
  • Added the ability to add custom impact descriptions for the Contributing Risk scoring methodology. 
  • Added an "About This Page" link in the help menu to provide additional context and help for the different pages in SimpleRisk. This feature is still under construction and only available for the Risk Management module at this time.
  • When no mitigating control is available for a mitigation the system will now report “No Control Available” 
  • Updated mouseover descriptions for User Permissions. 
  • The control short name is now displayed with audit tests. 
  • Removed the ability for admins to remove their own admin rights. 
  • Admins can no longer change what teams they belong to as they have access to all risks. 
  • Updated the Dynamic Risk Report so that when you group by a value that can have multiple checked for a single risk (ie. "teams"), it only shows that group once with all associated risks. In previous releases, it splits it out so if you assign a risk to multiple teams, that shows as a separate grouping. 
  • Added Project Status (Active, On Hold, etc.) to the Dynamic Risk Report. 
  • Filters on the Define Tests page are now kept after editing a test. 
  • Filters on the Define Control Frameworks page are now kept after editing a control. 
  • The Management Review filter found on Plan Mitigations and Perform Reviews is now a dropdown to be in line with mitigation planned. 
  • Added a “Back” button to the Manage Users tab in User Management when editing a user. 
  • Updated from unsupported Zend Escaper to the newer Laminas Escaper. 
  • Added Risk Scoring to the dynamic risk report to allow users to display a column of the current risk scoring methods in use for risks listed in the table. 
  • Added a field to display the Inherent Risk score from 30/60/90 days ago in the Dynamic Risk Report.
  • Added the ability to view the contributing risk likelihood and impact values in the Dynamic Risk Report. 
  • Increased control_number field size to 50 characters. 
  • Added a healthcheck to determine what the memory_limit value is set to in the php.ini file. 
  • Added a healthcheck to determine what USE_DATABASE_FOR_SESSIONS is set to in the config.php file.
  • Fixed an issue where “Current Control Maturity” and “Desired Control Maturity” values are not copied when cloning a control. 
  • Fixed an issue where browser zoom would cause the Governance → Define Control Framework page would not display properly. 
  • Fixed an issue where users could receive a notice in the PHP log when viewing the Document Program page. 
  • Fixed an issue where an Asset Group’s name would be escaped when editing and would save with unintended characters in the group name. 
  • Fixed an issue where not setting a compliance test result and leaving null would result in being unable to see that test in the past audits. 
  • Fixed an issue where long control names would not display properly in Compliance → Past Audits. 
  • Fixed a bug where approximate time was not saved when editing a compliance test. 
  • Fixed an issue with double encoding pop up menus on the Governance → Define Exceptions page. 
  • Fixed an issue where submitting a risk the displayed pop confirmation would not be escaped properly. 
  • Fixed an issue where returning the test audits last test date and next date were incorrect. 
  • Fixed an issue experienced when using Internet Explorer where the page doctype would be improperly set causing display and submission issues. 
  • Fixed an issue with the Connectivity Visualizer not showing assets when the Encrypted Database Extra is not enabled. 
  • Added a Default Desired Maturity value to Settings. 
  • Added a Default Current Maturity value to Settings. 
  • Fixed a Fatal Error when trying to communicate with SimpleRisk services when they are unavailable.
  • Fixed a potential XSS vulnerability on the Control Gap Analysis report. 
  • Fixed a potential XSS vulnerability with Control Exceptions. 
  • Fixed a potential XSS vulnerability on the Dynamic Risk Report. 
  • Fixed a potential XSS vulnerability on the View Risk page. 
  • Fixed a potential XSS vulnerability on the Custom Authentication Settings tab when mapping LDAP groups. 
  • Fixed a potential XSS vulnerability on the Plan Mitigation 
  • Fixed a potential XSS vulnerability in the Connectivity Visualizer. 
  • Fixed an issue where Team-Based Separation could be circumvented. 
  • Fixed an issue where a username matching a UID could be used to login as that username.
  • Fixed a potential XSS vulnerability on the Add and Delete Assets page 
  • Fixed a potential XSS vulnerability on the Manage Asset Groups page 
  • Limited platform to one password reset for a given user every ten minutes to prevent 'Email Bomb' attacks.
  • Customization: Added the ability to create multiple templates for use with Organizational Hierarchy.
  • Customization: Fixed an issue where User Multi-Select dropdowns would cause a risk to be unable to save.
  • Customization: Fixed an issue where the Risk Mapping field could not be restored.
  • Customization: User Multi Dropdowns will now respect organization hierarchy.
  • Custom Authentication: Added a check that prevents users from manually creating duplicate users using LDAP/SAML.
  • Risk Assessment: Added sharing functionality for Risk Assessments allowing you to give access to the results to a person who does not have a SimpleRisk login.
  • Risk Assessment: Import/Export capabilities have been updated to be more in line with how Risk imports work. Question IDs are now absolute values and no longer only relative to the import. Mapping question ID will update the question in the line and leaving it unmapped imports the question as a new question.
  • Risk Assessment: Fixed an issue where mapped controls were not saved if Compliance Assessment was not checked.
  • Risk Assessment: We now display the Question ID in various places to help with the new changes to import/export
  • Risk Assessment: When an Import is done that includes an answer that has Submit Risk set to "1" and no "Subject" defined we now set submit risk to "0" and give the user a warning that questions lacking a subject were edited to not attempt to submit a blank risk subject.
  • Risk Assessment: Imports can now be used to remove answers to a question. Only answers imported with a given question will remain on the imported question even if others already exist in the system for that question.
  • Import-Export: Added the Current and Desired Control Maturity fields to Control Import.
  • Import-Export: Added the Current and Desired Control Maturity fields to Control Export.
  • Import-Export: Filters on the Dynamic Risk report will now be respected when exporting.
  • Notification: Added a new feature allowing users to customize their notifications layout and text.
  • Notification: Fixed an issue where certain configurations in the Notification Extra Configuration page would not be saved.
  • Notification: Fixed an issue where Automated Notifications of Unreviewed / Past Due Risks fails to complete if there's a user with no review permissions and only the notify reviewer option is selected.
  • Notification: Fixed an issue where mitigation related e-mails would not decrypt properly with encryption turned on.
  • Notification: Fixed an issue where unreviewed risks did not appear in the unreviewed/past due risk scheduled e-mail
  • Notification: Added Notify Approver to the notify section for Document Reviews.
  • Notification: When a review rejects and closes a risk the close notification will now send as expected.
  • Organizational Hierarchy: Fixed an issue where Org Hierarchy would not function properly with admin users who did not belong to all teams.
  • Organizational Hierarchy: Added the ability for users to now assign individual templates based on the active Business Unit they are currently working with.
  • Organizational Hierarchy: Fixed a potential XSS vulnerability associated with the use of Organizational Hierarchy
  • Incident Management: Added permissions for Incident Management.


Q1 2021 Release Target (March 5, 2021)

  • Add a "Current Control Maturity" value for each control to define the existing level of maturity for that control.
  • Add a "Desired Control Maturity" value for each control to define the desired level of maturity for that control.
  • Added a "Control Gap Analysis" report to show all controls where the current control maturity is less than the desired level of maturity.
  • Added the ability to filter columns in the Active Audits table so that they may be searched and filtered the same way the Dynamic Risk Report works.
  • Added the ability to filter by control name on the Define Tests menu of Compliance.
  • Added the ability to filter by control family on the Define Tests menu of Compliance.
  • When Exporting to XLS via the Dynamic Risk Report all filters and configurations are now respected.
  • When using the printer friendly version of the Dynamic Risk Report column filters will now affect the generated document for printing.
  • Added the Mitigation Percent field to the mitigation columns available for display in the Dynamic Risk Report.
  • Added a last review date field to the Governance Document Program to bring its feature set in line with other repeating tasks in SimpleRisk.
  • Added a field for Team to the Document Program.
  • Level of Mitigation effort now sorts based on magnitude and no longer alphabetically.
  • Updated the Asset Selection widget to show available items on the left and selected items on the right.
  • Updated the OWASP Risk Scoring methodology so that the resulting risk score is reflective of their Overall Risk Severity.
  • Updated the Risk Catalog to have the latest information from ComplianceForge.
  • Created a new Threat Catalog with the latest information from ComplianceForge.
  • Added Assessment Uploads to the Fix Encoding page.   Now any broken attached files to assessments will be identified so they may be replaced. This only applies to files uploaded in version 20201005-001.
  • Fixed a bug where the default custom display settings for a user would be empty.
  • Fixed an issue where enabling extras in a specific order could generate an error.
  • Fixed an issue where users could create a mitigation for a risk that does not exist.
  • Fixed an issue where updating a risk could set the submission date to 00:00 of the current day.
  • Fixed an issue where using the sorting function on the comment section of the Dynamic Risk Report did not function as intended.
  • Fixed a bug where the risk appetite report would be affected by closed risks.
  • Fixed a bug where Next Review Date in the Document Program did not respect the configured date format
  • Fixed an issue where users could add projects to the system without the correct privilege to do so when executing a review or adding a risk during after an assessment.
  • When admins change a users Role or Permissions the changes will now take affect immediately instead of when the next session is set.
  • Disabling a user now immediately destroys their session.
  • Customization: Fixed an XSS vulnerability in Customization Extra Asset Field Name.
  • Customization: Fixed an issue where removing the risk mapping it could no longer be restored to the original placement.
  • Customization: Fixed an issue where custom fields would not sort properly in the Dynamic Risk Report.
  • Risk Assessment: Fixed an issue where users may record an undefined index error when submitting a new tag with a risk assessment questionnaire question.
  • Import-Export: Added the NIST 800-171 Controls to the one-click framework installation option.
  • Import-Export: Added the ability to export the list of users currently in SimpleRisk along with their roles, permissions and teams.
  • Import-Export: Added the ability to import a list of users along with their roles, permissions and teams.
  • Import-Export: Now when exporting XLS from the Dynamic Risk Report all filters will be respected in the generated export.
  • Import-Export: When creating a printable version of the Dynamic Risk Report the column filters will now be reflected in the printed version.
  • Import-Export: Fixed an issue where importing control frameworks from the GitHub was not properly capturing the framework_id.
  • Import-Export: Added the ability to map mitigating controls when importing risks.
  • Import-Export: Fixed an issue where Close Reason could not be null when importing risks.
  • Notification: Updated the user interface to use twisties to hide the details of notifications.
  • Notification: Made improvements to the notification of document reviews and fixed an issue where users would not receive them at the configured time.
  • Notification: Fixed an issue where notify on review and notify on close settings were not functioning.
  • Notification: Added new configurations for document exception notifications to bring it in line with other scheduled notifications.
  • Jira: Fixed an issue that would cause an error to be logged when submitting risks with this extra.


Q4 2020 Release Target (January 21, 2021)

  • Adding a new report to visually show relationships between frameworks, controls, risks and assets
  • Adding a new report to view latest comments and updates to risks
  • Added Last Test Date to the audit timeline report.
  • Added searchable fields from the Dynamic Risk Report to all other reports in the reporting section.
  • Re-ordered the control dropdown menus to be in alphabetical order.
  • Changed the format on the Document Program so the edit buttons are easier to use.
  • Fixed an issue where Next Review Date and Approval Date fields would display in different date formats when editing items in the Document Program.
  • Fixed an issue where users were unable to set a Last Test Date prior to the current day when editing Compliance Tests.
  • Fixed an issue where searching for items in the Document Program using Framework or Control would not function if the item belongs to multiple selections.
  • Fixed an issue where Timezone was not being displayed correctly according to what was configured in Settings.
  • Fixed an issue where editing the tags associated with an asset would submit them twice.
  • Fixed an issue where the tabs to switch between risks and the risk list would break when a risk was edited.
  • Changing a value in the Add and Remove values now records an audit entry as expected.
  • Fixed an issue where the User Permissions in the User Management were not correctly spaced.
  • Fixed a XSS vulnerability on the Settings page under the Configure menu.
  • Organizational Hierarchy Extra: Update to not show assets that are not in the same Business Unit(s) as the current user.
  • Team-Based Separation: Apply team separation to the viewing and use of assets in dropdowns, searches, and asset management.
  • Incident Management Extra: Add the ability to edit existing playbooks and add your own custom playbooks.
  • Incident Management Extra: Added incident closure states for Duplicated, Error, Expected, False Positive, Inconclusive, Precursor and True Positive.
  • Incident Management: Add an Overview report for the current month of Incidents.
  • Incident Management: Add an Incident Trend report for the past 13 months of Incidents.
  • Incident Management: Add a Lessons Learned report to show lessons learned and associated incidents.
  • Incident Management: Add an "Add and Remove Values" menu under Configure to allow users to add dropdown items.
  • Incident Management: Add a "Settings" menu under Configure to enable Incident Management configuration settings.
  • Incident Management: Updated Incident Management to use tags the same way as the rest of SimpleRisk.
  • Incident Management: The “Collected on” field will now save properly when users have a date format set other than default.
  • Incident Management: Editing and saving incidents no longer duplicates notes/evidence.
  • Customization: Fixed an XSS on the Customization Extra configuration page.
  • Customization: Fixed an issue where users could not disable the Risk Mapping field.
  • Customization: Fixed an XSS on the All Open Risks By Team By Risk Level report while using Custom Fields.
  • Customization: Fixed an XSS on the Management Review page when using Custom Fields.
  • Risk Assessment: Fixed an issue where after Assessments was turned on for the first time some text would be displayed somewhere randomly on the next page loaded.
  • Risk Assessment: Fixed an issue where adding a new tag to an answer would not make it available for later use in dropdowns.
  • Risk Assessment: Unified how tags work in Assessments to match the rest of SimpleRisk.
  • Risk Assessment: Changed the separator for multiple tags on active/closed risks on the questionnaire results page as commas were found to be misleading.
  • Jira: Added the ability to have a risk added in Jira trigger a new risk in SimpleRisk.
  • ComplianceForge SCF: Fixed an issue where users would receive an error when disabling the ComplianceForge SCF Extra.


Q4 2020 Bug Fix Release (November 23, 2020)

  • Added a page to identify any broken files as a result of the 20201005-001 upload bug. You will
    find this page in the Configure menu at the top followed by Fix Upload Issues on the left. If
    you do not see it then you have not been affected by this bug. If you do see this page you need
    to go into it and it will allow you an easy place to identify the broken uploads and upload
    replacements to replace them.
  • Added a warning when the max tag length of 255 is exceeded.
  • Fixed the display issue causing problems viewing the edit and delete buttons in the Governance
    Document Program.
  • Fixed a UI bug in the User Management page.
  • Custom Authentication: Fixed an issue where SAML authentication did not work if SimpleRisk was not being run out of the web server context root.
  • Custom Authentication: Fixed a bug that would leave a php warning in the log when an AD user’s account is
    created upon the first login.
  • Customization: Fixed an issue where the Risk Mapping field was unable to be removed from a template.
  • Risk Assessment: Fixed a bug where the questionnaire tracking table was not set to use innodb.
  • Encryption: Fixed an issue with hitting the API while encryption is on.
  • Encryption: Fixed an issue where users were unable to sort by a given column on the Dynamic Risk
    Report as long as Encryption was enabled.
  • Organizational Hierarchy: Fixed a performance issue for SAML users with Organizational Hierarchy enabled.
  • Import-Export: Saved Reports will now export to XLS properly on the Dynamic Risk Report.
  • Import-Export: Fixed an issue where exported affected assets not properly escape certain symbols.
  • Import-Export: Added the FedRAMP Low Baseline Controls to the one-click framework installation option.
  • Import-Export: Added the FedRAMP Moderate Baseline Controls to the one-click framework installation option.
  • Import-Export: Added the FedRAMP Low Baseline Controls to the one-click framework installation option.
  • Import-Export/Risk Assessment: Added NIST SP 800-171 DoD Assessment to the one-click assessment installation option.
  • Email Notification: Fixed an issue preventing scheduled notifications from being sent.
  • Incident Management: Fixed an issue where updating the incident subject didn't show after being saved.
  • Incident Management: Fixed an issue where updating the incident status didn't show after being saved.
  • Incident Management: Fixed an issue where the risk subject was not decrypted with Encryption enabled.
  • Incident Management: Fixed an issue where the asset name was not decrypted with Encryption enabled.


Q4 2020 Bug Fix Release (November 6, 2020)

  • Fixed a bug causing empty files to be uploaded for every file upload function in SimpleRisk.


Q3 2020 Release (October 5, 2020)

  • Ordering of Past Audits under Compliance by time, in addition to date, so that the last one completed displays at the top.
  • Rewrote the API health check to more closely reflect an actual API call.
  • Updated the way that SimpleRisk handles user permissions to make it easier to add new permissions going forward.
  • Updated the way that SimpleRisk handles sessions for improved visibility and consistency.
  • Ability to customize views for the Plan Mitigation, Perform Reviews and Review Regularly pages
  • Ability to filter by asset tags in the Risks and Assets report
  • Creation of a Printable View of the groupings in the Dynamic Risk Report
  • Added GUI-based notifications of when licensed Extras have expired.
  • Fixed a console message about refusing to load the image URL because it violates the CSP directive.
  • Custom Authentication Extra: Added ability to select sAMAccountName and userPrincipalName as a Username Attribute when using LDAP authentication.
  • Notification Extra: Fixed a bug affecting scheduled notifications.
  • Import-Export Extra: Added the ability to install and uninstall frameworks from the GitHub repository with the click of a button.
  • Import-Export Extra: Added AICPA 2017 SOC2 Trusted Services Criteria (TSC) to the one-click framework installation option.
  • Import-Export Extra: Added CIS Critical Security Controls v7 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 1 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 2 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 3 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 4 to the one-click framework installation option.
  • Import-Export Extra: Added CMMC v1.02 Maturity Level 5 to the one-click framework installation option.
  • Import-Export Extra: Added Information Security Regulation Version 2.0 to the one-click framework installation option.
  • Import-Export Extra: Added NIST 800-53 to the one-click framework installation option.
  • Import-Export Extra: Added NIST Cybersecurity Framework (CSF) to the one-click framework installation option.
  • Import-Export Extra: Added PCI DSS v3.2.1 to the one-click framework installation option.
  • Import-Export Extra/Risk Assessment Extra: Added the ability to install and uninstall assessment templates from the GitHub repository with the click of a button.
  • Import-Export Extra/Risk Assessment Extra: Added NIST Cybersecurity Framework (CSF) to the one-click assessment installation option.
  • Import-Export Extra/Risk Assessment Extra: Added PCI DSS v3.2.1 Self-Assessment Questionnaire D for Merchants to the one-click assessment installation option.
  • Incident Management Extra: Bug that each playbook is not treated as per incident.
  • ComplianceForge SCF Extra: Updated to display the SCF Control Number as part of the control short name and both the SCF Control Number and SCF Domain as part of the control long name.
  • Risk Assessment Extra: Addition of a risk catalog linked to questionnaires and the Secure Controls Framework
  • Risk Assessment Extra: Updating the Additional Notes with Assessment Information


Q2 2020 Release (July 11, 2020)

  • Ability to attach files to policy and control exceptions
  • New permissions under Risk Management for creating, deleting, and managing projects
  • New permissions under Compliance for defining tests and initiating and managing audits
  • Ability to save the column filter selections in the Dynamic Risk Report
  • Fixed a bug with sorting by Subject in the Dynamic Risk Report
  • Fixed a bug where the "Define Tests" page under Compliance would refresh after a new test had been added
  • Added a report under Configuration -> User Management to track users and all of the responsibilities they are associated with.
  • Added a report under Configuration -> User Management to track users and all of the roles they are associated with.
  • Updated the Risks and Controls report to sort by the inherent risk score for the "Risks by Control" view.
  • Added the ability to select a "Document Owner" from the Document Program menu under Governance
  • Added an "Additional Stakeholders" user multi-select dropdown in the Document Program menu under Governance
  • Added an "Approver" user select dropdown in the Document Program menu under Governance
  • Added a "Next Review Date" date select field in the Document Program menu under Governance
  • Added a "Review Frequency" field in the Document Program menu under Governance
  • Added the ability to choose whether to sort by Asset Name or Asset Risk in the Risks and Assets report
  • Added the ability to choose the columns displayed for the Active Audits page under Compliance
  • Removed Obsolete Reports from Reporting
  • Updated to invalidate the old password reset token for a user if a new token is generated
  • Change "Review Date" to "Approval Date" in the Document Program menu under Governance
  • Changed the Health Check to a tab layout and added a Summary tab
  • Added a new health check to ensure the SimpleRisk Base URL defined in Settings matches the base URL that is being used to access the instance
  • Import-Export Extra: Added the ability to save custom fields in the Import/Export mappings.
  • Team-Based Separation Extra: Added a report under Configuration -> User Management for users mapped to teams and teams mapped to users.
  • Email Notification Extra: Added the ability to send automated notifications for document reviews.
  • Organizational Hierarchy Extra: The Organizational Hierarchy Extra enables the ability to define multiple Business Units which can include any number of teams. Users can then be assigned across one or more teams under various Business Units. This affects a user's ability to see and use the teams, users, and assets which they are not associated with.
  • Incident Management Extra: The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.


Q1 2020 Release (March 28, 2020)

  • Add filterable and sortable columns for Dynamic Risk Report and similar tabular views of data
  • Enhance usability of the Dynamic Risk Report by creating expandable sections
  • Performance improvements by converting concatenated ids to junction tables and adding indexes
  • Ability to choose if High Risk Report is based on the Inherent or Residual risk score
  • Fix for creation of circular references with control framework parent-child relationships
  • Fix for different looking Action buttons on the Audit Timeline report
  • Added a new audit log type for user events
  • The Risks and Assets report now includes the risk's locations/teams in the row instead of the asset's locations/teams.
  • Group names are now included on the Assets by Risk report in brackets.
  • The Audit Trail now includes an entry when a framework is deleted.
  • After adding a test to a control, you are now brought back to the same place you were when you clicked "Add Test".
  • Changing user permissions while a session is open will now immediately take effect without the need to logout.
  • Added the ability to control whether the "High Risk Report" is based on the Inherent or Residual risk score.
  • Added a new health check to see if an Extra is compatible with the SimpleRisk instance version.
  • Added a new health check to see if an instance is running the most recent version of an Extra.
  • Added a new health check to check for proper MySQL database user permissions.
  • Sorted the "Mitigation Controls" dropdown when planning a mitigation in alphabetical order.
  • Fixed an issue in the Risks and Assets report where assets that were part of an asset group were not displayed when the asset was assigned to a risk and the asset group was not.
  • Fixed a bug where using the "Group By" feature on the Dynamic Risk Report would show both a column header and footer when that was not necessary.
  • Updated a function that caused an error when the SimpleRisk Base URL was not set.
  • Fixed a bug when updating your user profile language while selecting "--".
  • Fixed a bug where users would not receive password reset emails without setting the simplerisk_base_url value.
  • Fixed an issue where MySQL instances with STRICT_TRANS_TABLES enabled would throw an error if too many characters were entered into the Compliance related fields.
  • Fixed a bug where the risk levels for "Custom" Classic Risk scoring were not being set properly.
  • Removed Control Regulation from Add and Remove Values as this is now managed through the Governance section of SimpleRisk.
  • Fixed a UI bug that would occur when a Framework's name was too long.
  • Fixed an issue where reporting with Risks and Assets would cause an incorrect maximum quantitative loss when an asset group was attached to a risk.
  • Fixed a bug that was causing the Site/Location and Asset Valuation for assets to not accept new changes.
  • Fixed various issues that occur when SimpleRisk is run from a sub-directory of the virtualhost's web root.
  • Fixed a bug where all pages were making unnecessary calls to the SimpleRisk update server.
  • Fixed a bug where circular references could be made for Frameworks using parent/child associations.
  • Fixed undefined index errors on the Risk and Controls report.
  • Fixed a bug where the Contributing Risk popup window was named "SimpleRisk OWASP Calculator" instead of "SimpleRisk Contributing Risk Calculator".
  • Added the ability to set SimpleRisk to make requests via a proxy through the SimpleRisk UI under the "Security" tab in Configure -> Settings.
  • Open sessions are now immediately invalidated when a password is reset.
  • When account lockouts occur, any active sessions from that account are also invalidated.
  • Various security fixes
  • ComplianceForge SCF: Changed the user interface for enabling and disabling frameworks.
  • ComplianceForge SCF: Added functionality to dynamically download the current ComplianceForge SCF release and update SimpleRisk with the new controls and mappings.
  • Jira: Integration with Jira (Official Release)
  • Risk Assessment: Added a new "Fill in the blank" question type
  • Risk Assessment: Added the ability to send assessments to users already defined in SimpleRisk
  • Email Notification: Fixed an issue where email notifications were not sent with risk closures.
  • Custom Authentication: Added the ability to add a manager attribute through LDAP to the account created in SimpleRisk.
  • Custom Authentication: Added the ability to specify display name, email address, and manager username value attributes for SAML authentication.
  • Custom Authentication: Updated SAML authentication to handle when strict_user_validation is turned off.
  • Upgrade: Continuing to move closer to a true "one-click" upgrade process.
  • Customization: Added an option to have results in a single-select or multi-select dropdown displayed in alphabetical order.
  • Customization: Added a new "Hyperlink" custom field that allows users to create clickable hyperlinks in their templates.
  • Import-Export: Fixed a bug with importing existing assets with updated custom fields.
  • Import-Export: Fixed a bug where the "Export to XLS" button did not work in the Dynamic Risk Report unless a subject column was selected.
  • Import-Export: Added the "Date Closed" column for risk exports.
  • Import-Export: Added the ability to import a Mitigation Submission Date value.
  • Import-Export: Updated import mappings to store custom fields.
  • Import-Export: Added "Additional Stakeholders" to imports.


Q4 2019 Release (November 30, 2019)

  • Added a selection to view the Date Closed value on the Dynamic Risk Report.
  • Updated existing multi-select dropdowns to be searchable and scrollable.
  • Added the ability to search tags when filtering by tags in the Dynamic Risk Report.
  • Added a new filter on the Compliance Active Audits page that allows you to filter based on the "Test Name" column.
  • Added a new filter on the Compliance Past Audits page that allows you to filter based on the "Test Name" column.
  • Added a new "Actions" column in the Audit Timeline report enabling the user to initiate a new audit of the test, view active audits of the test, or view past audits of the test directly from the page.
  • Updated the Team field for assets to be a multi-select dropdown.
  • Updated the "Associated Frameworks" under the Audit Timeline report so that only active frameworks are displayed.
  • Added the ability for a user to select any document type as a parent in the Document Hierarchy on the Governance page.
  • Removed the ability to create a risk subject with only whitespace characters.
  • Removed the "report requires PHP >= 5.5" message if you are running PHP >= 5.5.
  • Added a health check to detect an outdated version of PHP.
  • The missing "Initiate Test" functionality was added back to the Initiate Audits page.
  • Fixed an issue where the pop up menus were no longer able to be scrolled through.
  • Fixed an issue where filtering by an asset or asset group in the Dynamic Risk Report did not work.
  • Fixed an issue where you could not make a tag that contained spaces in it.
  • Fixed an issue where you could not sort by Residual Risk Score in the Dynamic Risk Report after grouping by risk level.
  • Fixed an issue where the Dynamic Risk Report did not properly group by risk level when using custom risk level names.
  • Fixed an issue where changing tabs in the Configure -> Settings menu caused the Risk Appetite slider to disappear until the page is refreshed.
  • Fixed an issue where the "All" button on the Risk Appetite Report did not expand to show all risks under the selected tab.
  • Fixed a spelling issue for "Mitigation Supporting Documenttation" under the Mitigation tab in the Configure, Extras, and Customization menus.
  • Added additional code to prevent a time-based account enumeration attack on login.
  • Fixed a CSRF vulnerability with the new one-click-upgrade functionality.
  • Fixed a SQL Injection vulnerability with audit trail logs.
  • Fixed a Stored XSS vulnerability with the new risk appetite functionality.
  • Fixed a Stored XSS vulnerability with the Frameworks and Controls tabs.
  • Fixed an issue where any user could access the list of Framework Controls.
  • Fixed an issue where an unprivileged user could change the risk levels.
  • Jira: Integration with Jira (Beta)
  • Risk Assessment: Created a new "Control Audit" button when viewing a questionnaire result that will show all controls mapped to the question asked, their associated frameworks, and whether the answer was a "Pass" or "Fail".
  • Risk Assessment: Made it so that each time a pending risk is accepted it did not reload the entire page.
  • Risk Assessment: Fixed an issue where you would receive a datatables error if you added a text filter for questionnaire questions and select a filter template.
  • Email Notification: Fixed an issue where the scheduled reporting section of the Notification Extra would send e-mails to users it should not send emails to.
  • Upgrade: Fixed an issue where the Upgrade Extra would throw an error regarding undefined available_extras when attempting to upgrade even if no upgrade was needed.
  • API: Added an API query to update the values of a risk.
  • API: Fixed an issue in the API Extra when attempting to create a new API key for a user.
  • Customization: Fixed an issue where required asset fields would inhibit database upgrades.
  • Import-Export: Added support for asset groups to Tenable and Rapid7 integrations.
  • Import-Export: Fixed an issue where you could not import fields set to be encrypted using the Customization Extra.


Q3 2019 Release (September 30, 2019)

  • Ability to define a custom "risk appetite" value
  • Creation of a new "Risk Appetite" report that shows separate tabs for risks within and outside the appetite
  • Ability to save selections in the Dynamic Risk Report with a name 
  • Ability to share saved selections in the Dynamic Risk Report with other users
  • Customization: Ability to define custom fields as required
  • Risk Assessment: Ability to add sub-templates as questionnaire logic
  • Customization/Encryption: Ability to define custom fields as encrypted
  • Risk Assessment: Ability to audit questionnaire responses against a defined control framework


Q2 2019 Release (June 30, 2019)

  • Addition of a "Manager" value for each user that will automatically populate the "Owner's Manager" field for risks
  • Fix for IE10 compatibility issues
  • Add the "Mitigation Control" value to the Dynamic Risk Report
  • Updated handling of roles so that user permissions change when role permissions are changed
  • Fix so that updating a control in the Governance section doesn't refresh the entire page
  • Add an audit trail entry for Accepting and Rejecting a Risk Mitigation
  • Add functionality to combine multiple assets into an "Asset Group" that can be added to a risk
  • Add translations for the Mongolian language
  • Association of teams with audit tests
  • Ability to delete active audits
  • Risk Assessment: Ability to select multiple contacts for an assessment
  • Import-Export: Ability to import vulnerabilities with Rapid7 Nexpose
  • Import-Export: Export of controls to a CSV file
  • Ability to specify your own scores for risks depending on the likelihood and impact values
  • Team-Based Separation: Restrict access to audit tests by associated team
  • Advanced Search: Creation of a new SimpleRisk Extra to enable more targeted search criteria


Q1 2019 Release (March 31, 2019)

  • Addition of tagging of risks and assets
  • Addition of asset groups
  • Addition of text-based description for asset valuation range
  • Enable project selection as part of risk review
  • Association of Frameworks and Controls with Policies, Guidelines, Standards, and Procedures
  • Ability to Document Exceptions to Policies and Controls
  • Addition of a help menu
  • Addition of the Audit Timeline report
  • Customization of e-mail prepend value
  • Ability to export the audit log
  • Import-Export: Ability to import assets with Rapid7 Nexpose