November 2023

New features & updates

Secureframe API

We recently introduced Secureframe API - so customers can use a REST API to programmatically write and read data, to and from Secureframe. Now, users can integrate with and pull evidence from any tool or service – whether it’s your cloud-based applications or your local systems – beyond our 200+ native integrations. Read more about Secureframe API in this blog.

Quantitative Risk Assessment for Enhanced Risk Management

We have expanded our Enhanced Risk Management offering to include quantitative risk assessment using the Annualized Loss Expectancy Methodology. This methodology delivers a more precise understanding of a risk in terms of financial loss. 

New Risk Management Capabilities

This month we introduced more features and capabilities to the Risk Management solutions so you can save time, streamline tasks, and improve collaboration. All customers can now benefit from the following:

• Flexible CSV uploads: You can easily upload your risk register to Secureframe without any pre-work. Our flexible CSV uploader provides an intuitive workflow that allows you to import your existing risk register into Secureframe without taking time to format it based on our templates.
• Document attachments: You can now attach documents related to a risk during the risk assessment workflow. For example, you may attach proof of cyber liability insurance for a risk you chose "Transfer" as its treatment.
• Tasks and notifications: You can now create risk management tasks in the Secureframe platform with the option to send notifications via a preferred notification delivery method – email, Jira, or Slack.
• View and delete archived risks: You can now view and track archived risks and hard delete a risk from the archives, such as if a risk was added by accident or is a duplicate. All hard deleted risks cannot be reverted.

Read the blog to learn more.

Organizations & Child Accounts

Customers can now organize cloud resource integrations (AWS, Azure & GCP) using Organization and Child (project/subscription) connections. You can easily set up, see, filter, sync, and exclude child connections to better manage cloud resource integrations in Secureframe.

Find documentation for each provider here: AWS, Azure, GCP

Add Custom Security Training URLs

We added the ability to link third-party security training vendors within the Secureframe training module. If you select “Other (Third Party)” as your security awareness training vendor, you now have the option to include the URL for that training. Your employees can access the link to the training within the Secureframe platform. This will direct them to the training site where they can complete their security awareness training.

New Policy Editor with AI-powered Text Revisions

We added enhanced functionality to our policy editor with a more comprehensive editing toolset and AI-powered text revisions. The improvements to the policy editor include the ability to comment on a policy to improve collaboration and an advanced editing toolset to make it easier to build, customize, and publish policies. Our new editing tool set includes: advanced tables, find and replace, seamless copy and paste from Google Docs, Word, and Excel, and more

In addition, we added our latest AI-powered capability, Comply AI for Policies, which uses generative AI to help you write and refine your policies. Comply AI for Policies improves productivity by saving you hours of work by delivering clear and polished policies that align with the tone and voice of your organization. To use Comply AI for Policies, highlight the area of text you want to revise and either select from the out-of-the-box prompts or send a custom prompt. Generative AI will provide suggested changes for you to review and choose to insert the changes, ask it to try again, or discard the changes.

Read the blog to learn more.

Device Archiving

Now, customers have the ability to archive devices by archiving the associated vendor.

October 2023

New features & updates

Improved Risk Management module with Comply AI for Risk

We recently launched our new enterprise-grade Risk Management tool that includes an AI-powered risk assessment workflow with Comply AI and an Enhanced Risk Management module tailored to your unique business needs.

The end-to-end Risk Management tool includes:

• Risk register to track and manage risks
• Risk library to easily identify risks 
• Risk assessment workflow to determine risk scores and treatment plans
• Risk history to easily track changes 
• Control mapping to link mitigating controls to risks

The Enhanced Risk Management module offers more robust and flexible tools, including:

• Dashboards
• Custom scores
• Custom tags

Read the blog to learn more about the improved Risk Management module. 

Office365 User Filtering

Companies can now optionally exclude unlicensed accounts and guest accounts from being pulled in on the Office365 integration. Existing connections must be archived and a new connection must be created for this functionality to work.

Read-only Policies

We just added the ability to make policies read-only. For policies that do not require acceptance, you can now mark them as read-only when editing. Personnel reviewing these policies will not have to select ‘Accept’. Learn more about Secureframe policy management here.

Enhancements to Azure Active Directory Integration

Users of Azure AD can now pull fields like:

• MFA status for users 
• Start and end date for employees 
• Job title for employees

Find more information about Azure AD permissions in this article.

JamfPro Screen Lock Support

The JamfPro integration now syncs screen lock information for Mac and Windows, and each respective test is now automated. Find all of our integrations here, and please reach out if you have additional questions.

September 2023

New features & updates

New Bulk Action Bar

We recently added a new bulk action bar on the following pages:

• Personnel
• Tests
• Asset Inventory

We've consolidated the individual bulk action buttons from the top menu into a dedicated bar that floats on the page as a user scrolls to make bulk actions easier than before. 

Additional Trust Services Criteria

We have added two optional trust services criteria (TSC) to your existing SOC 2 report - processing integrity and privacy. It is up to your business to decide if either of them is in scope for your compliance program.

Processing integrity provides assurance that information in the audited system is complete, valid, accurate, timely and authorized to fully satisfy the entity's objectives. Privacy provides assurance that personal identifiable information (PII) is safeguarded beyond the minimally required security requirements. 
These will be defaulted to disabled for your existing report and will not impact any passing percentages unless enabled. Please don’t hesitate to contact us if you have any questions.

AWS Inspector Update

An updated Amazon Inspector integration is available for AWS customers. This iteration of Inspector is more scalable, supports container images and multi-account management, and uses AWS Systems Manager Agent, among other improvements. We will continue syncing Inspector Classic in AWS accounts where it is used - no need to switch immediately.

Improvements to Custom Control Creation and Bulk Mapping

We just released a new way for customers to create custom control AND map either existing or new custom controls to framework requirements all in 1 CSV. Now, you can:

• Auto update date fields
• See warnings on invalid inputs
• Find suggestions on typo mistakes

Find more information in this Helpdesk article.

Improvements to Secureframe Questionnaire Automation

We've introduced updates to Secureframe Questionnaire Automation, including:

• Improvements to the Questionnaire model performance that enhances customer automation rates
• Security Questionnaires Starter Pack: we highly recommend that customers fill out this starter pack of the most commonly requested security questionnaires to maximize their success.

August 2023

New features & updates

Comply AI for Remediation is now available for AWS, Azure, and GCP

Comply AI for Remediation is now available for all Secureframe customers. Comply AI for Remediation uses generative AI to provide infrastructure as code remediation guidance to fix misconfigurations in AWS, Microsoft Azure, and Google Cloud Platform (GCP). Remediation methods include: 

• Command Line Interface (CLI)
• Terraform
• AWS CloudFormation
• AWS Cloud Development Kit (CDK)
• Azure Resource Manager (ARM)
• GCP Deployment Manager

Custom Frameworks

We now offer the ability to create custom frameworks! Customers can now incorporate into a custom framework things like specific security controls, processes, and policies that align with your organization’s unique requirements, industry standards, and regulatory obligations. Map existing tests and controls (pre-built or custom) to your custom framework for a more comprehensive and personalized approach to compliance management. Find the documentation for custom frameworks and reach out to support@secureframe.com for more information on how to get started.

Test Library

Our new Test Library offers a repository of all Secureframe and user-created custom tests. This provides customers with the ability to leverage the extensive suite of automated tests available in the Test Library for your custom controls and frameworks. Users can access this inventory of tests that may not be directly mapped to specific frameworks, allowing them to incorporate additional tests and take advantage of the hundreds of automated tests that Secureframe has already built.  Access the Test Library from the “tests” page in the left side navigation, and find the documentation here for further guidance.

Trust Center Improvements

By popular demand, we recently delivered two improvements to Secureframe’s Trust Center: 

1. Custom email destinations for document request notifications. You can now set document request notifications to mail to specific people or group inboxes!
2. The ability to host FAQs on your Trust Center to reduce the need to fill out a security questionnaire for a prospective customer. You can now add FAQs and answers in the Trust Center Site Designer.

default Version Control Branches

Users can now specify default branch and testing settings for repositories in integration connection settings. Settings are applied to only new repositories synced and do not affect repositories that have already been synced.

July 2023

New features & updates

Personnel Management Updates

We recently revamped the personnel management page to provide a better user experience. The update includes a new personnel table, as well as a notification bar at the top of the page alerting users of unlinked accounts.

Unlinked accounts are accounts Secureframe is unable to link to an existing user. Users can click on the unlinked accounts notification to review the unliked accounts and link them to a respective user. Unlinked accounts can also belong to former employees or service accounts.

Integration with DigitalOcean

We’re excited to announce an integration with DigitalOcean, a cloud hosting provider that offers cloud computing services and Infrastructure as a Service (IaaS). Secureframe automatically pulls relevant data from DigitalOcean and tests access, application, networking, storage, monitoring, and alerting configurations for applicable framework compliance. To get started with DigitalOcean, find and connect from the integrations tab in Secureframe.

June 2023

New features & updates

Comply AI for Remediation

We expanded our AI-powered capabilities with the launch of Comply AI for remediation. Comply AI automatically generates infrastructure as code (IaC) remediation guidance to fix misconfigurations in AWS. The capability also features a chatbot for users to submit requests and get more tailored remediation. Comply AI will soon work with Google Cloud and Microsoft Azure for faster and easier cloud remediation. Learn more about Secureframe AI here.

Custom Controls

We are excited to announce the ability to create custom controls in Secureframe! The Controls tab enables you to view a list of controls mapped to their respective frameworks and the health status of those controls. You now have the ability to add custom controls individually or in bulk, tailoring the platform to meet your organization's unique needs. This customizability enables you to incorporate specific security controls, processes, and policies that align with your requirements.

AWS GovCloud Integration

We are excited to announce that Secureframe now offers an integration with AWS GovCloud, providing users the same Secureframe experience as customers operating in commercial environments. By automating compliance tasks such as monitoring, policies, and evidence collection, Secureframe simplifies the compliance process for organizations navigating the complexities of federal regulatory requirements, while ensuring the security of government-related workloads and data. Secureframe provides visibility around security vulnerabilities and misconfigurations in your GovCloud environment, and monitors compliance against federal compliance frameworks. Read the blog.

New Company Onboarding

We made updates to our company onboarding for a better user experience. With our new onboarding, we’ve reduced the number of onboarding steps, integrated onboarding throughout the rest of the platform to deliver a more seamless experience, and provided more context to help users easily navigate their onboarding. 

May 2023

New features & updates

Secureframe Trust

We recently announced the availability of Secureframe Trust – a powerful combination of our Trust Center, Knowledge Base, and ML-powered Questionnaire Automation solutions. 

Now, you can proactively showcase the measures your organization is taking around security, compliance, and privacy with a Trust Center that continuously pulls in data from the Secureframe platform. You have the ability to customize this page - show only what you want to show, and adjust the look and feel of your Trust Center with customized logos, colors, and information. You can upload documents, review/approve/deny requests for information, and enforce automated NDAs. If a visitor has additional security questions after perusing your Trust Center, they can submit an RFP or questionnaire, and our Questionnaire Automation and Knowledge Base can help streamline that process.

Learn more about Secureframe Trust here.

Export tests as JSON

We recently added the ability to view and export raw JSON evidence for AWS, Azure, and GCP to aid in remediation for your failed tests. JSON provides more detail so you can easily identify the reason a test failed and quickly remediate the issue. Raw JSON is helpful for your auditors as well because it reduces the amount of time it takes them to review the evidence and provides them with additional details to help minimize follow-up questions. 

When downloading a test, you will now see two options: ‘Download Test data (.csv)’ or ‘Download Test data (JSON)’. You can easily navigate the JSON evidence for every resource associated with a test using the arrows in the platform which allows you to review on an individual resource basis so you can focus on a specific area of concern

If you choose to download as JSON, it will contain details for all of the resources associated with the test. This will help you get as much or as little information as you need to remediate issues in your cloud infrastructure and maintain compliance. Learn more about exporting tests as JSON here.

Updated Navigation Experience

We made updates to the navigation in the platform to make it easier for you to find what you're looking for. The update groups pages together so they are more organized for a better user experience. Check it out on the platform today!

Ability to filter on unconfigured repos

We recently added the ability to add "has_production_branches" as a filterable field to the repositories table and search_data. This allows customers to see where they need to apply configurations, which need to be complete for the associated tests to work.

April 2023

New features & updates

Upload PDF Policies

This month, we introduced the ability to upload PDF policies to Secureframe, giving our customers flexibility during the onboarding experience. Policies are governing documents describing what an organization does to ensure security and compliance. 

Now users have the ability to directly upload one or multiple PDF policies, in addition to using the inline editor. Find more information on creating and editing policies here.

New Secureframe Training Lessons

Secureframe Training automates training for SOC 2, HIPAA, PCI DSS, GDPR, and more – so organizations can quickly meet security and privacy compliance requirements and save time assigning, tracking, and reporting on required training.

This month we introduced two new lessons to our Security Awareness Training module: Anti-Counterfeiting and Privacy. Find the new lessons in Employee Onboarding > Training, or reach out to learn more about how you can easily deploy and track required employee training with Secureframe.

Passing with Upload Indicator

We recently added a visual indicator for tests, to show tests that are passing but also adding the ability to show if each test has evidence uploaded against it.

Default Group Assignments

Before, we defaulted policies to be assigned to the "Employees" and "Contractors" groups when publishing them for the first time. The edit policies multi-select only showed up when editing an existing policies. Now, when creating or publishing a new policy, there's an option to group multi-select in the editor view when creating a policy for the first time, pre-populated with "employees" and "contractor" groups if no other groups are present.

Policy Acceptance Date

We made a change to policies to always show the last accepted date for policy acceptance. This ensures accountability and notiication of changes - showing the last accepted date helps users stay informed about changes in policy and reminds both users and admins to review the policies periodically.

March 2023

New features & updates

Manage Test Updates on the Test Activity Dashboard

In March we launched an exciting new feature that improves automation and helps with continuous compliance: Test Activity Dashboard. This new experience allows Secureframe to keep your tests up-to-date with the latest automation enhancements and compliance checks.

New or updated tests appear on the dashboard depending on the frameworks you have signed up for. Keep your tests in their current state if you have an upcoming audit and want to wait to switch to the new/updated test. For any new/updated tests, you have a Required Action Date that is at least 3 weeks after the test is introduced into your account. 

If you don’t take any action, the new/updated tests will be automatically introduced into your account on the required action date. Future releases for test changes happen on a periodic basis on the last Friday of each month. 

Learn more here.

Enhanced Microsoft Intune Automation

We recently enhanced four upload tests for Microsoft Intune with automation:
1) Anti-malware is enabled on user endpoints is enforced via Microsoft Intune
2) Screens lock on production user endpoints after a maximum of 15 minutes of inactivity, enforced via Microsoft Intune
3) Local firewall cannot be disabled by the user and log continuously on production user endpoints, enforced via Microsoft Intune
4) Strong password policy of at least 8 characters and alphanumeric is enforced on user endpoints via Microsoft Intune

Read more about Secureframe's endpoint security here.

Enhanced Jumpcloud Integration

We've made enhancements to our integration with Jumpcloud for centralized identity and access management (IAM), easier user provisioning/deprovisioning, and streamlined compliance monitoring. This integration allows you to sync devices-related information from your JumpCloud account and automates compliance checks and evidence collection (for example, hard drive encryption enforcement) using JumpCloud's REST APIs. Learn more about the integration and how to connect to it here.

February 2023

New features & updates

Real-Time Support Through Live Chat

Now you can chat in real-time with a Secureframe Customer Experience Representative! Just as before, if you need help you can go to “Help & Support > Chat”. Once a chat is initiated, if you want to chat online with a Secureframe representative, you will be offered the option “I still need support”. If you click this button, you will be able to speak to a Secureframe Customer Experience rep. Our representatives are available Monday - Friday from 9AM - 7PM ET. 

Learn more here.

Announcing Secureframe for MSPs

We are excited to expand the Secureframe Trusted Partner Program to include our world-class MSP Partner Program and launch our multi-tenant portal to make it easy for service providers to bring the power of Secureframe’s compliance automation platform to their clients. Secureframe for MSPs offers:

• Centralized account management: Purpose-built to help service providers manage their customers’ end-to-end compliance journey, Secureframe’s multi-tenant portal centralizes all activities related to each customer’s security and privacy compliance into a single pane of glass.
• Streamlined deal management and support: Secureframe’s partner portal (PRM) enables service providers to register deals and gain access to marketing, sales, technical support, and other resources to close deals, serve clients, and grow revenue.
• Enhanced revenue earning potential: Secureframe’s partner program unlocks new revenue streams through its referral, reseller, security consultants, and MSP/MSSP options where partners can function as any or all partner types depending on their business model and preference
• DattoRMM integration: Secureframe’s integration to DattoRMM, used by MSPs to remotely secure, monitor, and manage endpoints, automates evidence gathering for antivirus software, asset inventory intelligence, and more.

Custom Upload Tests

We recently introduced custom upload tests, which allow you to author your own upload tests in the Secureframe platform. Custom upload tests offer tailored compliance validation for individual business needs, comprehensive coverage, and increase flexiblity and scalability in your security posture. If the existing Secureframe authored tests do not cover your company’s criteria, you can create a new test or set of tests that take uploads as evidence. These can be standalone tests or can be mapped to controls in existing security frameworks activated in your account. On the test page in Secureframe, you can create or delete custom upload tests. Learn more about custom upload tests here.

DattoRMM Integration

To further enable service providers for success and based on partner demand, Secureframe has added a new DattoRMM integration. The integration pulls automated configuration evidence like the presence of antivirus software, asset inventory intelligence, and more into the Secureframe platform to further demonstrate a client’s security and privacy posture.

January 2023

New features & updates

Secureframe Questionnaire Automation

Secureframe’s machine learning-powered automation makes the tedious process of responding to RFPs and security questionnaires fast and easy for organizations of all sizes. Our innovative solution suggests responses to RFP and questionnaire questions using content and context from the Secureframe platform along with approved prior responses to deliver 90%+ accuracy. 

You have the ability to edit answers to reflect updates in your security and privacy posture, as well as collaborate with your in-house subject matter experts to ensure answers are kept current in the Secureframe Knowledge Base as your security, privacy, and compliance system of record.

Knowledge Base Chrome Extension

Easily access your Secureframe Knowledge Base from Google Chrome!
You can now look up content and answers to questions easily while on a call, answering emails, or filling out questionnaires. Type keywords, phrases, or whole questions in to the search field to immediately discover related content in the Knowledge Base. The ‘select-to-search’ feature automatically searches any highlighted text on your active tab. Try it today.

Test Comments

Test Comments allow tests to be the nexus of communication for users in Secureframe working toward remediating a test. Now you can take, edit, and delete notes and comments to collaborate on testing.

December 2022

New features & updates

Secureframe Training

Training employees on security and privacy awareness is a key requirement of most compliance frameworks, including SOC 2. Secureframe Training, our in-platform training product with modern and engaging content, now includes Security Awareness Training. This adds to our existing, comprehensive set of training that includes HIPAA, GDPR, CCPA, PCI, and Secure Coding.

Make training your workforce easy and automatic with content that’s kept up-to-date by our compliance experts. You can review the available training modules in the Personnel > Settings > Onboarding section of the app.

Interested in adding privacy and security training? Ask your customer success manager or email contact@secureframe to add Secureframe Training or get a demo.

November 2022

New features & updates

Knowledge Base Scheduled Reviews

Keep your Knowledge Base content fresh by scheduling regular review cycles. 

Fully customize these review settings and receive automated email notifications when your content expires. Learn more about this new feature in our Help Center article.

Expanded Trusted Partner Program + Launch Partners for the Secureframe Trust API

You need the flexibility to customize your security and privacy compliance program to the unique needs of your business.

That’s why Secureframe provides 100+ pre-built integrations with the most popular applications across cloud services, identity providers, background checks, HR and people management, device management, developer tools, single sign-on, and more that you’re already using every day. Rootly, Electric, Basis Theory, and Indent are now joining our industry-leading trusted partner ecosystem to help our mutual customers further automate and streamline compliance. 

Learn more by reading our blog announcement.

October 2022

New features & updates

New Comments Tab on Tests Page

Collaborate with other users at your company using the new comments section. You can leave shared notes, work through remediation steps, and chat with your fellow team members, making it easier and faster to pass tests.

Click on any test and navigate to the "Comments" tab to get started.

Custom Knowledge Base Tags

Manage your content from uploaded security questionnaires and RFPs with custom tags.

Create and mark records for different teams, topics, or specialty areas. You can then filter on these tags for easy access the next time you are looking for content.

September 2022

New features & updates

Test update notifications

Integration Tests can now have a tolerance window! Sometimes configurations are tricky to figure out. Now you can set a tolerance window so that the test will not fail right away after Secureframe detects an incorrect configuration.  

When a tolerance is set, Tests will first show an "at risk" status so that the owners know that something needs to be fixed. Learn how to set a tolerance window for a test in our Help Center.

Due dates for uploaded tests

You can now set due dates for Upload Tests! Every time you go through an audit there is evidence to refresh. Now, you can set due dates to remind you to do these tasks. 

When you set a due date, you can also set a test interval so that the Test will auto-increment to the next due date after it has been refreshed with new evidence. See how to set a due date for a Test in our Help Center article.

Automate responding to security questionnaires and RFPs with Secureframe

Responding to security questionnaires and RFPs has long been a manual, tedious process with forms that vary from customer to customer with no standardized format, set, or order of questions. Even if you are SOC 2 or ISO 27001 compliant, many companies will still require a security questionnaire to be filled out. 

That’s why we’re excited to introduce Secureframe Questionnaires, a machine-learning-powered solution that makes it fast and easy to respond to customer questionnaires. When you receive an RFP or security questionnaire, simply upload it to Secureframe, tag the questions and answer fields, verify Secureframe’s suggested answers from the Secureframe Knowledge Base, export the completed document to the original format, and send it back to your customer. 

Read the blog post to learn more.

Secureframe adds 12 new frameworks, including NIST, ISO 27701, CMMC, and more

We are excited to announce that we’ve added these new frameworks to help you achieve and maintain compliance:

• NIST SP 800-53 
• CMMC
• NIST 800-171 
• PCI DSS SAQ-A and -D
• NIST Privacy
• ISO 27701
• NIST CSF 
• Microsoft SSPA 
• MSVP

 Read the blog post to learn more.

With these additions, Secureframe’s modern, all-in-one governance, risk, and compliance (GRC) platform can do more to help your organization and compliance teams to quickly understand requirements, manage controls, streamline workflows, and stay up-to-date with the latest security, privacy, and compliance standards.

JIRA integration update

The updated JIRA integration automates compliance checks and evidence collection for five existing requirements. To learn more, read our Help Desk Article.

Vendor page update

We’ve updated our Vendors page so it is easier to filter and sort. Now you can quickly skim your vendors list, identify which ones are high-risk, and review vendors that you own.

July 2022

New features & updates

New tests page 

We’ve created a new page to view your compliance journey designed around tests. This page allows you to manage all your company tests in one easy-to-organize place:

• Set custom and saved filter views
• View test details
• View framework mappings
• Remediate tests

For more information on how the Test Page works, take a look at our Help Center article.

June 2022

New features & updates

Custom Upload Tests

We have added the ability to author your own Custom Upload Tests. If existing Secureframe-authored tests do not meet your company’s criteria, you can now create a new test or new set of tests that accept file uploads as evidence.

For more details, read our Help Desk Article on Custom Upload tests.