April 2025

New features & updates

CMMC 2.0 Level 3

We now support CMMC Level 3, the most advanced and rigorous level of the maturity model framework. Level 3 includes 24 additional requirements beyond Level 2 and is designed for organizations handling the most sensitive controlled information.

This rounds out our support for the full CMMC 2.0 framework, making Secureframe the most comprehensive solution for organizations across the defense industrial base.

GovRAMP Framework (formerly StateRAMP)

We’re proud to be the first platform to offer full support for GovRAMP, formerly known as StateRAMP. Secureframe now includes both GovRAMP Low and Moderate levels.

GovRAMP is built on the foundation of NIST 800-53, with significant overlap with both FedRAMP and TX-RAMP, making it a natural extension of the federal compliance frameworks many organizations are already familiar with. More than 28 states are currently participating in the GovRAMP program, and adoption continues to grow.

Azure Government integration

Secureframe now supports Azure Government Cloud connections, joining our existing support for AWS GovCloud. This integration allows you to sync resources from Azure Gov environments, helping meet strict CMMC 2.0 and FedRAMP requirements.

Microsoft GCC High Login

Customers in Microsoft 365 Government environments can now sign into Secureframe using Microsoft GCC High credentials. This update supports secure access and identity requirements for CMMC 2.0 and FedRAMP readiness.

Vendor Module: Updated table view

We’ve upgraded the Vendor Table to make it easier than ever to track vendor reviews. You can now view in-progress and upcoming reviews directly from the table, making it faster to stay on top of what’s next. Each review also displays the current assignee, so responsibilities are always clear. And for teams that prefer to tailor their workflow, the table still supports editing default columns and saving custom views for quick access to the information that matters most.

New Personnel Details editing experience

We’ve overhauled the Personnel Details editing experience for better usability and consistency across the platform.

• Clearer UI and improved guidance for managing user data
• Visibility into the source vendor for each data field, so you know when values are coming from integrations
• Ability to un-override the Status field if you want integrations to drive active/inactive status again
• You can now edit Job Title and Department, which were previously locked fields

Learn more in our Help Center.

March 2025

New features & updates

New Audit Module

We’re excited to introduce the new Audit Module, built to make managing audits smoother than ever! With this release, you can:

• Create and track audits in a centralized space
• Store audit reports for future reference
• Auto-provision auditor access (no more manual permissioning!)
• View audit data in the APC (Auditor Partner Console) using our Castle component
• Auditor Super Admins can now unlink themselves from customer accounts post-audit

This update helps streamline the entire audit process for both customers and auditors.

Dashboard V2

We’ve refreshed the Secureframe Dashboard with an updated design and a new Action Items widget that shows expiring evidence, upcoming reviews, task due dates, and more.

Check out the new Dashboard

Zendesk integration

Our new Zendesk integration allows for bi-directional syncing, similar to our Jira integration. Use Zendesk as a task destination, with task updates flowing between systems. You can also sync Zendesk tickets to Secureframe for incident tracking, nonconformities, vulnerabilities, system changes, and user access, all mapped to your compliance tests.

Enhanced Help flyout

We’ve replaced the old help menu with a new, streamlined Help Flyout designed to get you the support you need faster. Quickly access Secureframe Academy, the Get Started page, and reach out to our support team directly from the flyout.

Need more help? The "Email us" button now links directly to our Customer Success team.

CMMC 2.0 Personnel Table

We’ve added two new columns to the Personnel Table to support CMMC compliance:

• Last Login: Easily identify inactive accounts
• Secureframe MFA: See at a glance who has MFA enabled

These updates help customers meet CMMC's Access Control and Account Management requirements.

Security Questionnaires: Doc and PDF imports

You can now import .doc and PDF files directly into the Security Questionnaires module, making it easier than ever to streamline the vendor review process.

MFA and password policy enhancements

To strengthen account security and meet compliance standards like CMMC, we’ve introduced new authentication and password policies:

• MFA (TOTP) is now required for all Super Admins, Admins, and Auditors
• MFA is enforced for direct login and magic link authentication
• Passwords now expire every 12 months and cannot be reused for four cycles

Learn more in our Help Center

TISAX framework update

We’ve updated our TISAX framework and Statement of Applicability (SOA) export to better align with the latest TISAX assessment requirements.

Policy table enhancements

Two new columns have been added to the Policy Table:

• Acceptance Rate: Track policy acknowledgment across your org
• Mapped Frameworks: See how each policy ties back to your frameworks

Learn more in the Help Center

February 2025

New features & updates

CMMC 2.0 Level 1 and Level 2 updates

We’ve updated CMMC Level 1 & Level 2 frameworks to reflect the DoD’s final ruling. With CMMC compliance becoming mandatory for all DoD contracts in Q2 2025, Secureframe customers get immediate access to the finalized requirements, controls, and tests, ensuring a smooth transition as CMMC goes into effect.

DORA framework now includes technical standards

We’ve expanded our DORA framework to include Technical Standards requirements and their associated control/test mappings. With DORA officially enacting these standards, Secureframe ensures your organization remains fully compliant and up to date with the latest financial sector regulations.

Microsoft Teams integration

Secureframe now integrates with Microsoft Teams, making it easier to coordinate compliance tasks directly from your preferred communication platform. Create, post replies, and close out tasks in Secureframe, with real-time updates sent to the respective Teams channel. This new integration keeps compliance workflows streamlined and ensures your team stays on top of follow-up actions without leaving Microsoft Teams.

CAPTCHA for Secureframe Trust Center

To enhance security and prevent spam, we’ve added CAPTCHA validation to all resource requests in the Secureframe Trust Center. CAPTCHA ensures only legitimate requests are submitted to help safeguard against bot-driven spam while maintaining a seamless experience for real users.

Windows build signing for Secureframe Agent

All new Secureframe Agent connections and builds for Windows are now digitally signed to enhance security and integrity. This update ensures that every Windows build of the Secureframe Agent is verified and protected, maintaining trust and security for our users.

Add single personnel without a CSV upload

You can now manually add individual personnel to Secureframe through a new modal without uploading a CSV, providing a faster, more convenient way to add one-off personnel, POCs, or admins without disrupting workflows.

January 2025

New features & updates

Support for NIST 800-171 Rev. 3

We now support NIST 800-171 Revision 3, ensuring that customers can meet the most up-to-date compliance requirements. Given the significant updates in this revision, organizations may still be attested against the older Rev. 2 requirements, so we’ve made both available to help businesses transition seamlessly. No other compliance automation platforms currently support Rev. 3, giving Secureframe users a first-mover advantage in aligning with the latest federal security standards.

New endpoint security integrations

We’ve expanded our endpoint security integrations to automate compliance testing across more security tools:

• Scalefusion MDM Integration: Automates testing for firewall and hard drive encryption enablement. 
• WatchGuard EDR Integration: Automates compliance testing for anti-malware, firewall (Windows devices), and hard drive encryption. 

These integrations reduce manual effort, ensuring devices meet compliance standards automatically. Both integrations can be found under the Endpoint Security category in our Integrations library.

Upgraded Service Partner console

We’ve enhanced our Service Partner console for IT service providers and MSPs to improve transparency and efficiency. Instantly view what’s included in each subscription with clear packaging details and transparent pricing, and enjoy an intuitive, streamlined workflow for faster provisioning. 

December 2024

New features & updates

Physical security test update 

We’ve upgraded our physical security tests from policy-based assessments to upload-based tests, allowing users to directly upload specific evidence for each test. This change provides greater transparency and aligns with auditor expectations, ensuring not only the presence of a physical security policy but also corresponding evidence to verify its implementation.

Refreshed Frameworks page

We’ve enhanced the Frameworks page to make progress tracking more intuitive. A reinstated progress bar now shows how many of your current controls overlap with a new framework. It’s easier than ever to visualize your compliance status, allowing for better planning and faster framework adoption.

Last upload time for more accurate testing

Track compliance more effectively with the new Last Upload At column, which shows the last time evidence was uploaded to each test. Color-coded tags highlight test states, making it easy to quickly identify stale evidence that requires refreshing.

November 2024

New features & updates

Improved enablement and disablement flows for requirements and controls 

Enabling and disabling flows for requirements and controls now includes all of the relevant sub objects, making it faster and easier to enable and disable full control sets. 

October 2024

New features & updates

Custom Automated Tests 

Create tailored automated tests against integration data and automate more of your security and compliance processes. Companies with unique systems, processes, or compliance requirements can now create custom automated tests against cloud resources for AWS, Azure, Google Cloud Platform, and DigitalOcean integrations.

• Search resources: Search for any cloud resource in your environment.
• Set test scope: Specify exactly which resources or subset of resources should be included or excluded from tests, ensuring more accurate results.
• Set evaluation criteria: Specify the conditions in which resources returned by the query should pass or fail
• Publish new tests: Leverage the data already integrated into Secureframe to build custom tests that address your unique compliance requirements.
• Edit tests: At any time, you can tweak the logic of published CAT tests as your compliance and security needs evolve.

Support for CMMC Level 1

Our CMMC offering is now split into separate frameworks for CMMC 2.0 Level 1 and CMMC 2.0 Level 2, making it faster and easier for companies to view and comply with Level 1 requirements. 

Integration connection form improvements

Connection forms for the AWS, Azure, GCP, Azure DevOps, and GitLab integrations now include step by step instructions, with guided walkthrough videos available in-app, making it easier than ever for users to successfully connect these integrations. 

SecurityScorecard Integration

Introducing a new widget that displays your company’s SecurityScorecard rating for free. Users can also click into the widget to view additional details. 

Vendor risk assessment and vendor portal bulk upload support

Users can upload multiple documents simultaneously when conducting a vendor risk assessment, or while uploading docs to the portal.

NDA acceptance UI improvements

Users can now see a pdf preview of non-disclosure agreements prior to acceptance. Document downloads are disabled when the Trust Center is in the unpublished state. 

Risk level tab now accessible in vendor reviews 

Users can now see the risk level tab during a vendor review. 

Task support available for standard VRM

Customers using Standard VRM can now use the task functionality. 

Bulk assign categories and departments to vendors

Now, in addition to bulk assigning tags, users can bulk assign categories and departments to vendors. 

Ability to view excluded child connections

Customers on AWS, Azure, and Google Cloud Platform can now view which child connections were excluded during the initial connection setup after-the-fact.

Reset policy acceptances

Admins can now reset policy acceptances for personnel directly from the Secureframe app. 

Error messaging improvements

New alert banners will direct users from the Tests page to the Integrations page for disconnect and sync errors for our AWS, Azure, and Google Cloud Platform integrations, and an alert banner will be displayed on the home dashboard for disconnect errors. New information will also be available in the integrations table, including last sync status and error description, making it easier for users to understand and fix any integration issues. 

September 2024

New features & updates

Vendor Portal

Effortlessly manage your third-party security assessments with the new Vendor Portal. Easily send out security questionnaires to vendors, request updated compliance documentation, and track responses in one place. This feature simplifies vendor reviews, helping you stay compliant and reduce risks with less manual effort. For more details, check out our Help Center article here. 

AWS, Azure, and Google Cloud Platform integration enhancements

When refreshing an individual test, only resources specific to that test will sync, drastically reducing integration sync times to just minutes and speeding up workflows for faster results.

Linear integration now supports bi-directional syncing

With improved bi-directional syncing, tasks completed in Linear or Secureframe now automatically update in both systems. Sync Linear tasks to Secureframe and easily track compliance across incidents, nonconformities, vulnerabilities, system changes, and user access based on SLAs.

Faster framework provisioning

New frameworks can now be added to your Secureframe instance up to 5x faster, with provisioning running in the background, allowing users to multitask without disruption.

Additional Trust Center customization

Users can now add document-specific rejection reasons to add context on a per document basis, as well as customize a generic, non-document specific message, making communications clearer and more tailored to their needs. 

Improved access permissions for Auditor role

Previously, the default auditor role limited access to Policies and the Data Room. We’ve extended Auditor role permissions to provide view-only access to additional data, including tests, controls, policies, and asset inventories, allowing auditors to more efficiently perform customer audits within the platform. The Auditor role does not include the Company Onboarding permission. 

August 2024

New features & updates

Support for TISAX Framework

TISAX (Trusted Information Security Assessment Exchange) is a European standard specifically designed for the automotive industry. It is essential for companies, including suppliers and service providers, that handle sensitive automotive information. TISAX ensures that these companies meet rigorous data protection and information security standards, thereby maintaining the security of critical automotive data throughout the supply chain.

Security Questionnaires Generative Model Upgrade

A new model version introduces significant scaling and speed enhancements, allowing questionnaires with more than a thousand questions and hundreds of rephrased answers to be processed quickly. 

Control Overrides

Users can now manually set the health status of controls. This functionality is designed to offer more flexibility in evaluating the status of controls and setting them in the platform. Whether you need to designate a control that is partially implemented as failing or need to manually pass a control, this puts the power in the hands of the user doing the control reviews. 

Trust Center Enhancements

• Customize your logo and URL: Users can now link their Trust Center logo to their website. A new section in the site designer called “App bar” allows you to edit your logo, the URL it points to, and customize the logo image description. 
• Custom domain fixes: It’s now easier to update and delete a custom domain as well as your secureframetrust.com subdomain

Third-Party Risk Management Improvements

• The review status column on the main vendors page now displays the individual vendor’s review status, rather than the parent review container status 
• A new response field for Findings in Third-Party Risk Management reviews allow you to document remediation plans
• A Documents column has been added to the main vendors page and can be toggled on from the table column selector
• Users can now edit schedules and templates in bulk from a single modal
• Users can now directly edit the “Last reviewed at” date for a vendor if they haven’t yet completed a review in Secureframe
• Parent reviews will now automatically complete when all child reviews are completed

July 2024

New features & updates

Support for TX-RAMP

Secureframe now supports TX-RAMP. TX-RAMP (Texas Risk and Authorization Management Program) is a framework that standardizes the risk management and authorization process for cloud services used by Texas state agencies, universities, and other institutions. Organizations need to comply with TX-RAMP to ensure they meet the state’s security and privacy requirements, facilitating secure and efficient cloud service usage within the public sector. There are 2 levels to this framework and we support both levels.

Secureframe Zapier Application for Trust Center

Customers can now streamline their Trust Center document request management with Secureframe’s new Zapier application. This integration allows organizations to create custom rules and automate Trust Center document requests and notifications seamlessly, reducing the time and effort spent on managing these processes.

• Set up custom rules like a check in Salesforce or Hubspot to automatically approve documents for certain contacts (like existing customers)
• Set up Slack notifications so your team is notified on new requests in real-time

Integration with ClickUp

1) Task and Notifications: ClickUp can now be used as a task destination. Tasks closed out in ClickUp will automatically close out in secureframe on next sync. Tasks closed out in Secureframe will automatically close out in ClickUp.
2) Compliance Testing: Sync ClickUp tasks to Secureframe and track compliance for access changes, vulnerabilities, nonconformities, incidents, and system changes based on SLAs

Trust Center Updated View Option

Choose to see compliance, resources, and sub-processors sections in either a list or grid view. The list view is better for scrolling through large amounts of content, while the grid view offers a more visual layout. A "View All" option appears for sections with 10 or more items, leading to a detailed page with a full list of searchable content.

Ability to Bulk-Import Subprocessors

If using the updated third-party risk management experience, you can now import sub-processors directly from your vendor list in Secureframe, saving time by automatically including vendor names, descriptions, and logos. You can also update or swap logos and modify vendor details within the Secureframe app. Adding sub-processors from vendors in Comply saves time during Trust Center setup.

Github Updates

Users can now opt out of syncing public repos. Often times, public repos are not in audit scope and/o customers do not have control over the types of checks that run on these repos. This feature provides customers with enhanced integration setup flexibility.

Updates to Automatic Invites and Manual Invites

Admins can now control specific groups that they send automatic onboarding invitations to. We’ve also updated the styling on the manual invites table to match other tables in our platform. This functionality allows our customers to customize the onboarding to only those that need access to our platform.

June 2024

New features & updates

Support for SOX ITGC

Secureframe now supports SOX ITGC. SOX ITGC refers to the Information Technology General Controls under the Sarbanes-Oxley Act, which are internal controls IT departments must implement to support the integrity of financial reporting. Secureframe helps customers set up policies and procedures required to meet SOX ITGC requirements, collects evidence against SOX ITGC compliance, and maintains continuous compliance with continuous control monitoring. Read more about SOX ITGC in the blog here.

Track custom controls in Trust Center monitoring

Users can now add any control from any framework in the Monitoring section in Trust Center and customize the display language. Learn more in the help article and walkthrough.

May 2024

New features & updates

Framework Scoping

Now customers can link frameworks to segregated environments to tag assets and personnel to specific compliance frameworks like SOC 2, PCI, and HIPAA, so compliance efforts are focused on the relevant areas of business that directly impact the organization’s compliance posture.

Customers can:

• filter out assets that have no compliance relevance or chance of compliance evidence
• assign assets to the right product scope
• exclude assets from reports

Learn more in the Help Center here.

Integration with Bitwarden

We now offer an integration with Bitwarden via tests specific to Bitwarden for organizations that use it as part of their tech stack.

Integration with Figma

We now offer an integration with Figma via tests specific to Figma for organizations that use it as part of their tech stack.

Integration with FactorialHR

We now offer an integration with Factorial whereby we support syncing user information from the FactorialHR system.

Comments on Controls

Users now have the ability to add comments to controls in Secureframe for better communication and collaboration between users in an organization.

Support for ISO 27017

We now offer support for ISO 27017. ISO 27017 is crucial for enhancing cloud security by offering specific controls and guidelines tailored for cloud services. While similar to ISO 27001 in terms of overlap of requirements and controls, ISO 27001 provides a general framework for information security management across any environment, while ISO 27017 focuses specifically on cloud computing environments.

April 2024

New features & updates

Enhancements to Questionnaire Automation and Trust AI

This month we've made huge enhancements to our ML-powered Questionnaire Automation, including:

• an improved answer verification step - you can now verify your answers with suggested answers from Generative AI (Trust AI), control and test information pulled from Secureframe Comply, policies, and your Knowledge Base
• the ability to attach evidence or policies in the answer verification screen as images or files
• the ability to download completed questionnaires or RFPs as a zip file including all documents, attachments, and policies

Read more about the Questionnaire Automation enhancements here, and read more about Trust AI here.

Hard Deleting Evidence from Upload Tests

Users can now hard delete evidence that was accidentally uploaded to upload tests.

Updates to Evidence

Customers now have the ability to use URLs as evidence instead of just files, for more flexibility and convenience. They also now have the ability to add comments or findings to evidence uploaded. Evidence with findings will not pass the upload test.

Tags on Tests and Controls

Users now have the ability to add tags to tests and controls, and filter for those tests/controls by these tags. Customers benefit from improved organization and visibility, efficient searching and filtering, and easier reporting.

Integration with SimpleMDM

We now offer an integration with SimpleMDM via tests specific to SimpleMDM for organizations that use it as part of their tech stack.

Integration with Salesforce

We now offer an integration with Salesforce via tests specific to Salesforce for organizations that use it as part of their tech stack.

Updates to the Integration Page

Users can now see tests and controls related to an integration, as well as the permissions and data pulled for an integration prior to connecting it for more context on our integrations.

Multiple File Evidence Uploads

Customers can create multiple uploads with one click - this feature reduces time to compliance by simplifying the upload process for multiple files in a single test.

Integration with FusionAuth

We now offer an integration with FusionAuth via tests specific to FusionAuth for organizations that use it as part of their tech stack.

March 2024

New features & updates

New Trust Center Site Designer

Secureframe Trust Center Site Designer has undergone a significant overhaul to enhance user experience and customization capabilities. These enhancements include:

• Default Trust Center Upgrade: Streamlined design and additional customizability features.
• Flexible Editing: Real-time preview and seamless interaction with elements.
• Robust Customization: Easily create custom HTML sections and override any aspect of your layout with a global CSS stylesheet to match your Trust Center to your brand.
• Section Control: Intuitive panel features for easy section management.
• Centralized Monitoring: Consolidated security controls for monitoring in one place.
• Detailed Fields: 'Purpose' and 'Location' fields for comprehensive subprocessor details.
• Seamless Deployment: Configure, preview, and publish effortlessly to a custom domain.

Learn more about the new capabilities in the blog.

Support for NIS2 Framework

Secureframe now supports NIS2, an updated EU directive aimed at enhancing cybersecurity across all member states by improving national capabilities, cooperation, and risk management practices among key sectors and digital service providers. NIS 2 will go into effect in October 2024, and will apply to many European countries across industries and sectors.

Support for Essential Eight

Secureframe now provides support for customers looking to achieve compliance with Essential Eight. The Essential Eight is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC) to help organizations mitigate cyber threats and protect their systems against a range of cyber attacks.

Integration with SentinelOne

Secureframe now offers an integration with SentinelOne for orgs that use it as part of their tech stack. SentinelOne provides cybersecurity solutions by using artificial intelligence to automatically prevent, detect, and respond to cyber threats in real time.

Updates to the Controls table for bulk actions

The Controls table has been updated with new styling and a bulk actions bar for ease of use and time-savings.

Updates to the Personnel table for filtering

The personnel table updated with new operators, allowing users to single select vs. multi-select based on operator chosen. This update provides consistency with the table filtering experience in other parts of the app.

February 2024

New features & updates

ISO 9001 Framework Added

Secureframe now supports ISO 9001, a quality management framework. ISO 9001 is an internationally recognized standard that helps organizations provide customers with consistent, good-quality products and/or services.

Organizations can save time obtaining and maintaining ISO 9001 by leveraging Secureframe's Policy Management and Risk Management tools. We created policy templates for ISO 9001, including a QMS manual and a quality policy, and our Risk Management features make it easy for users to manage and monitor internal and external risks that may affect conformity of products and services.

Learn more about ISO 9001 in our blog.

PCI 4.0 Updates

Secureframe now supports the latest version of the Payment Card Industry Data Security Standard, PCI DSS 4.0. PCI DSS version 4.0 goes into effect on March 31, 2024. Any report on compliance (ROC) or self assessment questionnaire (SAQ) must be completed against the PCI DSS 4.0 standard following this date. Changes to PCI DSS include: enhanced testing requirements and control structure, introduction of risk analysis, documentation of roles and responsibilities, and a required scoping exercise.

Tickets Table

Users will now see an Asset Inventory > Tickets table, updated with new styling, that shows Jira tickets synced to Secureframe. This new table will provide better visibility for users to be able to monitor Jira tickets for tests related to access management, change management, vulnerability management, and more.

Integration with Duo

Secureframe now offers tests specific to Duo for orgs that use it as part of their tech stack. Duo is a popular 2FA solution that helps organizations boost security by verifying user identity, establishing device trust, and providing a secure connection to company networks and applications.

Integration with Crowdstrike

Secureframe now offers tests specific to Crowdstrike for orgs that use it as part of their tech stack. Crowdstrike is a popular EDR vendor that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware.

Integration with LaunchDarkly

Secureframe now offers tests specific to LaunchDarkly for orgs that use it as part of their tech stack. LaunchDarkly is a SaaS platform for developers to manage feature flags/toggles and test code in production.

January 2024

New features & updates

Enhancements to the Personnel Page

Personnel Status Column: users can go into the Personnel table and now see a new “Status” column which shows which personnel still have any outstanding tasks they need to complete. You can also easily filter the columns in the table to just show the columns relevant to those outstanding tasks.
New Editable Personnel Fields: Users can now edit attributes on a personnel directly through the Personnel details page instead of having to upload a csv.

Group Import Support

Secureframe now supports group imports for use in product, in personnel settings. Now, users can import groups from the following integrations: Google Workspace, O365, MS Entra ID (Azure AD), and Okta. This update helps users to achieve faster workflows and easier group management.

Added Support for CPRA

The California Consumer Privacy Act (CCPA) has recently been amended by the California Privacy Rights Act (CPRA), expanding the scope of privacy requirements. To help you meet these new requirements, we launched support for CPRA which includes additional tests and controls to satisfy the new requirements. Anyone looking to leverage Secureframe to maintain CCPA will also get access to the CPRA tests and controls.

Rippling MDM Support

Secureframe now supports group imports for use in product, in personnel settings. Now, users can import groups from the following integrations: Google Workspace, O365, MS Entra ID (Azure AD), and Okta. This update helps users to achieve faster workflows and easier group management.

December 2023

New features & updates

New Frameworks: FTC Safeguards Rule, NYDFS NYCRR 500, and Cyber Essentials

We introduced support for three new frameworks on our platform: FTC Safeguards Rule, NYDFS NYCRR 500, and Cyber Essentials. Each new framework includes control mapping to framework requirements, automated tests that collect compliance evidence from integrated technologies, and built-in Secureframe tasks such as policy management as required by each framework. 

Learn more here.

Test Details and Asset Details Updates

We are empowering our users with enhanced visibility, allowing you to diagnose the root cause of a failing test with greater precision and efficiency. Seamlessly access and analyze both test evidence details and asset information for cloud resources and devices. 

Within the test evidence tab, you'll find advanced filtering options for assets associated with a test, categorized by their status: failing, passing, or ignored. Dive deeper by selecting an individual asset to reveal comprehensive details. Clicking on 'full asset details' seamlessly directs you to the asset inventory, where you can see relevant information, modify asset ownership, and inspect JSON evidence for cloud resources. This is the first step in better enabling you to fix failing controls as efficiently as possible.

Connection Labels for Devices

We now show the device connection source in the device inventory, allowing customers to more easily identify the source of devices when they have multiple connections with the same MDM vendor.

Cloud Resources Table Update with Bulk Bar

The Assets > Cloud Resources table has been updated with new styling and the bulk actions bar for better use of use, time-savings, and consistency. This update makes bulk actions easier than before.

Update to Deel Integration

Secureframe's integration with Deel is now automated via API, so customers no longer have to wait for the connection to occur.

Kolide Enhancements

Secureframe now pulls in HD encryption for Linux devices.

November 2023

New features & updates

Secureframe API

We recently introduced Secureframe API - so customers can use a REST API to programmatically write and read data, to and from Secureframe. Now, users can integrate with and pull evidence from any tool or service – whether it’s your cloud-based applications or your local systems – beyond our 200+ native integrations. Read more about Secureframe API in this blog.

Quantitative Risk Assessment for Enhanced Risk Management

We have expanded our Enhanced Risk Management offering to include quantitative risk assessment using the Annualized Loss Expectancy Methodology. This methodology delivers a more precise understanding of a risk in terms of financial loss. 

New Risk Management Capabilities

This month we introduced more features and capabilities to the Risk Management solutions so you can save time, streamline tasks, and improve collaboration. All customers can now benefit from the following:

• Flexible CSV uploads: You can easily upload your risk register to Secureframe without any pre-work. Our flexible CSV uploader provides an intuitive workflow that allows you to import your existing risk register into Secureframe without taking time to format it based on our templates.
• Document attachments: You can now attach documents related to a risk during the risk assessment workflow. For example, you may attach proof of cyber liability insurance for a risk you chose "Transfer" as its treatment.
• Tasks and notifications: You can now create risk management tasks in the Secureframe platform with the option to send notifications via a preferred notification delivery method – email, Jira, or Slack.
• View and delete archived risks: You can now view and track archived risks and hard delete a risk from the archives, such as if a risk was added by accident or is a duplicate. All hard deleted risks cannot be reverted.

Read the blog to learn more.

Organizations & Child Accounts

Customers can now organize cloud resource integrations (AWS, Azure & GCP) using Organization and Child (project/subscription) connections. You can easily set up, see, filter, sync, and exclude child connections to better manage cloud resource integrations in Secureframe.

Add Custom Security Training URLs

We added the ability to link third-party security training vendors within the Secureframe training module. If you select “Other (Third Party)” as your security awareness training vendor, you now have the option to include the URL for that training. Your employees can access the link to the training within the Secureframe platform. This will direct them to the training site where they can complete their security awareness training.

New Policy Editor with AI-powered Text Revisions

We added enhanced functionality to our policy editor with a more comprehensive editing toolset and AI-powered text revisions. The improvements to the policy editor include the ability to comment on a policy to improve collaboration and an advanced editing toolset to make it easier to build, customize, and publish policies. Our new editing tool set includes: advanced tables, find and replace, seamless copy and paste from Google Docs, Word, and Excel, and more

In addition, we added our latest AI-powered capability, Comply AI for Policies, which uses generative AI to help you write and refine your policies. Comply AI for Policies improves productivity by saving you hours of work by delivering clear and polished policies that align with the tone and voice of your organization. To use Comply AI for Policies, highlight the area of text you want to revise and either select from the out-of-the-box prompts or send a custom prompt. Generative AI will provide suggested changes for you to review and choose to insert the changes, ask it to try again, or discard the changes.

Read the blog to learn more.

Device Archiving

Now, customers have the ability to archive devices by archiving the associated vendor.

October 2023

New features & updates

Improved Risk Management module with Comply AI for Risk

We recently launched our new enterprise-grade Risk Management tool that includes an AI-powered risk assessment workflow with Comply AI and an Enhanced Risk Management module tailored to your unique business needs.

The end-to-end Risk Management tool includes:

• Risk register to track and manage risks
• Risk library to easily identify risks 
• Risk assessment workflow to determine risk scores and treatment plans
• Risk history to easily track changes 
• Control mapping to link mitigating controls to risks

The Enhanced Risk Management module offers more robust and flexible tools, including:

• Dashboards
• Custom scores
• Custom tags

Read the blog to learn more about the improved Risk Management module. 

Office365 User Filtering

Companies can now optionally exclude unlicensed accounts and guest accounts from being pulled in on the Office365 integration. Existing connections must be archived and a new connection must be created for this functionality to work.

Read-only Policies

We just added the ability to make policies read-only. For policies that do not require acceptance, you can now mark them as read-only when editing. Personnel reviewing these policies will not have to select ‘Accept’. Learn more about Secureframe policy management here.

Enhancements to Azure Active Directory Integration

Users of Azure AD can now pull fields like:

• MFA status for users 
• Start and end date for employees 
• Job title for employees

Find more information about Azure AD permissions in this article.

JamfPro Screen Lock Support

The JamfPro integration now syncs screen lock information for Mac and Windows, and each respective test is now automated. Find all of our integrations here, and please reach out if you have additional questions.

September 2023

New features & updates

New Bulk Action Bar

We recently added a new bulk action bar on the following pages:

• Personnel
• Tests
• Asset Inventory

We've consolidated the individual bulk action buttons from the top menu into a dedicated bar that floats on the page as a user scrolls to make bulk actions easier than before. 

Additional Trust Services Criteria

We have added two optional trust services criteria (TSC) to your existing SOC 2 report - processing integrity and privacy. It is up to your business to decide if either of them is in scope for your compliance program.

Processing integrity provides assurance that information in the audited system is complete, valid, accurate, timely and authorized to fully satisfy the entity's objectives. Privacy provides assurance that personal identifiable information (PII) is safeguarded beyond the minimally required security requirements. 
These will be defaulted to disabled for your existing report and will not impact any passing percentages unless enabled. Please don’t hesitate to contact us if you have any questions.

AWS Inspector Update

An updated Amazon Inspector integration is available for AWS customers. This iteration of Inspector is more scalable, supports container images and multi-account management, and uses AWS Systems Manager Agent, among other improvements. We will continue syncing Inspector Classic in AWS accounts where it is used - no need to switch immediately.

Improvements to Custom Control Creation and Bulk Mapping

We just released a new way for customers to create custom control AND map either existing or new custom controls to framework requirements all in 1 CSV. Now, you can:

• Auto update date fields
• See warnings on invalid inputs
• Find suggestions on typo mistakes

Find more information in this Helpdesk article.

Improvements to Secureframe Questionnaire Automation

We've introduced updates to Secureframe Questionnaire Automation, including:

• Improvements to the Questionnaire model performance that enhances customer automation rates
• Security Questionnaires Starter Pack: we highly recommend that customers fill out this starter pack of the most commonly requested security questionnaires to maximize their success.

August 2023

New features & updates

Comply AI for Remediation is now available for AWS, Azure, and GCP

Comply AI for Remediation is now available for all Secureframe customers. Comply AI for Remediation uses generative AI to provide infrastructure as code remediation guidance to fix misconfigurations in AWS, Microsoft Azure, and Google Cloud Platform (GCP). Remediation methods include: 

• Command Line Interface (CLI)
• Terraform
• AWS CloudFormation
• AWS Cloud Development Kit (CDK)
• Azure Resource Manager (ARM)
• GCP Deployment Manager

Custom Frameworks

We now offer the ability to create custom frameworks! Customers can now incorporate into a custom framework things like specific security controls, processes, and policies that align with your organization’s unique requirements, industry standards, and regulatory obligations. Map existing tests and controls (pre-built or custom) to your custom framework for a more comprehensive and personalized approach to compliance management. Find the documentation for custom frameworks and reach out to support@secureframe.com for more information on how to get started.

Test Library

Our new Test Library offers a repository of all Secureframe and user-created custom tests. This provides customers with the ability to leverage the extensive suite of automated tests available in the Test Library for your custom controls and frameworks. Users can access this inventory of tests that may not be directly mapped to specific frameworks, allowing them to incorporate additional tests and take advantage of the hundreds of automated tests that Secureframe has already built.  Access the Test Library from the “tests” page in the left side navigation, and find the documentation here for further guidance.

Trust Center Improvements

By popular demand, we recently delivered two improvements to Secureframe’s Trust Center: 

1. Custom email destinations for document request notifications. You can now set document request notifications to mail to specific people or group inboxes!
2. The ability to host FAQs on your Trust Center to reduce the need to fill out a security questionnaire for a prospective customer. You can now add FAQs and answers in the Trust Center Site Designer.

default Version Control Branches

Users can now specify default branch and testing settings for repositories in integration connection settings. Settings are applied to only new repositories synced and do not affect repositories that have already been synced.

July 2023

New features & updates

Personnel Management Updates

We recently revamped the personnel management page to provide a better user experience. The update includes a new personnel table, as well as a notification bar at the top of the page alerting users of unlinked accounts.

Unlinked accounts are accounts Secureframe is unable to link to an existing user. Users can click on the unlinked accounts notification to review the unliked accounts and link them to a respective user. Unlinked accounts can also belong to former employees or service accounts.

Integration with DigitalOcean

We’re excited to announce an integration with DigitalOcean, a cloud hosting provider that offers cloud computing services and Infrastructure as a Service (IaaS). Secureframe automatically pulls relevant data from DigitalOcean and tests access, application, networking, storage, monitoring, and alerting configurations for applicable framework compliance. To get started with DigitalOcean, find and connect from the integrations tab in Secureframe.

June 2023

New features & updates

Comply AI for Remediation

We expanded our AI-powered capabilities with the launch of Comply AI for remediation. Comply AI automatically generates infrastructure as code (IaC) remediation guidance to fix misconfigurations in AWS. The capability also features a chatbot for users to submit requests and get more tailored remediation. Comply AI will soon work with Google Cloud and Microsoft Azure for faster and easier cloud remediation. Learn more about Secureframe AI here.

Custom Controls

We are excited to announce the ability to create custom controls in Secureframe! The Controls tab enables you to view a list of controls mapped to their respective frameworks and the health status of those controls. You now have the ability to add custom controls individually or in bulk, tailoring the platform to meet your organization's unique needs. This customizability enables you to incorporate specific security controls, processes, and policies that align with your requirements.

AWS GovCloud Integration

We are excited to announce that Secureframe now offers an integration with AWS GovCloud, providing users the same Secureframe experience as customers operating in commercial environments. By automating compliance tasks such as monitoring, policies, and evidence collection, Secureframe simplifies the compliance process for organizations navigating the complexities of federal regulatory requirements, while ensuring the security of government-related workloads and data. Secureframe provides visibility around security vulnerabilities and misconfigurations in your GovCloud environment, and monitors compliance against federal compliance frameworks. Read the blog.

New Company Onboarding

We made updates to our company onboarding for a better user experience. With our new onboarding, we’ve reduced the number of onboarding steps, integrated onboarding throughout the rest of the platform to deliver a more seamless experience, and provided more context to help users easily navigate their onboarding. 

May 2023

New features & updates

Secureframe Trust

We recently announced the availability of Secureframe Trust – a powerful combination of our Trust Center, Knowledge Base, and ML-powered Questionnaire Automation solutions. 

Now, you can proactively showcase the measures your organization is taking around security, compliance, and privacy with a Trust Center that continuously pulls in data from the Secureframe platform. You have the ability to customize this page - show only what you want to show, and adjust the look and feel of your Trust Center with customized logos, colors, and information. You can upload documents, review/approve/deny requests for information, and enforce automated NDAs. If a visitor has additional security questions after perusing your Trust Center, they can submit an RFP or questionnaire, and our Questionnaire Automation and Knowledge Base can help streamline that process.

Learn more about Secureframe Trust here.

Export tests as JSON

We recently added the ability to view and export raw JSON evidence for AWS, Azure, and GCP to aid in remediation for your failed tests. JSON provides more detail so you can easily identify the reason a test failed and quickly remediate the issue. Raw JSON is helpful for your auditors as well because it reduces the amount of time it takes them to review the evidence and provides them with additional details to help minimize follow-up questions. 

When downloading a test, you will now see two options: ‘Download Test data (.csv)’ or ‘Download Test data (JSON)’. You can easily navigate the JSON evidence for every resource associated with a test using the arrows in the platform which allows you to review on an individual resource basis so you can focus on a specific area of concern

If you choose to download as JSON, it will contain details for all of the resources associated with the test. This will help you get as much or as little information as you need to remediate issues in your cloud infrastructure and maintain compliance. Learn more about exporting tests as JSON here.

Updated Navigation Experience

We made updates to the navigation in the platform to make it easier for you to find what you're looking for. The update groups pages together so they are more organized for a better user experience. Check it out on the platform today!

Ability to filter on unconfigured repos

We recently added the ability to add "has_production_branches" as a filterable field to the repositories table and search_data. This allows customers to see where they need to apply configurations, which need to be complete for the associated tests to work.

April 2023

New features & updates

Upload PDF Policies

This month, we introduced the ability to upload PDF policies to Secureframe, giving our customers flexibility during the onboarding experience. Policies are governing documents describing what an organization does to ensure security and compliance. 

Now users have the ability to directly upload one or multiple PDF policies, in addition to using the inline editor. Find more information on creating and editing policies here.

New Secureframe Training Lessons

Secureframe Training automates training for SOC 2, HIPAA, PCI DSS, GDPR, and more – so organizations can quickly meet security and privacy compliance requirements and save time assigning, tracking, and reporting on required training.

This month we introduced two new lessons to our Security Awareness Training module: Anti-Counterfeiting and Privacy. Find the new lessons in Employee Onboarding > Training, or reach out to learn more about how you can easily deploy and track required employee training with Secureframe.

Passing with Upload Indicator

We recently added a visual indicator for tests, to show tests that are passing but also adding the ability to show if each test has evidence uploaded against it.

Default Group Assignments

Before, we defaulted policies to be assigned to the "Employees" and "Contractors" groups when publishing them for the first time. The edit policies multi-select only showed up when editing an existing policies. Now, when creating or publishing a new policy, there's an option to group multi-select in the editor view when creating a policy for the first time, pre-populated with "employees" and "contractor" groups if no other groups are present.

Policy Acceptance Date

We made a change to policies to always show the last accepted date for policy acceptance. This ensures accountability and notiication of changes - showing the last accepted date helps users stay informed about changes in policy and reminds both users and admins to review the policies periodically.

March 2023

New features & updates

Manage Test Updates on the Test Activity Dashboard

In March we launched an exciting new feature that improves automation and helps with continuous compliance: Test Activity Dashboard. This new experience allows Secureframe to keep your tests up-to-date with the latest automation enhancements and compliance checks.

New or updated tests appear on the dashboard depending on the frameworks you have signed up for. Keep your tests in their current state if you have an upcoming audit and want to wait to switch to the new/updated test. For any new/updated tests, you have a Required Action Date that is at least 3 weeks after the test is introduced into your account. 

If you don’t take any action, the new/updated tests will be automatically introduced into your account on the required action date. Future releases for test changes happen on a periodic basis on the last Friday of each month. 

Learn more here.

Enhanced Microsoft Intune Automation

We recently enhanced four upload tests for Microsoft Intune with automation:
1) Anti-malware is enabled on user endpoints is enforced via Microsoft Intune
2) Screens lock on production user endpoints after a maximum of 15 minutes of inactivity, enforced via Microsoft Intune
3) Local firewall cannot be disabled by the user and log continuously on production user endpoints, enforced via Microsoft Intune
4) Strong password policy of at least 8 characters and alphanumeric is enforced on user endpoints via Microsoft Intune

Read more about Secureframe's endpoint security here.

Enhanced Jumpcloud Integration

We've made enhancements to our integration with Jumpcloud for centralized identity and access management (IAM), easier user provisioning/deprovisioning, and streamlined compliance monitoring. This integration allows you to sync devices-related information from your JumpCloud account and automates compliance checks and evidence collection (for example, hard drive encryption enforcement) using JumpCloud's REST APIs. Learn more about the integration and how to connect to it here.

February 2023

New features & updates

Real-Time Support Through Live Chat

Now you can chat in real-time with a Secureframe Customer Experience Representative! Just as before, if you need help you can go to “Help & Support > Chat”. Once a chat is initiated, if you want to chat online with a Secureframe representative, you will be offered the option “I still need support”. If you click this button, you will be able to speak to a Secureframe Customer Experience rep. Our representatives are available Monday - Friday from 6am - 6pm EST. 

Learn more here.

Announcing Secureframe for MSPs

We are excited to expand the Secureframe Trusted Partner Program to include our world-class MSP Partner Program and launch our multi-tenant portal to make it easy for service providers to bring the power of Secureframe’s compliance automation platform to their clients. Secureframe for MSPs offers:

• Centralized account management: Purpose-built to help service providers manage their customers’ end-to-end compliance journey, Secureframe’s multi-tenant portal centralizes all activities related to each customer’s security and privacy compliance into a single pane of glass.
• Streamlined deal management and support: Secureframe’s partner portal (PRM) enables service providers to register deals and gain access to marketing, sales, technical support, and other resources to close deals, serve clients, and grow revenue.
• Enhanced revenue earning potential: Secureframe’s partner program unlocks new revenue streams through its referral, reseller, security consultants, and MSP/MSSP options where partners can function as any or all partner types depending on their business model and preference
• DattoRMM integration: Secureframe’s integration to DattoRMM, used by MSPs to remotely secure, monitor, and manage endpoints, automates evidence gathering for antivirus software, asset inventory intelligence, and more.

Custom Upload Tests

We recently introduced custom upload tests, which allow you to author your own upload tests in the Secureframe platform. Custom upload tests offer tailored compliance validation for individual business needs, comprehensive coverage, and increase flexiblity and scalability in your security posture. If the existing Secureframe authored tests do not cover your company’s criteria, you can create a new test or set of tests that take uploads as evidence. These can be standalone tests or can be mapped to controls in existing security frameworks activated in your account. On the test page in Secureframe, you can create or delete custom upload tests. Learn more about custom upload tests here.

DattoRMM Integration

To further enable service providers for success and based on partner demand, Secureframe has added a new DattoRMM integration. The integration pulls automated configuration evidence like the presence of antivirus software, asset inventory intelligence, and more into the Secureframe platform to further demonstrate a client’s security and privacy posture.

January 2023

New features & updates

Secureframe Questionnaire Automation

Secureframe’s machine learning-powered automation makes the tedious process of responding to RFPs and security questionnaires fast and easy for organizations of all sizes. Our innovative solution suggests responses to RFP and questionnaire questions using content and context from the Secureframe platform along with approved prior responses to deliver 90%+ accuracy. 

You have the ability to edit answers to reflect updates in your security and privacy posture, as well as collaborate with your in-house subject matter experts to ensure answers are kept current in the Secureframe Knowledge Base as your security, privacy, and compliance system of record.

Knowledge Base Chrome Extension

Easily access your Secureframe Knowledge Base from Google Chrome!
You can now look up content and answers to questions easily while on a call, answering emails, or filling out questionnaires. Type keywords, phrases, or whole questions in to the search field to immediately discover related content in the Knowledge Base. The ‘select-to-search’ feature automatically searches any highlighted text on your active tab. Try it today.

Test Comments

Test Comments allow tests to be the nexus of communication for users in Secureframe working toward remediating a test. Now you can take, edit, and delete notes and comments to collaborate on testing.

December 2022

New features & updates

Secureframe Training

Training employees on security and privacy awareness is a key requirement of most compliance frameworks, including SOC 2. Secureframe Training, our in-platform training product with modern and engaging content, now includes Security Awareness Training. This adds to our existing, comprehensive set of training that includes HIPAA, GDPR, CCPA, PCI, and Secure Coding.

Make training your workforce easy and automatic with content that’s kept up-to-date by our compliance experts. You can review the available training modules in the Personnel > Settings > Onboarding section of the app.

Interested in adding privacy and security training? Ask your customer success manager or email contact@secureframe to add Secureframe Training or get a demo.

November 2022

New features & updates

Knowledge Base Scheduled Reviews

Keep your Knowledge Base content fresh by scheduling regular review cycles. 

Fully customize these review settings and receive automated email notifications when your content expires. Learn more about this new feature in our Help Center article.

Expanded Trusted Partner Program + Launch Partners for the Secureframe Trust API

You need the flexibility to customize your security and privacy compliance program to the unique needs of your business.

That’s why Secureframe provides 100+ pre-built integrations with the most popular applications across cloud services, identity providers, background checks, HR and people management, device management, developer tools, single sign-on, and more that you’re already using every day. Rootly, Electric, Basis Theory, and Indent are now joining our industry-leading trusted partner ecosystem to help our mutual customers further automate and streamline compliance. 

Learn more by reading our blog announcement.

October 2022

New features & updates

New Comments Tab on Tests Page

Collaborate with other users at your company using the new comments section. You can leave shared notes, work through remediation steps, and chat with your fellow team members, making it easier and faster to pass tests.

Click on any test and navigate to the "Comments" tab to get started.

Custom Knowledge Base Tags

Manage your content from uploaded security questionnaires and RFPs with custom tags.

Create and mark records for different teams, topics, or specialty areas. You can then filter on these tags for easy access the next time you are looking for content.

September 2022

New features & updates

Test update notifications

Integration Tests can now have a tolerance window! Sometimes configurations are tricky to figure out. Now you can set a tolerance window so that the test will not fail right away after Secureframe detects an incorrect configuration.  

When a tolerance is set, Tests will first show an "at risk" status so that the owners know that something needs to be fixed. Learn how to set a tolerance window for a test in our Help Center.

Due dates for uploaded tests

You can now set due dates for Upload Tests! Every time you go through an audit there is evidence to refresh. Now, you can set due dates to remind you to do these tasks. 

When you set a due date, you can also set a test interval so that the Test will auto-increment to the next due date after it has been refreshed with new evidence. See how to set a due date for a Test in our Help Center article.

Automate responding to security questionnaires and RFPs with Secureframe

Responding to security questionnaires and RFPs has long been a manual, tedious process with forms that vary from customer to customer with no standardized format, set, or order of questions. Even if you are SOC 2 or ISO 27001 compliant, many companies will still require a security questionnaire to be filled out. 

That’s why we’re excited to introduce Secureframe Questionnaires, a machine-learning-powered solution that makes it fast and easy to respond to customer questionnaires. When you receive an RFP or security questionnaire, simply upload it to Secureframe, tag the questions and answer fields, verify Secureframe’s suggested answers from the Secureframe Knowledge Base, export the completed document to the original format, and send it back to your customer. 

Read the blog post to learn more.

Secureframe adds 12 new frameworks, including NIST, ISO 27701, CMMC, and more

We are excited to announce that we’ve added these new frameworks to help you achieve and maintain compliance:

• NIST SP 800-53 
• CMMC
• NIST 800-171 
• PCI DSS SAQ-A and -D
• NIST Privacy
• ISO 27701
• NIST CSF 
• Microsoft SSPA 
• MSVP

 Read the blog post to learn more.

With these additions, Secureframe’s modern, all-in-one governance, risk, and compliance (GRC) platform can do more to help your organization and compliance teams to quickly understand requirements, manage controls, streamline workflows, and stay up-to-date with the latest security, privacy, and compliance standards.

JIRA integration update

The updated JIRA integration automates compliance checks and evidence collection for five existing requirements. To learn more, read our Help Desk Article.

Vendor page update

We’ve updated our Vendors page so it is easier to filter and sort. Now you can quickly skim your vendors list, identify which ones are high-risk, and review vendors that you own.

July 2022

New features & updates

New tests page 

We’ve created a new page to view your compliance journey designed around tests. This page allows you to manage all your company tests in one easy-to-organize place:

• Set custom and saved filter views
• View test details
• View framework mappings
• Remediate tests

For more information on how the Test Page works, take a look at our Help Center article.

June 2022

New features & updates

Custom Upload Tests

We have added the ability to author your own Custom Upload Tests. If existing Secureframe-authored tests do not meet your company’s criteria, you can now create a new test or new set of tests that accept file uploads as evidence.

For more details, read our Help Desk Article on Custom Upload tests.