May 2026

• ControlMap Copilot now in open beta 

  ControlMap Copilot — the GRC assistant embedded across assessments, controls, evidence, risks, audits, and policy and procedure workflows — is now in open beta, enabled across all CM Pro client environments and available to MSP partner users in every supported region (US, EU, Canada, and Australia). Eligible Super Admins and Compliance Managers can turn it on from a new prompt in the client portal title bar and manage it anytime from the profile dropdown. Copilot is free during the beta.

• CMMC audits rebuilt around sub-objectives for eMASS

  CMMC assessments now treat sub-objectives as auditable items, and sub-objective content flows into audit evidence requests and the eMASS report. Work done at the sub-objective level in the Objectives view (Notes, Action Items, Policies, Procedures, Governance) populates the matching audit request, so auditors see it without re-entry. This applies to all CMMC audits, including existing ones. 
   

• New audit fields and clearer test-result labels

  Audit pages across all frameworks now include "Interview" and "Examine" fields for capturing assessor evidence, and audit test results are relabeled to Not Met / Met with exceptions / Met for clearer alignment with how assessors evaluate requirements. 

   

• ControlMap Public API now available in all regions

  The ControlMap Public API is now deployed across every supported region, not just the US. Partners hosted in the EU, Canada, and Australia can call the API against their own region, and the documentation now lists the base URL for each region so the right endpoint is unambiguous.
   

• PCI DSS updated to 4.0.1 with SAQ tagging and filter

  PCI is updated to the latest 4.0.1 standard, and PCI objectives can now be tagged and filtered by SAQ type (SAQ-A, SAQ-A(EP), SAQ-B, and others), with a second tag for PCI Milestones. This lets Partners scope PCI work to the SAQ that applies to a given client.
   

• Jamf integration enhancements

  The Jamf integration now syncs computer inventory, users, and mobile devices using paginated APIs, improving the reliability and completeness of asset data pulled from Jamf.
   

• Owner and approver changes now send email notifications

  Changing the owner or approver on Evidence, Policies, Procedures, and Risk Register items — including via bulk actions — now reliably triggers the expected email, so assignees are informed of their new responsibilities.
   

• Evidence export and re-import

  The Export Evidence report now includes structure and file metadata in the ZIP, and that ZIP can be re-imported into another framework or tenant. Evidence is recreated and remapped to matching requirements, with a clear status when a mapping isn't found.

This month, we also resolved a range of Partner-reported issues across the platform:

• Integrations

  Corrected AWS compliance-check status, Microsoft Intune assets not appearing, Azure AD now honoring "exclude disabled/inactive users," and KnowBe4 training data not syncing.
   

• Reports

  Fixed report-generation failures, the Objectives report omitting objectives for NIST CSF, and SSP formatting issues.
   

• Evidence

  Resolved multi-file upload failures and auditor-portal evidence download problems.
   

• Risk Register & assessments

  Fixed risk edits not persisting after save and the "Show Answering Guidance" button not working across frameworks.

April 2026

• ControlMap Copilot now in beta

  ControlMap's AI assistant is now available in beta, accessed via a new sparkle icon in the page header. Visibility is gated to MSP Super Admins and Compliance. For more details, check out ControlMap Copilot (Beta): Frequently Asked Questions.

• Public API expanded across Assessments and Frameworks/Objectives

  The ControlMap Public API adds substantial new coverage this month: 
  
  Assessments add read endpoints for Partner-level and client-level assessment summaries, plus paginated assessment question search and single-question detail retrieval. Assessments also add write endpoints for saving and clearing answers, creating, updating, and deleting question responses, and mapping or unmapping assessment questions to evidences, action items, policies, and procedures.
  
  Frameworks and Objectives add read endpoints for Partner-level and client-level objective summaries (with framework stats), paginated objective search scoped to a specific client and framework, and single-objective detail retrieval. Together these unlock end-to-end programmatic workflows so partners can monitor and complete assessments on behalf of clients and pull objective progress without UI access.
   

• Entra integration: Inclusion Rules and service account filter

  The Entra integration's Exclusions tab is now a unified Inclusions and Exclusions tab. You can choose Inclusions mode to ingest only the accounts you want (by email, group, or pattern) instead of building complex exclusion lists. A dedicated service account filter is also available so service accounts can be excluded from sync.
   

• Integration syncs no longer overwrite manual asset fields with null

  When an integration syncs an asset and the source value for a mapped field is null, ControlMap now preserves any value you entered manually instead of clearing it. Non-null source values continue to overwrite. This protects manually curated asset details from being lost on subsequent syncs.
   

• Authenticity added to the CIA Matrix for DORA

  The CIA Matrix now includes Authenticity as a fourth scoring dimension across all assets, supporting frameworks like DORA and BSI C5 that require it. Existing assets default to Low for Authenticity, which does not negatively affect OAV scoring.
   

• Confluence embedded document rendering improved

  Pages embedded through the Confluence Content Widget now render images and better preserve core formatting such as headings, lists, bold/italic, links, and tables. Partners can review more of their Confluence documentation in ControlMap without bouncing back to Confluence.
   

• Health Score now ignores future-dated evidence requests

  Health Score only adjusts for evidence requests that are past their due date. Scheduled future evidence requests, including auto-scheduled ones, no longer drag the score down before they're actually due.
   

• Objectives report now includes notes

  The Objectives report adds notes and implementation notes columns to the XLS export. Auditors who use external platforms can now align their audit work without manually copying this content from the in-app audit view.
   

• ScalePad LM Location now maps to ControlMap Region

  Assets ingested from the ScalePad LM integration now populate the ControlMap Region field from LM's Location value. Previously the field came through blank, requiring manual entry.
   

March 2026

• New Public API endpoints for Reports and Action Items: The ControlMap Public API in the ScalePad Developer Portal adds two new endpoint families this month. Reports (read) lets partners pull report summaries across all clients. Action Items now supports both read and write, including the full set of POA&M fields (Roadmap, Priority, and more), enabling partners to programmatically manage action item workflows.

• Integration removal now offers data cleanup options: When removing an integration, a confirmation modal now gives you two clear choices: keep all ingested data and mappings, or permanently delete everything brought in by that integration. This eliminates the need for support escalations to clean up leftover data after removing and re-adding integrations. 
   
• KnowBe4 integration: Exclude inactive and disabled accounts: The KnowBe4 integration now includes an Exclusions tab with an option to exclude inactive and disabled accounts from syncing into ControlMap. This is enabled by default, reducing clutter from archived users appearing in People records.
   
• Quick access to last approved document version: In document list views, clicking the "approved" link in the Status column now opens the last approved version directly. This is useful when the latest version is still in progress and you need to reference the approved baseline without hunting for it.
   
• Azure AD GCC option restricted to GovCloud regions: The Azure AD GCC integration option is now only visible in GovCloud environments. Partners in US, CA, EU, and AU regions will see only the standard Azure AD integration, preventing accidental connections to an unsupported configuration.
   
• POA&M Report now includes Roadmap and Priority: The POA&M Report now includes Roadmap and Priority columns, so you can track action item prioritization directly in the exported report without manual data entry or switching between views.
   
• SSP Report layout improved for CMMC: Implementation Details in the SSP Report now appear before sub-objective assessment questions, matching the logical order shown on the Framework Objectives page. This helps assessors and partners review implementation context before evaluating the corresponding answers.
   

February 2026

• Assessment progress now on the MSP dashboard: Partners can now see each customer’s overall assessment progress across all active frameworks directly on the MSP dashboard. Company cards include a new Assessments tab, and the Companies list adds an Assessments Progress column with a progress pill.
   
• New Audit report section and CMMC subobjective report: Reports now includes a new Audit section to group audit focused reports. A new CMMC subobjective report (eMASS format) is also available there to support subobjective status reporting without manual compilation.

• Bulk management for People records: Admins can now clean up and manage People at scale. The People list supports column sorting, multi select, and bulk actions (Invite, Change Group, Notify, Delete) with confirmation prompts, plus a filter to find People linked to 0 accounts and bulk delete orphaned records. Notify action on this page was also fixed to prevent an unintended email blast to all people records.
   
• In Scope Only filter expanded to more framework views: To reduce clutter and keep teams focused on agreed scope, the In Scope Only filter is now available in framework specific Evidence, Controls, and Documents pages. It’s enabled by default and hides items tied only to out of scope objectives.
   
• Inline note preview for CMMC subassessments: Notes are now easier to review in subassessments, with a dedicated Notes section showing a two line preview and a View more option.
   
• LM integration now populates Region for ingested assets: Assets brought in via LM now have Region populated in CM using LM’s Location value, reducing blank Region fields for LM sourced assets.
   
• Evidence report downloads are more reliable: Evidence Report entries are now sorted newest first and only show rows for actual sync runs, reducing “No Data Found” errors and eliminating date guessing across integrations.
   
• File preview removed for non-US regions: Since file preview isn’t supported outside the US (vendor limitation), it has been removed in non-US regions. Clicking a file now downloads it immediately. US behavior remains unchanged.
   

• GovCloud tenant improvements: GovCloud specific issues causing partner friction were resolved, with a focus on improving day to day stability for GovCloud tenants.

January 2026

• ControlMap Public API now live in the ScalePad Developer Portal: The first ControlMap Public API endpoint is now available in the ScalePad API Developer Portal, starting with Customer Health. This lets partners pull client health metrics programmatically for automation, reporting, and dashboards. This first endpoint is available in the US region only. We plan to roll it out to all regions and release additional endpoints next month

• Introducing Progress Stages (MSP portal): You can now track where each client company is in your compliance onboarding process using Progress Stages. This is designed for partners managing large volumes of onboardings across multiple teams, making it easier to segment clients and understand what needs attention next. Partners can create and manage a configurable list of stages, assign a stage per company, bulk update stages, and filter companies by stage.
   
• Audit comments now visible in Framework Objectives: Auditor recommendations and internal audit comments are now accessible where many compliance teams do the work. Instead of jumping to the Audits area to find context, you can now view these comments directly within Framework > Objectives > Audit Tests. This helps reduce back and forth and speeds up remediation, especially for larger partners with separated audit and remediation roles.