KCM GRC Change Log – Knowledge Base

Below is a list of our new feature releases and updates for the KnowBe4 Compliance Manager GRC (KCM GRC) platform.

The latest list of updates will be displayed at the top of the page.

2020 Changes
2019 Changes
2018 Changes
2017 Changes

Release Date	Description
November 2020	We've made the following changes under the Vendor Risk Management module portion of your platform: The Consensus Assessment Initiative Questionnaire (CAIQ) v3.1 Lite questionnaire template has been added to the questionnaire builder. When creating a questionnaire, you can now format custom questions to use multiple lines. When typing, press the Return or Enter button on your keyboard and your formatting will be saved. Under the Risk Management module, you can now format a Risk Description to use multiple lines. When typing, press the Return or Enter button on your keyboard and your formatting will be saved. The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): SAE18 SOC2 TSC to SAE20 SOC2 TSC v3.2020
October 2020	The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): NIST 800-53 Rev 4 to Rev 5
September 2020	The Consensus Assessment Initiative Questionnaire (CAIQ) v3.1 questionnaire template has been added to the Vendor Risk Management module portion of your platform. This questionnaire provides updates to its predecessor: CAIQ v3.0.1. Under CAIQ v3.1, 49 new questions have been added and updates have been made to 25 existing questions, in order to improve the clarity and accuracy of the questionnaire. To learn more about building questionnaires for your vendors (or other third parties), please see: Creating and Configuring Questionnaires. Additional data has been added to the scope export. This includes an HTML file where you can view scoped requirements, the mapped controls, control tasks, and evidence. To export a scope from your account, navigate to Compliance > Scope Exports. You can now edit the due date for tasks that are created under a standard task schedule. To learn more about control tasks and task schedules, see: Working with Task Schedules for Controls. The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): American Land Title Association Assessment Procedures v2.5 to 3.0 CJIS Security Policy v5.8 to v5.9 Commonwealth of Virginia Hosted Environment Information Security Standard SEC 525 v03.1 to v04.1 Commonwealth of Virginia ITRM Standard SEC501 v10.2 to v11.2 Customs Trade Partnership Against Terrorism v4.2019 to v3.2020 FDA 21CFR11 v4.2016 to v4.2019 UK Data Security and Protection Toolkit Standard v1.9.6 to v20-21
August 2020	We've added a robust guide to our knowledge base for your users who are assigned to complete tasks for controls: Monitoring and Completing Tasks (a Guide for Contributors). This guide will explain the following for users who have a Contributor user role: How do I know if I'm assigned to a task? How do I monitor my upcoming tasks? How do I navigate my account? Understanding task requirements Adding evidence and completing tasks What if my task failed? We've improved our email notifications so you will not receive as many emails from KCM GRC. Whenever you are set to receive more than one notification at a time, these notifications are combined into one email digest. When there is more than one notification in an email, the subject line will read "KCM GRC Email Digest". You can now edit the due dates for one-time tasks. To learn more about one-time tasks and task schedules, please see: Working With Task Schedules for Controls.
July 2020	We've made major updates to your KCM GRC platform. These enhancements include workflow changes, faster loading performance, an updated user interface, and brand new features! Please see our Enhancements to the KCM GRC Platform and Compliance Management Workflows (July 2020) article for more details on these enhancements.
April 2020	We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to KCM GRC over the previous quarter. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): NIST 800-34 Contingency Planning Guide for Federal Information Systems NIST 800-61 Computer Security Incident Handling Guide Secure Software Lifecycle Requirements and Assessment Procedures South Carolina Insurance Data Security Act
March 2020	Under the Vendor Risk Management (VRM) module, we've added a new feature for your vendor questionnaires. You can now create custom questions to use in multiple questionnaires. See this article for more information. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): California Consumer Privacy Act AB 25 (Amendment to California Consumer Privacy Act) California Consumer Privacy Act AB 1130 (Amendment to California Consumer Privacy Act) California Consumer Privacy Act AB 1146 (Amendment to California Consumer Privacy Act) California Consumer Privacy Act AB 1355 (Amendment to California Consumer Privacy Act) California Consumer Privacy Act AB 1564 (Amendment to California Consumer Privacy Act) California Consumer Privacy Act AB 1202 (Amendment to California Consumer Privacy Act) Cybersecurity Law of the People’s Republic of China Higher Education Community Vendor Assessment Tool Lite (HECVAT) International Automotive Task Force - Sanctioned Interpretations National Indian Gaming Commission MCS Audit Checklist National Indian Gaming Commission MICS Audit Checklist Information Technology & IT Data Virginia House Bill 2178 Minimum Security Standards The following are updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Cybersecurity Maturity Model Certification v1.0 to v1.02 NIST 800-171 Rev 1 to Rev 2 Secure Controls Framework v2019.6 to v2020.3
February 2020	We've added three new system templates for you to use in your questionnaires (see this article for more information): 2020 SIG Lite 2020 SIG Core 2020 SIG Full When building questionnaires from templates, we've made it easier to select all of the questions from a template. See here for details. Increased the maximum character count for the Response field when Vendor Users are responding to questionnaire issues. For more information please see our Guide for Vendor Users. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): California Proposition 65 (Safe Drinking Water and Toxic Enforcement Act of 1986) NIST Privacy Framework Stop Hacks and Improve Electronic Data Security Act (New York SHIELD Act) Technology Risk Management Checklist Framework - Monetary Authority of Singapore Telephone Consumer Protection Act Telephone Consumer Protection Act - Examination Worksheet UK Anti Bribery Statute Adequate Procedures Checklist United Postal Service Information Security Handbook US Foreign Corrupt Practices Act Verified Internet Pharmacy Practice Sites (VIPPS) Water Shutoff Protection Act (California Senate Bill 998) The following are updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Cybersecurity Maturity Model Certification DRAFT v0.7 to v1.0
January 2020	Regarding the system questionnaire templates that are offered under the Vendor Risk Management (VRM) module, we've resolved an issue where the incorrect answer was considered the 'correct answer' for one question. This change automatically updates the Vendor Score for any vendor who has answered the following question: Affected Questionnaire Template: CAIQ v3.0.1 Affected Question: BCR-06.1 Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)? The 'correct answer' has been changed from "Yes" to "No" We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to KCM GRC over the previous quarter. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Freedom of Information and Protection Privacy Act Office for Civil Rights (OCR) Phase 2 Audit Protocol Restrictions of Hazardous Substances (EU Directive 2015/863)

Release Date	Description
December 2019	We've added a new reporting feature called Custom Reporting. You can quickly create reports that provide details on the status of your tasks and the rate of completion for the controls you've implemented across your compliance and risk management initiatives. For more information, please see our Custom Reporting Guide. We've made the following changes to the Vendor Risk Management module: You can now create a template from the questionnaire you've created in your questionnaire builder. Your custom questionnaire templates can be re-used in a new questionnaire. In the questionnaire builder, after you've added questions to your questionnaire, you can now adjust the order in which the questions are displayed. A new column was added to the table in your Questionnaire List. You can now see the status of your questionnaires from this area. For more information, please see this article. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Customs Trade Partnership Against Terrorism (CTPAT) Cybersecurity Maturity Model Certification DRAFT (Levels 1 through 5) FFIEC IT Examination Handbook Singapore Personal Data Protection Act VDA - Trusted Information Security Assessment Exchange (TISAX) Vermont Data Broker Regulation
November 2019	From the Vendor Risk Management module, you can now export a CSV file containing the details of a questionnaire that your vendor has completed. For more information, see Exporting Finalized Questionnaires. From the Vendor Risk Management module, you can now export a CSV file containing the details of your blank questionnaires. See here for more information. The questionnaire builder under the Vendor Risk Management (VRM) module has been completely overhauled to provide a better user experience and additional functionality. You can now preview, clone, and export the questionnaires you've created in your questionnaire builder. See this article to learn more. We've made the following changes to the Vendor Risk Management module: Resolved an issue where Vendor Users were unable to update vendor Issues from their Vendor Portal. Resolved an issue where updating/editing a questionnaire name from the Questionnaire - [Questionnaire Name] page did not carry over to previously and currently-scheduled questionnaires. The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Bank Secrecy Act Examination Manual Colorado Data Protection Act Internet of Things Assessment Questionnaire US Government Auditing Standards
October 2019	We've made the following changes to the Vendor Risk Management module: Resolved an issue where the incorrect answer was considered the 'correct answer' for vendor responses when using the 2019 SIG Lite and/or 2019 SIG Full questionnaire templates. These changes affected 46 questions in total. This will also update the Vendor Score for all affected vendors. If you'd like details about the answer changes, please reach out to our Support team. Resolved an issue where deleted questionnaires were not being removed from the Questionnaire List. Made minor visual changes to the way you view questionnaire schedules. For more information, see the Schedules tab under the Working with Vendor Profiles (Vendor Details) section of this article. We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to KCM GRC, and the remaining KnowBe4 product line–over the previous quarter. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): American Land Title Association Assessment Procedures Association of Corporate Counsel (ACC) Model Information Protection and Security Controls for Outside Counsel Canada's Anti-Spam Legislation Cayman Islands Data Protection Law Cloud Computing Compliance Controls Catalogue Illinois Personal Information Protection Act North Carolina Identity Theft Protection Act UK Data Security and Protection Toolkit The following are updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Secure Controls Framework v2019.6
September 2019	Regarding the Questionnaire Templates offered under the Vendor Risk Management (VRM) module, we've resolved an issue where the incorrect answer was considered the 'correct answer' for vendor responses. This change affects any questionnaire that includes the question(s) below. Therefore, this will also update the Vendor Score for all applicable vendors. For more information, please reach out to our Support team. Affected Questionnaire Templates: 2019 SIG Lite, 2019 SIG Full Affected Questions: D.7 Are Constituents able to view client's unencrypted Data? The 'correct answer' has been changed from "Yes" to "No" Regarding the Vendor Risk Management (VRM) module, we've fixed an issue in the questionnaire builder where the question text wasn't fully visible if it were longer than a single line. This issue also impacted "free-form" responses from vendors. The issue has now been resolved. Regarding the Vendor Risk Management (VRM) module, we've fixed an issue where questionnaire questions were displayed in an incorrect order for vendor users and for KCM administrators when they were completing or reviewing questionnaires, respectfully. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Connecticut Insurance Data Security Law Lexcel England and Wales for In-house Legal Departments Lexcel England and Wales for Legal Practices Lexcel International Portugal Data Protection Law Sarbanes Oxley Act UK Data Protection Act
August 2019	If you're using OneLogin or Okta as your SSO/SAML provider, you can configure your single sign-on by adding the "KCM GRC Platform" application to your provider's portal. See this article for more information. The following enhancements have been made to the Vendor Risk Management (VRM) Module: Regarding evidence due dates when using EDR, you can now override the default Effective Date Range Settings (found under Account Settings) on a per-control basis. See this article for more information. You can now manually offset the Vendor Score found under each vendor profile. From the Vendor Details page, click the Update button to change the existing Vendor Score. You can now include informational questions in your vendor assessments. These questions are not counted against the questionnaire score. Vendor Users can now edit their questionnaire answers after they have been saved, before the questionnaire has been finalized. You can now permanently delete vendor profiles from the Vendor List area of your VRM module. You can now permanently delete questionnaires from the Questionnaire List area of your VRM module. Fixed an issue in the questionnaire builder where you could save questions without adding answer options and were unable to configure the questionnaire as a result. Fixed an issue where auditor users were able to view tasks that had not been approved by an approving manager. Auditor users can only see tasks and task evidence that has been approved. See this article for more information about KCM user role permissions. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Australian Privacy Act Australian Prudential Standard CPS 234 BDSG - German Federal Data Protection Act MDSAP - Australia: Therapeutic Goods (Medical Devices) Regulations MDSAP - Brazil: RDC (16, 23, 67) MDSAP - Canada: Medical Devices Regulations MDSAP - Japan: MHLW MO 169 MDSAP - USA: Title 21 Food and Drug Regulation New Hampshire Senate Bill 193 v8.2019 Privacy Shield Framework - EU-US Privacy Shield Framework - Swiss-US Texas House Bill 4390 - Privacy Protection Act
July 2019	The KCM GRC platform now supports single sign-on and SAML 2.0 to allow your users to quickly and easily log in to KCM using your organization's single sign-on, without having to set up or use a password. See this article for more information. Under the Policy Management module, we've fixed an issue where "Invalid Date" was incorrectly showing under Policy Management > Campaigns > Campaign Name > Users tab (in Safari browsers). We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to the KnowBe4 product line over the previous quarter. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Brazilian Data Protection Law (LGPD) Commonwealth of Virginia Hosted Environment Information Security Standard SEC 525 FERPA Financial Conduct Authority Handbook (UK) Interagency Guidelines - Information Security Standards ISO 27002 Texas Administrative Code §202 - State Agencies Texas Administrative Code §202 - Institutions of Higher Education UK Public Sector Network Code of Connection The following are *updated* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): CJIS Security Policy v5.8 HIPAA Privacy and Breach Rule HIPAA Security Rule The following enhancements have been made to the Vendor Risk Management (VRM) Module: When reviewing vendor questionnaires, you can now filter questions by the following: incorrect answers, answers with attachments, answers with issues, and informational questions. When reviewing vendor questionnaires, incorrect answers are now visually notated by a red line on the left-hand side of the question. In response to the significant growth of KCM GRC, the architecture of your platform was upgraded on July 17, 2019. This upgrade improves performance and allows us to better serve you by streamlining platform administration and maintenance.
June 2019	The following enhancements have been made to the Vendor Risk Management (VRM) Module: When creating questionnaires, you can now upload a CSV file of custom questions. See here for details. When reviewing questionnaires, you can now change the score of vendor responses from the Questionnaire Review and Issue Details pages. When sending (scheduling) a questionnaire, you can set a suggested due date. The questionnaire assessee will see the due date in their email notification, and in their vendor portal. A Scheduled Questionnaires Calendar has been added to the Vendor Management Dashboard. All questionnaires are listed on the day were sent or will be sent. You can now cancel active questionnaires from the Assigned Questionnaires tab, under the Vendor Details page. You can now cancel questionnaire schedules (questionnaires to be sent) from the Schedules tab, under the Vendor Details page. If your vendor did not receive the email notification for their assigned questionnaire, you can now generate and send their login link from the Assigned Questionnaires tab, under the Vendor Details page. You can now archive questionnaires that have not been sent or scheduled. Vendor Administrator users can now view vendor profiles and questionnaires that have been archived. See this article to learn more about KCM user role privileges. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Gramm-Leach-Bliley Act Privacy Rule Gramm-Leach-Bliley Act Safeguard Rule IRS Publication 1075
May 2019	You can now follow this article to stay informed of the new and updated Managed Templates available for your account. Our team ensures we have the up-to-date versions of these frameworks available for your use. Contact your Customer Success Manager to have additional templates added to your account. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): ASD Information Security Manual v3.2019 Commonwealth of Virginia ITRM Standard SEC501 v10.1 UK Ministry of Defence - Defence Standard Low Profile UK Ministry of Defence - Defence Standard Moderate Profile UK Ministry of Defence - Defence Standard High Profile The following are *updated* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): CIS Critical Security Controls Group 1 7.1 CIS Critical Security Controls Group 2 7.1 CIS Critical Security Controls Group 3 7.1
April 2019	The Vendor Risk Management (VRM) module was released. The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your KCM GRC platform. See our Introduction Guide to learn more. Updates were made to the User Roles available in your account. This includes updates to the User Management and User Profile pages in your account. See more information in our Working with Users article. You can now manage evidence submission settings (DocuLinks and documents) at the scope level–in addition to the account-wide settings. See more information in our Managing Account Settings article, here. The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): NCUA ACET v1.0 DFARS NIST 800-171 SA v11.2017 HMG Security Policy v1.0 Massachusetts Data Privacy Regulation v2009 The following are *updated* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): CIS Critical Security Controls 7.1 CCIS Critical Security Controls 7 to 7.1_Changes
March 2019	The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): PCI DSS SAQ A PCI DSS SAQ B PCI DSS SAQ B-IB PCI DSS SAQ C PCI DSS SAQ C-VT PCI DSS SAQ D Merchants PCI DSS SAQ P2PE PCI DSS - SAQ D Service Providers v3.2.1 Secure Controls Framework OWASP Level 1 v4.0 OWASP Level 2 v4.0 OWASP Level 3 v4.0
February 2019	The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): Financial Services Sector Coordinating Council (FSSCC) v1.0 NIST SP 800-171 Appendix E v2016 FedRAMP High Baseline Controls v8.2018 FedRAMP Moderate Baseline Controls v8.2018 FedRAMP Low Baseline Controls v8.2018 FedRAMP LI-SaaS Baseline v8.2018 NIST 800-53 High-Impact Baseline rev4 NIST 800-53 Moderate-Impact Baseline rev4 NIST 800-53 Low-Impact Baseline rev4 International Traffic in Arms Regulations (ITAR) v12.2018 The following are *updated* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): NIST 800-53 rev4
January 2019	The following are *new* Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): PCI DSS - Self-Assessment Questionnaire A-EP v3.2.1 AB-375 Consumer Privacy Act of California v1.0 NAIC MDL - Insurance Data Security Law v4th Quarter 2017 PIPEDA v12.2018 HITECH v2.2009 The following are *updated* managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account): HIPAA Privacy and Breach v1.0 HIPAA Security Rule v1.0 PCI DSS Appendix A v3.2.1 CJIS Security Policy v5.7 SWIFT CSP v2019

Release Date	Description
December 2018	New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account): SSAE18 SOC2 TSC (AT-C 105/205) The ability to create Risk tags was added. Added a new tab called Risk Settings to the Account Settings page where you can manage custom categories and risk tags. You can now create, edit, delete, and CSV upload custom Risk templates.
November 2018	New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account): NIST SP 800-171 A Added the user role Risk Administrator. Added the ability to map controls to a risk. Added the Risk Management report. See here for more information. Added the ability to export the Evidence Repository to a CSV file.
October 2018	The Risk Management Module has been added to KCM GRC. Risk Management simplifies the processes of identifying, assessing, and managing the risks faced by your organization. See here for more information. The threat Quick Add screen was added. For more information, see here. The View Risk screen was added. See here for more information. Added the ability to upload risk templates with a CSV file from the Risk Templates screen. Added the ability to import risks to the risk registry with a CSV file. Added sample CSV files to download and use as a template when using a CSV file for imports. Added colors for the different Risk categories.
September 2018	The ability to Clone Scopes was added. A new Managed Template is now available as a result of revisions to NIST SP 800-171 Rev. 1 (contact your Customer Success Manager to have additional Templates added to your account): NIST SP 800-171 Rev. 1 (updated 06/07/2018)
June 2018	Executive Reporting features have been added to KCM GRC. Executive Reports give you the ability to send status reports for one or more Scopes at a frequency you choose. See here for more information. Two new Managed Templates are now available as a result of revisions to PCI DSS (contact your Customer Success Manager to have additional Templates added to your account): PCI DSS v3.2.1: The most current Template for this publication (supersedes PCI DSS v3.2) PCI DSS Changes v3.2.1: Consists only of the changes made to this publication since the previous KCM GRC Template (PCI DSS v3.2)
May 2018	Multi-Factor Authentication is now available for your KCM GRC platform. New versions of Managed Templates are now available (contact your Customer Success Manager to have additional Templates added to your account): CIS Critical Security Controls 7 NIST Cybersecurity Framework v1.1 NIST SP 800-171 Rev. 1 (Updated 2/20/2018)
April 2018	New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account): General Data Protection Regulation (GDPR) The Policy Management module was added to KCM GRC. Policy Management allows you to easily track and manage your organization's policy distribution and user acknowledgments. See here for more information.
February 2018	New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account): UK Cyber Security Essentials
January 2018	Two new Managed Templates are now available as a result of revisions to NIST SP 800-171 (contact your Customer Success Manager to have additional Templates added to your account): NIST SP800-171 2017: The most current Template for this publication (supersedes NIST SP800-171 2015) NIST SP 800-171 Changes 2015-2017: Consists only of the changes made to this publication since the previous KCM GRC Template (NIST SP800-171 2015)

Release Date	Description
December 2017	Improved reporting features, such as Gantt charts and additions to the Evidence Repository table
November 2017	New and improved account settings features: Ability to add a display name and company logo Ability to restrict access to allow only certain IPs Limit control and task documents to DocuLinks and/or uploads Hide your console from KCM GRC support Configure the time needed to prepare evidence for ongoing tasks, when using Effective Date Range (EDR) feature. Effective Date Range (EDR) feature release: Allows admins to set start, end, and due date for tasks. End date/Due dates are dependent on Frequency of task. Frequency settings can be manually adjusted in Account Settings. Start, end, and due date can be modified within each Task. Set up an advanced, one-time task: Allows admins to set up a one-time task with a start, end, and due date.

Related articles