CCM 1.4 Release Notes

Release date: June 2026

Continuous Control Monitoring 1.4 introduces Control Attestations. Until now a control's status came solely from its control tests: any failing test made the control fail, and a control with no tests had no status. There was no first-class, audited way to say "this control is satisfied by evidence that lives outside JupiterOne" - a vendor SOC 2 report, a risk acceptance, or a manual process - and have that reflected in your compliance posture.

Attestations close that gap. An authorised user can formally justify a control for a defined period; the control is then reported as Attested (a pass, with a caveat) instead of failing, with the full justification retained for audit and automatic re-failure when the attestation expires.

What is new in CCM 1.4

| Feature | What it means for you |
| --- | --- |
| Control Attestations | Record external or compensating evidence against a control and have it count toward compliance for a bounded time |
| Attested status | A control covered by a valid attestation reports as Pass, with an Attested note in the Effectiveness column - a pass with a caveat, never a hidden failure |
| Combined control view | Attestations and control tests now live in one Control tests and attestations section on the control page |
| Automatic expiry | When an attestation expires the control automatically re-fails, so a lapsed justification can never silently mask a gap |
| Compliance rollups & filters | Valid attested controls count as passing in scorecards, framework counts, and digests; you can filter the controls list by Attested |

Control Attestations

An attestation is a record that justifies a control's compliance using evidence outside of its automated tests. Create one from the control detail page when you have control-edit permission.

Each attestation captures:

  • Subject - a short title for the justification (e.g. "Vendor SOC 2 Type II report")
  • Description - the supporting detail, in markdown
  • Expiry date - when the justification lapses and the control re-evaluates
  • Owner - the person responsible for renewing it
  • Document link - an optional link to supporting evidence

Attestations are effective immediately - there is no approval workflow in this release. A control can carry more than one attestation (for example, one per vendor); the rules for how multiple attestations combine are described in How attestations affect control status below.

Note: Attestations apply to live controls. The justification, edit, and revocation history is retained in the audit trail independently of the control, so revoking or expiring an attestation never erases the record of why it existed.

Attested status - a pass with a caveat

When a control is covered by a valid attestation, its status is reported as Pass, and the Effectiveness column shows an Attested note. This is deliberate: an attested control is compliant for reporting purposes, but the Attested marker makes clear the pass is backed by evidence rather than a passing test.

  • Scorecards, framework compliance counts, and daily digests count valid attested controls as passing.
  • The controls list still lets you find them: filter by Attested to see exactly which controls are passing by attestation rather than by test.
  • An expired attestation is not a pass - the control fails (see below).

Controls list showing an Attested control - Pass status with an Attested effective status

Combined "Control tests and attestations" view

The control detail page now presents a single Control tests and attestations section. Attestations appear above the control tests. When a control has one or more active attestations, the section makes clear that those attestations are determining the control's status and the tests below are not currently contributing - especially when the control has both attestations and tests.

This keeps everything about a control's compliance in one place: you can see the justification and the underlying test results together, and never have an attestation quietly hide a failing test.

Combined control tests and attestations view, with the attestation overriding a failing test

How attestations affect control status

A control's status combines its control tests and its attestations. Revoked attestations are removed and never count. The table below shows the resulting status for every combination:

| Control tests | Attestations | Control status |
| --- | --- | --- |
| No tests | None (or only revoked) | Not evaluated |
| Passing | None (or only revoked) | Pass |
| Failing | None (or only revoked) | Fail |
| Any state | At least one valid attestation, none expired | Pass (Attested) |
| Any state | Any attestation has expired | Fail |

The key rules:

  • A valid attestation makes the control Pass (Attested) - even if its tests are failing or it has no tests at all.
  • If any non-revoked attestation has expired, the control Fails - even if other attestations are still valid and even if its tests pass. One lapsed justification fails the control, so an expiry is never overlooked.
  • Revoking an attestation removes it from the calculation; the control reverts to whatever its tests (or remaining attestations) say.
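
The status table and key rules above, written out as a small evaluator. This is an added example, not JupiterOne's code: the Attestation record, the function names and the sample controls are hypothetical, and it assumes an attestation counts as expired once its expiry date has passed. The second function lists controls where a valid attestation is overriding failing or missing tests, which is the set a reviewer would want to inspect first.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Attestation:  # hypothetical record shape, not the CCM schema
    subject: str
    expiry: date
    revoked: bool = False

def control_status(test_results, attestations, today):
    """Return (status, reason); test_results is a list of bools (True = passing)."""
    live = [a for a in attestations if not a.revoked]  # revoked never count
    # Assumption: expired means the expiry date is strictly before today.
    expired = [a for a in live if a.expiry < today]
    if expired:
        # One lapsed justification fails the control, whatever else is true.
        names = ", ".join(a.subject for a in expired)
        return "Fail", f"expired attestation: {names}"
    if live:
        return "Pass (Attested)", f"{len(live)} valid attestation(s)"
    if not test_results:
        return "Not evaluated", "no tests, no attestations"
    if all(test_results):
        return "Pass", "all tests passing"
    return "Fail", "failing test"

def masked_by_attestation(controls, today):
    """Controls reported Pass (Attested) whose tests are failing or absent."""
    out = []
    for name, (tests, atts) in controls.items():
        status, _ = control_status(tests, atts, today)
        if status == "Pass (Attested)" and not (tests and all(tests)):
            out.append(name)
    return sorted(out)

TODAY = date(2026, 6, 15)  # constructed evaluation date
SOC2 = Attestation("Vendor SOC 2 Type II report", date(2026, 12, 31))
LAPSED = Attestation("Risk acceptance", date(2026, 6, 1))
REVOKED = Attestation("Manual process", date(2026, 12, 31), revoked=True)
CONTROLS = {  # constructed sample controls: (test results, attestations)
    "ctl-a": ([False], [SOC2]),          # failing test, valid attestation
    "ctl-b": ([True], [SOC2, LAPSED]),   # passing test, one expired attestation
    "ctl-c": ([], [REVOKED]),            # no tests, only a revoked attestation
    "ctl-d": ([True, False], [REVOKED]), # failing test, only revoked
    "ctl-e": ([True], [SOC2]),           # passing test, valid attestation
}

if __name__ == "__main__":
    for name, (tests, atts) in CONTROLS.items():
        print(name, *control_status(tests, atts, TODAY))
```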

Automatic expiry handling

Attestation expiry is a time event, so CCM re-evaluates attested controls on a recurring schedule (within 24 hours) in addition to recomputing immediately whenever an attestation is created, edited, or revoked. A control whose only attestation lapses returns to failing automatically - even if it has no control tests that would otherwise trigger a re-evaluation.

To renew an attestation before it lapses, open the control and Edit the attestation to extend its expiry date. Each attestation in the Control tests and attestations list shows its current state (active, expiring soon, expired, or revoked) so you can spot upcoming expiries.

Getting started

If you are an existing CCM user: Control Attestations are available immediately on your live controls.

  1. Open any live control from Compliance > Controls Status.
  2. In the Control tests and attestations section, choose Add an attestation.
  3. Enter the subject, description, expiry date, owner, and an optional document link, then save.
  4. The control's status updates to Pass with an Attested note; it will automatically re-fail if the attestation expires.
  5. Use the Attested filter on the controls list to review everything currently passing by attestation.

If you are new to CCM: Start with the CCM 1.2 setup steps to create your frameworks, requirements, and controls, then layer attestations on top where automated tests cannot tell the whole story.

For full feature documentation, see Continuous Control Monitoring.