intuitem · News · 4 min read

What's New in CISO Assistant — Week 03, 2026 (v3.10.0 – v3.10.3)

A landmark week: the Actors concept arrives, AI-powered MCP skills for TPRM and EBIOS RM, domain focus mode, Kanban for controls, CIS-to-NIST/ISO mapping tools, and much more across four releases.

This was a big week. Four releases — v3.10.0 through v3.10.3 — shipped in rapid succession, delivering one of the most feature-rich sprints in CISO Assistant’s history. Here is everything that matters.

Major: Actors

The headline feature of the 3.10 series is Actors — a new first-class concept that decouples the “who is responsible” question from user accounts. Actors can represent people, teams, vendors, or any party that plays a role in your GRC processes, whether or not they have a login. Existing relations such as risk owners and control assignees have been migrated to reference Actors rather than Users (v3.10.1), and a toggle lets you decide whether entities remain visible in the actors list.

This is a breaking change at the data-model level: if you have integrations that rely on user-based ownership fields, review the migration notes before upgrading.

AI & MCP Server

The built-in MCP (Model Context Protocol) server received a wave of enhancements:

  • TPRM object support — Third-Party Risk Management objects can now be queried and managed through the MCP interface.
  • EBIOS RM support — EBIOS Risk Manager objects are also exposed, letting AI assistants reason over feared events, attack paths, and operational scenarios.
  • Bootstrap skill — A new Claude skill walks you through setting up a fresh CISO Assistant instance by asking a handful of questions and pre-populating the workspace.
  • Basic risk-assessment skill — Another skill helps draft an initial risk assessment, with fixes for ambiguity in object resolution.

Framework & Library Updates

  • Microsoft Cloud Security Benchmark added to the library.
  • ISO 27001 Chinese translation now available.
  • DORA ↔ FINMA 2023/01 mapping contributed by @votrepresencedigitale — welcome as a new contributor!
  • CIS Controls v8 mapping tools for both NIST CSF 2.0 + ISO 27001:2022 and NIST 800-53 Rev. 5 (v3.10.2).

UX & Workflow Improvements

  • Revamped Data Wizard and Libraries pages — Cleaner layout, faster navigation.
  • Quick filters on the libraries list — Filter by available mappings or by libraries that have updates waiting.
  • Kanban view for Applied Controls — Drag-and-drop your controls across status columns, with full respect for any active table filters (v3.10.3).
  • Domain focus mode — Collapse the scope to a single domain and work distraction-free (v3.10.3).
  • Domain is now changeable on all object forms, so you can reorganise without recreating records (v3.10.3).
  • Authors and reviewers are now displayed directly in detail views.
  • Delete option in the standard context menu — One less click to remove an object.
  • Flash-mode inherits table filters — Propagated filters from the applied-controls table carry over into flash-mode editing.

Assignments & Collaboration

  • My Assignments page now surfaces team-related assignments alongside personal ones (v3.10.2).
  • Notifications for expiring evidences — Get alerted on the day an evidence expires, so nothing silently lapses.

EBIOS RM

  • Excel export/import (beta) — You can now round-trip EBIOS RM data through Excel for offline collaboration or review.
  • Improved ARM import — Additional edge cases are handled when importing Attack Reference Models.

Performance & Backend

  • IAM caching — A new cache layer for identity and access management cuts redundant lookups (v3.10.2).
  • Optimized validation workflows — Less overhead when processing approval chains (v3.10.2).
  • WAL enabled on SQLite — Write-Ahead Logging is now turned on by default for SQLite backends, improving concurrent write performance and resilience (v3.10.3).

Security & Permissions

  • RBAC check on target folder before allowing object moves, closing a gap where a user could move an object into a folder they shouldn’t have write access to.
  • Sidebar display fix for custom roles — Users with non-standard role configurations no longer see broken or missing navigation items (v3.10.3).
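
The target-folder check from the first item above, shown as an added example that is not CISO Assistant's own code. The `Folder`, `Record`, `User` and `move_*` names are hypothetical; the model contrasts a move that authorizes only the source folder with one that also authorizes the destination.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model; not CISO Assistant's classes or permissions.
@dataclass(frozen=True)
class Folder:
    name: str

@dataclass
class Record:
    name: str
    folder: Folder

@dataclass
class User:
    name: str
    writable: set = field(default_factory=set)  # folders this user may write to

    def can_write(self, folder: Folder) -> bool:
        return folder in self.writable

class MoveDenied(PermissionError):
    """Raised when the access check refuses a move."""

def move_source_only(user: User, record: Record, target: Folder) -> None:
    """The gap: only the folder the record currently lives in is checked."""
    if not user.can_write(record.folder):
        raise MoveDenied(f"{user.name}: no write access to {record.folder.name}")
    record.folder = target

def move_checked(user: User, record: Record, target: Folder) -> None:
    """Authorize source and target folders before mutating anything."""
    for folder in (record.folder, target):
        if not user.can_write(folder):
            raise MoveDenied(f"{user.name}: no write access to {folder.name}")
    record.folder = target

def demo() -> dict:
    """Run both variants with a constructed user who can write to Domain A only."""
    a, b = Folder("Domain A"), Folder("Domain B")
    analyst = User("analyst", writable={a})
    first = Record("risk-1", a)
    move_source_only(analyst, first, b)  # succeeds although B is not writable
    second = Record("risk-2", a)
    try:
        move_checked(analyst, second, b)
        outcome = "moved"
    except MoveDenied:
        outcome = "denied"
    return {"source_only": first.folder.name, "checked": outcome,
            "checked_still_in": second.folder.name}
```
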

Bug Fixes

  • Implementation-group filtering on applied controls now correctly applies to audit scope (v3.10.2).
  • Incidents with duplicate names are allowed when they belong to the same domain but carry different reference IDs (v3.10.2).
  • Trailing line-break removed from Markdown rendering (v3.10.3).
  • Removed stale owner relationship from the FindingsAssessment model (v3.10.3).

CLI

  • clica full backup/restore — A new CLI command lets you perform a complete backup and restore of your CISO Assistant instance from the terminal, useful for migration scripts and disaster-recovery runbooks.


For the full list of changes across all four releases, see the releases page on GitHub.
