intuitem · News

What's New in CISO Assistant — Week 09, 2026 (v3.13.0 – v3.13.4)

Enforced MFA, advanced audit analytics with radar charts, EBIOS RM interactive graph editor, onboarding presets and journeys, PostgreSQL SSL support, and three new framework libraries.

Five releases make Week 09 one of the densest of the year so far. The highlights include enforced MFA for organisations with strict authentication policies, a completely new advanced analytics page for audits, an interactive EBIOS RM graph editor, and a guided onboarding experience through presets and journeys.

Security & Authentication

Admin-enforced MFA (v3.13.0) — Administrators can now require all users to set up multi-factor authentication. Combined with the MFA redirect fix in v3.13.4 (which now works correctly across both layouts), this gives security teams a straightforward way to raise the authentication baseline across the organisation.

Hardened Excel formula escaping (v3.13.2) — The escape_excel_formula utility has been strengthened to prevent CSV/Excel injection attacks when exporting data. A companion CI policy check now guards against template injection at the code level.
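The kind of export-time neutralisation this fix concerns, as an added example: this is not CISO Assistant's escape_excel_formula implementation, and the names neutralize_cell and export_rows are hypothetical. It follows the common OWASP approach of prefixing risky cells with an apostrophe and quoting every field.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet will display as text, not evaluate."""
    if not isinstance(value, str):
        return value  # ints, floats, None: written as data, not formula text
    # Check past leading spaces too, so " =1+1" is treated like "=1+1".
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value  # a leading apostrophe forces text interpretation
    return value


def export_rows(header, rows):
    """Serialise rows to CSV, neutralising every cell and quoting every field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # also doubles embedded quotes
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: user-editable fields that end up in an export.
SAMPLE_HEADER = ["ref_id", "name", "score"]
SAMPLE_ROWS = [
    ["C-001", "Firewall review", 3],
    ["C-002", "=1+1", -5],            # formula typed into a free-text field
    ["C-003", "  @SUM(A1:A2)", 0],    # trigger hidden behind leading spaces
    ["C-004", "-5 days overdue", 1],  # benign text is prefixed as well
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```

String cells that legitimately start with a minus sign are prefixed too, so numeric values should be passed as numbers rather than as text.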

RBAC fixes — Two privilege-escalation paths were closed: a bypass in the task-template calendar endpoint (v3.13.1) and another on the get_controls_info function (v3.13.2). Deletion of built-in user groups via API is also now blocked (v3.13.0).

OIDC email fallback (v3.13.2) — When the identity provider does not return an email claim, CISO Assistant now falls back to preferred_username or upn, improving compatibility with Azure AD and other enterprise IdPs.

Advanced Analytics

Audit analytics page (v3.13.0) — A brand-new analytics view gives auditors a high-level picture of audit progress and compliance posture, replacing the need to manually aggregate data across requirement assessments.

Radar chart for section scores (v3.13.2) — The advanced analytics page now renders per-section scores as a radar chart, making it easy to spot weak areas at a glance.

EBIOS RM

Interactive operating-mode graph editor (v3.13.2) — The EBIOS Risk Manager workflow gains a visual, interactive graph for editing operating modes. This is a significant usability leap over the previous form-based approach and makes it much easier to model complex attack paths.

Onboarding & UX

Presets and journeys (v3.13.2) — New users can now choose from curated presets that pre-configure a workspace for common compliance goals (e.g., NIS2, ISO 27001). Journeys guide users step-by-step through the initial setup, dramatically reducing time-to-value.

Focus Mode improvements (v3.13.0) — The folder list in Focus Mode is now searchable and sorted alphabetically, a small but welcome quality-of-life change for users managing many folders.

Cleaner audit toolbox (v3.13.1) — The audit toolbox layout has been tidied up, and v3.13.2 adds visual refinements to the flash-mode view along with inline observation support.

Auditor/respondent workflow and notifications (v3.13.1) — Auditors and respondents now receive targeted notifications at each stage of the assessment lifecycle, and comments on individual requirement assessments are fully supported.

Team management (v3.13.4) — The team-leader field is now optional, giving more flexibility when setting up cross-functional teams.

Performance

Lazy loading for autocomplete fields (v3.13.0, v3.13.2) — Asset-based autocomplete fields now load data on demand instead of fetching everything upfront. This was extended in v3.13.2 to cover all asset-based fields, noticeably improving page-load times in environments with large asset inventories.

Faster demo data loading (v3.13.2) — The demo-data import has been optimised, cutting setup time for evaluation and training environments.

Framework & Library Updates

  • ANSSI MonAideCyber Questionnaire v2 (v3.13.1) — Updated to the latest version of the ANSSI self-assessment questionnaire.
  • ITSP.10.171 — Canadian Centre for Cyber Security (v3.13.2) — Added by community contributor @tarkadia, available in both French and English.
  • CISA Cybersecurity Performance Goals 2.0 (CPG 2.0) (v3.13.2) — The latest edition of CISA’s cross-sector performance goals.
  • PCI-DSS v4.0.1 (v3.13.2) — Updated in both English and French.
  • CMMC v2 (v3.13.2) — Removed a blank question that was causing confusion in assessments.
  • ISO objectives management (v3.13.4) — Improved handling of ISO-standard objectives.

Deployment & Infrastructure

AWS Web Identity Token and S3 region support (v3.13.2) — Contributed by @tajpouria. Deployments using AWS S3 for object storage can now authenticate via web identity tokens and specify a region, enabling cleaner IAM role integration in EKS and similar environments.

PostgreSQL SSL connections (v3.13.2) — Contributed by @scottmckenzie (welcome!). CISO Assistant can now connect to PostgreSQL over SSL, a requirement for many managed database services.

AWS_LOCATION for object storage (v3.13.2) — A new environment variable lets operators customise the storage path prefix in S3-compatible backends.

Community Contributions

A warm welcome to two new contributors this week:

  • @scottmckenzie — PostgreSQL SSL support
  • @CPAtoCybersecurity — Owner field support in the Applied Controls bulk-import wizard (v3.13.4)

Bug Fixes

  • DORA RoI export now aligns with EBA validation rules, includes correct taxonomy codes and parent LEI, and excludes draft contracts (v3.13.0, v3.13.2).
  • Autocomplete-select highlighting for suggested items works correctly again (v3.13.0).
  • Risk-scenario assignment notifications are now sent reliably (v3.13.1).
  • Only visible navigation items appear in the command palette (v3.13.1).
  • Date formatting respects the user’s locale (v3.13.2).
  • Matrix tooltip regression resolved (v3.13.2).
  • Business impact analysis is now supported in the data wizard (v3.13.2).
  • Missing translations and EBIOS shortcut positioning fixed (v3.13.4).

For the full list of changes, see the v3.13.0 – v3.13.4 releases on GitHub.
