intuitem · News · 3 min read

What's New in CISO Assistant — Week 11, 2026 (v3.14.1 – v3.14.4)

Markdown policy editor with lifecycle management, persistent table filters, modernised command palette, cost summaries on action plans, SSO security hardening, and ReCyF framework support.

Four releases this week deliver a headline feature — a full markdown policy editor with lifecycle and export capabilities — alongside persistent UI state, cost tracking on action plans, and important SSO security improvements.

Policy Management

Markdown policy editor with lifecycle and export (v3.14.3) — Users can now author and edit policies directly in markdown within CISO Assistant, complete with lifecycle states (draft, review, approved, retired) and the ability to export polished documents. This removes the need to maintain policies in external tools and keeps everything linked to the controls and frameworks they support.

Security & Authentication

SSO token via cookie (v3.14.1) — The SSO flow now transmits the authentication token via an HTTP-only cookie instead of embedding it in the URL. This closes a potential token-leakage vector through browser history, server logs, and referrer headers.

Deep search for OIDC email claims (v3.14.3) — When the identity provider nests the email claim inside a complex token structure, CISO Assistant now performs a recursive search to locate it, improving compatibility with non-standard IdP configurations.
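A sketch of the kind of nested-claim lookup described above, as an added example that is not CISO Assistant's own code. The function name, depth limit and sample claim sets are assumptions, and it goes beyond the release note in two ways: it walks the structure level by level so the shallowest claim wins, and it rejects results that are ambiguous at the same depth.

```python
import re
from typing import Any, Optional

# Deliberately loose shape check; not full address validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def find_email_claim(claims: Any, key: str = "email", max_depth: int = 5) -> Optional[str]:
    """Return the shallowest well-formed `key` value in nested claims.

    Walks dicts and lists level by level, so a top-level claim always wins
    over a nested one. Raises ValueError if one level holds different values.
    """
    level = [claims]
    for _ in range(max_depth + 1):
        found = set()
        children = []
        for node in level:
            if isinstance(node, dict):
                value = node.get(key)
                if isinstance(value, str) and EMAIL_RE.match(value):
                    found.add(value)
                children.extend(node.values())
            elif isinstance(node, list):
                children.extend(node)
        if len(found) > 1:
            raise ValueError(f"ambiguous {key!r} claims: {sorted(found)}")
        if found:
            return found.pop()
        # Only containers can hold further claims; stop when none remain.
        level = [c for c in children if isinstance(c, (dict, list))]
        if not level:
            break
    return None

# Constructed sample claim sets (not taken from any real IdP).
STANDARD = {"sub": "u1", "email": "alice@example.com"}
NESTED = {"sub": "u2", "profile": {"contact": {"email": "bob@example.com"}}}
SHADOWED = {"email": "alice@example.com", "ext": {"email": "other@example.net"}}
AMBIGUOUS = {"sub": "u3", "identities": [{"email": "a@example.com"}, {"email": "b@example.org"}]}

if __name__ == "__main__":
    for name, claims in [("standard", STANDARD), ("nested", NESTED), ("shadowed", SHADOWED)]:
        print(name, find_email_claim(claims))
```

The depth bound and the ambiguity check matter because the matched value becomes the account identifier: an unbounded, first-match search would let any nested attribute named `email` decide which user is logged in.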

TLS 1.2 for SMTP (v3.14.3, v3.14.4) — A new environment variable allows operators to force TLS 1.2 for outbound SMTP connections, with improved compatibility handling in v3.14.4. This is relevant for organisations whose mail relays require a specific TLS floor.

UX Improvements

Modernised command palette (v3.14.1) — The command palette has been visually refreshed with a modern look and now includes an indicator on the main page so new users can discover it more easily.

Persistent table filters (v3.14.4) — Table filter selections are now saved to the browser’s localStorage, so your preferred views survive page reloads and navigation. Several additional minor UI fixes are bundled in the same release.

Auto-generated IDs (v3.14.1) — When creating objects, the ID field now clearly indicates that it will be auto-generated if left blank, reducing confusion for users who were unsure whether a manual ID was required.

Filter by asset in measures (v3.14.1) — The measures (applied controls) list can now be filtered by asset, making it straightforward to answer “which controls protect this specific asset?”

Accreditation (homologation) improvements (v3.14.3) — Multiple usability refinements to the accreditation object make it easier to manage security accreditation workflows end-to-end.

Cost Tracking

Cost summary on action plans (v3.14.1) — Action plans now display a cost summary, rolling up the estimated and actual costs of individual measures. This also aligns with the CRQ IAM model, making it easier to tie remediation spend to quantified risk reduction.

Framework & Library Updates

  • ReCyF (v3.14.1) — Added support for the ReCyF (Reference Cyber Framework).
  • ReCyF to NIS2 2024/2690 mapping (v3.14.2) — A mapping between ReCyF and the NIS2 implementing regulation (2024/2690) is now available, letting organisations trace controls across both frameworks.

DORA Compliance

  • Linter messages have been simplified for clarity, and a bug affecting data storage/processing location validation has been fixed (v3.14.1).
  • Duplicate XBRL messages have been removed from the validation output (v3.14.1).

Performance

Lazy mode on applied-controls for findings (v3.14.3) — The applied-controls field on findings now uses lazy loading, preventing slowdowns in environments with a large number of controls.

Bug Fixes

  • Custom role editing works correctly again (v3.14.1).
  • Audit editing inside an enclave no longer fails (v3.14.1).
  • Mapping inference internal structure corrected (v3.14.1).
  • Croatian translation updated (v3.14.1).
  • Disappearing labels on update resolved (v3.14.1).
  • EvidenceRevision attachment field updated and backup-restore process improved (v3.14.1).
  • Migration issue in main branch fixed (v3.14.1).

For the full list of changes, see the v3.14.1 – v3.14.4 releases on GitHub.
