intuitem · News · 5 min read

What's New in CISO Assistant — Week 17, 2026 (v3.16.0)

A heavy v3.16.0 release: merge applied controls, action plans for incidents, custom analytics dashboards, four new framework libraries (CNDP Morocco, OIV Air Transport, 3CF v3.1, recyf enrichment), NIST CSF 2.0 recommendations, and a long sweep of UX, performance and bug fixes.

A single but very dense release this week. v3.16.0 lands a long backlog of features, framework additions, and quality-of-life improvements across the platform.

Workflow Power-Ups

  • Merge applied controls — Combine duplicate or overlapping applied controls into a single record without losing history. A frequently requested capability for teams cleaning up legacy data.
  • Action plan for incidents — Incidents now carry an action plan, mirroring the pattern already used elsewhere in the product so response work is structured and trackable.
  • Cancelled status for risk scenarios — A new lifecycle state for scenarios that no longer apply, distinct from “accepted” or “mitigated”.
  • Add an exception in the past — Backdating exceptions is now allowed, so historical decisions can be recorded faithfully rather than being clamped to “today”.
  • Markdown justification field — Justifications now render as markdown, so links, lists, and formatting carry through. Thanks to @martinzerty.
  • Reset filters & clear cache button — A single control to wipe table filters and refresh cached state when something looks off.

Analytics & Dashboards

  • Custom dashboard on the analytics extra tab — Admins can embed a custom dashboard alongside the built-in analytics views, useful for plugging in a Metabase, Superset, or internal BI panel.

Library Expansion

Four substantial library additions this week:

  • 🇲🇦 Loi marocaine n° 09-08 (CNDP) — The Moroccan personal data protection law, contributed by @oulkhabou.
  • Règles OIV — Secteur “Transport Aérien” (2016) — The French OIV (Operators of Vital Importance) sectoral rules for air transport, contributed by @tarkadia.
  • Cadre de Conformité Cyber France (3CF) v3.1 — The latest revision of the French cyber compliance framework, also from @tarkadia.
  • Framework name fix — “Règles OIV — Secteur « Activités civiles de l’État »” had its display name corrected.

Framework Enrichment

  • NIST CSF 2.0 — recommended controls — The framework now ships with recommendations attached to its subcategories, giving teams a head start on implementation.
  • recyf enrichment — Recommended controls added to the recyf framework as well.
  • doc-pol → “key reference controls” — doc-pol graduates into a curated set of key reference controls, with a Claude skill alongside it to map other frameworks against it.
  • New skill: prepare mappings — A Claude skill to help draft framework-to-framework mappings.
  • Framework-Nazionale-C-DP fixes — Several issues resolved in the Italian Framework Nazionale Cybersecurity & Data Protection. Thanks to @eric-intuitem.

Vulnerabilities & Findings

  • Context menu on vulnerabilities — Right-click to quickly toggle severity and status without opening the detail view.
  • Vulns table — source consistency and alias search — The vulnerabilities table is now consistent in how it reports the source, and search now spans aliases.
  • Wizard: detected_at and due_date on import — Vulnerability imports can now carry detection and due dates directly.
  • Findings — description column — The findings table gains a description column for at-a-glance context.

Incidents, Assessments & Domains

  • Domain export/import — more objects covered — The export/import scope grows, so domain transfers are more complete out of the box.
  • Asset.is_business_function attribute — A new attribute on assets, exposed in the data wizard. Thanks to @martinzerty.
  • Click issue on incident export — fixed — A small but annoying interaction bug.
  • Journeys presets — implementation groups & generic pages — Preset journeys can now reference implementation groups and generic pages, broadening their templating power.

DPA, DORA & EBIOS

  • DORA b_05.01.c0030 — empty foreign key fix — The field now reads as empty rather than 0 when not applicable. Thanks to @nas-tabchiche.
  • Translated questions in serializer, exports, and tree helpers — Question translations are now respected end-to-end. Thanks again to @nas-tabchiche.
  • Builder UX adjustments and bug fixes — A round of polish on the framework builder, also from @nas-tabchiche.

Performance

  • Assets page load time — Optimized to feel snappier on large inventories.
  • Applied controls list load time — Same treatment for the applied controls list.

UX & Polish

  • AutoComplete — truncate long options — Long entries no longer blow out the dropdown layout.
  • AutoCompleteSelect — enhancements — Further refinement to the autocomplete behavior. Thanks to @tchoumi313.
  • Reference link on entity assessment — Backend persistence was missing; now fixed.
  • Disable on-the-fly evidence creation from task autocomplete — Temporarily disabled while the flow is reworked.
  • Reset priority and impact on applied controls — These fields can now be cleared, not just changed.
  • SOA export — translation and ref_id ordering — Additional controls now export in translated form and respect the ref_id order.
  • Plural for target frameworks in campaigns — Wording fix for multi-framework campaigns. Thanks to @eric-intuitem.

Bug Fixes

  • HTML export ordering on Postgres — Order is now preserved on Postgres deployments.
  • Scoring logic moved to backend — Eliminates an inconsistency between client- and server-side scoring.
  • Field visibility on the framework view — Debugged. Thanks to @martinzerty.
  • 500 error & residual tabs when hiding fields — Fixed by @Mohamed-Hacene.
  • Perimeter fetching & Django validation — More robust handling of validation errors. Thanks to @tchoumi313.
  • Framework duplicate — UNIQUE constraint on long names — No more failure when duplicating frameworks with long names. Thanks to @nas-tabchiche.
  • Processing natures — no longer permission-gated — Removed an unintended access restriction.
  • LICENSE_EXPIRATION default check — Now correctly recognizes 'unset' as the default value. Thanks to @martinzerty.
  • Legacy existing_controls column — Risk assessment imports accept the legacy column again. Thanks to @Mohamed-Hacene.
  • Missing i18n keys — Filled in. Thanks to @tarkadia.
  • MCP tools for exceptions management — Updated to match the new exception model.
  • Restart policy on the front container — restart: always now set in every Docker Compose file. Thanks to @Okuromatsu for their first contribution.

Helm

  • Extra volumes & affinity config — The Helm chart now exposes additional knobs for advanced deployments. Thanks to @Nathanael-Mtd.

New Contributor

A warm welcome to @Okuromatsu, who landed their first contribution this week — a small but real-world papercut fix on the Docker front-container restart policy.


For full details, check out the v3.16.0 release notes on GitHub.
