intuitem · News · 5 min read

What's New in CISO Assistant — Week 22, 2026 (v3.16.5 – v3.17.0)

A big stretch: native project management arrives, framework-driven reporting goes cross-domain, requirement nodes gain their own score scales, and OIDC picks up a strict state/nonce mode. Plus new NCSC CAF v4.0 and TRUE II frameworks, analytics on applied controls, the psycopg2→psycopg3 upgrade, and a long tail of fixes across four releases (v3.16.5 → v3.17.0).

This edition catches up on four releases — v3.16.5 and v3.16.6 (the last patches in the v3.16.3 line), followed by v3.16.7 and the v3.17.0 minor bump. It’s a dense run: a brand-new project management module, cross-domain reporting, per-node score scales, a hardened OIDC flow, new frameworks, and a deep batch of fixes.

Headline Features

  • Project management — CISO Assistant now ships a native project management capability, giving teams a structured place to plan and track work alongside their GRC activities (PR #4156). Thanks to @ab-smith.
  • Framework-driven reporting across domains — Reporting is now framework-driven and works across domains, making it possible to assemble consolidated reports that span multiple scopes (PR #4175). Thanks to @ab-smith.
  • Score scale at requirement node level — Requirement nodes can now carry their own score scale, allowing finer-grained scoring schemes within a single framework (PR #4173). Thanks to @Mohamed-Hacene.
  • BIA and follow-ups in Perimeters — Business Impact Analyses and follow-ups are now exposed among a Perimeter’s related objects, keeping continuity work close to its scope (PR #4158). Thanks to @eric-intuitem.

Security

  • OIDC strict state/nonce mode — A new strict mode enforces state and nonce validation in the OIDC flow, tightening protection against replay and CSRF-style attacks during authentication (PR #4191). Thanks to @tchoumi313.
  • Jinja sandbox for DOCX templates — DOCX template rendering now runs Jinja in a sandboxed environment, reducing the blast radius of untrusted template content (PR #4217). Thanks to @ab-smith.
  • Tighter internal-IP checks for PDF and webhooks — Internal IP validation for PDF generation and webhooks has been hardened against SSRF-style abuse (PR #4216). Thanks to @ab-smith.
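The state/nonce check that a strict OIDC mode enforces, as an added illustration (not CISO Assistant's code): `LoginSession`, `begin_login` and `validate_callback` are hypothetical names, and the lenient-mode behaviour (only compare values that happen to be present) is an assumption made to show what strict mode closes off.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LoginSession:
    """Constructed stand-in for the per-login record a relying party keeps
    between the authorization redirect and the callback (hypothetical shape)."""
    state: Optional[str] = None
    nonce: Optional[str] = None


def begin_login() -> LoginSession:
    """Mint unguessable, single-use values before redirecting to the IdP:
    state rides in the callback URL, nonce comes back inside the ID token."""
    return LoginSession(state=secrets.token_urlsafe(32), nonce=secrets.token_urlsafe(32))


def validate_callback(session: LoginSession, callback_state: Optional[str],
                      id_token_claims: dict, strict: bool) -> Tuple[bool, str]:
    """Check the callback against the values issued at login.

    strict=True refuses any callback where state or nonce is absent on either
    side; strict=False (assumed lenient semantics) only compares values that
    are present, which is exactly the gap a replayed or forged callback uses."""
    token_nonce = id_token_claims.get("nonce")
    # Consume the stored values first so a replayed callback can never match twice.
    expected_state, expected_nonce = session.state, session.nonce
    session.state = session.nonce = None

    if strict and not all((expected_state, callback_state, expected_nonce, token_nonce)):
        return False, "strict mode: state and nonce are both required"

    # Constant-time comparisons avoid leaking how much of a guessed value matched.
    if expected_state and callback_state and not hmac.compare_digest(
            expected_state.encode(), callback_state.encode()):
        return False, "state mismatch (CSRF / mixed-up login)"
    if expected_nonce and token_nonce and not hmac.compare_digest(
            expected_nonce.encode(), token_nonce.encode()):
        return False, "nonce mismatch (ID token replay)"
    return True, "ok"
```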
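What "hardened internal-IP validation" for outbound PDF fetches and webhooks amounts to, as an added example that is not CISO Assistant's implementation: `is_internal_address` and `outbound_target_allowed` are hypothetical names, and the sample answer sets are constructed.

```python
import ipaddress
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def unwrap_embedded_ipv4(ip: IPAddress) -> IPAddress:
    """IPv6 forms that embed an IPv4 address (IPv4-mapped ::ffff:a.b.c.d,
    6to4 2002::/16) are judged by the embedded IPv4 address."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
    return ip


def is_internal_address(address: str) -> bool:
    """True for anything an outbound fetch must never reach: loopback, private
    and shared space, link-local (cloud metadata endpoints live there),
    multicast, reserved, unspecified, or any other non-global range.
    Unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return True
    ip = unwrap_embedded_ipv4(ip)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def outbound_target_allowed(resolved_addresses: Iterable[str]) -> bool:
    """Decide on *all* addresses a hostname resolved to: one internal record is
    enough to refuse the target. Connect to the vetted address afterwards
    rather than resolving again, so the answer cannot change between check and use."""
    addresses = list(resolved_addresses)
    return bool(addresses) and not any(is_internal_address(a) for a in addresses)


# Constructed sample answer sets, as a resolver might return them for a webhook URL.
SAMPLE_TARGETS = {
    "public-only": ["8.8.8.8", "2001:4860:4860::8888"],
    "mixed": ["8.8.8.8", "10.0.0.7"],
    "metadata": ["169.254.169.254"],
    "mapped-loopback": ["::ffff:127.0.0.1"],
}

if __name__ == "__main__":
    for name, answers in SAMPLE_TARGETS.items():
        print(f"{name:16} -> {'allowed' if outbound_target_allowed(answers) else 'refused'}")
```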

Analytics & Reporting

  • Analytics on applied controls — Applied controls gain a dedicated analytics view (PR #4193). Thanks to @ab-smith.
  • Auditee mode and advanced analytics on by default — Both the auditee mode and advanced analytics feature flags are now enabled by default, putting these capabilities in front of more users out of the box (PR #4205). Thanks to @Mohamed-Hacene.
  • Analytics export to XLSX (experimental) — An experimental export sends analytics to XLSX, handy for basic Power BI integration (PR #4073). Thanks to first-time contributor @Lidelle123.
  • Summary page performance boost — A second performance pass speeds up the Summary page (PR #4003). Thanks to @monsieurswag.

Framework & Library Updates

  • 🇬🇧 NCSC Cyber Assessment Framework (CAF) v4.0 — The latest version of the UK NCSC’s CAF is now available as a library (PR #4167). Thanks to @tarkadia.
  • 🇫🇷 TRUE II (n° 901/SGDSN/ANSSI) — France’s TRUE II framework joins the catalog (PR #4190). Thanks to @tarkadia.
  • EU CER Directive — missing Excel file — The EU’s CER Directive library now ships its Excel file (PR #4162). Thanks to @tarkadia.

UX

  • Risk acceptance justification on approval — Approvers are now prompted for a justification when they check off a risk acceptance, improving the audit trail (PR #3772). Thanks to @martinzerty.
  • Validation flow modal aligned to existing patterns — The validation flow modal now follows the platform’s established modal patterns (PR #4183). Thanks to @martinzerty.
  • Requirement assessment weights displayed — Requirement assessments now show their weight (PR #4143). Thanks to @Mohamed-Hacene.
  • Risk matrix tooltip readability — Risk matrix tooltips are easier to read (PR #4225). Thanks to @ab-smith.
  • Risk scenario page on small screens — Fixed an overlap on the risk scenario page on small screens (PR #4042). Thanks to first-time contributor @PraveenMudalgeri.
  • XPF currency support — The CFP franc (XPF) is now a selectable currency (PR #4188). Thanks to @ab-smith.

Bug Fixes

  • Prefill implementation groups on compliance assessments — The selected implementation groups of a compliance assessment are now prefilled correctly (PR #4166). Thanks to @martinzerty.
  • Safer form initialization — Avoids an unsafe form initialization path in the frontend (PR #4165). Thanks to @nas-tabchiche.
  • Built-in role permissions sync after migrate — Built-in role permissions now re-sync after every post_migrate emission, keeping permissions consistent (PR #4147). Thanks to @nas-tabchiche.
  • Reject out-of-range requirement scores — Out-of-range and unbounded requirement scores are now rejected (PR #4226). Thanks to @nas-tabchiche.
  • Custom objects published correctly — Custom objects are now created with is_published=true as expected (PR #4180). Thanks to @eric-intuitem.
  • Terminology visibility honored after restart/migrate — Visibility choices on terminology now stick across restarts and migrations (PR #4192), and visibility parameters are managed more consistently overall (PR #4186). Thanks to @ab-smith and @eric-intuitem.
  • Findings links with related objects — Fixed findings links to related objects (PR #4189). Thanks to @martinzerty.
  • Metrics widget time range sticks — Time range edits now persist on the metrics widget (PR #3725). Thanks to @martinzerty.
  • EBIOS RM strategic scenario report chain — The strategic scenario report chain now uses the focused feared event (PR #4172). Thanks to @Mohamed-Hacene.
  • Audit donuts with implementation groups — Fixed audit donut rendering when implementation groups are in play (PR #4229). Thanks to @Mohamed-Hacene.
  • Role name translation — Role names are now translated correctly (PR #3964). Thanks to @eric-intuitem.
  • SSR bootstrap resilience — Added retry logic to the frontend SSR bootstrap API calls (PR #4200). Thanks to first-time contributor @pasmud.
  • Chat widget FAB mounted in app layout (pro) — The ChatWidget floating action button is now mounted in the app layout (PR #4209). Thanks to @fastlorenzo.

Internationalization

  • 🇨🇿 Czech translation expanded — The Czech localization received an update and a substantial expansion (PRs #4184, #4195). Thanks to @zdenek-pergl.
  • EBIOS RM casing consistent across translations — Standardized the casing of “EBIOS RM” across translations (PR #4123). Thanks to @monsieurswag.

Maintenance

  • psycopg2 → psycopg3 ⚠️ — The backend’s PostgreSQL driver was upgraded from psycopg2 to psycopg3, a breaking change worth noting for self-hosted deployments (PR #4220). Thanks to @nas-tabchiche.
  • New documentation structure — The documentation was reorganized, with a new authoring section added (PRs #4197, #4213).
  • Dependency and CI upkeep — Intermediate backend dependency upgrades, a Playwright bump, GitHub Actions pinned to commit SHAs, job-scoped workflow token permissions, and a Postgres test matrix.

New Contributors

A warm welcome to three first-time contributors across these releases:

  • @PraveenMudalgeri — fixed the risk scenario page layout on small screens.
  • @pasmud — added retry logic to the SSR bootstrap calls.
  • @Lidelle123 — contributed the experimental analytics export to XLSX.

For full details, check out the v3.16.5, v3.16.6, v3.16.7, and v3.17.0 release notes on GitHub.
