intuitem · News · 5 min read

What's New in CISO Assistant — Week 22, 2026 (v3.16.5 – v3.17.0)

A big stretch: native project management arrives, framework-driven reporting goes cross-domain, requirement nodes gain their own score scales, and OIDC picks up a strict state/nonce mode. Plus new NCSC CAF v4.0 and TRUE II frameworks, analytics on applied controls, the psycopg2→psycopg3 upgrade, and a long tail of fixes across four releases (v3.16.5 → v3.17.0).

This edition catches up on four releases — v3.16.5 and v3.16.6 (the last patches in the v3.16.3 line), followed by v3.16.7 and the v3.17.0 minor bump. It’s a dense run: a brand-new project management module, cross-domain reporting, per-node score scales, a hardened OIDC flow, new frameworks, and a deep batch of fixes.

Headline Features

  • Project management — CISO Assistant now ships a native project management capability, giving teams a structured place to plan and track work alongside their GRC activities (PR #4156). Thanks to @ab-smith.
  • Framework-driven reporting across domains — Reporting is now framework-driven and works across domains, making it possible to assemble consolidated reports that span multiple scopes (PR #4175). Thanks to @ab-smith.
  • Score scale at requirement node level — Requirement nodes can now carry their own score scale, allowing finer-grained scoring schemes within a single framework (PR #4173). Thanks to @Mohamed-Hacene.
  • BIA and follow-ups in Perimeters — Business Impact Analyses and follow-ups are now exposed among a Perimeter’s related objects, keeping continuity work close to its scope (PR #4158). Thanks to @eric-intuitem.

Security

  • OIDC strict state/nonce mode — A new strict mode enforces state and nonce validation in the OIDC flow, tightening protection against replay and CSRF-style attacks during authentication (PR #4191). Thanks to @tchoumi313.
  • Jinja sandbox for DOCX templates — DOCX template rendering now runs Jinja in a sandboxed environment, reducing the blast radius of untrusted template content (PR #4217). Thanks to @ab-smith.
  • Tighter internal-IP checks for PDF and webhooks — Internal IP validation for PDF generation and webhooks has been hardened against SSRF-style abuse (PR #4216). Thanks to @ab-smith.
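
What "strict state/nonce" enforcement amounts to in practice, as an added illustration rather than CISO Assistant's own code: the state is bound to the browser session and checked on the callback, the nonce is bound to the ID token, and both are single-use and time-limited. The session dictionary, the 300-second TTL, the lenient-mode behaviour (tolerating a provider that omits the nonce) and the token helper are assumptions made for the demo; ID-token signature verification is assumed to happen separately.

```python
import base64
import hmac
import json
import secrets
import time

STATE_TTL_SECONDS = 300  # assumption for the demo: a pending login expires after 5 minutes


def start_login(session: dict) -> dict:
    """Mint a fresh state and nonce, keep them server-side, return the authorize-request params."""
    pending = {"state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32),
               "issued_at": time.time()}
    session["oidc_pending"] = pending
    return {"state": pending["state"], "nonce": pending["nonce"]}


def id_token_claims(id_token: str):
    """Decode the payload of a compact JWT (None if malformed); signature checks are assumed elsewhere."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def complete_login(session: dict, callback_state: str, id_token: str, strict: bool = True) -> bool:
    """Check the callback against the stored state/nonce; strict mode also rejects a missing nonce."""
    pending = session.pop("oidc_pending", None)  # single use: a replayed callback finds nothing
    if pending is None or time.time() - pending["issued_at"] > STATE_TTL_SECONDS:
        return False
    if not hmac.compare_digest(pending["state"].encode(), (callback_state or "").encode()):
        return False  # the callback was not started by this session (CSRF / login injection)
    claims = id_token_claims(id_token)
    if claims is None:
        return False
    nonce = claims.get("nonce")
    if nonce is None:
        return not strict  # assumption: lenient mode tolerates a provider that omits the nonce
    if not isinstance(nonce, str):
        return False
    return hmac.compare_digest(pending["nonce"].encode(), nonce.encode())  # token bound to this login


def constructed_id_token(claims: dict) -> str:
    """Test helper only: an unsigned compact JWT so the demo runs offline; never accept one for real."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```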

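An added example (not the project's code) of the kind of internal-address check that the PDF and webhook hardening refers to: the URL scheme is restricted, every address the host resolves to is classified with the standard `ipaddress` module, and IPv4-mapped IPv6 is unwrapped so it cannot carry a loopback address past the check. The hostnames and resolver answers below are constructed for the demo; `resolve` is an injectable parameter so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(ip: str) -> bool:
    """True for any address an outbound fetch must never reach: loopback, RFC 1918, link-local
    (including 169.254.169.254), CGNAT, test nets, multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is judged as 127.0.0.1, not as an IPv6 address
    return (not addr.is_global) or addr.is_multicast


def _system_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer, so a host with one public and one internal record fails."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolve=None) -> list[str]:
    """Return the vetted addresses for url or raise ValueError. `resolve` is injectable for tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    host = parts.hostname
    try:
        ipaddress.ip_address(host)  # literal address in the URL, nothing to resolve
        candidates = [host]
    except ValueError:
        candidates = (resolve or _system_resolve)(host)
    if not candidates:
        raise ValueError("host did not resolve")
    internal = [ip for ip in candidates if is_internal_ip(ip)]
    if internal:
        raise ValueError(f"host resolves to internal address(es): {internal}")
    return candidates


def is_safe_outbound_url(url: str, resolve=None) -> bool:
    """Boolean wrapper for callers that only need a verdict (DNS failures count as unsafe)."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except (ValueError, OSError):
        return False
```

After validation, connect to one of the returned addresses and re-run the check on every redirect rather than re-resolving the hostname; otherwise a DNS answer that changes between the check and the connect slips past the filter.
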
Analytics & Reporting

  • Analytics on applied controls — Applied controls gain a dedicated analytics view (PR #4193). Thanks to @ab-smith.
  • Auditee mode and advanced analytics on by default — Both the auditee mode and advanced analytics feature flags are now enabled by default, putting these capabilities in front of more users out of the box (PR #4205). Thanks to @Mohamed-Hacene.
  • Analytics export to XLSX (experimental) — An experimental export sends analytics to XLSX, handy for basic Power BI integration (PR #4073). Thanks to first-time contributor @Lidelle123.
  • Summary page performance boost — A second performance pass speeds up the Summary page (PR #4003). Thanks to @monsieurswag.

Framework & Library Updates

  • 🇬🇧 NCSC Cyber Assessment Framework (CAF) v4.0 — The latest version of the UK NCSC’s CAF is now available as a library (PR #4167). Thanks to @tarkadia.
  • 🇫🇷 TRUE II (n° 901/SGDSN/ANSSI) — France’s TRUE II framework joins the catalog (PR #4190). Thanks to @tarkadia.
  • EU CER Directive — missing Excel file — The EU’s CER Directive library now ships its Excel file (PR #4162). Thanks to @tarkadia.

UX

  • Risk acceptance justification on approval — Approvers are now prompted for a justification when they check off a risk acceptance, improving the audit trail (PR #3772). Thanks to @martinzerty.
  • Validation flow modal aligned to existing patterns — The validation flow modal now follows the platform’s established modal patterns (PR #4183). Thanks to @martinzerty.
  • Requirement assessment weights displayed — Requirement assessments now show their weight (PR #4143). Thanks to @Mohamed-Hacene.
  • Risk matrix tooltip readability — Risk matrix tooltips are easier to read (PR #4225). Thanks to @ab-smith.
  • Risk scenario page on small screens — Fixed an overlap on the risk scenario page on small screens (PR #4042). Thanks to first-time contributor @PraveenMudalgeri.
  • XPF currency support — The CFP franc (XPF) is now a selectable currency (PR #4188). Thanks to @ab-smith.

Bug Fixes

  • Prefill implementation groups on compliance assessments — The selected implementation groups of a compliance assessment are now prefilled correctly (PR #4166). Thanks to @martinzerty.
  • Safer form initialization — Avoids an unsafe form initialization path in the frontend (PR #4165). Thanks to @nas-tabchiche.
  • Built-in role permissions sync after migrate — Built-in role permissions now re-sync after every post_migrate emission, keeping permissions consistent (PR #4147). Thanks to @nas-tabchiche.
  • Reject out-of-range requirement scores — Out-of-range and unbounded requirement scores are now rejected (PR #4226). Thanks to @nas-tabchiche.
  • Custom objects published correctly — Custom objects are now created with is_published=true as expected (PR #4180). Thanks to @eric-intuitem.
  • Terminology visibility honored after restart/migrate — Visibility choices on terminology now stick across restarts and migrations (PR #4192), and visibility parameters are managed more consistently overall (PR #4186). Thanks to @ab-smith and @eric-intuitem.
  • Findings links with related objects — Fixed findings links to related objects (PR #4189). Thanks to @martinzerty.
  • Metrics widget time range sticks — Time range edits now persist on the metrics widget (PR #3725). Thanks to @martinzerty.
  • EBIOS RM strategic scenario report chain — The strategic scenario report chain now uses the focused feared event (PR #4172). Thanks to @Mohamed-Hacene.
  • Audit donuts with implementation groups — Fixed audit donut rendering when implementation groups are in play (PR #4229). Thanks to @Mohamed-Hacene.
  • Role name translation — Role names are now translated correctly (PR #3964). Thanks to @eric-intuitem.
  • SSR bootstrap resilience — Added retry logic to the frontend SSR bootstrap API calls (PR #4200). Thanks to first-time contributor @pasmud.
  • Chat widget FAB mounted in app layout (pro) — The ChatWidget floating action button is now mounted in the app layout (PR #4209). Thanks to @fastlorenzo.

Internationalization

  • 🇨🇿 Czech translation expanded — The Czech localization received an update and a substantial expansion (PRs #4184, #4195). Thanks to @zdenek-pergl.
  • EBIOS RM casing consistent across translations — Standardized the casing of “EBIOS RM” across translations (PR #4123). Thanks to @monsieurswag.

Maintenance

  • psycopg2 → psycopg3 ⚠️ — The backend’s PostgreSQL driver was upgraded from psycopg2 to psycopg3, a breaking change worth noting for self-hosted deployments (PR #4220). Thanks to @nas-tabchiche.
  • New documentation structure — The documentation was reorganized, with a new authoring section added (PRs #4197, #4213).
  • Dependency and CI upkeep — Intermediate backend dependency upgrades, a Playwright bump, GitHub Actions pinned to commit SHAs, job-scoped workflow token permissions, and a Postgres test matrix.

New Contributors

A warm welcome to three first-time contributors across these releases:

  • @PraveenMudalgeri — fixed the risk scenario page layout on small screens.
  • @pasmud — added retry logic to the SSR bootstrap calls.
  • @Lidelle123 — contributed the experimental analytics export to XLSX.

For full details, check out the v3.16.5, v3.16.6, v3.16.7, and v3.17.0 release notes on GitHub.
