What's New in CISO Assistant — Week 24, 2026 (v3.17.3 – v3.18.0)

Two releases this week: a small, focused v3.17.3 on June 9, followed by the feature-rich v3.18.0 minor bump on June 14. Highlights include smarter Jira integration, a per-object audit trail, two new Saudi NCA frameworks, a security fix, and a notable build-tooling change.

Headline Features

• Dynamic field & value mappings for Jira — The Jira integration now supports dynamic field and value mappings, complete with auto-suggested defaults — making it far easier to wire CISO Assistant data to your Jira instance without hand-mapping every field (PR #4148). Thanks to @nas-tabchiche.
• Per-object audit trail (pro) — Objects now carry their own audit trail, giving a clear, per-record history of changes (PR #4312). Thanks to @ab-smith.
• Feature flags layout + profiles — The feature-flags screen gets a cleaner layout and now includes profiles, making capability management easier to navigate (PR #4308). Thanks to @ab-smith.

Framework & Library Updates

• NCNICC-1:2025 (Saudi Arabia) (v3.17.3) — A new library adds the Saudi National Cybersecurity Authority’s NCNICC-1:2025 framework (PR #4285). Thanks to @smakarim, making their first contribution.
• CCC-1:2020 — Cloud Cybersecurity Controls (Saudi Arabia) — Another Saudi NCA framework joins the catalog: the Cloud Cybersecurity Controls (CCC-1:2020) library (PR #4294). Thanks again to @smakarim.
• NIST CSF v2.0 journey polish — Added annotations and a French version to the NIST CSF v2.0 journey, plus a fix to the NIST CSF 2.0 Excel file (PR #4331). Thanks to @tarkadia.
• ENS framework — English version — The Spanish ENS framework now ships an English version (PR #4327). Thanks to @tarkadia.

Security

• IDOR fix in ecosystem chart data — Closed an insecure direct object reference (IDOR) in the ecosystem chart data endpoint (PR #4317), alongside a fix for missing permission checks on the experimental ecosystem page (PR #4314). Thanks to @melinoix.

UX

• ID before Name in forms (v3.17.3) — Forms now place the ID ahead of the Name across the board, and the category moves into the front section for applied controls (PR #4282). Thanks to @eric-intuitem.
• Link icon in control plans (v3.17.3) — When a task in a control plan has a link defined, a link icon now appears next to its name (PR #4284). Thanks to @eric-intuitem.

Observability

• Frontend JSON logger — A minimal JSON logger arrives on the frontend, with default log levels aligned across the stack for cleaner, more parseable logs (PR #4332). Thanks to @ab-smith.

Bug Fixes

• Third-party audit field visibility (v3.17.3) — Fixed which audit fields are visible to third parties (PR #4289). Thanks to @Mohamed-Hacene.
• Mixed-scale aggregation in tree & radar — Normalized mixed-scale aggregation so tree and radar displays render correctly (PR #4227). Thanks to @nas-tabchiche.
• Applied controls columns in risk tables — Restored the applied-controls columns in the current/residual risk tables (PR #4307). Thanks to @melinoix.
• Result computation & audit score clamping — Fixed a result-computation bug (PR #4104) and clamped audit score progress values to valid ranges (PR #4329). Thanks to @Mohamed-Hacene.
• Framework builder publish reliability — Improved framework-builder publish reliability and error reporting (PR #4330). Thanks to @nas-tabchiche.
• Respondent handling refactor — A clean refactor addressing respondent issues (PR #4293). Thanks to @eric-intuitem.
• OpenAI API base fragments — Prevented stray fragments in the OpenAI API base URL (PR #4304). Thanks to @melinoix.

Maintenance

• Poetry → uv — The backend build tooling moved from Poetry to uv, a faster Python package and project manager — worth noting for self-hosted and contributor setups (PR #3844). Thanks to @Axxiar.
• Documentation touch-ups — Added allowed-IPs configuration docs and a settings UI note (PR #4321), updated mapping documentation (PR #4309), and recovered framework-reporting nuance docs (PR #4334).

For full details, check out the v3.17.3 and v3.18.0 release notes on GitHub.