intuitem · News · 5 min read

What's New in CISO Assistant — Week 17, 2026 (v3.16.0)

A heavy v3.16.0 release: merge applied controls, action plans for incidents, custom analytics dashboards, four new framework libraries (CNDP Morocco, OIV Air Transport, 3CF v3.1, recyf enrichment), NIST CSF 2.0 recommendations, and a long sweep of UX, performance and bug fixes.

A single but very dense release this week. v3.16.0 lands a long backlog of features, framework additions, and quality-of-life improvements across the platform.

Workflow Power-Ups

  • Merge applied controls — Combine duplicate or overlapping applied controls into a single record without losing history. A frequently requested capability for teams cleaning up legacy data.
  • Action plan for incidents — Incidents now carry an action plan, mirroring the pattern already used elsewhere in the product so response work is structured and trackable.
  • Cancelled status for risk scenarios — A new lifecycle state for scenarios that no longer apply, distinct from “accepted” or “mitigated”.
  • Add an exception in the past — Backdating exceptions is now allowed, so historical decisions can be recorded faithfully rather than being clamped to “today”.
  • Markdown justification field — Justifications now render as markdown, so links, lists, and formatting carry through. Thanks to @martinzerty.
  • Reset filters & clear cache button — A single control to wipe table filters and refresh cached state when something looks off.

Analytics & Dashboards

  • Custom dashboard on the analytics extra tab — Admins can embed a custom dashboard alongside the built-in analytics views, useful for plugging in a Metabase, Superset, or internal BI panel.

Library Expansion

Four substantial library additions this week:

  • 🇲🇦 Loi marocaine n° 09-08 (CNDP) — The Moroccan personal data protection law, contributed by @oulkhabou.
  • Règles OIV — Secteur “Transport Aérien” (2016) — The French OIV (Operators of Vital Importance) sectoral rules for air transport, contributed by @tarkadia.
  • Cadre de Conformité Cyber France (3CF) v3.1 — The latest revision of the French cyber compliance framework, also from @tarkadia.
  • Framework name fix — “Règles OIV — Secteur « Activités civiles de l’État »” had its display name corrected.

Framework Enrichment

  • NIST CSF 2.0 — recommended controls — The framework now ships with recommendations attached to its subcategories, giving teams a head start on implementation.
  • recyf enrichment — Recommended controls added to the recyf framework as well.
  • doc-pol → “key reference controls” — doc-pol graduates into a curated set of key reference controls, with a Claude skill alongside it to map other frameworks against it.
  • New skill: prepare mappings — A Claude skill to help draft framework-to-framework mappings.
  • Framework-Nazionale-C-DP fixes — Several issues resolved in the Italian Framework Nazionale Cybersecurity & Data Protection. Thanks to @eric-intuitem.

Vulnerabilities & Findings

  • Context menu on vulnerabilities — Right-click to quickly toggle severity and status without opening the detail view.
  • Vulns table — source consistency and alias search — The vulnerabilities table is now consistent in how it reports the source, and search now spans aliases.
  • Wizard: detected_at and due_date on import — Vulnerability imports can now carry detection and due dates directly.
  • Findings — description column — The findings table gains a description column for at-a-glance context.

Incidents, Assessments & Domains

  • Domain export/import — more objects covered — The export/import scope grows, so domain transfers are more complete out of the box.
  • Asset.is_business_function attribute — A new attribute on assets, exposed in the data wizard. Thanks to @martinzerty.
  • Click issue on incident export — fixed — A small but annoying interaction bug.
  • Journeys presets — implementation groups & generic pages — Preset journeys can now reference implementation groups and generic pages, broadening their templating power.

DPA, DORA & EBIOS

  • DORA b_05.01.c0030 — empty foreign key fix — The field now reads as empty rather than 0 when not applicable. Thanks to @nas-tabchiche.
  • Translated questions in serializer, exports, and tree helpers — Question translations are now respected end-to-end. Thanks again to @nas-tabchiche.
  • Builder UX adjustments and bug fixes — A round of polish on the framework builder, also from @nas-tabchiche.

Performance

  • Assets page load time — Optimized to feel snappier on large inventories.
  • Applied controls list load time — Same treatment for the applied controls list.

UX & Polish

  • AutoComplete — truncate long options — Long entries no longer blow out the dropdown layout.
  • AutoCompleteSelect — enhancements — Further refinement to the autocomplete behavior. Thanks to @tchoumi313.
  • Reference link on entity assessment — Backend persistence was missing; now fixed.
  • Disable on-the-fly evidence creation from task autocomplete — Temporarily disabled while the flow is reworked.
  • Reset priority and impact on applied controls — These fields can now be cleared, not just changed.
  • SOA export — translation and ref_id ordering — Additional controls now export in translated form and respect the ref_id order.
  • Plural for target frameworks in campaigns — Wording fix for multi-framework campaigns. Thanks to @eric-intuitem.

Bug Fixes

  • HTML export ordering on Postgres — Order is now preserved on Postgres deployments.
  • Scoring logic moved to backend — Eliminates an inconsistency between client- and server-side scoring.
  • Field visibility on the framework view — Debugged. Thanks to @martinzerty.
  • 500 error & residual tabs when hiding fields — Fixed by @Mohamed-Hacene.
  • Perimeter fetching & Django validation — More robust handling of validation errors. Thanks to @tchoumi313.
  • Framework duplicate — UNIQUE constraint on long names — No more failure when duplicating frameworks with long names. Thanks to @nas-tabchiche.
  • Processing natures — no longer permission-gated — Removed an unintended access restriction.
  • LICENSE_EXPIRATION default check — Now correctly recognizes 'unset' as the default value. Thanks to @martinzerty.
  • Legacy existing_controls column — Risk assessment imports accept the legacy column again. Thanks to @Mohamed-Hacene.
  • Missing i18n keys — Filled in. Thanks to @tarkadia.
  • MCP tools for exceptions management — Updated to match the new exception model.
  • Restart policy on the front container — restart: always now set in every Docker Compose file. Thanks to @Okuromatsu for their first contribution.

Helm

  • Extra volumes & affinity config — The Helm chart now exposes additional knobs for advanced deployments. Thanks to @Nathanael-Mtd.

New Contributor

A warm welcome to @Okuromatsu, who landed their first contribution this week — a small but real-world papercut fix on the Docker front-container restart policy.


For full details, check out the v3.16.0 release notes on GitHub.
