The 2021 Executive Order that introduced SBOM mandates, zero-trust architecture targets, and software vendor attestation requirements.
Applies to all federal agencies, and to any software producer selling into the federal government.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Software vendors selling to the federal government must self-attest to SSDF (NIST 800-218) compliance.
SBOMs for every release artifact, formatted per NTIA minimum elements.
Federal agencies must adopt zero-trust architecture per OMB M-22-09.
Multi-factor authentication and encryption for data at rest and in transit, with phasing per M-22-09.
Endpoint Detection and Response on federal endpoints (M-22-01).
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Self-attestation form pre-populated from SSDF telemetry.
SBOM auto-generation in CycloneDX, SPDX, and NTIA-compliant formats with VEX.
Zero-trust reference architecture for hosted Safeguard deployments documented on the trust center.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
CISA SSDF attestation form — pre-filled, exported as signed PDF.
Per-release SBOM with VEX annotations.
Mapping table: EO 14028 sections → controls → Safeguard telemetry.
These frameworks share substantial control overlap with EO 14028. Customers running one assessment typically satisfy the others with the same evidence base.
North America: The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
North America: Supply Chain Risk Management practices for federal systems — the foundation for SBOM and software provenance requirements.
North America: Federal cloud authorisation for systems handling High-impact CUI and mission data.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.