Compliance Frameworks

Every framework you're audited against.

Safeguard maps continuous evidence to the frameworks your auditors actually ask about — US, international, and sector-specific. 25 regimes covered today.

US frameworks

The audits, attestations, and federal baselines that US-based teams ship against — mapped to continuous evidence, not annual screenshots.

8 frameworks

SOC 2

SOC 2 Type II

Continuous trust services evidence packs, CC controls auto-mapped.

See coverage

NIST SSDF

NIST SSDF (SP 800-218)

Practice-level evidence for every release.

See coverage

NIST CSF

NIST CSF 2.0

Govern/Identify/Protect/Detect/Respond/Recover mapped to your stack.

See coverage

FedRAMP

Moderate & High baseline coverage, sovereign deployment for federal.

See coverage

HIPAA

PHI-aware controls for healthcare.

See coverage

PCI-DSS

PCI-DSS 4.0

Software inventory + reachability evidence for cardholder data envs.

See coverage

CMMC 2.0

DIB-ready, with controlled-unclassified-information coverage.

See coverage

StateRAMP

State and local gov baseline.

See coverage

International frameworks

European, UK, APAC, and LATAM regulations — Safeguard ships the SBOMs, VEX, and AI-BOM evidence regulators actually ask for.

11 frameworks

ISO 27001

Annex A controls linked to live evidence.

See coverage

ISO 27017

Cloud-specific controls.

See coverage

ISO 27018

PII processing in the cloud.

See coverage

ISO 42001

AI management system.

See coverage

EU CRA

Continuous SBOMs + VEX + vulnerability handling per the Cyber Resilience Act.

See coverage

EU AI Act

AI-BOM + provenance + eval evidence.

See coverage

NIS2

Essential & important entities supply chain reporting.

See coverage

DORA

Financial sector operational resilience.

See coverage

CE Plus

UK Cyber Essentials Plus

UK government baseline.

See coverage

DPDP

DPDP (India)

Personal data protection.

See coverage

LGPD

LGPD (Brazil)

Brazilian privacy law.

See coverage

Sector & industry

Industry-specific regimes — medical, industrial, transport, energy, finance — where the regulator names the artifacts they want.

6 frameworks

FDA

FDA Premarket Cybersecurity

Medical device SBOM + VEX for premarket submissions.

See coverage

EU MDR

EU MDR / IVDR

Medical device EU coverage.

See coverage

IEC 62443

ISA/IEC 62443

Industrial automation & control systems.

See coverage

TSA SD

TSA Security Directives

Pipeline + rail + aviation OT.

See coverage

NERC CIP

Bulk electric system.

See coverage

NYDFS

NYDFS Cybersecurity Reg

New York financial sector.

See coverage

A framework not listed?

If your auditor is asking for it, we'll map it. Book a 30-minute call and we'll walk through your control set with the Safeguard evidence engine live.

See the compliance hub