Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
252 articles
The 2026 SBOM compliance guide: where a software bill of materials is now required
SBOM requirements have spread from a single US executive order to regulations across sectors and continents. Here's a framework-by-framework map of where you need one in 2026.
CCPA and CPRA for Developers: What the Code Actually Has to Do
California's privacy laws are usually framed as a legal problem, but honoring opt-outs, deleting data, and maintaining reasonable security are engineering problems. Here's the developer's view of CCPA and CPRA.
DORA compliance for financial services: the software supply chain angle
The Digital Operational Resilience Act is now in force across EU financial services. Here's how its five pillars reach into your software supply chain and ICT third parties.
ISO 27001 application security: the Annex A controls that govern your code
ISO/IEC 27001:2022 added and sharpened Annex A controls for secure development and technical vulnerabilities. Here's how they apply to application and supply chain security.
SOX Compliance for Software: IT General Controls and the Supply Chain
Sarbanes-Oxley is a financial-reporting law, but it reaches deep into the software that produces the numbers. Here's how IT general controls, change management, and dependency integrity fit under SOX.
SOC 2 and software supply chain security: mapping the Trust Services Criteria
SOC 2 never says the words 'software bill of materials,' but auditors increasingly expect supply-chain evidence. Here's how the Trust Services Criteria map to your dependencies.
ISO 27001 vs SOC 2: Which Certification Matters More
ISO 27001 and SOC 2 answer different questions. Here's how to read both when vetting supply chain security vendors like Snyk and Safeguard.
The FedRAMP Authorization Guide: Paths, Baselines, and Continuous Monitoring
FedRAMP is how cloud products earn the right to sell to U.S. federal agencies. Here's how the authorization paths work, what the NIST 800-53 baselines require, and where your software supply chain gets scrutinized.
The NIST Secure Software Development Framework (SSDF), explained
NIST SP 800-218 is the framework behind federal secure-development attestations. Here's what its four practice groups ask of you and how to produce the evidence.
The HIPAA Security Rule for Software Teams: Safeguards, Structure, and Change Ahead
The HIPAA Security Rule is technology-neutral by design, but its administrative, physical, and technical safeguards translate into concrete engineering work. Here's how the rule is structured and how a proposed 2025 overhaul could tighten it.
SBOMs and Executive Order 14028: how a 2021 order reshaped software supply chain policy
Executive Order 14028 made the software bill of materials a matter of federal policy. Here's the story of how it happened, what it requires, and what it means for you in 2026.
CMMC 2.0 Explained: What Defense Contractors and Their Software Must Do
CMMC 2.0 turns NIST SP 800-171 into a certification requirement for the defense supply chain. Here's how the three levels work, who assesses them, and where your software components fit.