Safeguard
Topic

Compliance & Frameworks

In-depth guides and analysis on compliance & frameworks from the Safeguard engineering team.

15 articles

Compliance & Frameworks

Automating cloud compliance checks in Terraform and CloudFormation pipelines

Terrascan went fully archived in November 2025. Here's how to gate CIS and SOC 2 checks in Terraform/CloudFormation pipelines with tools still standing.

Jul 14, 20266 min read
Compliance & Frameworks

Security compliance frameworks cheat sheet: SOC 2, ISO 27001, PCI DSS, HIPAA

SOC 2, ISO 27001, PCI DSS 4.0, and HIPAA share roughly the same engineering controls — build them once and stop re-implementing access control four times.

Jul 13, 20267 min read
Compliance & Frameworks

FedRAMP Moderate: What It Actually Requires From Your Security Architecture

FedRAMP Moderate maps to roughly 300 NIST 800-53 controls — and FedRAMP 20x is now replacing the old triennial paperwork cycle with continuous evidence.

Jul 10, 20267 min read
Compliance & Frameworks

What healthtech AppSec needs beyond generic security practices

242.9 million records were exposed in 2024 HIPAA breaches. Generic AppSec checklists don't satisfy FDA premarket SBOM rules or a pending HIPAA rewrite.

Jul 10, 20266 min read
Compliance & Frameworks

A Practical Guide to EU Cyber Resilience Act Compliance

The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.

Jul 9, 20266 min read
Compliance & Frameworks

A HIPAA technical safeguards checklist for application security teams

HHS reported 663 large healthcare breaches in 2024 exposing 242.9M records. Here's how §164.312's technical safeguards map to concrete app-sec controls.

Jul 9, 20267 min read
Compliance & Frameworks

What AI Executive Orders Actually Mean for Enterprise Security Teams

The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.

Jul 8, 20267 min read
Compliance & Frameworks

Mapping security training and roles to the NIST NICE Framework

NIST's NICE Framework sorts cybersecurity work into 7 categories and 52 work roles — most security teams have never mapped a single job description to it.

Jul 8, 20266 min read
Compliance & Frameworks

DORA compliance for application risk management

DORA became fully applicable on 17 January 2025 with no grace period, and its ICT risk-management articles map almost line-for-line onto standard AppSec practice.

Jul 8, 20266 min read
Compliance & Frameworks

Japan METI's SBOM Guidance: What Software Vendors Need to Know

METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.

Jul 8, 20267 min read
Compliance & Frameworks

Mapping NIST CSF 2.0 to your AppSec program

NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.

Jul 8, 20266 min read
Compliance & Frameworks

The SEC's cybersecurity disclosure rules, explained for CISOs and boards

Since December 18, 2023, U.S. public companies must disclose material cyber incidents within four business days — and boards must now document their oversight of the risk.

Jul 8, 20266 min read
Compliance & Frameworks — Supply Chain Security Blog | Safeguard