Compliance & Frameworks
In-depth guides and analysis on compliance & frameworks from the Safeguard engineering team.
15 articles
Automating cloud compliance checks in Terraform and CloudFormation pipelines
Terrascan went fully archived in November 2025. Here's how to gate CIS and SOC 2 checks in Terraform/CloudFormation pipelines with tools still standing.
Security compliance frameworks cheat sheet: SOC 2, ISO 27001, PCI DSS, HIPAA
SOC 2, ISO 27001, PCI DSS 4.0, and HIPAA share roughly the same engineering controls — build them once and stop re-implementing access control four times.
FedRAMP Moderate: What It Actually Requires From Your Security Architecture
FedRAMP Moderate maps to roughly 300 NIST 800-53 controls — and FedRAMP 20x is now replacing the old triennial paperwork cycle with continuous evidence.
What healthtech AppSec needs beyond generic security practices
242.9 million records were exposed in 2024 HIPAA breaches. Generic AppSec checklists don't satisfy FDA premarket SBOM rules or a pending HIPAA rewrite.
A Practical Guide to EU Cyber Resilience Act Compliance
The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.
A HIPAA technical safeguards checklist for application security teams
HHS reported 663 large healthcare breaches in 2024 exposing 242.9M records. Here's how §164.312's technical safeguards map to concrete app-sec controls.
What AI Executive Orders Actually Mean for Enterprise Security Teams
The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.
Mapping security training and roles to the NIST NICE Framework
NIST's NICE Framework sorts cybersecurity work into 7 categories and 52 work roles — most security teams have never mapped a single job description to it.
DORA compliance for application risk management
DORA became fully applicable on 17 January 2025 with no grace period, and its ICT risk-management articles map almost line-for-line onto standard AppSec practice.
Japan METI's SBOM Guidance: What Software Vendors Need to Know
METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.
Mapping NIST CSF 2.0 to your AppSec program
NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.
The SEC's cybersecurity disclosure rules, explained for CISOs and boards
Since December 18, 2023, U.S. public companies must disclose material cyber incidents within four business days — and boards must now document their oversight of the risk.