Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
Vulnerability management under the EU Cyber Resilience Ac...
The EU Cyber Resilience Act sets hard deadlines for vulnerability reporting and SBOMs. Here's what changes, when, and how Safeguard stacks up against Anchore.
EU CRA SBOM requirements overview and compliance tips
The EU Cyber Resilience Act makes SBOMs mandatory for connected products by December 2027. Here is what CRA compliance actually requires, and how to prepare.
NIST 800-37 Risk Management Framework explained in plain ...
NIST 800-37's seven-step Risk Management Framework explained in plain English: who must comply, how it ties to FedRAMP and SSDF, and where teams stall.
NIST 800-53 security and privacy controls overview
A breakdown of NIST 800-53 Rev 5's control families, SBOM and supply-chain requirements, and why scanning tools like Anchore cover only a narrow slice of what compliance demands.
UK PSTI Act Consumer IoT: Year-One Review
The UK PSTI Act's first year of enforcement reveals how consumer IoT vendors are struggling with minimum security requirements, password rules, and disclosure policies.
NIST 800-190 container security guide compliance
NIST 800-190 requires evidence across five container risk categories, not just image scans. Where Anchore-based pipelines fall short and how to close the gap.
NIST 800-218 / SSDF attestation requirements
What NIST SP 800-218 (SSDF) attestation actually requires, the CISA form's four claims, key OMB deadlines, and where Anchore's SBOM-first approach leaves gaps Safeguard closes.
DoD software factory reference design and secure software...
What a real DoD software factory requires under the DevSecOps Reference Design, where Anchore's scanning fits and falls short, and how continuous SBOM evidence enables cATO.
ATO and continuous ATO (cATO) for government software
ATO takes 6-18 months and expires the moment it's signed. Here's what continuous ATO (cATO) really requires, where container-only tools like Anchore fall short, and how Safeguard closes the gap.
STIG compliance scanning for hardened/Chainguard containe...
Chainguard images have near-zero CVEs, but shell-based scanners like Anchore flag them as STIG non-compliant. Here is why, and how to fix it.
DoD Risk Management Framework (RMF) mapping for container...
How DoD RMF container control mapping actually works, where Anchore's scan-first approach leaves manual crosswalk work for compliance teams, and how Safeguard automates NIST 800-53 evidence.
FDA Premarket Cybersecurity for Medical Devices 2026
A senior engineer's guide to FDA premarket cybersecurity for medical devices in 2026: section 524B, SBOM expectations, SPDF, and what reviewers actually ask about.