Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
CISA's Software Identification Ecosystem: What You Need to Know
CISA is building a comprehensive software identification ecosystem that ties SBOMs, vulnerabilities, and procurement together. Here is what it means for software producers and consumers.
CMMC 32 CFR Part 170: The Program Rule and the Four Phases
DoD's CMMC program rule became effective December 16, 2024 with a four-phase rollout running through November 2028. The companion DFARS rule landed September 10, 2025.
How Snyk's open-source license compliance engine classifi...
How Snyk's license compliance engine groups open-source licenses and maps them to low, medium, high, and critical severity levels.
NIST SSDF PW.4: Reusing Well-Secured Software, Explained
PW.4 is the SSDF practice that governs how you consume third-party and open-source components. Here is what its tasks actually ask for and how to satisfy them with evidence, not policy documents.
License Compliance Debt: The Quiet Risk Growing Alongside...
Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.
Compliance Reporting with Safeguard: From Raw Data to Audit-Ready Documents
How to use Safeguard's compliance reporting engine to generate audit-ready documentation for SOC 2, ISO 27001, NIST SSDF, and other frameworks without weeks of manual work.
NIS2 Directive: What EU Software Vendors Must Do Now
NIS2 is in force, transposition is late in half the EU, and the obligations bind anyway if you're in scope. The supply chain security and 24-hour reporting duties, decoded.
NIS2 in Italy: Legislative Decree 138/2024 and the Tiered Sanctions Regime
Italy's NIS2 transposition entered into force on 16 October 2024 via Decree 138/2024, with fines reaching 10 million EUR or 2% of global turnover for essential entities.
DORA Register of Information: Lessons From the First Submission
The 30 April 2025 ESA deadline forced banks and insurers to inventory every ICT contract against 105 prescribed data points — and exposed structural gaps in third-party data.
NIST 800-171 Rev. 3 and the DoD Class Deviation: Stuck on Rev. 2
NIST published 800-171 Rev. 3 on May 14, 2024. Twelve days earlier, DoD froze DFARS 7012 to Rev. 2 via Class Deviation 2024-O0013.
BSD 3-Clause License Explained
The BSD 3-clause license is one of the most permissive open source licenses in wide use — here's what its three conditions actually require and how it differs from MIT and Apache 2.0.
Software Transparency Goes Global: Regulatory Developments in 2025
From the EU Cyber Resilience Act to Japan's software security guidelines, governments worldwide are mandating software transparency. A comprehensive overview of the global regulatory landscape.