Safeguard
Topic

Compliance

In-depth guides and analysis on compliance from the Safeguard engineering team.

254 articles

Compliance

NIST SP 800-218A: SSDF Practices for Generative AI Models

NIST finalized SP 800-218A on July 26, 2024, augmenting the Secure Software Development Framework with practices specific to generative AI and dual-use foundation models.

Feb 10, 20256 min read
Compliance

The SBOM Compliance Landscape in 2025: What You Need to Know

From the US Executive Order to the EU Cyber Resilience Act, SBOM requirements are becoming law. Here is where things stand in 2025 and what organizations need to do to comply.

Jan 18, 20256 min read
Compliance

SOC 2 Type II for Engineering Teams: What Auditors Actually Check

Auditors don't start with your policies — they sample your PRs, tickets, and access reviews. Here's what a SOC 2 Type II observation window actually tests, control by control.

Dec 16, 20246 min read
Compliance

EU Cyber Resilience Act: Final Text Analysis and Compliance Roadmap

The EU Cyber Resilience Act was finalized in 2024, mandating cybersecurity requirements and SBOMs for products with digital elements. Here is what the final text requires and how to prepare.

Oct 10, 20247 min read
Compliance

Compliance Automation Tools Compared: What Actually Reduces Audit Pain in 2024

The compliance automation market is crowded with platforms promising to make audits painless. Here is an honest comparison of what works, what does not, and where supply chain compliance fits in.

Aug 10, 20245 min read
Compliance

HIPAA and Third-Party Software Components: A Developer Guide

HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.

Jun 23, 20246 min read
Compliance

PCI DSS 4.0 Software Supply Chain Requirements Explained

PCI DSS 4.0 quietly turned component inventories, third-party code review, and payment page script control into audit line items. Here's the requirement-by-requirement map.

May 23, 20246 min read
Compliance

Types of Security Audits, Explained

There isn't one kind of security audit — compliance audits, penetration tests, code audits, and architecture reviews all answer different questions and require different evidence.

May 14, 20245 min read
Compliance

CMMC Level 2 for Software Vendors: A Practical Roadmap

CMMC Level 2 means all 110 NIST SP 800-171 controls, assessed by a C3PAO for most contractors. Here's the scoping, gap-closing, and evidence roadmap for software vendors.

May 3, 20246 min read
Compliance

UK Product Security and Telecommunications Infrastructure Act: Software Implications

The UK's PSTI Act bans default passwords and mandates vulnerability disclosure. Here's what it means for software embedded in connected products.

Apr 18, 20246 min read
Compliance

IoT Firmware SBOMs: From Nice-to-Have to Regulatory Requirement

Government mandates and industry standards are making SBOMs mandatory for IoT firmware. Here's what manufacturers need to know to comply.

Apr 12, 20246 min read
Compliance

Latin America's Evolving Cybersecurity Regulations and Supply Chain Implications

From Brazil's LGPD to Mexico's cybersecurity reforms, Latin America is building a regulatory framework that will reshape how organizations manage software supply chain risk across the region.

Apr 8, 20246 min read
Compliance (Page 19) — Supply Chain Security Blog | Safeguard