Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
NIST SP 800-218A: SSDF Practices for Generative AI Models
NIST finalized SP 800-218A on July 26, 2024, augmenting the Secure Software Development Framework with practices specific to generative AI and dual-use foundation models.
The SBOM Compliance Landscape in 2025: What You Need to Know
From the US Executive Order to the EU Cyber Resilience Act, SBOM requirements are becoming law. Here is where things stand in 2025 and what organizations need to do to comply.
SOC 2 Type II for Engineering Teams: What Auditors Actually Check
Auditors don't start with your policies — they sample your PRs, tickets, and access reviews. Here's what a SOC 2 Type II observation window actually tests, control by control.
EU Cyber Resilience Act: Final Text Analysis and Compliance Roadmap
The EU Cyber Resilience Act was finalized in 2024, mandating cybersecurity requirements and SBOMs for products with digital elements. Here is what the final text requires and how to prepare.
Compliance Automation Tools Compared: What Actually Reduces Audit Pain in 2024
The compliance automation market is crowded with platforms promising to make audits painless. Here is an honest comparison of what works, what does not, and where supply chain compliance fits in.
HIPAA and Third-Party Software Components: A Developer Guide
HIPAA never mentions npm, but a vulnerable dependency in an ePHI system is a Security Rule problem. How risk analysis, patching, and BAAs map to your dependency tree.
PCI DSS 4.0 Software Supply Chain Requirements Explained
PCI DSS 4.0 quietly turned component inventories, third-party code review, and payment page script control into audit line items. Here's the requirement-by-requirement map.
Types of Security Audits, Explained
There isn't one kind of security audit — compliance audits, penetration tests, code audits, and architecture reviews all answer different questions and require different evidence.
CMMC Level 2 for Software Vendors: A Practical Roadmap
CMMC Level 2 means all 110 NIST SP 800-171 controls, assessed by a C3PAO for most contractors. Here's the scoping, gap-closing, and evidence roadmap for software vendors.
UK Product Security and Telecommunications Infrastructure Act: Software Implications
The UK's PSTI Act bans default passwords and mandates vulnerability disclosure. Here's what it means for software embedded in connected products.
IoT Firmware SBOMs: From Nice-to-Have to Regulatory Requirement
Government mandates and industry standards are making SBOMs mandatory for IoT firmware. Here's what manufacturers need to know to comply.
Latin America's Evolving Cybersecurity Regulations and Supply Chain Implications
From Brazil's LGPD to Mexico's cybersecurity reforms, Latin America is building a regulatory framework that will reshape how organizations manage software supply chain risk across the region.