Safeguard
Topic

Compliance

In-depth guides and analysis on compliance from the Safeguard engineering team.

254 articles

Compliance

FedRAMP and the software supply chain: a 2026 guide

FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.

Jul 3, 20265 min read
Compliance

ISO 27001 Annex A controls guide: the software and supplier set

ISO/IEC 27001:2022 restructured Annex A into 93 controls and added new ones for secure development and supply chain. Here is the subset that lands on engineering teams and how to evidence it.

Jul 3, 20266 min read
Compliance

HIPAA compliance for developers: securing the software supply chain

HIPAA does not name your open source dependencies, but its Security Rule holds you responsible for them. Here's what developers building health-tech actually need to do.

Jul 2, 20266 min read
Compliance

GDPR for software developers: privacy by design in practice

GDPR is not just a legal team's problem. Data protection by design, security of processing, and processor due diligence all translate into code, dependencies, and architecture. Here is the developer's view.

Jul 2, 20266 min read
Compliance

PCI DSS 4.0 for developers: a practical secure-coding guide

PCI DSS 4.0 moved secure development from an annual review to a continuous engineering practice. Here's what Requirement 6 means for developers writing and shipping code.

Jul 2, 20265 min read
Compliance

PCI DSS 4.0 Requirement 6: the software security guide

Requirement 6 is where PCI DSS 4.0 turned application and software security into a continuous, evidenced discipline. Here is a clause-by-clause walkthrough of 6.2 through 6.5 and what auditors expect.

Jul 2, 20266 min read
Compliance

DORA regulation deep dive: ICT risk, testing, and third-party rules

The Digital Operational Resilience Act applies to EU financial entities and their ICT providers. Here are the five pillars, the register of information, and what your software supply chain now has to withstand.

Jul 1, 20266 min read
Compliance

NIS2 Directive explained: the software and supply-chain obligations

NIS2 rewired EU cybersecurity law around supply-chain security, vulnerability handling, and 24-hour incident reporting. Here is who is in scope and what your software teams now have to prove.

Jul 1, 20267 min read
Compliance

What is the EU Cyber Resilience Act (CRA)? A software supply chain guide

The Cyber Resilience Act sets binding cybersecurity rules for products with digital elements sold in the EU. Here's who it covers, what it demands of software, and how to prepare before the 2027 deadline.

Jul 1, 20266 min read
Compliance

PCI DSS compliance for application security teams

PCI DSS 4.0's software inventory rules are enforced since March 2025. Here's why scanner-only tools like Checkmarx miss Requirements 6.3.2, 6.4.3, and 11.6.1.

Jun 25, 20267 min read
Compliance

HIPAA requirements and application security

HIPAA's Security Rule ties ePHI protection to application security, but scanner tools like Checkmarx rarely map findings to 45 CFR safeguards. Here's what compliance teams actually need.

Jun 25, 20267 min read
Compliance

Federal AST mandate M-22-09 explained

OMB's M-22-09 forces federal agencies to run continuous application security testing under zero trust. Here's what changed, and how Safeguard compares to Checkmarx.

Jun 25, 20267 min read
Compliance (Page 2) — Supply Chain Security Blog | Safeguard