Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
FedRAMP and the software supply chain: a 2026 guide
FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.
ISO 27001 Annex A controls guide: the software and supplier set
ISO/IEC 27001:2022 restructured Annex A into 93 controls and added new ones for secure development and supply chain. Here is the subset that lands on engineering teams and how to evidence it.
HIPAA compliance for developers: securing the software supply chain
HIPAA does not name your open source dependencies, but its Security Rule holds you responsible for them. Here's what developers building health-tech actually need to do.
GDPR for software developers: privacy by design in practice
GDPR is not just a legal team's problem. Data protection by design, security of processing, and processor due diligence all translate into code, dependencies, and architecture. Here is the developer's view.
PCI DSS 4.0 for developers: a practical secure-coding guide
PCI DSS 4.0 moved secure development from an annual review to a continuous engineering practice. Here's what Requirement 6 means for developers writing and shipping code.
PCI DSS 4.0 Requirement 6: the software security guide
Requirement 6 is where PCI DSS 4.0 turned application and software security into a continuous, evidenced discipline. Here is a clause-by-clause walkthrough of 6.2 through 6.5 and what auditors expect.
DORA regulation deep dive: ICT risk, testing, and third-party rules
The Digital Operational Resilience Act applies to EU financial entities and their ICT providers. Here are the five pillars, the register of information, and what your software supply chain now has to withstand.
NIS2 Directive explained: the software and supply-chain obligations
NIS2 rewired EU cybersecurity law around supply-chain security, vulnerability handling, and 24-hour incident reporting. Here is who is in scope and what your software teams now have to prove.
What is the EU Cyber Resilience Act (CRA)? A software supply chain guide
The Cyber Resilience Act sets binding cybersecurity rules for products with digital elements sold in the EU. Here's who it covers, what it demands of software, and how to prepare before the 2027 deadline.
PCI DSS compliance for application security teams
PCI DSS 4.0's software inventory rules are enforced since March 2025. Here's why scanner-only tools like Checkmarx miss Requirements 6.3.2, 6.4.3, and 11.6.1.
HIPAA requirements and application security
HIPAA's Security Rule ties ePHI protection to application security, but scanner tools like Checkmarx rarely map findings to 45 CFR safeguards. Here's what compliance teams actually need.
Federal AST mandate M-22-09 explained
OMB's M-22-09 forces federal agencies to run continuous application security testing under zero trust. Here's what changed, and how Safeguard compares to Checkmarx.