Safeguard
Topic

Compliance

In-depth guides and analysis on compliance from the Safeguard engineering team.

254 articles

Compliance

License compatibility when combining open source components

Open source license conflicts like GPL-Apache incompatibility often surface after merge. Here's why scanners miss them and how build-time enforcement closes the gap.

May 22, 20266 min read
Compliance

Open source license risk in M&A due diligence

Open source license conflicts hide in most acquisition targets' codebases. Here's why manifest-based SCA tools like Mend.io miss them in M&A diligence — and what a real audit needs.

May 22, 20268 min read
Compliance

HIPAA Security Rule Update: What the 2026 Final Rule Will Require

HHS published the HIPAA Security Rule NPRM in January 2025. Finalization is on the agenda for 2026. Covered entities and business associates need to start work now.

May 20, 20266 min read
Compliance

NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026

The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.

May 14, 20268 min read
Compliance

EO 14028 producer self-attestation: where the CISA Form sits in 2026

The CISA Secure Software Development Attestation Form went live in March 2024. Two years and several revisions later, here is what producers actually have to attest, and where the common gotchas are.

May 14, 20268 min read
Compliance

State Privacy Laws 2025-2026: The Security Mandates Hidden Inside

Twenty state comprehensive privacy laws are in force by 2026. Most carry baseline security mandates that security teams - not just privacy lawyers - must operationalize.

May 13, 20267 min read
Compliance

DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026

BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.

May 13, 20268 min read
Compliance

FTC Section 5 and software security: how 'unfair practices' became a supply chain doctrine

The Federal Trade Commission has spent the last several years building a software-security enforcement theory under Section 5. Drizly, SolarWinds, and Henry Schein each contributed pieces of the framework.

May 13, 20268 min read
Compliance

SOC 2 compliance guide for engineering teams

SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.

May 13, 20267 min read
Compliance

ISO 27001 compliance for software development teams

ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.

May 13, 20268 min read
Compliance

CISA's Secure-by-Design pledge two years in: vendor commitments and procurement effects

CISA's Secure-by-Design pledge launched in April 2024 with seven voluntary goals. Two years later, signatories are publishing progress reports and procurement teams are starting to ask hard questions.

May 12, 20268 min read
Compliance

Cheat sheet: meeting security compliance standards

A concrete, numbers-first cheat sheet for SOC 2, ISO 27001, PCI DSS 4.0, and SBOM mandates — deadlines, timelines, and audit gaps that actually matter.

May 12, 20267 min read
Compliance (Page 5) — Supply Chain Security Blog | Safeguard