Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
License compatibility when combining open source components
Open source license conflicts like GPL-Apache incompatibility often surface after merge. Here's why scanners miss them and how build-time enforcement closes the gap.
Open source license risk in M&A due diligence
Open source license conflicts hide in most acquisition targets' codebases. Here's why manifest-based SCA tools like Mend.io miss them in M&A diligence — and what a real audit needs.
HIPAA Security Rule Update: What the 2026 Final Rule Will Require
HHS published the HIPAA Security Rule NPRM in January 2025. Finalization is on the agenda for 2026. Covered entities and business associates need to start work now.
NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026
The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.
EO 14028 producer self-attestation: where the CISA Form sits in 2026
The CISA Secure Software Development Attestation Form went live in March 2024. Two years and several revisions later, here is what producers actually have to attest, and where the common gotchas are.
State Privacy Laws 2025-2026: The Security Mandates Hidden Inside
Twenty state comprehensive privacy laws are in force by 2026. Most carry baseline security mandates that security teams - not just privacy lawyers - must operationalize.
DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026
BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.
FTC Section 5 and software security: how 'unfair practices' became a supply chain doctrine
The Federal Trade Commission has spent the last several years building a software-security enforcement theory under Section 5. Drizly, SolarWinds, and Henry Schein each contributed pieces of the framework.
SOC 2 compliance guide for engineering teams
SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.
ISO 27001 compliance for software development teams
ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.
CISA's Secure-by-Design pledge two years in: vendor commitments and procurement effects
CISA's Secure-by-Design pledge launched in April 2024 with seven voluntary goals. Two years later, signatories are publishing progress reports and procurement teams are starting to ask hard questions.
Cheat sheet: meeting security compliance standards
A concrete, numbers-first cheat sheet for SOC 2, ISO 27001, PCI DSS 4.0, and SBOM mandates — deadlines, timelines, and audit gaps that actually matter.