Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
DORA regulation and operational resilience for financial software
DORA became fully applicable Jan 17, 2025. Here's what it requires of software supply chain risk, incident reporting, and SBOMs — with concrete deadlines.
NIS2 Directive compliance for software vendors
NIS2 became enforceable October 17, 2024, and Article 21 now requires software vendors to prove SBOM, CVE remediation, and disclosure practices to EU customers.
CISA's Secure by Design pledge explained
CISA's voluntary Secure by Design pledge has grown from 68 signatories to 300+, but it's unverified and self-reported. Here's what the seven goals really require.
SEC cybersecurity disclosure rules for public companies
The SEC's 2023 rules give public companies four business days to disclose material cyber incidents. Here's what triggers the clock, and how supply chain visibility keeps you compliant.
CISA Secure by Design Operational Guidance 2026
Translating CISA's Secure by Design pledge into operational engineering work in 2026, with the specific control mappings and evidence practices that hold up to audit.
FDA SBOM requirements for medical device software
Since Oct 2023 the FDA can reject medical device submissions missing a compliant SBOM. Here's what Section 524B actually requires, in plain terms.
Audit-readiness for open source usage policies
What auditors actually ask for in an open source usage policy review, what triggers it, and the evidence gaps that turn a written policy into a finding.
Software supply chain compliance for federal contractors
CMMC 2.0, OMB M-22-18, and SBOM mandates now hit federal contractors with overlapping deadlines and evidence demands — here's what's actually required.
CMMC compliance for software vendors
CMMC 2.0 is now contractually mandatory across the DoD supply chain. Here's what software vendors must know about levels, deadlines, costs, and SBOMs.
Board-level reporting on application security risk
Boards now face legal disclosure deadlines on cyber risk. Here's what belongs in a board-level appsec report, how often to deliver it, and what the SEC and NYDFS require.
Cyber insurance requirements for application security programs
Cyber insurers now require SBOMs, patch SLAs, and audit trails for AppSec programs. Here's what carriers actually ask for and how to pass renewal.
EO 14144 to EO 14306: How the Federal Software Mandate Evolved
EO 14144 set ambitious supply chain rules for federal software in January 2025. EO 14306 in June reshaped them. Here is what survived, what changed, and what to plan for.