Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
CRA Conformity Assessment: Choosing Between Modules A, B+C, and H
The CRA offers three conformity routes: Module A self-assessment, Module B+C type examination plus production conformity, and Module H quality management system audit.
CISA KEV Catalog Growth Analysis 2025-2026
A data-grounded analysis of CISA Known Exploited Vulnerabilities catalog growth through 2025 and 2026, and the operational implications for defenders.
California SB-327 IoT Security Enforcement Update
A 2026 enforcement update on California SB-327, the IoT security statute that set a national precedent, and what manufacturers and integrators need to know.
How to lower FedRAMP certification costs
FedRAMP authorizations cost $250K-$3M and take 12-18 months. See where that spend actually goes, how Chainguard's hardened images fit in, and how to cut costs.
FedRAMP High: requirements and readiness
What FedRAMP High actually requires: 421 controls, 12-24 month timelines, and how supply chain security vendors like Chainguard and Safeguard measure up.
FedRAMP compliance checklist: steps, requirements, docume...
A concrete FedRAMP compliance checklist: steps, documentation, timelines, and how supply chain evidence like Chainguard images and Safeguard SBOMs fits in.
FedRAMP vulnerability scanning requirements explained
FedRAMP mandates monthly vulnerability scans and 30-day remediation windows. Here's what Rev 5 requires, and why minimal images like Chainguard's don't exempt you.
Simplify PCI DSS 4.0 compliance with hardened containers
PCI DSS 4.0's 30-day patch clock is brutal for container-heavy CDEs. Here's how hardened, minimal images cut CVE noise and make audits defensible.
White House M-22-18 SBOM Attestation Update
OMB M-22-18 and the CISA Secure Software Self-Attestation form continue to evolve. Here is what producers and federal buyers must change in 2026.
CMMC 2.0 compliance for containerized workloads
CMMC 2.0 enforcement is phasing in through 2028. Hardened container images help, but 35+ of 110 NIST 800-171 controls need continuous evidence Chainguard's approach doesn't cover.
SOC 2 and the hardened software supply chain
SOC 2 attests to internal controls, not to whether a hardened image or build pipeline is secure. Here is how Chainguard's approach fits, and what it does not cover.
India DPDP Act Software Security Implications 2026
A senior engineer's view of the Digital Personal Data Protection Act in 2026: security safeguards, significant data fiduciaries, breach notification, and software controls that actually comply.