Regulatory Compliance
In-depth guides and analysis on regulatory compliance from the Safeguard engineering team.
138 articles
US DoD Zero Trust: Software Dimensions
Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually doing about it.
GDPR Meets CRA: Software Overlap
GDPR Article 32 and the EU Cyber Resilience Act look like separate regimes, but for any software handling personal data they converge at the component level. Here's where they overlap and where they diverge.
Open Banking API Supply Chain Security
Open banking depends on a tangle of SDKs, certificate authorities, and directory services. What PSD2, the UK's Open Banking Standard, and the emerging US framework mean for supply chain security.
ISO 27001 Meets NIST CSF: Integration
Running an ISMS under ISO 27001:2022 while executives want NIST CSF 2.0 reporting? These frameworks integrate cleanly if you map Annex A controls to CSF subcategories once and stop duplicating work.
Gramm-Leach-Bliley Software Security Update
The FTC Safeguards Rule amendments effective May 13, 2024 expand breach-notification and software supply chain expectations for financial institutions under GLBA.
OSS Contributor License Agreements Reviewed
CLAs, DCOs, and the subtle differences between Apache ICLAs, Google corporate CLAs, and Eclipse ECAs shape what contributors give up and what projects can do.
SOX IT Controls Meet Software Controls
Sarbanes-Oxley IT general controls predate modern software delivery. Here's how change management, access, and segregation of duties controls actually look when applied to CI/CD pipelines and software components.
Utilities Sector NERC CIP Software Supply Chain
NERC CIP-013 turned software supply chain into a regulated obligation for the bulk electric system. A practical look at what utilities are actually doing.
Australia's Essential Eight and Software Supply Chain
The ACSC's November 2023 Essential Eight update tightened patching, application control, and software inventory expectations that every Australian-regulated entity now has to evidence.
HIPAA Meets HITRUST: Supply Chain Depth
HIPAA's Security Rule is thin on supply chain specifics. HITRUST CSF fills the gap with prescriptive third-party and software controls. Here's how the two frameworks intersect and how to build a program that satisfies both.
PCI DSS 4.0 Software Security Requirements
PCI DSS 4.0 became mandatory on March 31, 2024, overhauling software security, SBOM visibility, and supply chain controls for every entity that touches cardholder data.
Defense Industrial Base Supply Chain and CMMC
How the Defense Industrial Base is adapting its software supply chain to CMMC 2.0, NIST SP 800-171, and DFARS flow-down obligations.