Safeguard
Topic

SBOM & Compliance

In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.

41 articles

SBOM & Compliance

SBOM Quality: Fields Auditors Actually Check

Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.

Mar 24, 20266 min read
SBOM & Compliance

VEX Statements: Eliminating SBOM Noise In 2026

An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.

Mar 19, 20266 min read
SBOM & Compliance

Reachability-Driven SBOM Prioritisation In 2026

An SBOM is a list. A reachability-prioritised SBOM is a triage queue. The difference determines whether the SBOM produces value or sits unread.

Mar 15, 20263 min read
SBOM & Compliance

AI-BOM And EU AI Act Article 10 Data Governance

Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.

Mar 14, 20267 min read
SBOM & Compliance

SBOM Cross-Vendor Normalisation: Enterprise Program

Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.

Mar 9, 20267 min read
SBOM & Compliance

SBOM Incident Response: Finding Affected Products Fast

When a critical CVE drops, the only number that matters is minutes-to-blast-radius. Here is how a well-run SBOM programme answers the question in under five minutes.

Mar 4, 20267 min read
SBOM & Compliance

Signed SBOMs As Procurement Leverage

Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.

Feb 27, 20267 min read
SBOM & Compliance

SBOM requirements for financial services under DORA

DORA now requires EU financial entities to track every software component down to the dependency level. Here's what the SBOM requirements actually mean.

Jan 5, 20267 min read
SBOM & Compliance

Software bill of materials expectations from banking regu...

FFIEC and OCC examiners now expect banks to show software transparency. Here's what SBOM banking regulators actually ask for, and how to be ready before the next exam.

Jan 4, 20267 min read
SBOM & Compliance

FDA SBOM requirements under Section 524B for medical devi...

What Section 524B means for medical device makers: FDA SBOM requirements, premarket cybersecurity guidance, and how to avoid a Refuse to Accept letter.

Jan 2, 20267 min read
SBOM & Compliance

SBOM requirements under DoD software supply chain risk ma...

A practical breakdown of DoD SBOM requirements — where they came from, how Software Fast Track enforces them, and what happens when contractors can't produce one.

Dec 27, 20257 min read
SBOM & Compliance

Fulcio Certificate Lifecycle: Enterprise View

Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.

Dec 22, 20247 min read
SBOM & Compliance (Page 2) — Supply Chain Security Blog | Safeguard