SBOM & Compliance
In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.
41 articles
SBOM Quality: Fields Auditors Actually Check
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
VEX Statements: Eliminating SBOM Noise In 2026
An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.
Reachability-Driven SBOM Prioritisation In 2026
An SBOM is a list. A reachability-prioritised SBOM is a triage queue. The difference determines whether the SBOM produces value or sits unread.
AI-BOM And EU AI Act Article 10 Data Governance
Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.
SBOM Cross-Vendor Normalisation: Enterprise Program
Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.
SBOM Incident Response: Finding Affected Products Fast
When a critical CVE drops, the only number that matters is minutes-to-blast-radius. Here is how a well-run SBOM programme answers the question in under five minutes.
Signed SBOMs As Procurement Leverage
Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.
SBOM requirements for financial services under DORA
DORA now requires EU financial entities to track every software component down to the dependency level. Here's what the SBOM requirements actually mean.
Software bill of materials expectations from banking regu...
FFIEC and OCC examiners now expect banks to show software transparency. Here's what SBOM banking regulators actually ask for, and how to be ready before the next exam.
FDA SBOM requirements under Section 524B for medical devi...
What Section 524B means for medical device makers: FDA SBOM requirements, premarket cybersecurity guidance, and how to avoid a Refuse to Accept letter.
SBOM requirements under DoD software supply chain risk ma...
A practical breakdown of DoD SBOM requirements — where they came from, how Software Fast Track enforces them, and what happens when contractors can't produce one.
Fulcio Certificate Lifecycle: Enterprise View
Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.