The regulatory landscape for software supply chain security has shifted from voluntary best practices to legal requirements. The EU Cyber Resilience Act mandates vulnerability handling and SBOM disclosure for products sold in Europe. FDA cybersecurity guidance requires medical device manufacturers to provide SBOMs and vulnerability management evidence. NIST SSDF and CISA guidance are shaping procurement requirements across the US federal government.
Safeguard v3 is built for this reality. The release focuses on compliance: mapping your supply chain security activities to regulatory requirements, automating evidence collection, and generating the documentation that auditors and regulators expect.
Compliance Framework Mapping
v3 introduces compliance frameworks as a first-class concept. A compliance framework defines the requirements that apply to your organization and maps them to specific controls and evidence types.
Safeguard ships with pre-built mappings for:
- EU Cyber Resilience Act (CRA) -- Vulnerability handling, SBOM disclosure, incident reporting requirements
- FDA Cybersecurity Guidance -- Premarket submission requirements, postmarket management expectations
- NIST SSDF (SP 800-218) -- Secure software development practices and evidence requirements
- NIST SP 800-161r1 -- Supply chain risk management controls
- PCI DSS v4.0 -- Software supply chain requirements for organizations that store, process, or transmit cardholder data
- SOC 2 Type II -- Trust service criteria relevant to supply chain security
Each framework mapping connects regulatory requirements to Safeguard capabilities. For example, the CRA's vulnerability handling requirements (Annex I, Part II) oblige manufacturers to "identify and document vulnerabilities and components contained in the product", including by drawing up a software bill of materials. Safeguard maps this to: SBOM generation and storage (ESSCM), vulnerability correlation (SCA), and vulnerability disclosure (Portal).
The mapping is not just documentation. Safeguard tracks your compliance posture against each framework, showing which requirements are fully met, partially met, or not yet addressed. This gives compliance teams a real-time view of their regulatory readiness instead of a point-in-time assessment.
Automated Evidence Collection
Compliance is fundamentally an evidence exercise. Regulators and auditors do not take your word for it -- they want proof. v3 automates the collection of evidence that demonstrates your supply chain security practices.
Evidence is collected automatically from your normal Safeguard usage:
- SBOM generation records -- Timestamps, tools used, coverage metrics
- Vulnerability scan results -- What was found, when it was found, what was done about it
- Policy check results -- Which policies were evaluated, pass/fail results, exception approvals
- Remediation records -- When vulnerabilities were identified, when fixes were applied, time-to-remediate metrics
- SBOM sharing records -- Which customers received SBOMs, when, through what mechanism
Every evidence record carries a full audit trail: who performed the action, when, and what the result was. Records cannot be altered after the fact, which gives auditors the tamper-evident history they look for.
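The property that matters to an auditor is not that a record is hard to edit but that an edit is detectable. The following is an added illustration of that property, not Safeguard's storage implementation (the page does not describe one): each record is hashed together with the hash of its predecessor, so rewriting any past record breaks every later link. The evidence records, actors, timestamps and ticket number are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first record


def _digest(record):
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class EvidenceLog:
    """Append-only evidence records, each hashed together with its predecessor.

    Rewriting any past record changes its hash, which breaks the 'prev' link
    stored in every later record, so a retroactive edit is detectable by
    anyone holding the log (or merely its latest hash).
    """

    def __init__(self):
        self.records = []

    def append(self, ts, actor, action, result):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "action": action, "result": result, "prev": prev}
        self.records.append({**body, "hash": _digest(body)})
        return self.records[-1]["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if (rec["seq"] != i or rec["prev"] != prev
                    or _digest(body) != rec["hash"]):
                return False, i
            prev = rec["hash"]
        return True, None


def demo_log():
    """Constructed records mirroring the evidence types listed above."""
    log = EvidenceLog()
    log.append("2025-01-10T09:00:00Z", "ci-bot", "sbom.generate",
               {"tool": "syft", "components": 412})
    log.append("2025-01-10T09:02:00Z", "ci-bot", "policy.check",
               {"policy": "no-critical-cves", "outcome": "fail"})
    log.append("2025-01-10T11:30:00Z", "alice", "exception.approve",
               {"policy": "no-critical-cves", "ticket": "SEC-1234"})
    return log


def demo_tamper():
    """Turn the recorded policy failure into a pass after the fact, then re-verify."""
    log = demo_log()
    log.records[1]["result"]["outcome"] = "pass"  # the retroactive edit
    return log.verify()


if __name__ == "__main__":
    print("intact log:", demo_log().verify())   # (True, None)
    print("edited log:", demo_tamper())          # (False, 1)
```

The chain only proves tampering to someone who learned the head hash before the edit happened, so in practice the latest hash has to be anchored outside the writer's control (signed, published, or copied to a store the application cannot rewrite). When evaluating any "immutable evidence" claim, that anchoring is the detail to ask about.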
Audit-Ready Reports
v3 adds a report generation engine that produces compliance documentation from your collected evidence.
Framework Assessment Reports show your compliance posture against a specific framework, with evidence linked to each requirement. Hand this to an auditor and they can see exactly how you meet each requirement, with links to the underlying data.
Periodic Compliance Reports summarize your supply chain security activities over a time period: SBOMs generated, vulnerabilities found and remediated, policy violations detected and resolved, customer disclosures made. These are designed for board reporting and management review.
Customer Compliance Packages bundle the documentation a customer needs for their own compliance: your SBOM for their product version, your vulnerability status, your security practices attestation, and your compliance certifications. The Portal can deliver these automatically, but v3 also supports generating them as downloadable packages.
Reports are generated in PDF and HTML formats with your organization's branding. They are designed to look professional enough to hand directly to regulators, auditors, or customers without further formatting.
VEX Document Support
Vulnerability Exploitability eXchange (VEX) is a companion to the SBOM: a machine-readable statement of the status of known vulnerabilities in the context of a specific product. An SBOM tells a consumer which components are present; VEX answers the follow-up question: "You have a vulnerability in a component. Is it actually exploitable in the context of this product?"
v3 adds full support for VEX authoring and consumption.
VEX authoring lets you create VEX statements for vulnerabilities in your products. For each CVE that affects a component in your SBOM, you can document:
- Not affected -- The vulnerable component or code path is not present, not reachable, or already mitigated in your product
- Affected -- The vulnerability is exploitable and you are working on a fix
- Fixed -- The vulnerability has been addressed in a specific version
- Under investigation -- You are still determining the impact
Each statement carries a justification explaining the assessment. For "not affected" this is more than free text: both CycloneDX and CSAF define an enumerated justification (for example, the vulnerable code is not present, is not in the execute path, or is protected by an existing mitigating control), and CISA's minimum VEX requirements expect every not-affected statement to carry such a justification or an impact statement. Regulators and customers want to know why you believe a vulnerability does not impact your product, and a downstream scanner can only suppress the finding on the strength of that justification.
VEX consumption allows you to import VEX documents from your vendors. When a vendor declares that a CVE does not affect their product, that declaration is reflected in your third-party risk management (TPRM) view. This reduces false-positive noise from third-party vulnerability monitoring.
VEX documents are generated in both CycloneDX VEX and CSAF (Common Security Advisory Framework) formats.
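The authoring and consumption halves described above, as an added example that is not Safeguard's code: it maps the page's four statuses onto CycloneDX analysis states, refuses to author a "not affected" statement without an enumerated justification, and then applies the resulting document to scanner findings, suppressing only those whose CVE and component reference both match a statement. The CycloneDX field names (analysis.state, analysis.justification, affects[].ref) and enumerations are the real ones from the 1.4+ vulnerability schema; the product name, component references, findings and the claim that the log4j lookup is unreachable are constructed for the scenario.

```python
import json

# CycloneDX (1.4+) vulnerability analysis states and the enumerated
# justifications the schema allows on a not_affected statement.
CDX_STATES = {"not_affected", "exploitable", "resolved",
              "resolved_with_pedigree", "in_triage", "false_positive"}
CDX_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}
# The four statuses described on the page, mapped to CycloneDX states.
STATUS_TO_STATE = {"not affected": "not_affected", "affected": "exploitable",
                   "fixed": "resolved", "under investigation": "in_triage"}
# Vendor states that justify silencing a scanner finding on the consumer side.
SUPPRESSING_STATES = {"not_affected", "resolved", "resolved_with_pedigree",
                      "false_positive"}


def vex_statement(cve, component_ref, status, justification=None, detail=""):
    """One CycloneDX 'vulnerabilities[]' entry carrying a VEX analysis.

    Refuses to author a not_affected statement without an enumerated
    justification, so an unexplained 'not affected' never leaves the tool.
    """
    state = STATUS_TO_STATE[status]
    analysis = {"state": state}
    if state == "not_affected":
        if justification not in CDX_JUSTIFICATIONS:
            raise ValueError(f"{cve}: not_affected needs a justification, "
                             f"got {justification!r}")
        analysis["justification"] = justification
    if detail:
        analysis["detail"] = detail
    return {"id": cve,
            "source": {"name": "NVD",
                       "url": f"https://nvd.nist.gov/vuln/detail/{cve}"},
            "analysis": analysis,
            "affects": [{"ref": component_ref}]}


def build_vex(product_ref, statements):
    """Wrap statements in a minimal CycloneDX BOM that carries only VEX data."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application",
                                       "bom-ref": product_ref,
                                       "name": product_ref}},
            "vulnerabilities": statements}


def apply_vex(findings, vex_doc):
    """Consume a VEX document: annotate scanner findings with the vendor's analysis.

    findings: [{"id": CVE, "ref": component bom-ref/purl}, ...]. A finding is
    matched only when a statement names the same CVE *and* the same component
    ref; a statement about another version of the component never silences it.
    """
    index = {(v["id"], a["ref"]): v["analysis"]
             for v in vex_doc["vulnerabilities"] for a in v.get("affects", [])}
    out = []
    for f in findings:
        analysis = index.get((f["id"], f["ref"]), {})
        state = analysis.get("state", "unknown")
        out.append({**f, "state": state,
                    "justification": analysis.get("justification"),
                    "suppressed": state in SUPPRESSING_STATES})
    return out


# Constructed component references for the scenario below.
LOG4J_2141 = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_2140 = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"
XNET_0150 = "pkg:golang/golang.org/x/net@0.15.0"


def demo():
    """Constructed scenario: a vendor VEX for 'acme-gateway' applied to three
    findings that an SCA scan of the product SBOM reported."""
    statements = [
        vex_statement("CVE-2021-44228", LOG4J_2141, "not affected",
                      "code_not_reachable",
                      "JNDI lookups are disabled at build time and the "
                      "lookup class is excluded from the shaded jar."),
        vex_statement("CVE-2023-44487", XNET_0150, "under investigation"),
    ]
    vex = build_vex("pkg:generic/acme-gateway@2.3.0", statements)
    findings = [{"id": "CVE-2021-44228", "ref": LOG4J_2141},
                {"id": "CVE-2023-44487", "ref": XNET_0150},
                {"id": "CVE-2021-44228", "ref": LOG4J_2140}]  # no VEX statement
    return json.dumps(vex, indent=2), apply_vex(findings, vex)


if __name__ == "__main__":
    doc, triaged = demo()
    print(doc)
    for f in triaged:
        print(f["id"], f["ref"], f["state"],
              "suppressed" if f["suppressed"] else "still open")
```

Two consumer-side details are worth keeping when you wire VEX into a real pipeline: the match key is the CVE together with the exact component reference, never the CVE alone, and only a small set of states (not affected, resolved, false positive) should suppress a finding; "under investigation" and "exploitable" must stay visible.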
Compliance Workflow
The typical compliance workflow in v3:
1. Configure frameworks. Select the compliance frameworks relevant to your organization. Safeguard maps your existing activities to framework requirements.
2. Identify gaps. The compliance dashboard shows which requirements are fully met, partially met, and unmet. For unmet requirements, Safeguard recommends the specific actions needed.
3. Close gaps. Use Safeguard's tools to implement the missing controls: enable SBOM generation in CI/CD, configure vulnerability monitoring, set up customer disclosure through the Portal.
4. Generate evidence. As you use Safeguard, evidence is collected automatically, with no additional effort required.
5. Produce reports. When audit time comes, generate the framework assessment report. Evidence is already linked, and the auditor can drill down from any requirement to the supporting evidence.
What This Means for Different Roles
For compliance officers: v3 transforms supply chain compliance from a manual, periodic exercise into a continuous, automated one. You have real-time visibility into your compliance posture and can generate audit documentation on demand.
For security teams: VEX authoring gives you a structured way to communicate vulnerability impact to customers and regulators. Instead of ad-hoc emails and spreadsheets, you produce machine-readable documents that integrate with downstream tools.
For engineering leaders: Compliance requirements are mapped to technical controls. You can see exactly which engineering practices contribute to which compliance requirements, making it easier to justify investment and prioritize work.
For sales teams: Customer compliance packages are available on demand. When a prospect asks about your supply chain security practices during procurement, you can provide professional documentation immediately instead of scrambling to collect it.
Getting Started
v3 is available now for all Safeguard customers. Existing data and configurations are preserved -- v3 adds new capabilities without changing existing ones.
Start by selecting your applicable compliance frameworks in the Settings panel. Safeguard will assess your current posture and identify gaps. Most customers find that their existing Safeguard usage already covers 60 to 80 percent of the requirements. Closing the remaining gaps is a matter of enabling specific features and configuring specific policies.
For organizations that have not yet started their compliance journey, the framework mappings serve as a roadmap. They tell you exactly what you need to implement and how Safeguard helps you implement it.