compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
CMMC Level 2 Supply Chain Control Evidence
CMMC Level 2 assessments demand structured evidence for the SR family and adjacent controls. Learn how to produce assessor-ready supply chain artifacts.
Enterprise AI Data Residency Requirements, 2026
Data residency for AI workloads has moved from nice-to-have to contractually required. The shape of the requirement is specific and worth knowing before procurement.
Signed SBOMs As Procurement Leverage
Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.
What is ISO 27001
ISO 27001 is the international ISMS standard with 93 Annex A controls. Here's what it requires, who needs it, and what it costs to certify.
What is the NIST Cybersecurity Framework
A breakdown of the NIST Cybersecurity Framework's six functions, its 2024 update, and why GV.SC makes it central to software supply chain security.
NIST SSDF 1.2 Draft: What the Comment Period Revealed
NIST opened public comment on SP 800-218r1 SSDF v1.2 on December 17, 2025. The draft adds AI development practices, refines supply-chain controls, and aligns with EO 14306.
What is FedRAMP
FedRAMP governs how federal agencies vet cloud software. Here's what it requires, what it costs, how long it takes, and what FedRAMP 20x changes.
What is the NIST Secure Software Development Framework (SSDF)
NIST SSDF (SP 800-218) explained: its four practice groups, the EO 14028 origin, federal attestation deadlines, and how it differs from SLSA and SP 800-53.
What is Executive Order 14028
EO 14028 forced federal software vendors to prove what's in their code. Here's what it requires, who it binds, and what's changed since 2021.
What is a Security Policy
A security policy is the documented, executive-approved rulebook auditors test against — here's what belongs in one, how often to review it, and what breaks when it isn't enforced.
DORA for Financial Services Software Supply Chain
How EU DORA is reshaping software supply chain expectations for financial services in 2026, with practical guidance on ICT third-party risk, SBOMs, and incident reporting.
What is a Security Risk Assessment
A security risk assessment ranks real business risk, not raw CVE counts. Here's what it involves, how often it's required, and how it differs from scanning.