compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
SBOM as a Product, Not a Checkbox
Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.
SEC Form 8-K Item 1.05: Two Years of Enforcement Lessons
Two years into mandatory cybersecurity incident disclosure, the SEC has issued comment letter sweeps and settled enforcement actions. Here is what filers got wrong.
FAQ: CycloneDX vs SPDX — Which to Use?
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
Implementing the ISO 27001:2022 Revision in 2026
The transition window to the 2022 revision of ISO 27001 closed in October 2025. Here is what we have learned from helping organizations implement it cleanly.
Safeguard Lion 2.0: Multi-Jurisdiction Compliance
Lion 2.0 is Safeguard's compliance model. The 2.0 release adds multi-jurisdiction mapping, control-level evidence, and a new export for audit packages.
SEC Cyber Incident Disclosure Rule: Year Two
Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Item 106 cybersecurity narratives will be judged.
Does GitHub Copilot Use Your Code? IP and Licensing Questions Answered
Does GitHub Copilot steal your code, or just learn patterns from it? The honest answer depends on which setting you're using, what plan you're on, and whether the suggestion it hands back matches code it was trained on.
The Software Transparency Act of 2026: What It Means for the Industry
Proposed legislation would require SBOMs for all critical infrastructure software. Here's a detailed analysis of the bill and its implications.
What is a Security Baseline
A security baseline is the minimum, testable set of controls every system or repo must meet — here's how it differs from policy, and how to build one for your supply chain.
SOC 2 Type II Evidence: Griffin AI vs Mythos
A SOC 2 Type II auditor samples a control population across a reporting period. Griffin AI creates that population as a natural output. Mythos-class pure-LLM tools leave you reconstructing it.
What is Third-Party Risk Management
Third-party risk management explained: what it covers, why SolarWinds and MOVEit made it board-level, and how modern TPRM differs from supply chain security.
What is Vendor Risk Management
Vendor risk management now means tracking code-level supply chain risk, not just SOC 2 reports—here's what it covers, how to tier vendors, and what regulations require it.