Safeguard
Tag

compliance

Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.

435 articles

Industry Analysis

SBOM as a Product, Not a Checkbox

Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.

Feb 5, 20267 min read
Compliance

SEC Form 8-K Item 1.05: Two Years of Enforcement Lessons

Two years into mandatory cybersecurity incident disclosure, the SEC has issued comment letter sweeps and settled enforcement actions. Here is what filers got wrong.

Feb 4, 20266 min read
Best Practices

FAQ: CycloneDX vs SPDX — Which to Use?

Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.

Feb 4, 20266 min read
Compliance

Implementing the ISO 27001:2022 Revision in 2026

The transition window to the 2022 revision of ISO 27001 closed in October 2025. Here is what we have learned from helping organizations implement it cleanly.

Feb 4, 20265 min read
Product

Safeguard Lion 2.0: Multi-Jurisdiction Compliance

Lion 2.0 is Safeguard's compliance model. The 2.0 release adds multi-jurisdiction mapping, control-level evidence, and a new export for audit packages.

Feb 4, 20266 min read
Compliance

SEC Cyber Incident Disclosure Rule: Year Two

Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Item 106 cybersecurity narratives will be judged.

Feb 4, 20267 min read
AI Security

Does GitHub Copilot Use Your Code? IP and Licensing Questions Answered

Does GitHub Copilot steal your code, or just learn patterns from it? The honest answer depends on which setting you're using, what plan you're on, and whether the suggestion it hands back matches code it was trained on.

Feb 4, 20266 min read
Compliance

The Software Transparency Act of 2026: What It Means for the Industry

Proposed legislation would require SBOMs for all critical infrastructure software. Here's a detailed analysis of the bill and its implications.

Feb 1, 20266 min read
Best Practices

What is a Security Baseline

A security baseline is the minimum, testable set of controls every system or repo must meet — here's how it differs from policy, and how to build one for your supply chain.

Jan 30, 20267 min read
AI Security

SOC 2 Type II Evidence: Griffin AI vs Mythos

A SOC 2 Type II auditor samples a control population across a reporting period. Griffin AI creates that population as a natural output. Mythos-class pure-LLM tools leave you reconstructing it.

Jan 29, 20267 min read
Compliance

What is Third-Party Risk Management

Third-party risk management explained: what it covers, why SolarWinds and MOVEit made it board-level, and how modern TPRM differs from supply chain security.

Jan 29, 20268 min read
Compliance

What is Vendor Risk Management

Vendor risk management now means tracking code-level supply chain risk, not just SOC 2 reports—here's what it covers, how to tier vendors, and what regulations require it.

Jan 29, 20267 min read
compliance (Page 26) — Safeguard Blog