compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
The SBOM Maturity Model: A Practical Roadmap for Enterprise Adoption
Most organizations are still at SBOM Level 0. Here's a five-level maturity model to guide your journey from no SBOMs to full supply chain transparency.
SOX Compliance in Software Development: The Supply Chain Angle
Sarbanes-Oxley requirements for internal controls extend into software development and supply chain integrity. Here's the connection most teams miss.
Software Transparency and the EU Cyber Resilience Act
The EU Cyber Resilience Act is rewriting the rules for software sold in Europe. Mandatory vulnerability handling, SBOM requirements, and security-by-design obligations are coming for every vendor.
SLSA vs SSDF vs S2C2F: Framework Comparison
Three supply chain integrity frameworks. Three different authors. Three different audiences. A practical comparison of SLSA, NIST SSDF, and Microsoft S2C2F for teams picking one.
Supply Chain Security for Government Agencies
Government agencies face unique software supply chain threats. Here's how federal and state organizations can protect critical infrastructure from compromise.
NIST CSF Updates Put Supply Chain Risk Management Front and Center
NIST's 2022 updates to the Cybersecurity Framework signal a major shift: supply chain risk management is no longer optional — it's a core pillar.
CISA SBOM Guidance: What Government Agencies Need to Know
CISA's evolving SBOM requirements are reshaping how government agencies procure and manage software. Here's what the guidance says and how to operationalize it.
NIST SP 800-218 (SSDF) Final Publication: What It Means for Your Organization
NIST finalized the Secure Software Development Framework in February 2022. If you sell software to the US government — or plan to — compliance is no longer optional.
CI/CD Pipeline Audit Logging: What to Capture and Why
Your CI/CD pipeline is a high-value target. Without proper audit logging, you will not know when it has been compromised until it is too late.
SBOM Formats Compared: CycloneDX vs SPDX in 2022
Two SBOM standards are competing for adoption. CycloneDX and SPDX take fundamentally different approaches to describing software components. Here's what matters when choosing between them.
CISA Known Exploited Vulnerabilities Catalog Launched
CISA's KEV catalog changes vulnerability management from theoretical risk to confirmed exploitation. Here's what it means and how to use it for prioritization.
NTIA SBOM Minimum Elements: What Your SBOM Actually Needs to Contain
The NTIA published its minimum elements for SBOMs in July 2021. Here's a practical breakdown of what's required, what's optional, and where most organizations fall short.