CISA Secure by Design Operational Guidance 2026
Translating CISA's Secure by Design pledge into operational engineering work in 2026, with the specific control mappings and evidence practices that hold up to audit.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
EO 14144 set ambitious supply chain rules for federal software in January 2025. EO 14306 in June reshaped them. Here is what survived, what changed, and what to plan for.
The Dutch Parliament approved the Cyberbeveiligingswet on 15 April 2026, with target entry into force on 1 July 2026 — 21 months after the EU transposition deadline.
The Second Amendment to NYDFS Part 500 added universal MFA and an asset inventory mandate on November 1, 2025. The April 2026 certification reveals where covered entities stand.
CMMC Phase 1 began in November 2025. Phase 2 lands on November 10, 2026, requiring mandatory C3PAO Level 2 assessments. We unpack the contractor implications.
FedRAMP 20x Phase Two is running Moderate-baseline pilots through Q2 2026. We walk through KSIs, machine-readable OSCAL, and the path to wide-scale adoption.
TSA's November 2024 Enhancing Surface Cyber Risk Management NPRM would formalize what pipeline and rail SDs already require. Operators should prepare now.
What the EU CRA actually requires from software vendors — SBOMs, vulnerability handling, CE marking, timelines through 2027, and penalties up to EUR 15M.
A 2026 reality check on EU AI Act enforcement: which obligations are active, what regulators expect, and the technical evidence enterprises must produce.