Safeguard.sh Documentation Center

Compliance

FedRAMP HIGH, IL7, EO 14028, and regulatory compliance

Compliance

Safeguard.sh is built for enterprise compliance requirements, with FedRAMP HIGH and IL7 certification and comprehensive regulatory support.

Coverage at a glance

Safeguard ships a Vanta/Drata-class GRC experience: 197 compliance frameworks worldwide and 394 integrations that collect evidence automatically.

Coverage
Compliance frameworks197 across 6 regions
Integrations / connectors394 across 28 categories
Ways to connect3 — OAuth consent, API token / PAT, or MCP server
Deep evidence collectors9 (GitHub, Okta, GitLab, Slack, Google Workspace, Datadog, AWS, Azure, GCP)
Policies22+ baseline templates per framework, plus custom

Frameworks by region: Americas 70 · International 41 · Europe 28 · Asia-Pacific 28 · Middle East & Africa 19 · Internal/baseline 11.

Every framework is scored after each assessment, with per-control and per-requirement drill-down. After a run, the compliance pipeline generates — for real — the scored record, controls, control tests, requirement evidence, policy evaluations, and connector evidence (from connected integrations). The full regulatory framework list by region is below; connector coverage is detailed on the Connectors page.

Certifications

FedRAMP HIGH

Safeguard.sh holds FedRAMP HIGH authorization:

  • Continuous monitoring
  • Annual assessments
  • Incident response procedures
  • Security control implementation

IL7 (Impact Level 7)

Approved for Department of Defense use:

  • Classified information handling
  • Enhanced security controls
  • DoD-specific requirements
  • Continuous authorization

SOC 2 Type II

Third-party audited controls for:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity

EO 14028 Support

Executive Order 14028 compliance features:

SBOM Requirements

  • NTIA minimum elements
  • SPDX and CycloneDX formats
  • Automated completeness checking
  • Compliance scoring

Software Security

  • Vulnerability disclosure
  • Secure development practices
  • Supply chain security
  • Artifact signing

Regulatory Frameworks

Safeguard.sh supports compliance with frameworks across the Americas, EU / UK, APAC, and MEA. Lino (our compliance model) maps your environment's evidence to each framework's control catalog continuously.

Americas

FrameworkJurisdictionSupport
NIST SP 800-53 Rev. 5US FederalControl mapping, automated evidence collection
NIST Cybersecurity Framework 2.0US (broad)Framework alignment dashboards
NIST SSDF (SP 800-218)US Federal softwarePractice-level attestation, SBOM tie-in
FedRAMP HIGH / Moderate / 20xUS Federal cloudAuthorized boundary; continuous monitoring; OSCAL export
DoD IL4 / IL5 / IL7US Department of DefenseIL7-approved deployment option
CISA Secure Software Development AttestationUS Federal softwareForm generation and evidence bundling
CMMC 2.0US Defense industrial baseLevel 1, 2, 3 mapping
EO 14028 SBOM minimum elementsUS FederalValidation and generation
SOX (ITGC)US public companiesSoftware-change control evidence
PCI DSS 4.0Payment industrySoftware supply chain controls (section 6)
HIPAA / HITECHUS healthcareBusiness associate evidence
HITRUST CSFUS healthcareControl mapping
LGPDBrazilData protection control mapping
PIPEDACanadaPrivacy control alignment

European Union & United Kingdom

FrameworkJurisdictionSupport
EU Cyber Resilience Act (CRA)EUEssential requirements mapping, SBOM, vulnerability handling, CE marking evidence
NIS2 DirectiveEUSupply chain risk management and incident reporting
Digital Operational Resilience Act (DORA)EU financial servicesICT third-party risk evidence, register of information
GDPREUProcessing activity and sub-processor tracking
eIDAS 2.0EUQualified electronic signature integration for attestations
ENISA Common Criteria Scheme (EUCC)EUEvidence assembly for ICT product certification
UK Product Security and Telecommunications Infrastructure Act (PSTI)UKVulnerability disclosure and SBOM support for consumer IoT
UK Cyber Assessment Framework (CAF)UK critical servicesControl mapping and evidence
ISO/IEC 27001:2022Global / EU-commonAnnex A control mapping
ISO/IEC 27036GlobalSupply chain security mapping
ISO/IEC 5230 (OpenChain)GlobalOpen-source license compliance program

Asia-Pacific

FrameworkJurisdictionSupport
DPDP Act 2023IndiaData protection impact and processor tracking
CERT-In Directions (2022)IndiaIncident reporting, six-hour window workflows
RBI IT Framework for BanksIndia financial servicesSoftware supply chain control mapping
Japan Cybersecurity Management GuidelinesJapanSupply chain clause mapping
Japan Software Security Guidelines (METI)JapanSSDF-aligned practice evidence
APRA CPS 234 / CPS 230Australia financial servicesICT control and supply chain evidence
Australia Essential EightAustraliaPatch management and application control signals
Singapore MAS TRM GuidelinesSingapore financial servicesThird-party risk and software security
Singapore Cybersecurity Act / CCoP 2.0Singapore critical infrastructureControl mapping
South Korea K-ISMS / K-ISMS-PSouth KoreaISMS control mapping
Hong Kong HKMA Cybersecurity Fortification InitiativeHong Kong FSControl evidence
Taiwan Cybersecurity Management ActTaiwanSupply chain risk clauses
China MLPS 2.0 (Multi-Level Protection Scheme)ChinaControl mapping (for China-region tenancies only)
China Data Security Law / PIPLChinaData residency and processor tracking

Middle East & Africa

FrameworkJurisdictionSupport
UAE NESA / SIA IASUAEControl mapping
UAE PDPLUAEData protection mapping
Saudi Arabia NCA ECCSaudi ArabiaEssential Cybersecurity Controls mapping
Saudi Arabia PDPLSaudi ArabiaData protection mapping
POPIASouth AfricaData protection control mapping
Israel Privacy Protection RegulationsIsraelData processor evidence

Industry-Specific

FrameworkSectorSupport
FDA Premarket Cybersecurity (Section 524B)Medical devicesSBOM and vulnerability reporting
IEC 62443Industrial control systemsSupply chain clauses
UNECE WP.29 / ISO 21434AutomotiveSupply chain cybersecurity management
DO-326A / ED-202AAviationSupply chain security evidence
IEC 81001-5-1Health softwareSBOM and lifecycle security evidence
NERC CIPNorth American energySoftware integrity and SBOM support
TIBER-EUEU financial threat-led testingDetection telemetry mapping

AI-Specific Frameworks

FrameworkJurisdictionSupport
EU AI ActEUModel provenance, training data lineage, conformity evidence
NIST AI Risk Management Framework (AI RMF 1.0)USRisk register and profile mapping
ISO/IEC 42001 (AI management system)GlobalControl mapping and evidence
Executive Order 14110US FederalDual-use foundation model inventory and reporting

Compliance Reports

Generate compliance documentation:

Pre-Built Reports

  • FedRAMP POA&M support
  • EO 14028 compliance report
  • SBOM completeness audit
  • Vulnerability summary

Custom Reports

Create reports for specific requirements:

  1. Navigate to Reports
  2. Click Create Report
  3. Select compliance framework
  4. Configure scope and date range
  5. Generate and export

Data Residency

Deployment options for data residency:

  • US Cloud - US data centers only
  • EU Cloud - EU data centers only
  • On-Premises - Your infrastructure
  • Air-Gapped - Disconnected environments

Security Architecture

Multi-Tenant Isolation

  • Complete tenant separation
  • Dedicated encryption keys
  • Isolated compute resources
  • Network segmentation

Encryption

  • TLS 1.3 in transit
  • AES-256 at rest
  • Customer-managed keys option
  • Hardware security modules

Access Control

  • Role-based access (RBAC)
  • Single Sign-On (SSO)
  • Multi-factor authentication
  • API key management

Audit Support

Supporting your audits:

  • Complete audit trails
  • Evidence collection
  • Assessor access (read-only)
  • Documentation packages

API Reference

REST API, CLI, and MCP server documentation

All Frameworks

The complete list of all 197 compliance frameworks Safeguard supports.

On this page

ComplianceCoverage at a glanceCertificationsFedRAMP HIGHIL7 (Impact Level 7)SOC 2 Type IIEO 14028 SupportSBOM RequirementsSoftware SecurityRegulatory FrameworksAmericasEuropean Union & United KingdomAsia-PacificMiddle East & AfricaIndustry-SpecificAI-Specific FrameworksCompliance ReportsPre-Built ReportsCustom ReportsData ResidencySecurity ArchitectureMulti-Tenant IsolationEncryptionAccess ControlAudit Support