Cybersecurity Compliance

Simplify regulatory and customer-driven compliance

FACT Platform for Cybersecurity Compliance

Following high-profile incidents like the SolarWinds attack and Log4j, regulators are now requiring cybersecurity compliance with a growing list of legislation in multiple sectors. Likewise, customers are insisting their suppliers provide comparable levels of transparency. FACT can help provide the necessary attestation of products and components to prove compliance.

Thumbnail of the Executive Order 14028

Executive Order 14028

In response to high-profile supply chain cyber attacks, the U.S. federal government responded in 2021 with Executive Order 14028: Improving the Nation's Cybersecurity. The Order directs all government agencies to require SBOMs from suppliers of critical software — and the definition of critical software is extremely broad. The Order gave rise to additional guidance from multiple agencies (CISA, NSA, and ODNI) on software supply chain security best practices targeting developers, vendors, and asset owners.

Private industry is expecting no less and the demand for SBOMs is growing. Addressing this demand, FACT:

  • allows vendors and asset owners alike to generate NTIA-compliant SBOMs in CycloneDX and SPDX formats.
  • reduces the cost of compliance efforts.
  • enables better communication on vulnerabilities between vendors and asset owners via VEX documents.

For more details and analysis of the Executive Order, visit our comprehensive timeline of EO 14028's deliverables.

Background image for the Vulnerability Call to Action

Schedule a session with our technical staff to see how FACT enables compliance with regulatory requirements like SBOMs, attestation, and more.

NERC-CIP Cybersecurity Compliance

Electric power utilities have industry-specific compliance obligations: CIP-013-1 - Cyber Security - Supply Chain Risk Management.


Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;


Verification of software integrity and authenticity of all software and patches, provided by the vendor for use in the BES Cyber System; and



Verify the identity of the software source; and


Verify the integrity of the software obtained from the software source.

FACT provides a quick win for operators of the Bulk Electric System (BES) and their vendors to demonstrate compliance with key requirements, such as:

Comprehensive and continuous reporting on all known and suspected vulnerabilities hidden in software and firmware
Trust Scores that validate the integrity and authenticity of software, firmware, and patches
Evidence of a proactive cybersecurity program


Draft guidance issued by the FDA for the medical industry has also turned its eye to the software supply chain as a source of risk. Although these are non-binding recommendations, the agency recognizes that full transparency of 3rd-party components is critical. It acknowledges the rapidly evolving landscape and emerging threats as a basis for an “updated, iterative approach to device cybersecurity.”

“ support supply chain risk management processes, all software, including that developed by the device manufacturer (“proprietary software”) and obtained from third parties should be assessed for cybersecurity risk and that risk should be addressed. Accordingly, device manufacturers are expected to document all software components of a device and to mitigate risks associated with these software components.”

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff

FACT documents all software components in a device and provides SBOMs, even for legacy devices where source code is unavailable.
FACT provides easy-to-use Trust Scores for assessing risk.
FACT identifies known and suspected vulnerabilities on an ongoing basis to help prioritize mitigations.

Want to see how the FACT platform streamlines compliance?

3rd-Party Supplier Discovery

When legislators, regulators, or customers seek to block software from specific vendors or countries, it can be challenging to determine if you have any of their components in your environment. For example, in 2017 the U.S. Department of Homeland Security banned Kaspersky products from all government departments (and other countries have followed suit over the years). For companies supplying the federal government, this restriction kicked off the difficult and costly task of finding and removing deeply buried Kaspersky components. FACT can help make discovery easy by:

  • quickly providing a supply chain wide-view of every instance of a specific vendor’s software
  • identifying the vendors of each component in a software package, no matter how deeply nested
  • displaying vendor risk scores to enable risk-informed purchasing decisions and ongoing vendor monitoring