A detailed technical breakdown of what US federal compliance frameworks (EO 14028/NIST SSDF, DISA STIGs, CMMC Level 2/NIST 800-171, FedRAMP, FISMA, ITAR) actually require from software build pipelines. The post catalogs specific controls per framework with their technical implementations, then synthesizes cross-cutting SDLC themes: SBOM generation and validation, security scanning enforcement (SAST/SCA/container/IaC), container image hardening, build provenance and artifact signing, secret scanning, version control and change management, testing evidence, and continuous compliance evidence collection. Key highlights include CMMC's five 5-point controls that cannot be deferred via POA&M, DISA Container Image Guide requirements mapping to Dockerfile/Kubernetes practices, and the industry direction toward continuous machine-readable evidence rather than periodic manual audits. The post concludes with a pitch for Earthly Lunar as a guardrails engine addressing these requirements.

17m read time. From earthly.dev
Table of contents
The landscape
EO 14028 and the NIST Secure Software Development Framework
DISA STIGs: container and DevSecOps requirements
CMMC Level 2 and NIST 800-171
FedRAMP: the SA, SR, CM, RA, and SI families
FISMA and ITAR: peripheral fit
What addressing these requirements looks like
How Lunar fits
