Achieve CMMC Level 2 with GitLab Dedicated for Government

For defense industrial base (DIB) companies, the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC) final rule and new guidance on “FedRAMP equivalence” have dramatically increased the cost of compliance and fundamentally changed the way they run their risk management programs. The era of “self-verification” of security programs is gone; DIB companies are required to strictly implement NIST 800-171 in their environments handling controlled unclassified information (CUI), and have their security controls audited by a third-party assessment organization (3PAO) every three years.
DIB companies are focused on engineering, not compliance, and formal audits quickly become expensive. These changes add significant complexity for companies focused on supporting warfighters. The good news? GitLab Dedicated for Government's FedRAMP Moderate authorization means DIB companies can use GitLab Dedicated for Government directly without any additional audits or authorizations, reducing the impact and cost of compliance.
Basic Rules: FedRAMP Moderate Equivalency
The security of controlled unclassified information (CUI) within the DIB is governed by a fundamental legal and contractual mandate: the Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012. This section specifically states that if a contractor uses an external cloud service provider to “store, process, or transmit any covered defense information”, that provider must meet security requirements “equivalent to the security requirements established by the Government for the FedRAMP Moderate Baseline.”
The DoD memorandum dated January 2, 2024, “Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider (CSP) Cloud Service Offerings”, defines “FedRAMP Moderate Equivalency” and also directly specifies that FedRAMP Moderate Cloud Service Offerings (CSOs) can be used to meet equivalence requirements without any additional assessments, such as individual CMMC assessments:
“This memorandum does not apply to CSOs that are FedRAMP Moderate Authorized under the existing FedRAMP process. FedRAMP Moderate Authorized CSOs identified in the FedRAMP Marketplace provide the security necessary to store, process, or transmit CDI in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012, “Security of Covered Defense Information and Cyber Incident Reporting” and this can be leveraged without further evaluation to meet equivalence requirements.”
GitLab Platform: A Proven Path to Compliance
GitLab’s GovCloud offering, GitLab Dedicated for Government, has received FedRAMP Moderate authorization. This means DIB companies can use GitLab Dedicated for Government as their DevSecOps platform immediately and without any additional audits or compliance checks. DIB companies using GitLab Dedicated for Government inherit all of our security controls and our bodies of evidence, removing the risk and cost of compliance from themselves and allowing them to focus on their mission.
Shared Responsibility Matrix: Your Role as a DIB Contractor
While a FedRAMP-authorized solution significantly reduces your compliance burden, compliance is a joint effort. You are still responsible for the security controls that fall to you. This is where the Shared Responsibility Matrix (SRM), also known as the Customer Responsibility Matrix (CRM), comes in.
When you adopt GitLab Dedicated for Government, you will receive a comprehensive SRM that clearly outlines which security controls are managed by GitLab and which are your responsibility as the customer. Your CMMC C3PAO will use this document to verify that you have implemented the controls that are your responsibility. By leveraging GitLab’s FedRAMP-authorized platform, you can confidently meet your CMMC Level 2 compliance requirements, focusing on your mission while trusting that GitLab has you covered.
To learn more about GitLab Dedicated for Government, visit our GitLab for the public sector page. Interested in a demo? Contact Sales for more information.
Reference
Source: about.gitlab.com
Published on: 2025-11-11 19:00:00
