FedRAMP and GitHub

GitHub Enterprise Cloud is now FedRAMP Authorized, which brings software collaboration to governments everywhere

🎉 GitHub Enterprise Cloud + FedRAMP Tailored Authorized 🎉

Governments around the world use GitHub to build software, shape policy, and share information with constituents. To ensure that governments have access to best-in-class tools, we’ve worked with the US Federal Government to secure FedRAMP Tailored Authorization for GitHub Enterprise Cloud. Government users can now rely on GitHub knowing that our platform meets the FedRAMP Tailored baseline of security controls set by our US federal government partners.

With GitHub Enterprise Cloud’s FedRAMP Tailored ATO, agencies can more easily:


Why did the GSA determine that FedRAMP Tailored is the right baseline for GitHub?

As the Federal government takes advantage of the modern software development and collaboration capabilities that GitHub provides, it is important that it does so in a way that is compliant with its security requirements, including OMB Circular A-130 and the Risk Management Framework (NIST SP 800-37). FedRAMP Tailored provides agencies with a flexible and reusable template for establishing a strong, FISMA-compliant security baseline for low-impact Software as a Service (SaaS) systems.

For this reason, when GSA looked to authorize GitHub.com for use within the agency, it determined that FedRAMP Tailored was the right baseline to apply. It provides a familiar set of security controls and framework, while allowing the flexibility to use modern tools with established security track records.

The FedRAMP Tailored baseline is purpose-built for modern and nimble low-impact SaaS solutions like GitHub. The other FedRAMP baselines (Low, Moderate and High) carry a much larger control set and were written with full Infrastructure- or Platform-as-a-Service offerings (IaaS or PaaS) in mind.

Code is the most important asset that we create. Why is FedRAMP Tailored the right authorization to apply here?

FedRAMP Tailored was designed for Software as a Service systems like GitHub. FedRAMP requires that agencies specify the type of data that can reside within authorized systems. Best practice is that source code contain no sensitive data, personally identifiable or otherwise (credentials, keys and PII belong in a separate secrets or records store, not in a repository), so a code repository is categorized as low impact. That categorization is the agency’s responsibility to uphold: the Tailored baseline assumes it, and committing secrets or PII to a repository would put data in the system that the authorization does not cover.

FedRAMP Tailored can also speed the authorization process with reusable evidence and NIST SP 800-53 control inventories that agencies can base their own ATO decisions on. The FedRAMP Program Management Office can share GitHub’s existing authorization package for your review. Your agency’s Authorizing Official (AO) may review and accept this package and issue an agency-specific Authority to Operate (ATO).
Download our authorization package from the FedRAMP Marketplace 

Does GitHub now comply with the Federal Information Security Management Act (FISMA)?

A FedRAMP authorization is the mechanism by which a cloud service demonstrates FISMA compliance, so GitHub’s FedRAMP Tailored authorization addresses your FISMA requirements for this service. FISMA is the law that requires US federal agencies, and the contractors and service providers that handle their data, to implement and document the security controls that NIST defines in Special Publication 800-53 (revision 4 at the time of this authorization). For cloud services, FedRAMP, established in 2011, standardized the FISMA assessment and authorization process so that one authorization package can be reused across agencies; the underlying NIST standards themselves are unchanged.

In summary

GitHub’s FedRAMP Tailored authorization confirms our commitment to Government information security. It opens our best-of-breed software development and collaboration platform to even more missions, allowing even more agencies to benefit from the rigorous security of GitHub Enterprise Cloud.