Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Security Compliance, Dedicated Markets Team

  1. You are here:
  2. Handbook
  3. Security at GitLab
  4. Security Assurance
  5. Security Compliance, Dedicated Markets Team

Security Compliance (Dedicated Markets) Mission

Our Mission is to advance customer trust with a focus on customers operating in highly regulated industries or who otherwise have unique security and compliance requirements. We will accomplish this mission by:

  1. Enabling GitLab Dedicated to be the most trusted DevSecOps offering in the market, demonstrated by security certifications and attestations.
  2. Achieving and maintaining industry-specific security certifications such as FedRAMP and FIPS 140-2 compliance for the U.S. Public Sector.
  3. Applying compliance automation and compliance-as-code guardrails to minimize toil and enable product, development, and infrastructure teams.
  4. Use our own product (dogfooding) to meet key security controls, improve our offering, and demonstrate to customers how they can do the same.

For more information on the direction of the GitLab Dedicated category, please see this page.

Core Competencies

As a member of the Security Assurance sub-department, and fork of the existing Security Compliance team, we share many of the same core competencies. The difference between our teams is in the product/system scope (GitLab Dedicated and any future offerings for highly regulated markets) and the security certifications we are pursuing.

  1. Security Certifications
  2. Observation and Remediation Management
    • Identifying control weaknesses and gaps (observations)
    • Remediation recommendations
    • Tracking remediation plans to completion
  3. Continuous Monitoring of GitLab's Security Controls which are mapped to applicable regulatory requirements and security certifications/frameworks we have committed to.

Some of our work is not public for now. Please see the internal handbook to find out more about what our team is working on, or reach out to us.

Vision and Focus Areas

Security Compliance is part of the 2nd line of defense and our goal is identify and treat risks early before they have more severe impacts later on (i.e. regulatory or reputational). We strive to partner with the 1st line of defense (Engineering, Product, and other parts of the organization) to shift compliance left where it is both more effective and less burdensome. To achieve that vision, we need to focus on the following areas and solicit feedback from other parts of the organization:

Where we work

We primarily work out of projects in our Dedicated Compliance team subgroup, the Security Department and Security Assurance parent groups, the GitLab Dedicated issue tracker, and the Security Compliance Observation Management project.

Metrics and Measures of Success

  1. Security Control Health
  2. Security Observations

Contact the Team

Program DRI Responsibilities
Security Compliance (Dedicated Markets) team manager @corey-oas FedRAMP Authorization Program and compliance/certification roadmap for GitLab Dedicated and GitLab Dedicated for U.S. Government)
GitLab Dedicated security compliance @dchangkuon Continuous monitoring, gap assessments, and external audit coordination (e.g. SOC 2 Type 2).
FedRAMP Information System Security Officer (ISSO) @niben01 FedRAMP vulnerability posture reporting, maintaining Plan of Action & Milestone reporting, and deviation requests
FedRAMP Continuous Monitoring Program @kbray Continuous monitoring improvements and automation, significant change identification, and compliance documentation maintenance
Edit this page View source