The Compliance Production Readiness Assessment is a process designed to make it clear what obligations systems owners have for configuring and hardening a system/tool/service in order for GitLab to meet its compliance and regulatory obligations.
This Compliance Production Readiness Assessment process applies to new systems/tools/services or any existing system/tool/service that is processing new data or existing data in a different way that might change the compliance and regulatory obligations.
An example of a scope change would be a system like Calendly that might only be processing Yellow data today but, due to a new feature, is now processing Orange data. This new type of data being ingested into such a system would change the security control requirements and would require increased support from the system owner to help ensure these controls are operating effectively.
Please reach out to the Security Compliance team using the @sec-compliance-team tag in the #sec-assurance slack channel and we can help with any questions you have about this process.