Add REGULATED RED sub-classification level for regulatory compliance

Summary

This MR proposes updating the GitLab Data Classification Standard to include a new REGULATED category for customer data subject to specific regulatory frameworks (CUI, FedRAMP Moderate, etc.) to differentiate it from general customer data. This change will enable more precise security controls and integration restrictions based on regulatory requirements.

Problem Statement

The current RED classification encompasses all customer data uniformly, but some customer data is subject to specific regulatory frameworks that require enhanced security controls beyond standard customer data protections. Examples include:

  • Controlled Unclassified Information (CUI) - Unclassified information requiring safeguarding under various U.S. laws, regulations, or government policies
  • FedRAMP Moderate Impact Data - Data requiring compliance with FedRAMP Moderate security controls for federal cloud services

Without distinguishing regulated data, GitLab cannot implement the differentiated security controls required for regulatory compliance, creating potential compliance risks and limiting our ability to serve regulated customers effectively.

Proposed Solution

Add a Sub-classification under RED: REGULATED RED

REGULATED (Regulated Data)

  • Data subject to specific regulatory frameworks requiring enhanced security controls and compliance measures
  • Access requires explicit approval and must comply with applicable regulatory requirements
  • Exposure could cause significant loss, trigger regulatory violations, and potentially result in loss of certifications, authorizations, or legal penalties

Regulatory Labels/Subcategories:

  1. REGULATED-CUI: Controlled Unclassified Information, as protected under the security requirements of NIST SP 800-171
  2. REGULATED-FEDRAMP: Data requiring FedRAMP Moderate or High security controls

Key Changes Made

  • Added new REGULATED RED sub-classification level with comprehensive definition
  • Created subcategories for different regulatory frameworks
  • Updated classification hierarchy and examples
  • Added definition for "Regulated Data" in the definitions section

Benefits

  1. Enhanced Compliance: Enables implementation of framework-specific security controls
  2. Risk Mitigation: Reduces compliance risks through proper data categorization
  3. Operational Clarity: Provides clear guidance for handling different types of regulated data
  4. Scalability: Framework supports addition of new regulatory requirements

Impact Assessment

  • Low Risk: This is an additive change that enhances existing classifications
  • Backward Compatible: Existing classifications remain unchanged
  • Zip Purchase Request: The workflow will need to be updated to account for the new data classification level
  • Training Required: Training content will need to be updated
  • System Updates: The Data Classification Index and related systems will need updates
  • Integration Request: The CorpSec Integration Request issue template will need to be updated with the above guidance

Next Steps

  1. Review and approval by Security and Legal teams
  2. Update Data Classification Index (internal)
  3. Create Epic to track updates to other documents/processes

Edited by Corey Oas