Vision: Mapping the GCF to multiple frameworks as a single source of truth (SSOT)

Problem to solve

Organizations need a way to manage the compliance of their GitLab projects: an easy way to apply specific compliance controls to their projects so that managing those rules involves less friction. Compounding the problem, legal and regulatory compliance frameworks change regularly, and a change in a framework can translate into a change in an organization's policy or procedure and, by extension, in how it uses GitLab.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Further details

GitLab's @gitlab-com/gl-security/compliance team has been working diligently on the GitLab Control Framework (GCF), which already maps SOC2, PCI, and ISO controls to GCF controls. Using the GCF's Controls by Family approach and the existing mapping pages, we could translate those mappings into product features that help customers implement, on their projects, the compliance controls that map to these frameworks via the GCF.

Benefits of this approach

  • GitLab can more efficiently maintain a single, authoritative compliance framework
  • GitLab can become a thought leader in the compliance space using the GCF as an anchor point
  • In the spirit of open source and transparency, this framework could benefit other organizations seeking to unify multiple compliance frameworks

Example: GCF Mapping

Control Family: Change Management
  GCF Control: CM.1.02 - Change Approval Control Guidance
  Related Framework Controls:
    ISO: A.12.5.1, A.14.2.3, A.14.2.4, A.14.2.8, A.14.2.9
    SOC2: CC8.1
    PCI: 1.1.1, 10.4.2, 6.3.2, 6.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.4.6

Control Family: Identity and Access Management
  GCF Control: IAM.1.01 - Logical Access Provisioning Control Guidance
  Related Framework Controls:
    ISO: A.9.2.1, A.9.2.2, A.9.2.3, A.9.4.1, A.12.5.1, A.18.1.3
    SOC2: CC6.1, CC6.2, CC6.3, CC6.6, CC6.7
    PCI: 7.1.4, 8.1.2

Control Family: Risk Management
  GCF Control: RM.3.01 - Remediation Tracking Control Guidance
  Related Framework Controls:
    SOC2: CC4.2, CC5.1, CC5.2

Example: GCF Project Controls

Based on existing control mapping. Example "GCF Control" taken from the table above (GCF Mapping).

GCF Control: CM.1.02
  Control Objective -> Solution
    1. Change description -> Require MRs to have a linked issue
    2. Impact of change -> Auto-generate an issue for impact assessment
    3. Test results -> SAST/DAST/other scan results in the MR widget
    4. Back-out procedures -> Add an image snapshot to a pipeline stage

Example (WIP)

Proposal

A three-phase approach to implementing the GCF as the standard framework for introducing compliance controls to projects.

Phase 1

Determine the specific control families that apply to a customer's use of GitLab.

Complete the mapping of GitLab features to the GCF based on the chosen families.

Phase 2

Create an MVC using one control from one family that customers can apply to a project (e.g. CM.1.02 - Change Approval).

Create an MVC report of a project's compliance controls (e.g. a CSV report showing that the project has [Control1, Control2, Control3], with links to the GCF).

Incorporate this data into the group-level compliance dashboard.
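The following is an added example of what the Phase 2 report could look like; it is not GitLab's code or a description of any shipped feature. It evaluates one project's settings against the four CM.1.02 objectives from the GCF Project Controls table above and emits the per-project CSV. The project settings are a constructed dict with hypothetical key names (there is no GitLab API call here), and the GCF link is a placeholder because this page gives no GCF URL. The one design decision worth noting: a control is reported as "implemented" only when every objective is evidenced, and the mapped ISO/SOC2/PCI controls are listed as covered only in that case, so a partially configured project never shows up on the dashboard as satisfying SOC2 CC8.1.

```python
"""Phase 2 MVC report, as an added example (not GitLab's own code).

Evaluates one project's settings against the objectives of a GCF control and
emits the per-project CSV described in the proposal. The project settings are
a constructed dict with hypothetical keys, not the GitLab API; the GCF link
is a placeholder because the page gives no URL.
"""
import csv
import io

GCF_BASE_URL = "https://example.invalid/gcf/"  # placeholder, not a real GCF URL

# Related framework controls, copied from the GCF Mapping table on this page.
FRAMEWORK_MAP = {
    "CM.1.02": {
        "ISO": ["A.12.5.1", "A.14.2.3", "A.14.2.4", "A.14.2.8", "A.14.2.9"],
        "SOC2": ["CC8.1"],
        "PCI": ["1.1.1", "10.4.2", "6.3.2", "6.4", "6.4.5", "6.4.5.1",
                "6.4.5.2", "6.4.5.3", "6.4.5.4", "6.4.6"],
    },
}

# Control objectives (from the GCF Project Controls table) paired with the
# project-level evidence that satisfies each. The setting names are hypothetical.
OBJECTIVES = {
    "CM.1.02": [
        ("Change description", lambda p: p.get("mr_requires_linked_issue") is True),
        ("Impact of change", lambda p: p.get("impact_issue_auto_created") is True),
        ("Test results", lambda p: bool(p.get("mr_widget_scans"))),
        ("Back-out procedures", lambda p: p.get("pipeline_image_snapshot") is True),
    ],
}


def evaluate_control(control_id, project):
    """Return (status, [(objective, satisfied), ...]) for one control.

    A control only counts as implemented when every objective is evidenced;
    anything less is 'partial' so a dashboard never over-reports coverage.
    """
    results = [(name, bool(check(project))) for name, check in OBJECTIVES[control_id]]
    met = sum(1 for _, ok in results if ok)
    if met == len(results):
        status = "implemented"
    elif met == 0:
        status = "not implemented"
    else:
        status = "partial"
    return status, results


def build_report(project_path, project, controls=None):
    """Return CSV text with one row per GCF control.

    Framework coverage (ISO/SOC2/PCI) is only claimed for fully implemented
    controls; a partially met GCF control is not evidence for the mapped
    framework controls.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["project", "gcf_control", "status", "objectives_met",
                     "unmet_objectives", "frameworks_covered", "gcf_link"])
    for cid in controls or sorted(OBJECTIVES):
        status, results = evaluate_control(cid, project)
        met = sum(1 for _, ok in results if ok)
        unmet = "; ".join(name for name, ok in results if not ok)
        covered = ""
        if status == "implemented":
            covered = "; ".join(f"{fw}: {', '.join(ids)}"
                                for fw, ids in FRAMEWORK_MAP.get(cid, {}).items())
        writer.writerow([project_path, cid, status, f"{met}/{len(results)}",
                         unmet, covered, GCF_BASE_URL + cid])
    return buf.getvalue()


# Constructed sample: a project with linked-issue enforcement and scans in the
# MR widget but no image snapshot stage, so back-out evidence is missing.
SAMPLE_PROJECT = {
    "mr_requires_linked_issue": True,
    "impact_issue_auto_created": True,
    "mr_widget_scans": ["sast", "dast", "dependency_scanning"],
    "pipeline_image_snapshot": False,
}

if __name__ == "__main__":
    print(build_report("group/app", SAMPLE_PROJECT), end="")
```

Running the block prints a header row plus one row for CM.1.02 marked "partial" with "Back-out procedures" as the unmet objective and an empty frameworks_covered column; flipping pipeline_image_snapshot to True turns the row into "implemented" with the ISO, SOC2 and PCI identifiers filled in.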

Phase 3

Iterate on the control MVC to add additional control options (e.g. IAM.1.01 - Logical Access Provisioning Control Guidance and RM.3.01 - Remediation Tracking Control Guidance).

Note: This proposal does not block any current work around introducing compliance controls to projects. We will continue to iterate on smaller features towards this same end. This proposal provides a vision for the long-term value of this category.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
