FIPS 140-2 Compliant GitLab
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
## Overview
FIPS compliance is a requirement for the US Govt to utilize a piece of software. It is required for any [FISMA](https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project) or FedRAMP system, and [cannot be waived](https://csrc.nist.gov/projects/cryptographic-module-validation-program).
In order for GitLab to be directly usable within the US Govt, we need to be compliant.
A brief overview of FIPS may be found in this [Wikipedia article](https://en.wikipedia.org/wiki/FIPS_140-2).
The intent of this epic is to fully satisfy FIPS compliance level 1 requirements.
There is a large group of PubSec and regular clients that are interested in FIPS compliance and FedRAMP standards. This initiative is a step in FedRAMP standards, therefore we will attempt to pursue FedRAMP standards where needed if that standards is a higher standard than FIPS 140-2. Decision on pursuing a FIPS 140-2 vs 140-3 standards can be discussed here: [FIPS 140-2 vs 140-3](https://gitlab.com/gitlab-org/gitlab/-/issues/351479)
Opportunity Canvas: https://docs.google.com/document/d/16kr9758syxIFDPCh3UQX9yayj7I0IjmoVf1YtIj-ug4/edit?usp=sharing
### FIPS Compliance
The US Federal Information Processing Standards (FIPS) covers a number of different standards:
FIPS 140: Cryptographic modules
FIPS 180: Secure hashes
FIPS 186: Digital signatures
and more
GitLab is currently focused on meeting FIPS 140 with an eye on FedRAMP compliance as the ultimate goal.
FIPS compliance means that GitLab can demonstrate to an external auditor that it:
1. Uses FIPS-approved cryptographical algorithms.
2. Handles keys, certificates, and other secrets in a secure manner.
3. Secures data in transit and at rest.
See this internal handbook page for more information: https://internal-handbook.gitlab.io/engineering/fips-compliance/
## Offering
We will offer a "FIPS-mode", where users on self-managed of any tier can choose to be FIPS compliant. Some features will automatically be turned off if we are unable to easily make them FIPS compliant, and some features will have documentation to manually turn them off or how to be FIPS compliant.
## Timeline
This project lead to FedRAMP therefore being FIPS compliant in a timely manner is important.
1. Audit Ready (70% development backlog completed) by milestone end of 14.10 (April 22)
2. FIPS Audit in 15.0 (May 2)
3. Complete followup Audit work and be FIPS compliant by 15.2 (July 25).
## GitLab Documentation
Documentation on the existing FIPS support in GitLab may be found [here](https://docs.gitlab.com/ee/development/fips_compliance.html).
It also details how to set up a development environment for testing FIPS, as this is non-trivial. This might be useful information to engineers from other groups working on FIPS-compliance issues.
## Engineering Progress
In alphabetical order. Visualized charts are available in [Sisense](https://app.periscopedata.com/app/gitlab/983489/FIPS-Project-Progress) (with data lag).
| Domain | Epic | Closed Issues | Total Issues | Progress % |
| ------ | ------ | ------ | ------ | ------ |
| Dev - Editor | https://gitlab.com/groups/gitlab-org/-/epics/7744 | 11 | 11 | 100% |
| Dev - Gitaly | https://gitlab.com/groups/gitlab-org/-/epics/6477 | 16 | 16 | 100% |
| Dev - Misc. | https://gitlab.com/groups/gitlab-org/-/epics/7500 | 15 | 15 | 100% |
| Dev - Source Code | https://gitlab.com/groups/gitlab-org/-/epics/6476 | 20 | 20 | 100% |
| Distribution | https://gitlab.com/groups/gitlab-org/-/epics/6453 | 37 | 37 | 100% |
| Enablement - Misc. | https://gitlab.com/groups/gitlab-org/-/epics/7524 | 5 | 5 | 100% |
| Ops - Misc. | https://gitlab.com/groups/gitlab-org/-/epics/7537 | 1 | 1 | 100% |
| Package | https://gitlab.com/groups/gitlab-org/-/epics/7523 | 12 | 12 | 100% |
| Runner | https://gitlab.com/groups/gitlab-org/-/epics/6481 | 2 | 2 | 100% |
| Secure | https://gitlab.com/groups/gitlab-org/-/epics/6479 | 41 | 41 | 100% |
| Eng - Catch all | https://gitlab.com/groups/gitlab-org/-/epics/5104 | 11 | 11 | 100% |
| **Overall** | | **171** | **171** | **100%** |
## Audit
## On-going Maintenance Considerations
## Updates
Feb 1st, 2022
FY22 Q4 OKR status update
Current: 46% (16/35), 14.8: 57% (20/35), 14.9: 80% (28/35), 14.10: 83% (29/35)
Total: 35 issues (+1 for audit, +2 for nice to have, total 38)
* Done - 16
* 14.8 - 4
* 14.9 - 8
* 14.10 - 1
* Backlog - 3
* Not scheduled - 8 (new issues were created since the last update, which is why this does not add up to 35)
Proposed FY23 Q1 OKR
Total issues required for audit ~ 39
Closed issues - 17
Issues scheduled within Q1 - 32
Not scheduled - 7
Current roadmap for completion - 82% (32/39)
January 14th, 2022
OKR status update
Current: 40% (14/35), 14.7: 54% (19/35), 14.8: 54% (19/35), 14.9: 69% (24/35)
Total: 36 issues (+1 for audit, +2 for nice to have, total 38)
* Done - 14
* 14.7 - 5
* 14.8 - 0
* 14.9 - 5
* Backlog - 3
* New - 6 (some completed already/planned)
* Needs review - 6
* Must do after other work - 2
* Nice to have: 2
Of 70% of the we are at 14/25 (56%) and are currently scheduled for 19/25 (76%) after 14.7.
January 10th, 2022
OKR status update
Current: 40% (14/35), 14.7: 54% (19/35), 14.8: 69% (24/35)
Total: 36 issues (+1 for audit, +2 for nice to have, total 38)
* Done - 14
* 14.7 - 5
* 14.8 - 5
* Backlog - 3
* New - 6 (some completed already/planned)
* Needs review - 6
* Must do after other work - 2
* Nice to have: 2
December 20th, 2021
OKR status update
Current: 36% (13/36), 14.6: 42% (15/36), 14.7: 67% (24/36)
Total: 36 issues (+1 for audit, +1 for nice to have, total 38)
* Done - 13
* 14.6 - 2
* 14.7 - 9
* Not planned - 4
* New - 6 (some completed already/planned)
* Needs review - 6
* Must do after other work - 2
* Nice to have: 1
## Acceptance Criteria
1. Successful Audit of FIPS 140-2
2. FIPS Compliant product for FedRAMP offering
epic