Government IT offices now have access to a vast range of open source software resources and developers since GitHub gained FedRAMP operating authority for its Enterprise Cloud, according to a new special report.
The authorization from the Federal Risk and Authorization Management Program means government agencies can move beyond GitHub’s licensed platform for internal enterprise software development and take advantage of a wider universe of cloud-based open source development resources, knowing they meet federal security guidelines.
The expanded access to GitHub resources comes as a growing number of government agencies all over the world utilize GitHub’s open source collaboration platform. At last count, 143 U.S. federal civilian agencies, 14 Department of Defense agencies and 48 state agencies are using GitHub to collaborate on code, data, policy and procurement, according to GitHub figures.
Details about the expanded options for federal agencies – and how GitHub used a new FedRAMP authorization process to gain security approval – are contained in a new special report, “Federal Access to Open Source,” produced by FedScoop and underwritten by GitHub.
According to Ashley Mahan, acting director of the FedRAMP Program Office, the FedRAMP Tailored assessment process takes advantage of a subset of the NIST 800-53 technical control standards to fine-tune FedRAMP authorization specifically for software-as-a-service (SaaS) providers that handle low-risk, low-impact data and aren’t responsible for a host of network security controls.
GitHub is among the first cloud service providers to receive FedRAMP Tailored approval.
“We have historically had [government] customers on GitHub.com, but they were either doing it as shadow IT under a team plan or non-mission-critical system,” said Jamie Jones, GitHub principal architect. “Because GitHub.com did not have an authority to operate (ATO) it was not deemed appropriate for most organizations’ day-to-day mission-critical applications,” he explained.
By establishing FedRAMP Tailored, the GSA program office has created a more streamlined security approval process that is better suited for software-as-a-service providers.
Now with FedRAMP approval, Jones says there is no reason an agency currently using GitHub under a team or enterprise license not to move to the FedRAMP-authorized Enterprise Cloud version. And in most circumstances, there are a number of advantages.
“One key benefit of using the FedRAMP-authorized Enterprise Cloud is we can now support your agency’s identification and authorization tools,” Jones said. “For the extra capabilities we are providing, including faster support requests or the ability to use SAML and your identity providers, it’s far less of an administrative burden.”
According to the report, some of the features on GitHub Enterprise Cloud are quickly gaining parity with, and in some cases, exceeding the features of GitHub’s Enterprise Server, its on-premises offering. But the biggest advantage to agencies using GitHub Enterprise Cloud, according to Jones, is it gives them access to the entire GitHub universe of open source development and collaboration resources — and the vast community of developers contributing to those resources.