FAR 52.204-21 and DFARS 252.204-7012 Compliance

Is GitHub recognized as meeting government security standards FAR 52.204-21 and DFARS 252.204-7012?

Hi @sschelling13,

Welcome to the community! We are happy you are here. :slightly_smiling_face:

GitHub’s security and privacy policies and standards do not strictly conform to one given control framework, but are informed by leading industry practices. GitHub provides a self-assessment, the Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA-CAIQ), as evidence of mapping and assessment of controls, architecture, and processes as they relate to a variety of regulations, standards, and security frameworks.

The most recent version can be downloaded here. GitHub has published our SOC (Service Organization Controls) 2, Type 2, and SOC 1, Type 2, audit reports for GitHub Enterprise Cloud. For our customers with an international presence, these audit reports also include our external audit opinions against the IAASB International Standards on Assurance Engagements: ISAE 3000 and ISAE 3402.

If you’re currently using GitHub Enterprise Cloud, you can request a copy of these audit reports through your Support team. Otherwise, you can self-serve a copy of our publicly available SOC 3, which can be found at github.com/security/trust.

Additionally, as of October 4, 2018, GitHub is listed as “Authorized To Operate” or “ATO” for FedRAMP Tailored (Low Impact) for GitHub Enterprise Cloud. Status can be verified at https://marketplace.fedramp.gov/#/product/github-enterprise-cloud.

GitHub’s Privacy Policy and Statement: https://help.github.com/en/articles/github-privacy-statement

Privacy Shield is obsolete as of July 2020; instead, GitHub relies on Standard Contractual Clauses (SCCs). For more details, please review the blog post: https://github.blog/2020-07-23-safeguarding-trans-atlantic-developer-collaboration/

I hope this helps!