FedRAMP Authorized — Moderate Impact
GitHub Enterprise Cloud for Government by Microsoft (GitHub). 6 compliance features verified.
GitHub Enterprise Cloud for Government
by Microsoft (GitHub)
Impact Level: Moderate | Status: Authorized | Pricing: enterprise
Authorization Date: January 18, 2023 | Sponsoring Agency: GSA
Overview
GitHub Enterprise Cloud for Government provides FedRAMP Moderate authorized source code management and DevSecOps capabilities for government organizations. It offers code repositories, GitHub Actions CI/CD, security scanning, and Copilot AI assistance within a compliant boundary. The platform is hosted on Azure Government infrastructure.
Key Features
Certifications & Authorizations
Deployment Options
NIST 800-171 Compliance Coverage
How to Procure GitHub Enterprise Cloud for Government for Defense Contracts
GitHub Enterprise Cloud for Government is available through GSA MAS Schedule 70 (IT Professional Services) and SEWP V contracts under SIN 132-51 Software Licenses. Government pricing includes significant discounts compared to commercial rates, typically a 20-30% reduction for federal agencies. The authorization boundary encompasses GitHub's SaaS platform, including repositories, GitHub Actions runners, and integrated security features, but excludes customer code and configurations, which remain the customer's responsibility. Contracting officers must approve the GitHub Customer Agreement addendum, the data processing agreement, and, if applicable, a BAA for HIPAA. The SSP documents a clear delineation between GitHub's platform responsibilities and customer configuration responsibilities. The typical procurement timeline spans 60-90 days, including security review, legal approval, and technical configuration.
For CMMC assessments, include GitHub Enterprise Cloud Gov within your assessment boundary as an External Service Provider (ESP) at the appropriate CMMC level. Document the shared responsibility model clearly, ensuring GitHub's FedRAMP controls map to your required CMMC practices. Maintain evidence of GitHub's authorization status and implement additional customer-side controls for code scanning, branch protection, and access management to meet CMMC requirements.
Compliance Cross-References
GitHub Enterprise Cloud for Government directly supports DFARS 252.204-7012 compliance through its FedRAMP Moderate authorization covering CUI protection requirements. The platform satisfies DFARS 252.239-7010 cloud computing security requirements via continuous monitoring, encryption at rest and in transit, and incident response capabilities. For NIST 800-171, GitHub addresses multiple control families: Access Control (AC) through SSO integration and role-based permissions, System and Communications Protection (SC) via TLS 1.2+ encryption and network security controls, and Audit and Accountability (AU) through comprehensive logging and monitoring. The service aligns with CMMC Level 2 domains including Access Control (AC), Configuration Management (CM), and System and Information Integrity (SI) through built-in security scanning and vulnerability management. DoD Cloud Computing SRG IL2 requirements are met through the FedRAMP authorization, which provides the foundational security controls necessary for CUI processing. Organizations leveraging this service can cite GitHub's ATO as evidence of meeting foundational cybersecurity requirements while implementing additional customer-side controls for complete CMMC compliance.
Defense Contractor Use Case
Defense contractors use GitHub Enterprise Government for source code management, CI/CD automation, and security scanning across development teams building government applications.
Frequently Asked Questions
What is the FedRAMP authorization level for GitHub Enterprise Cloud for Government?
GitHub Enterprise Cloud for Government is authorized at the FedRAMP Moderate impact level, with authorization granted on 2023-01-18, sponsored by GSA. The FedRAMP Moderate baseline includes approximately 325 security controls covering confidentiality, integrity, and availability.
Can defense contractors use GitHub Enterprise Cloud for Government for CUI?
GitHub Enterprise Cloud for Government is authorized at the FedRAMP Moderate baseline. While FedRAMP Moderate covers a broad range of government data, defense contractors handling CUI should carefully evaluate whether Moderate controls meet their specific DFARS 252.204-7012 and NIST 800-171 requirements. Some CUI categories may require FedRAMP High authorization depending on the sensitivity of the data and contract requirements.
How does GitHub Enterprise Cloud for Government pricing compare to commercial?
Government pricing for GitHub Enterprise Cloud for Government is typically negotiated on an enterprise basis and may differ from commercial list prices. Government and defense contractor pricing often includes compliance overhead that can make it 15-30% higher than commercial equivalents. However, volume discounts, GSA Schedule pricing, and multi-year commitments can help offset these costs. Contact Microsoft (GitHub) directly or check GSA Advantage for current government pricing.