oscal-component.yaml

component-definition:
  uuid: 5a3d63ec-a50d-4ffb-813d-522f7f1bd413
  metadata:
    title: GitLab Capability
    last-modified: "2023-11-17T18:05:16Z"
    version: "20231117"
    oscal-version: 1.1.1
    parties:
      - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
        type: organization
        name: Defense Unicorns
        links:
          - href: https://defenseunicorns.com
            rel: website
  components:
    - uuid: b11ec73a-bd37-42c8-80ef-c2c3c212d5fa
      type: software
      title: GitLab
      description: |
        GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager with wiki, issue-tracking, and CI/CD pipeline features. It enables teams to
         collaborate on code development, from planning and project management to testing and deployment, all within a single platform.
      purpose: Provides users with secure DevSecOps pipelines, Git operations, issue-tracking, and CI/CD capabilities.
      responsible-roles:
        - role-id: provider
          party-uuids:
            - f3cf70f8-ba44-4e55-9ea3-389ef24847d3
      control-implementations:
        - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
          source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
          description: Controls implemented by GitLab for inheritance by applications that adheres to FedRAMP High Baseline and DoD IL 6.
          implemented-requirements:
            - uuid: b080d9c1-717a-4126-ad2a-1a54a466db1b
              control-id: au-2
              description: >-
                GitLab logs event logs for authentication, account logon, account management events, admin events, data deletions, data changes, and permission changes.
            - uuid: 1937afb4-ea33-45c0-98f1-56fb5117b328
              control-id: au-3
              description: >-
                GitLab logs type of event, time of the even, location of the event, source of the event, outcome of the event, and subjects/objects involved in the event.
            - uuid: 8d0d31b5-88cf-412c-8750-79b6e0177e6d
              control-id: au-3.1
              description: >-
                GitLab additionally logs the identity, object, or resource that is being acted upon.
            - uuid: e5d0abe6-42a9-4d8a-9b57-7accc2b96f9c
              control-id: au-8
              description: >-
                GitLab event logs contain NIST compliant timestamps.
            - uuid: 028e2d67-0ec5-4867-9848-cf8d4e71352c
              control-id: au-10
              description: >-
                GitLab event logs contain the unique user or process id that takes the addition, modification, approval, sending, or relieving of data actions.
            - uuid: 387c6698-8517-4eb4-b085-d3593318f892
              control-id: au-12
              description: >-
                GitLab logs event logs for authentication, account logon, account management events, admin events, data deletions, data changes, and permission changes.
            - uuid: 49d01edf-e8f8-4c7b-bcdc-c72e5887c020
              control-id: cm-3.1
              description: >-
                GitLab provides change control via automated notification, prohibition of changes, testing, validation, documentation of changes, automated change implementation, and security and privacy representatives.
            - uuid: c9cdede1-d837-4bb9-ba8e-cf81650f6b60
              control-id: cm-3.2
              description: >-
                GitLab provides change control testing via automated notification, prohibition of changes, testing, validation, documentation of changes, automated change implementation, and security and privacy representatives.
            - uuid: 51c4cdbe-b8ba-47d1-87b8-1f0703b15606
              control-id: cm-3.6
              description: >-
                GitLab utilizes the underlying istio for FIPs encryption in transit. GitLab stores data in an encrypted Redis, PostgreSQL, and KMS backed S3 Buckets.
            - uuid: a0e3ea1e-6ccc-4b90-b2f0-87e863804040
              control-id: cm-8.2
              description: >-
                GitLab maintains the currency, completeness, accuracy, and the inventory of system components within in the system as all parts are stored and deployed through GitLab's CI/CD process.
            - uuid: ef55c29c-4ad3-4980-a9e0-a041e74c6a4c
              control-id: sa-3
              description: >-
                GitLab provides management of the system by incorporating information security and privacy considerations within the software development lifecycle through the use of DevSecOps CI/CD pipelines.
            - uuid: 9b707e59-27ea-4ec6-8690-caafa560847e
              control-id: sa-4.1
              description: >-
                GitLab provides description of the functional properties, components, and services within the system.
            - uuid: 5cbc2227-6762-42e9-9719-025987ca97a9
              control-id: sa-4.2
              description: >-
                GitLab contains the source code for the system and system components.
            - uuid: 259fa1fc-4c6b-4155-a622-9a24fa3cf821
              control-id: sa-4.5
              description: >-
                GitLab provides the default configurations for the system, components, or services that are implemented.
            - uuid: 058dfeba-8842-454e-ad10-529611bc0693
              control-id: sa-4.9
              description: >-
                GitLab provides the functions, ports, protocols, and services, for the system and system components within the source code.
            - uuid: 1570a74c-402e-49de-be71-c19a01cb6982
              control-id: sa-8
              description: >-
                GitLab provides secure CI/CD processes by including unit tests, SAST, building images, SBOMS, scanning images, pushing images to secure repositories, and signing images.
            - uuid: 3e624332-9163-4d47-905f-6cf0a0ec922b
              control-id: sa-10
              description: >-
                GitLab documents, manage, and controls the integrity of changes to the system. Provides documentation for approving changes to system and system components within the system.
            - uuid: bf80d8d9-4318-46c0-9730-091975f792e0
              control-id: sa-11
              description: >-
                GitLab provides a secure CI/CD process that includes unit tests, SAST scanning, and scanning of images within the pipelines.
            - uuid: 6049161e-9642-4272-a48e-b2bdcdf46178
              control-id: sa-11.1
              description: >-
                GitLab utilizes SonarQube and Gitleaks within the secure pipelines to conduct SAST scanning.
            - uuid: 1bd514fd-545b-4f86-b8d2-9fca5236bef3
              control-id: sa-11.2
              description: >-
                GitLab utilizes SonarQube and Gitleaks within the secure pipelines to conduct SAST scanning. In addition NueVector is utilized to conduct container image scanning within the pipeline.
            - uuid: 3d407634-5a25-400b-ac81-be5d27e006f5
              control-id: sc-13
              description: >-
                GitLab utilized Istio Network for FIPs encryption in transit. FIPs encryption for data at rest is handled by PostgreSQL, Redis, and AWS S3 backed by KMS.
  back-matter:
    resources:
      - uuid: 0afec63f-4a7e-4a92-b285-c87d3ef50c46
        title: UDS Capability GitLab
        rlinks:
          - href: https://github.com/defenseunicorns/uds-capability-gitlab