Compliance
How to Make Git Servers CMMC Compliant
As CMMC requirements tighten, one of the most pressing challenges for defense software contractors is ensuring their Git servers are configured to remain compliant.
Source code created under Department of War (DoW) contracts is often classified as Controlled Technical Information (CTI), a category of Controlled Unclassified Information (CUI). That means your Git repositories are likely covered by cybersecurity requirements in your contracts if you have DFARS 7012 or DFARS 7021 clauses.
Defining the System Boundary of Git Servers
In our experience, the first step is to determine which system boundary your Git server falls into. Git servers fall into one of three boundaries:
- Internal IT: Standard internal IT infrastructure
- Application/Product: Tied to an ATO/FedRAMP or product security boundary.
- Customer Environment: Government-provided or customer-hosted repositories. This is where the Git repository isn't hosted by you, but rather your customer.
If your Git server stores or processes CUI or CTI in any way, it needs to be secured to government standards. If your customer isn't hosting it, you need to deal with it as part of either your IT or product security boundary.
Evaluating Deployment Options
- Self-Hosted: If the server is internal or self-hosted, you need to take the necessary steps to make it NIST 800-171 compliant. This involves directly changing settings and configurations on the server and in the Git vendor's software you use.
- Internal Managed Hosting: Your Git server remains in your compliance boundary, with a third party managing and configuring it for security and compliance. This option is usually offered by the vendor.
- Vendor Cloud: If the vendor offers a cloud version, you as a contractor need to make sure that hosted Git service is FedRAMP Moderate authorized. Very few vendors go through this because it is a government-specific requirement.
Evaluating Vendors
Some of the most common vendors in the DoW world are:
- GitLab: It is generally considered the safest choice for DoW contractors. For larger companies, GitLab offers a FedRAMP Moderate cloud version that provides a compliant hosting option. Smaller contractors, however, can self-host GitLab and configure the environment to meet NIST 800-171 requirements. This can be tedious, and Atomus provides solutions to help contractors deploy and maintain GitLab in a compliant way.
- GitHub: GitHub is not currently compliant for storing CUI or CTI in either its cloud or self-hosted versions. The main issue is the lack of FIPS 140-2 validated cryptography as of August 2025; NIST 800-171 control 3.13.11 requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI. GitHub itself has explicitly advised against storing CUI or CTI on the platform, though it is actively pursuing FedRAMP authorization. Until that process is complete, contractors relying on GitHub face significant compliance risk.
- Bitbucket: Bitbucket does not offer a FedRAMP Moderate cloud version, leaving self-hosting as the only viable option. While self-hosting can be configured to meet NIST 800-171, Bitbucket has been known to have issues with FIPS encryption depending on your situation. Atomus may be able to provide solutions that help contractors address these gaps.
Atomus has helped 100+ companies get compliant with NIST 800-171 and CMMC L2 requirements. If you are dealing with Git servers, most solutions on the market will not fit your needs or have the expertise you require. Schedule a free consultation with Atomus today.