[{"data":1,"prerenderedAt":771},["ShallowReactive",2],{"/en-us/blog/categories/security":3,"navigation-en-us":20,"banner-en-us":419,"footer-en-us":429,"security-category-page-total-items-en-us":671,"security-category-page-featured-en-us":672,"security-category-page-8-en-us":697},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":11,"description":6,"extension":12,"meta":13,"navigation":14,"path":15,"seo":16,"slug":6,"stem":18,"testContent":6,"type":6,"__hash__":19},"blogCategories/en-us/blog/categories/security.yml","Security",null,{"template":8,"slug":9,"hide":10},"BlogCategory","security",false,{"name":5},"yml",{},true,"/en-us/blog/categories/security",{"title":5,"description":17},"Browse articles related to Security on the GitLab Blog","en-us/blog/categories/security","Hx58KagneyLDkWgUOsPQNGCsWqekf9YGQa6EJFfGFRw",{"data":21},{"logo":22,"freeTrial":27,"sales":32,"login":37,"items":42,"search":349,"minimal":380,"duo":399,"pricingDeployment":409},{"config":23},{"href":24,"dataGaName":25,"dataGaLocation":26},"/","gitlab logo","header",{"text":28,"config":29},"Get free trial",{"href":30,"dataGaName":31,"dataGaLocation":26},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":33,"config":34},"Talk to sales",{"href":35,"dataGaName":36,"dataGaLocation":26},"/sales/","sales",{"text":38,"config":39},"Sign in",{"href":40,"dataGaName":41,"dataGaLocation":26},"https://gitlab.com/users/sign_in/","sign in",[43,70,164,169,270,330],{"text":44,"config":45,"cards":47},"Platform",{"dataNavLevelOne":46},"platform",[48,54,62],{"title":44,"description":49,"link":50},"The intelligent orchestration platform for DevSecOps",{"text":51,"config":52},"Explore our Platform",{"href":53,"dataGaName":46,"dataGaLocation":26},"/platform/",{"title":55,"description":56,"link":57},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":58,"config":59},"Meet GitLab 
Duo",{"href":60,"dataGaName":61,"dataGaLocation":26},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":63,"description":64,"link":65},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":66,"config":67},"Learn more",{"href":68,"dataGaName":69,"dataGaLocation":26},"/why-gitlab/","why gitlab",{"text":71,"left":14,"config":72,"link":74,"lists":78,"footer":146},"Product",{"dataNavLevelOne":73},"solutions",{"text":75,"config":76},"View all Solutions",{"href":77,"dataGaName":73,"dataGaLocation":26},"/solutions/",[79,103,125],{"title":80,"description":81,"link":82,"items":87},"Automation","CI/CD and automation to accelerate deployment",{"config":83},{"icon":84,"href":85,"dataGaName":86,"dataGaLocation":26},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[88,92,95,99],{"text":89,"config":90},"CI/CD",{"href":91,"dataGaLocation":26,"dataGaName":89},"/solutions/continuous-integration/",{"text":55,"config":93},{"href":60,"dataGaLocation":26,"dataGaName":94},"gitlab duo agent platform - product menu",{"text":96,"config":97},"Source Code Management",{"href":98,"dataGaLocation":26,"dataGaName":96},"/solutions/source-code-management/",{"text":100,"config":101},"Automated Software Delivery",{"href":85,"dataGaLocation":26,"dataGaName":102},"Automated software delivery",{"title":5,"description":104,"link":105,"items":110},"Deliver code faster without compromising security",{"config":106},{"href":107,"dataGaName":108,"dataGaLocation":26,"icon":109},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[111,115,120],{"text":112,"config":113},"Application Security Testing",{"href":107,"dataGaName":114,"dataGaLocation":26},"Application security testing",{"text":116,"config":117},"Software Supply Chain Security",{"href":118,"dataGaLocation":26,"dataGaName":119},"/solutions/supply-chain/","Software supply chain security",{"text":121,"config":122},"Software 
Compliance",{"href":123,"dataGaName":124,"dataGaLocation":26},"/solutions/software-compliance/","software compliance",{"title":126,"link":127,"items":132},"Measurement",{"config":128},{"icon":129,"href":130,"dataGaName":131,"dataGaLocation":26},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[133,137,141],{"text":134,"config":135},"Visibility & Measurement",{"href":130,"dataGaLocation":26,"dataGaName":136},"Visibility and Measurement",{"text":138,"config":139},"Value Stream Management",{"href":140,"dataGaLocation":26,"dataGaName":138},"/solutions/value-stream-management/",{"text":142,"config":143},"Analytics & Insights",{"href":144,"dataGaLocation":26,"dataGaName":145},"/solutions/analytics-and-insights/","Analytics and insights",{"title":147,"items":148},"GitLab for",[149,154,159],{"text":150,"config":151},"Enterprise",{"href":152,"dataGaLocation":26,"dataGaName":153},"/enterprise/","enterprise",{"text":155,"config":156},"Small Business",{"href":157,"dataGaLocation":26,"dataGaName":158},"/small-business/","small business",{"text":160,"config":161},"Public Sector",{"href":162,"dataGaLocation":26,"dataGaName":163},"/solutions/public-sector/","public sector",{"text":165,"config":166},"Pricing",{"href":167,"dataGaName":168,"dataGaLocation":26,"dataNavLevelOne":168},"/pricing/","pricing",{"text":170,"config":171,"link":173,"lists":177,"feature":257},"Resources",{"dataNavLevelOne":172},"resources",{"text":174,"config":175},"View all resources",{"href":176,"dataGaName":172,"dataGaLocation":26},"/resources/",[178,211,229],{"title":179,"items":180},"Getting started",[181,186,191,196,201,206],{"text":182,"config":183},"Install",{"href":184,"dataGaName":185,"dataGaLocation":26},"/install/","install",{"text":187,"config":188},"Quick start guides",{"href":189,"dataGaName":190,"dataGaLocation":26},"/get-started/","quick setup 
checklists",{"text":192,"config":193},"Learn",{"href":194,"dataGaLocation":26,"dataGaName":195},"https://university.gitlab.com/","learn",{"text":197,"config":198},"Product documentation",{"href":199,"dataGaName":200,"dataGaLocation":26},"https://docs.gitlab.com/","product documentation",{"text":202,"config":203},"Best practice videos",{"href":204,"dataGaName":205,"dataGaLocation":26},"/getting-started-videos/","best practice videos",{"text":207,"config":208},"Integrations",{"href":209,"dataGaName":210,"dataGaLocation":26},"/integrations/","integrations",{"title":212,"items":213},"Discover",[214,219,224],{"text":215,"config":216},"Customer success stories",{"href":217,"dataGaName":218,"dataGaLocation":26},"/customers/","customer success stories",{"text":220,"config":221},"Blog",{"href":222,"dataGaName":223,"dataGaLocation":26},"/blog/","blog",{"text":225,"config":226},"Remote",{"href":227,"dataGaName":228,"dataGaLocation":26},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":230,"items":231},"Connect",[232,237,242,247,252],{"text":233,"config":234},"GitLab Services",{"href":235,"dataGaName":236,"dataGaLocation":26},"/services/","services",{"text":238,"config":239},"Community",{"href":240,"dataGaName":241,"dataGaLocation":26},"/community/","community",{"text":243,"config":244},"Forum",{"href":245,"dataGaName":246,"dataGaLocation":26},"https://forum.gitlab.com/","forum",{"text":248,"config":249},"Events",{"href":250,"dataGaName":251,"dataGaLocation":26},"/events/","events",{"text":253,"config":254},"Partners",{"href":255,"dataGaName":256,"dataGaLocation":26},"/partners/","partners",{"backgroundColor":258,"textColor":259,"text":260,"image":261,"link":265},"#2f2a6b","#fff","Insights for the future of software development",{"altText":262,"config":263},"the source promo card",{"src":264},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":266,"config":267},"Read the 
latest",{"href":268,"dataGaName":269,"dataGaLocation":26},"/the-source/","the source",{"text":271,"config":272,"lists":274},"Company",{"dataNavLevelOne":273},"company",[275],{"items":276},[277,282,288,290,295,300,305,310,315,320,325],{"text":278,"config":279},"About",{"href":280,"dataGaName":281,"dataGaLocation":26},"/company/","about",{"text":283,"config":284,"footerGa":287},"Jobs",{"href":285,"dataGaName":286,"dataGaLocation":26},"/jobs/","jobs",{"dataGaName":286},{"text":248,"config":289},{"href":250,"dataGaName":251,"dataGaLocation":26},{"text":291,"config":292},"Leadership",{"href":293,"dataGaName":294,"dataGaLocation":26},"/company/team/e-group/","leadership",{"text":296,"config":297},"Team",{"href":298,"dataGaName":299,"dataGaLocation":26},"/company/team/","team",{"text":301,"config":302},"Handbook",{"href":303,"dataGaName":304,"dataGaLocation":26},"https://handbook.gitlab.com/","handbook",{"text":306,"config":307},"Investor relations",{"href":308,"dataGaName":309,"dataGaLocation":26},"https://ir.gitlab.com/","investor relations",{"text":311,"config":312},"Trust Center",{"href":313,"dataGaName":314,"dataGaLocation":26},"/security/","trust center",{"text":316,"config":317},"AI Transparency Center",{"href":318,"dataGaName":319,"dataGaLocation":26},"/ai-transparency-center/","ai transparency center",{"text":321,"config":322},"Newsletter",{"href":323,"dataGaName":324,"dataGaLocation":26},"/company/contact/#contact-forms","newsletter",{"text":326,"config":327},"Press",{"href":328,"dataGaName":329,"dataGaLocation":26},"/press/","press",{"text":331,"config":332,"lists":333},"Contact us",{"dataNavLevelOne":273},[334],{"items":335},[336,339,344],{"text":33,"config":337},{"href":35,"dataGaName":338,"dataGaLocation":26},"talk to sales",{"text":340,"config":341},"Support portal",{"href":342,"dataGaName":343,"dataGaLocation":26},"https://support.gitlab.com","support portal",{"text":345,"config":346},"Customer 
portal",{"href":347,"dataGaName":348,"dataGaLocation":26},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":350,"login":351,"suggestions":358},"Close",{"text":352,"link":353},"To search repositories and projects, login to",{"text":354,"config":355},"gitlab.com",{"href":40,"dataGaName":356,"dataGaLocation":357},"search login","search",{"text":359,"default":360},"Suggestions",[361,363,367,369,373,377],{"text":55,"config":362},{"href":60,"dataGaName":55,"dataGaLocation":357},{"text":364,"config":365},"Code Suggestions (AI)",{"href":366,"dataGaName":364,"dataGaLocation":357},"/solutions/code-suggestions/",{"text":89,"config":368},{"href":91,"dataGaName":89,"dataGaLocation":357},{"text":370,"config":371},"GitLab on AWS",{"href":372,"dataGaName":370,"dataGaLocation":357},"/partners/technology-partners/aws/",{"text":374,"config":375},"GitLab on Google Cloud",{"href":376,"dataGaName":374,"dataGaLocation":357},"/partners/technology-partners/google-cloud-platform/",{"text":378,"config":379},"Why GitLab?",{"href":68,"dataGaName":378,"dataGaLocation":357},{"freeTrial":381,"mobileIcon":386,"desktopIcon":391,"secondaryButton":394},{"text":382,"config":383},"Start free trial",{"href":384,"dataGaName":31,"dataGaLocation":385},"https://gitlab.com/-/trials/new/","nav",{"altText":387,"config":388},"Gitlab Icon",{"src":389,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":387,"config":392},{"src":393,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":395,"config":396},"Get Started",{"href":397,"dataGaName":398,"dataGaLocation":385},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/compare/gitlab-vs-github/","get started",{"freeTrial":400,"mobileIcon":405,"desktopIcon":407},{"text":401,"config":402},"Learn more about GitLab 
Duo",{"href":403,"dataGaName":404,"dataGaLocation":385},"/gitlab-duo/","gitlab duo",{"altText":387,"config":406},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":408},{"src":393,"dataGaName":390,"dataGaLocation":385},{"freeTrial":410,"mobileIcon":415,"desktopIcon":417},{"text":411,"config":412},"Back to pricing",{"href":167,"dataGaName":413,"dataGaLocation":385,"icon":414},"back to pricing","GoBack",{"altText":387,"config":416},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":418},{"src":393,"dataGaName":390,"dataGaLocation":385},{"title":420,"button":421,"config":426},"See how agentic AI transforms software delivery",{"text":422,"config":423},"Watch GitLab Transcend now",{"href":424,"dataGaName":425,"dataGaLocation":26},"/events/transcend/virtual/","transcend event",{"layout":427,"icon":428},"release","AiStar",{"data":430},{"text":431,"source":432,"edit":438,"contribute":443,"config":448,"items":453,"minimal":660},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":433,"config":434},"View page source",{"href":435,"dataGaName":436,"dataGaLocation":437},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":439,"config":440},"Edit this page",{"href":441,"dataGaName":442,"dataGaLocation":437},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":444,"config":445},"Please contribute",{"href":446,"dataGaName":447,"dataGaLocation":437},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please 
contribute",{"twitter":449,"facebook":450,"youtube":451,"linkedin":452},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[454,501,555,599,626],{"title":165,"links":455,"subMenu":470},[456,460,465],{"text":457,"config":458},"View plans",{"href":167,"dataGaName":459,"dataGaLocation":437},"view plans",{"text":461,"config":462},"Why Premium?",{"href":463,"dataGaName":464,"dataGaLocation":437},"/pricing/premium/","why premium",{"text":466,"config":467},"Why Ultimate?",{"href":468,"dataGaName":469,"dataGaLocation":437},"/pricing/ultimate/","why ultimate",[471],{"title":472,"links":473},"Contact Us",[474,477,479,481,486,491,496],{"text":475,"config":476},"Contact sales",{"href":35,"dataGaName":36,"dataGaLocation":437},{"text":340,"config":478},{"href":342,"dataGaName":343,"dataGaLocation":437},{"text":345,"config":480},{"href":347,"dataGaName":348,"dataGaLocation":437},{"text":482,"config":483},"Status",{"href":484,"dataGaName":485,"dataGaLocation":437},"https://status.gitlab.com/","status",{"text":487,"config":488},"Terms of use",{"href":489,"dataGaName":490,"dataGaLocation":437},"/terms/","terms of use",{"text":492,"config":493},"Privacy statement",{"href":494,"dataGaName":495,"dataGaLocation":437},"/privacy/","privacy statement",{"text":497,"config":498},"Cookie preferences",{"dataGaName":499,"dataGaLocation":437,"id":500,"isOneTrustButton":14},"cookie preferences","ot-sdk-btn",{"title":71,"links":502,"subMenu":511},[503,507],{"text":504,"config":505},"DevSecOps platform",{"href":53,"dataGaName":506,"dataGaLocation":437},"devsecops platform",{"text":508,"config":509},"AI-Assisted Development",{"href":403,"dataGaName":510,"dataGaLocation":437},"ai-assisted 
development",[512],{"title":513,"links":514},"Topics",[515,520,525,530,535,540,545,550],{"text":516,"config":517},"CICD",{"href":518,"dataGaName":519,"dataGaLocation":437},"/topics/ci-cd/","cicd",{"text":521,"config":522},"GitOps",{"href":523,"dataGaName":524,"dataGaLocation":437},"/topics/gitops/","gitops",{"text":526,"config":527},"DevOps",{"href":528,"dataGaName":529,"dataGaLocation":437},"/topics/devops/","devops",{"text":531,"config":532},"Version Control",{"href":533,"dataGaName":534,"dataGaLocation":437},"/topics/version-control/","version control",{"text":536,"config":537},"DevSecOps",{"href":538,"dataGaName":539,"dataGaLocation":437},"/topics/devsecops/","devsecops",{"text":541,"config":542},"Cloud Native",{"href":543,"dataGaName":544,"dataGaLocation":437},"/topics/cloud-native/","cloud native",{"text":546,"config":547},"AI for Coding",{"href":548,"dataGaName":549,"dataGaLocation":437},"/topics/devops/ai-for-coding/","ai for coding",{"text":551,"config":552},"Agentic AI",{"href":553,"dataGaName":554,"dataGaLocation":437},"/topics/agentic-ai/","agentic ai",{"title":556,"links":557},"Solutions",[558,560,562,567,571,574,578,581,583,586,589,594],{"text":112,"config":559},{"href":107,"dataGaName":112,"dataGaLocation":437},{"text":102,"config":561},{"href":85,"dataGaName":86,"dataGaLocation":437},{"text":563,"config":564},"Agile development",{"href":565,"dataGaName":566,"dataGaLocation":437},"/solutions/agile-delivery/","agile delivery",{"text":568,"config":569},"SCM",{"href":98,"dataGaName":570,"dataGaLocation":437},"source code management",{"text":516,"config":572},{"href":91,"dataGaName":573,"dataGaLocation":437},"continuous integration & delivery",{"text":575,"config":576},"Value stream management",{"href":140,"dataGaName":577,"dataGaLocation":437},"value stream 
management",{"text":521,"config":579},{"href":580,"dataGaName":524,"dataGaLocation":437},"/solutions/gitops/",{"text":150,"config":582},{"href":152,"dataGaName":153,"dataGaLocation":437},{"text":584,"config":585},"Small business",{"href":157,"dataGaName":158,"dataGaLocation":437},{"text":587,"config":588},"Public sector",{"href":162,"dataGaName":163,"dataGaLocation":437},{"text":590,"config":591},"Education",{"href":592,"dataGaName":593,"dataGaLocation":437},"/solutions/education/","education",{"text":595,"config":596},"Financial services",{"href":597,"dataGaName":598,"dataGaLocation":437},"/solutions/finance/","financial services",{"title":170,"links":600},[601,603,605,607,610,612,614,616,618,620,622,624],{"text":182,"config":602},{"href":184,"dataGaName":185,"dataGaLocation":437},{"text":187,"config":604},{"href":189,"dataGaName":190,"dataGaLocation":437},{"text":192,"config":606},{"href":194,"dataGaName":195,"dataGaLocation":437},{"text":197,"config":608},{"href":199,"dataGaName":609,"dataGaLocation":437},"docs",{"text":220,"config":611},{"href":222,"dataGaName":223,"dataGaLocation":437},{"text":215,"config":613},{"href":217,"dataGaName":218,"dataGaLocation":437},{"text":225,"config":615},{"href":227,"dataGaName":228,"dataGaLocation":437},{"text":233,"config":617},{"href":235,"dataGaName":236,"dataGaLocation":437},{"text":238,"config":619},{"href":240,"dataGaName":241,"dataGaLocation":437},{"text":243,"config":621},{"href":245,"dataGaName":246,"dataGaLocation":437},{"text":248,"config":623},{"href":250,"dataGaName":251,"dataGaLocation":437},{"text":253,"config":625},{"href":255,"dataGaName":256,"dataGaLocation":437},{"title":271,"links":627},[628,630,632,634,636,638,640,644,649,651,653,655],{"text":278,"config":629},{"href":280,"dataGaName":273,"dataGaLocation":437},{"text":283,"config":631},{"href":285,"dataGaName":286,"dataGaLocation":437},{"text":291,"config":633},{"href":293,"dataGaName":294,"dataGaLocation":437},{"text":296,"config":635},{"href":298,"dataGaN
ame":299,"dataGaLocation":437},{"text":301,"config":637},{"href":303,"dataGaName":304,"dataGaLocation":437},{"text":306,"config":639},{"href":308,"dataGaName":309,"dataGaLocation":437},{"text":641,"config":642},"Sustainability",{"href":643,"dataGaName":641,"dataGaLocation":437},"/sustainability/",{"text":645,"config":646},"Diversity, inclusion and belonging (DIB)",{"href":647,"dataGaName":648,"dataGaLocation":437},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":311,"config":650},{"href":313,"dataGaName":314,"dataGaLocation":437},{"text":321,"config":652},{"href":323,"dataGaName":324,"dataGaLocation":437},{"text":326,"config":654},{"href":328,"dataGaName":329,"dataGaLocation":437},{"text":656,"config":657},"Modern Slavery Transparency Statement",{"href":658,"dataGaName":659,"dataGaLocation":437},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":661},[662,665,668],{"text":663,"config":664},"Terms",{"href":489,"dataGaName":490,"dataGaLocation":437},{"text":666,"config":667},"Cookies",{"dataGaName":499,"dataGaLocation":437,"id":500,"isOneTrustButton":14},{"text":669,"config":670},"Privacy",{"href":494,"dataGaName":495,"dataGaLocation":437},248,{"id":673,"title":674,"authorSlugs":675,"body":6,"categorySlug":9,"config":677,"content":680,"description":6,"extension":12,"isFeatured":14,"meta":690,"navigation":14,"path":691,"publishedDate":686,"seo":692,"stem":694,"tagSlugs":695,"__hash__":696},"blogPosts/en-us/blog/how-gitlab-built-a-security-control-framework-from-scratch.yml","How Gitlab Built A Security Control Framework From Scratch",[676],"davoud-tu",{"featured":14,"template":678,"slug":679},"BlogPost","how-gitlab-built-a-security-control-framework-from-scratch",{"title":681,"description":682,"authors":683,"heroImage":685,"date":686,"body":687,"category":9,"tags":688},"How GitLab built a security control framework from scratch","GitLab's Security 
Compliance team created a custom control framework to scale across multiple certifications and products — here's why and how you can, too.\n",[684],"Davoud Tu","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772630163/akp8ly2mrsfrhsb0liyb.png","2026-03-04","GitLab's Security Compliance team discovered that existing security control frameworks lacked the customization to fit the platform's multi-product, cloud-native environment.\n\nSo we built our own.\n\nHere's what we learned and why creating your own custom security control framework might be the right move for your compliance program.\n\n## The journey through frameworks\n\nWhen I joined GitLab's Security Compliance team in November 2022, we were using the [Secure Controls Framework](https://securecontrolsframework.com/) to manage controls across our external certifications and internal compliance needs. But as our requirements grew, we realized we needed something more comprehensive. \n\nWith FedRAMP authorization on our roadmap, we chose to adopt [NIST SP 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) next. NIST SP 800-53 includes more than 1,000 controls, but its comprehensiveness isn’t perfectly suited to GitLab’s environment.\n\nWe didn't need to implement every NIST control, only those applicable to our specific requirements. Our focus was on the quality of controls rather than quantity. Implementing unnecessary controls doesn't improve security; in fact, too many can make an environment less secure as individuals find ways to circumvent overly restrictive or irrelevant controls. \n\nSome controls also lacked the necessary granularity for our needs. 
For example, NIST’s AC-2 “Account Management” control covers account creation and provisioning, account modification and disabling, account removal and termination, shared and group account management, and account monitoring and reviews.\n\nIn practice, these are _at least_ six distinct controls with different owners, testing procedures, and risks. For attestations like SOC 2, each activity is tested as a separate control because they have different evidence requirements and operational contexts. NIST's all-encompassing AC-2 didn't match how we actually operate controls or how auditors actually assess us, and we needed controls granular enough to reflect our operational environment.  \n\nWe found ourselves constantly customizing, adding, and adapting NIST controls to fit our environment. At some point, we realized we weren't really using NIST SP 800-53 anymore, we were building our own framework on top of it. We decided a custom control framework, one tailored to GitLab’s environment, would best accommodate our multi-product offering and each product’s unique compliance needs.\n\n## Building the GitLab Control Framework\n\nThrough five methodical steps, we built our own common controls framework: the GitLab Control Framework (GCF).\n\n### 1. Analyze what we need\n\nWe reviewed our existing controls and mapped every requirement from external certifications we already maintained, certifications on our roadmap, and our internal compliance program: \n\n**External certifications:**\n\n* SOC 2 Type II  \n* ISO 27001, ISO 27017, ISO 27018, ISO 42001  \n* PCI DSS  \n* TISAX  \n* Cyber Essentials  \n* FedRAMP\n\n**Internal compliance needs:**\n\n* Controls for mission-critical systems that are not in-scope for external certifications   \n* Controls for systems with access to sensitive data\n\nThis gave us the baseline: what controls must exist to meet our compliance obligations.\n\n### 2. 
Learn from industry frameworks\n\nNext, we compared our requirements against industry-recognized frameworks:\n\n* NIST SP 800-53  \n* NIST Cybersecurity Framework (CSF)  \n* Secure Controls Framework (SCF)  \n* Adobe and Cisco Common Controls Framework (CCF)\n\nHaving adopted frameworks in the past, we wanted to learn from their structure and ensure we weren't missing critical security domains, controls, or best practices.\n\n### 3. Create custom control domains\n\nThrough this analysis, we created 18 custom control domains tailored to GitLab's environment:\n\n\n| Abbreviation | Domain | Scope of controls |\n| :---- | :---- | :---- |\n| AAM | Audit & Accountability Management | Logging, monitoring, and maintaining audit trails of system activities |\n| AIM | Artificial Intelligence Management | Specific to AI system development, deployment, and governance |\n| ASM | Asset Management | Identifying, tracking, and managing organizational assets |\n| BCA | Backups, Contingency, and Availability Management | Business continuity, disaster recovery, and system availability |\n| CHM | Change Management | Managing changes to systems, applications, and infrastructure |\n| CSR | Customer Security Relationship Management | Customer communication, transparency, and security commitments |\n| DPM | Data Protection Management | Protecting data confidentiality, integrity, and privacy |\n| EPM | Endpoint Management | Securing end-user devices and workstations |\n| GPM | Governance & Program Management | Security governance, policies, and program oversight |\n| IAM | Identity, Authentication, and Access Management | User identity, authentication mechanisms, and access control |\n| INC | Incident Management | Detecting, responding to, and recovering from security incidents |\n| ISM | Infrastructure Security Management | Network, server, and foundational infrastructure security |\n| PAS | Product and Application Security Management | Security capabilities built into the GitLab product 
that are dogfooded to secure GitLab's own development, such as branch protection & code security scanning |\n| PSM | People Security Management | Personnel security, training, and awareness |\n| SDL | Software Development & Acquisition Life Cycle Management | Secure SDLC practices and third-party software acquisition |\n| SRM | Security Risk Management | Risk assessment, treatment, and management |\n| TPR | Third Party Risk Management | Managing security risks from vendors and suppliers |\n| TVM | Threat & Vulnerability Management | Identifying and remediating security vulnerabilities |\n\n\u003Cbr>\u003C/br>\n\n\nEach domain groups related controls into logical families that align with how GitLab's security program is actually organized and operated. This structure provides a methodical approach for adding, updating, or removing controls as our needs evolve.\n\n### 4. Add context and data\n\nWith our domains defined, we needed to address two critical challenges: how to represent controls across multiple products without duplicating the framework, and how to capture meaningful implementation context to actually operate and audit at scale. \n\n#### Scaling across multiple products\n\nGitLab provides multiple product offerings: GitLab.com (multi-tenant SaaS on GCP), GitLab Dedicated (single-tenant SaaS on AWS), and GitLab Dedicated for Government (GitLab’s single-tenant FedRAMP offering on AWS). Each offering has different infrastructure, compliance scopes, and audit requirements. We needed to support product-specific audits without creating entirely separate frameworks.\n\nWe designed a control hierarchy where **Level 1 controls are the framework**, defining what should be implemented at the organizational level. 
**Level 2 controls are the implementation**, capturing the product-specific details of how each requirement is actually fulfilled.\n\n```mermaid\n%%{init: { \"fontFamily\": \"GitLab Sans\" }}%%\ngraph TD\n    accTitle: Control Hierarchy\n    accDescr: Level 1 requirements cascade to Level 2 implementations.\n    \n    L1[\"Level 1: Framework\u003Cbr/>What must be implemented\"];\n    L2A[\"Level 2: GitLab.com\u003Cbr/>How it's implemented\"];\n    L2B[\"Level 2: Dedicated\u003Cbr/>How it's implemented\"];\n    L2C[\"Level 2: Dedicated for Gov\u003Cbr/>How it's implemented\"];\n    L2D[\"Level 2: Entity\u003Cbr/>(inherited by all)\"];\n    \n    L1-->L2A;\n    L1-->L2B;\n    L1-->L2C;\n    L1-->L2D;\n```\n\n\u003Cbr>\u003C/br>\n\nThis separation allows us to maintain one framework with product-specific implementations, rather than managing duplicate frameworks for each offering. Entity controls apply organization-wide and are inherited by GitLab.com, GitLab Dedicated, and GitLab Dedicated for Government.\n\n#### Adding context to controls\n\nTraditional control frameworks track minimal information: a control ID, description, and owner. The GCF takes a different approach and its superpower is the extensive metadata we track for each control. Beyond just stating the control description or implementation statement, we capture:\n\n* Control owner: Who is accountable for the control and its risk?  \n* Environment: Does this apply organization-wide (Entity, inherited by all product offerings), to GitLab.com, or to Dedicated?  \n* Assets: What specific systems does this control cover?  \n* Frequency: How often is the control performed or tested?  \n* Nature: Is it manual, semi-automated, or fully automated?  \n* Classification: Is this for external certifications or internal risk?  \n* Testing details: How do we assess it? 
What evidence do we collect?\n\nThis context transforms the GCF from a simple control list into an operationalized control inventory.\n\nWith this structure, we can answer questions like: \n\n* Which controls apply to GitLab.com for our SOC 2 audit vs. GitLab Dedicated? → Filter by environment: GitLab.com  \n* What controls does the Infrastructure team own? → Filter by owner   \n* Which controls can we automate? → Filter by nature: Manual \n\n### 5. Iterate, mature, and scale\n\nThe GCF isn't static and was designed to evolve with our business and compliance landscape.\n\n#### Pursuing new certifications\n\nBecause we've operationalized context into the GCF, we can quickly determine the scope and gaps when pursuing new certifications (ISMAP, IRAP, C5, etc.): \n\n1. Determine scope: Which product has the business need (GitLab.com, GitLab Dedicated, or both)?\n2. Map requirements: Do existing controls already cover the new certification requirements?   \n3. Identify gaps: What new controls need to be created?  \n4. Update mappings: Link existing controls to the new certification requirements.\n\n#### Adapting to new regulations\n\nWhen new regulations emerge or existing requirements change: \n\n* Review existing controls: Does an existing control already cover the new requirement?   \n* Update or create: Either update existing control language or create a new control.  
\n* Apply the most stringent: When multiple certifications have similar requirements, we implement the most stringent version — secure once, comply with many.\n* Map across certifications: Link the control to all relevant certification requirements.\n\n#### Managing control lifecycle\n\nThe framework adapts to various changes:\n\n* Requirement changes: When certifications update their requirements, we review impacted controls and update descriptions or mappings.\n* Deprecated controls: If a requirement is removed or a control is no longer needed, we mark it as deprecated and remove it from our monitoring schedule.  \n* New risks identified: Risk assessments may identify gaps requiring new internal controls.\n\n## The power of common controls: One control, multiple requirements\n\nSecuring once and complying with many isn't just a principle, it has tangible benefits across how we prepare for audits, support control owners, and pursue new certifications. Here's what that looks like in practice, both qualitatively and in the numbers. \n\n### Qualitative results\n\nSince implementing the GCF, we've seen significant improvements in how we manage compliance: \n\n#### Integrated audit approach\n\nThe GCF enables us to maintain one framework with controls mapped to multiple certification requirements, instead of managing separate control sets for each audit. One control can satisfy SOC 2, ISO 27001, and PCI DSS requirements simultaneously.\n\n#### Faster audit preparation\n\nThrough the GCF, we maintain one consolidated request list instead of separate lists for each audit. Because we've defined controls with specific context, our request lists say \"Okta user list\" instead of generic \"production user list,\" eliminating ambiguity and interpretation. We're not collecting “N/A” evidence or leaving it up to auditors to interpret what \"production\" means in our environment. 
Everything is already scoped to our actual systems.\n\n#### Reduced stakeholder burden\n\nThis integration directly reduces burden on our stakeholders. Control owners provide evidence once instead of responding to separate requests from SOC 2, ISO, and PCI auditors. When we collect evidence for access controls, it satisfies SOC 2, ISO 27001, and PCI DSS requirements simultaneously. One control, one test, one piece of evidence — multiple certifications and requirements satisfied.\n\n#### Efficient gap assessments\n\nWhen pursuing new certifications or launching new features, the operationalized context enables more efficient gap analysis. We can determine which controls already exist, what's missing, and what implementation is required. \n\n### Quantifiable results\n\n**Control efficiency:**\n\n* Reduced SOC controls by 58% (200 controls → 84) for GitLab.com and 55% (181 → 82) for GitLab Dedicated  \n* One framework now supports 8+ certifications \n\n**Audit efficiency:**\n\n* Consolidated 4 audit request lists into 1, reducing requests by 44% (415 → 231)  \n* 95% evidence acceptance rate before fieldwork for recent PCI audits\n\n**Framework scale:**\n\n* 220+ active controls across 18 custom domains  \n* Mapped to 1,300+ certification requirements  \n* Supports multiple product offerings\n\n## The path forward\n\nThe GCF continues to evolve as we add security and AI controls, pursue new certifications, and refine our approach. \n\n**For security compliance practitioners:** Don't be afraid to build your own framework if industry standards don't fit, provided each custom control stays mapped to the authoritative certification requirements it satisfies so auditors can trace it back to the standard. The upfront investment pays dividends in scalability, efficiency, and controls that actually make sense for your environment. 
Sometimes the best framework is the one you design yourself.\n\n> If you found this helpful, check out our complete [GitLab Control Framework documentation](https://handbook.gitlab.com/handbook/security/security-assurance/security-compliance/sec-controls/), where we detail our framework methodology, control domains, and field structures.",[9,689],"tutorial",{},"/en-us/blog/how-gitlab-built-a-security-control-framework-from-scratch",{"config":693,"title":681,"description":682},{"noIndex":10},"en-us/blog/how-gitlab-built-a-security-control-framework-from-scratch",[9,689],"qI14Qhzuovj_SV9f7BaXknCJ6Nw6FEOi2BQuDFPvbis",[698,705,715,721,727,736,746,756,762],{"content":699,"config":703},{"title":700,"heroImage":701,"category":9,"description":702,"authors":-1},"GitLab Critical Patch Release: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749662877/Blog/Hero%20Images/security-cover-new.png","Learn more about the Critical Patch Release for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":704,"slug":-1},"https://about.gitlab.com/releases/2024/09/25/patch-release-gitlab-16-10-10-released/",{"content":706,"config":713},{"title":707,"heroImage":708,"category":9,"description":709,"authors":710},"GitLab Advanced SAST is now generally available","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749665917/Blog/Hero%20Images/blog-advanced-sast-creative-imagery-0390-1800x945-fy25.png","Reduce false positives, shorten remediation time, and improve development velocity with a proprietary solution built into GitLab.",[711,712],"Salman Ladha","Connor Gilbert",{"externalUrl":-1,"slug":714},"gitlab-advanced-sast-is-now-generally-available",{"content":716,"config":719},{"title":717,"heroImage":701,"category":9,"description":718,"authors":-1},"GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10","Learn more about GitLab Critical 
Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":720,"slug":-1},"https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/",{"content":722,"config":725},{"title":723,"heroImage":701,"category":9,"description":724,"authors":-1},"GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7","Learn more about GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":726,"slug":-1},"https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/",{"content":728,"config":734},{"title":729,"heroImage":730,"category":9,"description":731,"authors":732},"Secure open source container infrastructure with GitLab and Chainguard","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098693/Blog/Hero%20Images/Blog/Hero%20Images/blog-image-template-1800x945%20%2823%29_2w6waL76KROjhJHM2vXet6_1750098693265.png","Learn how GitLab + Chainguard can help deliver secure containerized applications faster. This tutorial includes easy-to-follow code examples.",[733],"Fernando Diaz",{"externalUrl":-1,"slug":735},"secure-open-source-container-infrastructure-with-gitlab-and-chainguard",{"content":737,"config":744},{"title":738,"heroImage":739,"category":9,"description":740,"authors":741},"Annotate container images with build provenance using Cosign in GitLab CI/CD","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098395/Blog/Hero%20Images/Blog/Hero%20Images/blog-image-template-1800x945%20%2823%29_2w6waL76KROjhJHM2vXet6_1750098395162.png","Use GitLab pipelines to automate building, signing, and annotating Docker images. This tutorial shares code to show you how. 
Try it out in your own organization.",[742,743],"João Pereira","Tim Rizzi",{"externalUrl":-1,"slug":745},"annotate-container-images-with-build-provenance-using-cosign-in-gitlab-ci-cd",{"content":747,"config":754},{"title":748,"heroImage":749,"category":9,"description":750,"authors":751},"How to choose the right security scanning approach","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750097969/Blog/Hero%20Images/Blog/Hero%20Images/AdobeStock_282096522_securitycompliance.jpeg_1750097968823.jpg","GitLab offers multiple scanning methods for CI/CD pipelines, including compliance frameworks and scan and pipeline execution policies. Learn the basics, configurations, and advantages/disadvantages.",[752,753],"Matt Genelin","Mathias Ewald",{"externalUrl":-1,"slug":755},"how-to-choose-the-right-security-scanning-approach",{"content":757,"config":760},{"title":758,"heroImage":701,"category":9,"description":759,"authors":-1},"GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6","Learn more about GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":761,"slug":-1},"https://about.gitlab.com/releases/2024/08/21/patch-release-gitlab-17-3-1-released/",{"content":763,"config":769},{"title":764,"heroImage":765,"category":9,"description":766,"authors":767},"How GitLab helps meet NIS2 requirements","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659437/Blog/Hero%20Images/AdobeStock_398929148.jpg","The EU's NIS2 cybersecurity legislation focuses on resilience, incident response, and risk management. Learn how GitLab's DevSecOps platform helps meet these compliance requirements.",[768],"Joseph Longo",{"externalUrl":-1,"slug":770},"how-gitlab-helps-meet-nis2-requirements",1772652116737]