Bottom line
- There is no publicly posted primary‑source confirmation of a DoD IL2 authorization specifically for “GitHub Copilot for Government.” The FedRAMP Marketplace does not list GitHub Copilot as a separate authorized SaaS, and we cannot verify an IL2 PA or cATO for Copilot from official DoD or vendor compliance postings at this time. [1][2]
- Agencies can use GitHub Enterprise Cloud for Government (GECG), which GitHub documents as the government‑focused environment aligned to FedRAMP Moderate, while separately meeting DoD IL requirements at the workload level when building on authorized cloud platforms like Azure Government. [3][4][5]
- For AI coding assistance today under IL2/IL4/IL5 constraints, agencies can build and operate assistance patterns using Azure Government with Azure OpenAI Service, which is available in Azure Government and is documented to not use customer prompts or responses to train Microsoft or OpenAI models. [6][7]
What IL2 means and how it’s authorized
- DoD Impact Level 2 (IL2) is defined in the DoD Cloud Computing Security Requirements Guide (CC SRG) as covering Non‑Controlled Unclassified Information (Non‑CUI) and public or private unclassified data; IL authorizations for cloud services are distinct from FedRAMP and require DoD assessment against the SRG with a DoD PA or component ATO. [2]
- Azure Government’s compliance posture includes FedRAMP High and DoD CC SRG IL2/IL4/IL5/IL6, providing an authorized substrate for IL‑segmented workloads when agencies deploy and operate in the corresponding Azure Government regions and apply required controls. [4][5]
Current state of GitHub offerings relevant to federal teams
- GitHub Enterprise Cloud for Government is GitHub’s hosted environment designed for U.S. public sector customers and is documented by GitHub as the government‑focused offering; agencies should consult the product documentation for feature availability differences relative to commercial GitHub Enterprise Cloud. [3]
- The FedRAMP Marketplace lists GitHub Enterprise Cloud offerings, but does not list “GitHub Copilot” as a separately authorized product; absence from the Marketplace means we cannot verify a FedRAMP authorization specific to Copilot. [1]
- GitHub Copilot’s enterprise policies for data handling are documented by GitHub, including controls under Copilot for Business and Copilot Enterprise; these documents should be used by agencies for privacy and security reviews when evaluating any pilot use in non‑government GitHub environments. [8][9]
What’s coming
- There is no primary‑source announcement we can cite that commits to a specific timeline or status for an IL2‑authorized “GitHub Copilot for Government.” Agencies should monitor GitHub’s government documentation and official compliance postings for any updates. [3]
- Agencies should also monitor the FedRAMP Marketplace and DoD PA communications for any future listings that would confirm Copilot’s authorization posture for federal use cases. [1][2]
What federal dev teams can do today
- Use GECG for collaboration and source control where FedRAMP Moderate alignment is required, and ensure agency ATOs reflect the environment’s scope and any feature differences documented by GitHub. [3]
- If pursuing AI coding assistance under IL constraints, build within Azure Government:
  - Use Azure OpenAI Service available in Azure Government regions to host prompt‑completion workflows for code assistance; Microsoft documents that customer prompts/responses are not used to train foundation models, aiding privacy and data control assessments. [6][7]
  - Enforce organizational guardrails and technical policies with Azure Policy to continuously audit and enforce configurations required by agency ATOs and OMB M‑24‑10 governance expectations. [10][11]
- Align governance and risk management to OMB M‑24‑10 and the NIST AI RMF:
- If evaluating Copilot in commercial GitHub environments, base decisions on GitHub’s published enterprise privacy and security documentation, and ensure agency governance and ATOs explicitly address data flows, logging, and developer‑side controls before any pilot. [8][9][11]
Acquisition and compliance mapping
- Procurement and deployment must align to OMB M‑24‑10 guardrails for AI, including supplier assurances and impact assessments; agencies should require vendor documentation and, where applicable, FedRAMP or DoD PA evidence for the specific environment in which AI assistance runs. [11]
- For DoD IL2 workloads, use platforms with documented IL authorizations (e.g., Azure Government) and ensure system‑level ATOs implement SRG control overlays appropriate to IL2/IL4/IL5/IL6 as applicable. [4][2]
Watch points for mission owners and CIO shops
- FedRAMP Marketplace: monitor for any new listings or updates that would explicitly include Copilot in an authorized boundary. [1]
- GitHub Government documentation: watch feature availability notes for GECG regarding Copilot or related AI features. [3]
- Azure Government service catalog: track Azure AI services availability and updates relevant to building compliant developer assistance. [6]
References
1: FedRAMP Marketplace — products search for GitHub — https://marketplace.fedramp.gov/#!/products?search=GitHub
2: DoD Cloud Computing Security Requirements Guide (CC SRG) v1r4 — https://dl.dod.cyber.mil/wp-content/uploads/cloud/documents/Cloud_Computing_SRG_v1r4.pdf
3: GitHub Docs — About GitHub for Enterprises — https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-github-for-enterprises
4: Microsoft Learn — Azure Government compliance overview — https://learn.microsoft.com/azure/azure-government/compliance/
5: Microsoft Learn — Azure Government documentation — https://learn.microsoft.com/azure/azure-government/documentation-government
6: Microsoft Learn — Azure services available in Azure Government — https://learn.microsoft.com/azure/azure-government/azure-services
7: Microsoft Learn — Data, privacy, and security for Azure OpenAI Service — https://learn.microsoft.com/azure/ai-services/openai/concepts/data-privacy
8: GitHub Docs — Privacy Policies — https://docs.github.com/en/site-policy/privacy-policies
9: GitHub Docs — What is GitHub Copilot — https://docs.github.com/en/copilot/get-started/what-is-github-copilot
10: Microsoft Learn — Azure Policy overview — https://learn.microsoft.com/azure/governance/policy/overview
11: OMB Memorandum M‑24‑10 — Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence — https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10.pdf
12: NIST AI Risk Management Framework (AI RMF 1.0) — https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf