JIRA Cloud/BitBucket ITAR/NIST 800-171 Compliance

Elias Moya June 3, 2020

Hi all,

Out of the JIRA Cloud service and BitBucket, can these services be, or are they, ITAR + NIST 800-171 compliant? As far as I know, BitBucket cloud at least does not leave the United States, but there may be more requirements as to actually being considered an ITAR-compliant vendor, and then there is also the case of how Controlled Unclassified Information is directed and trafficked. Thank you in advance!

19 comments

Griffin Jones
Atlassian Team
June 8, 2020

Our cloud services do not comply with ITAR or NIST 800-171 at the moment; however, we are considering expanding our cloud certification profile and would love to hear what your requirements are.

Ryan Newton September 9, 2020

I am currently trying to get my company to utilize Atlassian products (Confluence, Jira, etc.); however, we need to have all our internal services and systems be NIST 800-171 compliant since we do work with DoD.

The main pushback I am getting is that these cloud products are not NIST 800-171 compliant. I would really love to get the company to use these products because I believe they are 1000% better than what is currently being used.

Tiffany J April 19, 2023

What is the update to this for 2023?

Robert Parlock September 15, 2020

Similarly to Mr. Newton, my company does work for the DOD, which requires that our systems which store CUI (Controlled Unclassified Information) be NIST 800-171 compliant. Until the Atlassian Cloud Products are compliant, we would not be able to use Atlassian Cloud for the majority of our contracts, or we would have to have a separate product just for CUI data, which would be cost and time prohibitive.

Griffin Jones
Atlassian Team
September 15, 2020

I will surface this to our Risk and Compliance leadership!

Robert Parlock September 15, 2020

I think if they look at the standard they will find it's composed primarily of best security practices, so it has benefits beyond just DOD.

Ryan Newton September 15, 2020

I agree with this. Given Atlassian is already compliant with several things like ISO, PCI, SOC, etc., I would believe that it wouldn't be too difficult to reach NIST 800-171 compliance.

Christoph Huber September 17, 2020

+1 on NIST and CMMC.

keith_conner October 19, 2020

Given Atlassian's website states DoD as a customer (https://www.atlassian.com/government), Atlassian must be compliant with DFARS 252.204-7012 and 252.239-7010 if any DoD users bring CUI to the platform. DFARS 252.204-7012 requires compliance with the latest version of NIST 800-171. However, on Sept 29, Atlassian stated only a "roadmap" (without dates, which isn't a roadmap) to FedRAMP (https://www.atlassian.com/blog/platform/secure-cloud-solutions-for-every-government-team). Will Atlassian provide dates and targeted FedRAMP levels for each product, please? Lastly, will Atlassian please also include compliance with the DoD Cloud Computing Security Requirements Guide in its roadmap? Customers need to see when Atlassian will protect IL4/5 data. Thank you.

Michael Corvin October 23, 2020

We also require NIST compliance and the coming CMMC. On current work we do, our server instances of Confluence and Jira are on secured networks.

With the recent announcement that the Server offerings will be deprecated in 2021, this adds to the problems we have with continued, long-term use of Confluence and Jira.

(The additional issue is that the Cloud version of Confluence's "new experience" editor has eliminated KEY functionality that we use extensively. This has rendered the cloud version UNUSABLE for our use cases. I have been among the chorus of voices since the 'new experience' rollout began, elsewhere in the community, complaining vociferously about this.)

Ed Kershenbaum January 20, 2021

Adding our requirement for ITAR, NIST 800-171 and CMMC compliance.

Latest webinars (Jan 2020) say FedRAMP support will be available in 2023. We need to see Atlassian commit to these dates given the end of server support, along with documented full 800-171 and CMMC compliance.

robhaynes812 September 8, 2021

I've been asked by the CISO of our company (pretty good size) for a POC at Atlassian to discuss this issue. How do I go about getting one?

Reginald November 2, 2021

Adding my support for NIST 800-171 compliance for DoD work. My company is interested in using Atlassian JIRA Cloud, as well as other Atlassian solutions, but the lack of NIST or CMMC compliance is making this a tough sell.

Likewise, the FedRAMP roadmap needs updated information, as others have pointed out. The lack of clarity regarding Atlassian's status on NIST and CMMC is forcing us to look at other providers, but we would prefer to use Atlassian if possible.

Thanks.

David Rodman January 21, 2022

I also work for a firm that has an on-premise Confluence implementation containing controlled unclassified information and ITAR data. We are currently in need of additional seats and are not permitted to purchase them under Atlassian's policies to force users to move to cloud; however, without an ITAR solution, we would be in violation of US law prohibiting the move. Atlassian should have thought through the restrictions before implementing them. We are constrained badly by this decision.

JJ_Shaw October 5, 2022

We are looking at using JIRA as a common software/project management tool between our parent company located in Ottawa, Canada, and our government-facing subsidiary based in Washington, DC. We need a U.S. Government security (e.g., NIST, DCSA, etc.) and ITAR-compliant solution. Hopefully, Atlassian is seriously looking at creating a U.S. Government security regulation compliant system/server for companies performing on government contracts. There is a huge business opportunity here. Please let us know your implementation date.

Cloudites Owner
Rising Star
October 5, 2022

For those who are involved with CMMC, I've created the self assessment on my cloud portal.

hipaa.atlassian.com/servicedesk/customer/portals.

Jordan Hauser March 23, 2023

Hi all,

I am commenting on this in order to receive notifications if anything is done with this.

My company also handles CUI and must be NIST 800-171 compliant, and without confirmation we CANNOT move to cloud once Server reaches EOL.

Dennis April 17, 2023

The compliance drive for this is critical. Looking for updates on FedRAMP/NIST.

Tim Comella April 18, 2023

Good thread. Also interested in seeing an actual FedRAMP compliance commitment date from Atlassian. Supporting Data Center Jira/Confluence in the Federal space, this is a blocker to cloud modernization.

David Rodman April 18, 2023

Good thread yes, but it has had no traction from Atlassian for over a year. We will be forced into alternative products with the forced migration to cloud. We currently moved to data center to extend the on premises life of the product.

Aaron Stevens April 19, 2023

My company asked me to research Atlassian as a cloud service, but it is not ITAR or NIST compliant. So now I'm thinking of using Google Assured; any thoughts on this choice?

Jordan Hauser April 18, 2023

To others revisiting this thread and having the same worries: I found this plugin for Jira Cloud a few weeks back, but I do not know enough to say whether it is sufficient. If anyone knows whether this would work, please let me know.

Jira ITAR Compliance (stratokey.com)

David Rodman April 18, 2023

That looks pretty good and definitely worth looking into further. They have a similar plugin for Confluence as well. This may be the solution.

Hubert Bandurski February 5, 2024

Also commenting as we need JIRA cloud to be NIST 800-171 compliant.

Is there any progress on this?

Jordan Hauser February 5, 2024

@Hubert Bandurski Don't think so; this was the most recent article I found while trying to double check on this a few months ago, and it is what solidified us going with DC.

It’s official- FedRAMP Moderate has a new date in ... - Atlassian Community

Hubert Bandurski February 5, 2024

@Jordan Hauser Thanks for replying. It seems like the FedRAMP dates are far away, and knowing how things work, we are looking at 2025.

DC carries additional costs, and I am still not sure about NIST 800-171 compliance.

We will have no choice but to move away from JIRA. What is everyone else doing then?

 

Jordan Hauser February 5, 2024

Afaik: Data Center is indeed compliant as it's hosted on premise; think of it like Server's big brother. If you were already using Jira Server, then you'll be good.

Yeah, costs are ridiculous, but what can you do when they just decide to nix the affordable option, other than comply or find a new service?

If you are government related / some kind of subcontractor, I recommend looking into Carahsoft. They were very helpful when I was dealing with this exact situation.
