
Atlassian’s path to FedRAMP (previous updates)

42 comments

James Lester May 22, 2023

@Dave Meyer Looking forward to the update. Will it be a webcast, or an article like this one?

Dean May 31, 2023

@Dave Meyer Thank you for the update.

Will both Data Center and Cloud be moving through the FedRAMP process, or will it be one or the other, or individual by product? E.g. Jira Cloud, Jira Service Management (Cloud) or Jira Software (Data Center), Jira Service Management (Data Center).

Any other updates that can be shared? For example, are you expecting Jira to be rated a Moderate or High within FedRAMP?

Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 31, 2023

@Dean our FedRAMP efforts are focused on our SaaS (Cloud) products. Our initial focus will be Jira Software, Jira Service Management, and Confluence; we are still evaluating whether Jira Service Management can be included in the same timeline.

Our updates to date have focused on the Moderate impact level. We consider this the first step in the journey to supporting our public sector customers, not the last. Once we have achieved a sufficient level of confidence in our Moderate ATO timeline, we will begin planning subsequent milestones, including FedRAMP High ATO.

James Zoller May 31, 2023

@Dave Meyer thanks for quickly responding to my inquiry. The "In Process" status would be a good step forward. Early 2024 - SaaS products - Jira/Confluence is first; is Bitbucket also on the radar?

The FedRAMP process is a long and expensive endeavor, but the certification is a wise investment and will pay off with several additional agencies adopting the platform.

Keep the communication channels open, and more frequent communications would be nice; just simple/short updates would help. I will inform my customer of the efforts Atlassian is making to achieve FedRAMP ATO.

Thanks,

Jimmy

Tim Comella June 1, 2023

Tagging on to what @James Zoller has said, we are also a Federal agency with keen interest in Atlassian attaining Jira FedRAMP / moderate. Currently running Data Center but want to evolve to Cloud as part of an overall modernization effort.

Dave Meyer
Atlassian Team
June 1, 2023

@Dean following up on my previous answer to you, I made an error.

I said that we were still evaluating whether to include Jira Service Management Cloud in our initial FedRAMP Moderate ATO.

We finalized this decision and we do plan to include it. So you should expect the scope of our FedRAMP offering at launch to be:

  • Jira Software Cloud
  • Jira Service Management Cloud
  • Confluence Cloud

We already hold an ATO for Trello at the Tailored LI-SaaS baseline.

@James Zoller Bitbucket Cloud is (always) on our radar but I can't offer a firm commitment if and when we will pursue an ATO for Bitbucket Cloud. Appreciate you asking.

Ryan Retting June 1, 2023

I appreciate the increased communication by Atlassian, as I've been monitoring this situation for some time.

I'll second the need for Bitbucket Cloud to be part of the first ATO.  Jira Software is not complete for software development if Bitbucket Cloud isn't part of the ATO.  

James Zoller June 2, 2023

@Ryan Retting you got that right, this is the best part of the Atlassian suite of tools;  Jira/Confluence and Bitbucket are fully integrated. I've been designing and developing SW since the 80s, and this was my dream come true/Nirvana; Tickets/artifacts and source all linked, traceable and managed in a complete package.  @Dave Meyer without the source (Bitbucket) Fedramped it would be incomplete. 

john_p_possel August 10, 2023

In the update, you noted that you expect to achieve "In Process" on the FedRAMP marketplace. What does this really mean in terms of achieving FedRAMP certification? What is your target for having a FedRAMP offering that will be available?

David Simpson August 11, 2023

In practice, FedRAMP "In Process" designation means that the SaaS solution generally has 1 year from being designated "In Process" to have gone through the assessment and AT LEAST the SAR/SAP is in the PMO's hands for review/final determination.

Since it can be a month to many, many months for the PMO to work its docket of companies, the "In Process" designation will remain on the marketplace. A strong majority of companies that are marked as in process, at least at the moderate level, achieve their ATO as long as there aren't any High findings from the assessment or a significant number of moderates.

Though I'm wondering, since we are now in 2023 and requirements for Rev 5 articulate that CSPs now must leverage DISA STIGs over CIS Level 1 benchmarks, how this will impact the effort. Having worked over 30 FedRAMP company ATOs, one of the biggest killers for those who had Impact Level requirements was the baseline configuration of DISA STIGs. Most companies couldn't allocate the resources to get baselines to meet the STIGs, and ALL did not want to allocate long-term resources to updating those baselines for STIGs, since STIG updates generally happen quarterly where CIS was updated annually.

This is NO KNOCK at any CSP, considering I spent many years myself wandering around with DoD branches where they themselves didn't have STIGs in place, compliant or up to date. It's a significant undertaking to keep baselines updated or even created to meet STIG requirements. More often than not I always see some C-suite say, "HEY, Amazon has a STIG-compliant EC2, JUST use that." And nothing works, because you have to tailor a baseline configuration, which is mostly permission-based settings, to what a company is specifically operating on that image.

In general, this is a positive sign.

David Simpson August 31, 2023

@Dave Meyer I would as well like to request an update on where Atlassian is. I just had another FedRAMP client get told by the PMO they had to remove all their Atlassian Confluence and Jira materials from the cloud solution after we had spent substantial time building out Jira roadmaps and extensive ATO package buildouts. And now we have to remove it all. We're talking 1000 hours of combined organizational resources.

Joe Elgabalawi
Atlassian Team
September 1, 2023

@David Simpson Thank you for your comment.

I understand your frustration and we’re happy to discuss the issue regarding your customer and the PMO. We acknowledge the significant investment of resources and time that you have put into building out Jira roadmaps and extensive ATO package buildouts.

With regard to our path to FedRAMP Moderate, we are dedicated to providing transparency and updates to our community as we navigate this process. Our next update is planned for the middle of September and will highlight how we’re currently working towards entering our FedRAMP Moderate 3PAO Assessment in mid-2024, with the aim of achieving FedRAMP authorization as soon as possible thereafter.

If you have any further questions or concerns, please do not hesitate to reach out again. We value your feedback and appreciate your support of Atlassian.


Contegix (Platinum Partner) and Atlassian are working closely together to fill the gap while Atlassian finishes the ATO process - providing both FedRAMP Moderate and High PaaS solutions. 

https://community.atlassian.com/t5/Jira-questions/Does-JIRA-comply-with-FedRAMP-for-Federal-Business/qaq-p/954733#M306751

Bryce October 23, 2023

Any updates on this?  Has Atlassian officially started this project, is 2024 still the plan?

Chris Hammel
I'm New Here
November 2, 2023

I second Bryce's request for an update.  We're about to invest significant time and effort into *something*, and realistic dates are highly critical to planning our ITAR compliance from top to bottom.

Bryce November 2, 2023

@Chris Hammel I opened a case with support and was given this updated information.  Not sure why they make it so hard to find this stuff out.  I am also not sure I 100% trust the dates as I have heard many times over the years that they are working on this.  Fingers crossed.

https://community.atlassian.com/t5/Trust-Security-articles/It-s-official-FedRAMP-Moderate-has-a-new-date-in-cloud/ba-p/2488663

William Eckrich February 12, 2024

Hi all :)  I wanted to ask if we could get an update on this process.  Per the update on May 2023, Atlassian was looking for an "in process" designation in early 2024.  We are 1 1/2 months into 2024 and would like to know if we're still hoping for "in process" designation in the first half of 2024, the latter half, or it is up in the air due to circumstances.

As always, thank you in advance!! :)
