Atlassian’s path to FedRAMP (previous updates)

End of support for Data Center is Feb 15, 2024 (https://www.atlassian.com/migration/assess/journey-to-cloud). Can public sector customers expect no extension to this roadmap?

@Jeff Keister I don't believe that is correct.  "Server" support will end in Feb. 2024, but Data Center support will continue.

Hi @Jeff Keister , my name is Jacob Shepard from Atlassian. I want to be clear that Data Center is not receiving end-of-support.

End of support is only for our Server products. To learn more about Server end-of-support please go here 

As a reminder, you can look at upcoming features for Data Center on the public roadmap.

I would also recommend if you work in the public sector that you join our Government Community

Thanks for clarifying that there are multiple distinct self-hosted options. This has been a point of confusion up to now. This page appears to clarify many of the distinctions. I've now joined the Government Community and will expect to stay on DC at least until FedRAMP is achieved.

Like you, @Jeff Keister our team supports Government and is also watching for Atlassian FedRamp certification.

So will Atlassian change course on what was an epically bad decision to cut off onprem server to SMB's and FedRAMP clients?

If Atlassian cannot get FedRAMP program together this organization is putting everyone in an untenable position by making server version to expensive. and having a cutoff date. Let the community know when this bad policy will be changed.

If DataCenter is the only option Atlassian has an obligation to make it affordable to SMB's whether engaged with FedRAMP directly and/or 3rd party cloud providers whom have FedRAMP requirements.

Hi @Jeff Keister I would also recommend joining the Data Center Community where you can find the most up-to-date information, use cases and more about Data Center products.

Hi @David Simpson 

As a reminder, we do provide Data Center licensing for teams of all sizes that work within the Public Sector space. We recommend that you reach out to our verified partner Carahsoft to learn more.

I would identify the current defined cost of "DataCenter" in NO way comes close to meeting SMB ability to afford. Where Server was previously Under $100.00.

The issue here is COST. Atlassian has appeared to put current FedRAMP customers in an untenable position where not only can they NOT get their authorization, or an Agency dropping Sponsorship because of the cloud products, they may be forced to be migrated to a data center version to re-deploy within an Accreditation Boundary of a CSP and based on Atlassian's own site the starting cost is roughly $27,000.  I'm not clear where that "option" is really compromise to the fact that it's Atlassian that has presented this issue to all its customers and community, especially those engaged with FedRAMP. The loss of revenue to FedRAMP customer waiting or have potentially losing sponsorship is quite high. 

From what it appears to be straight what we hear is, Sorry the PMO is pushing back on all CSP's leveraging Atlassian Cloud Products, but here's a $27,000 alternative. (?) And it will require CSP's and FedRAMP customers to migrate and redo their confluence and Jira ticketing solutions at an extensive staffing Level of Effort.

Confluence Data Center | Atlassian

It would be logical that Atlassian would "adjust" the cost of datacenter to what was the cost of "Server" for those engaged or engaging in FedRAMP, and/or offer DataCenter at the current cost of the CSP's cloud version. 

Additional, Since I've traversed several FedRAMP companies through this exact issue, Atlassian would be in appropriate position to provide a CLEAR timelines and roadmap to set expectations to the community for Moderate, High and JAB.

If there are FedRAMP customers experiencing issues related to this situation and receiving inquiries from agency sponsors and/or the PMO your most logical roadmap is to POA&M this issue with a defined timeline for migration from cloud to Datacenter.

This will of course potentially also trigger a "Major Change" within the FedRAMP AB and require a 3PAO to reassess the solution, redo the ATO package.

@Dave Meyer What is the hold up getting FedRAMP certified and is there anyway this could be made available in 2023 

From my discussion with the FedRAMP PMO is contention is around a specific Atlassian product and that product not meetings expectations.... For some time.
Discussions with several friends at other CSP's have seemed to elude that they are being required to move to onprem Data Center to meet requirements. My assumption is this route would indicate its not happening quickly since these CSP's have reached out to their Atlassian Sales teams and they have indicated they have to invest in Data Center eludes to again that accreditation in 2023 is iffy. But that statement is my personnel opinion and i could be wrong. 

What is a factual statement is we have not heard from Atlassian publicly on WHEN it will happen.

We can see here that Atlassian is looking for a FedRAMP engineering assistance:

Atlassian - Principal Engineer, Team Enterprise - FedRAMP (lever.co)

Hm, I thought that FedRAMP was more about the controls around the product .... I would have thought that this would all be possible within a year? 

Do you think it'll be challenging for us to get Atlassian Approved for DC [moving from Server?]... it seems there are limited options. What do you recommend?

True a ATO package which involves the build out of a System Security Plan which deep dives in to individual controls. From my knowledge Atlassian isn't unique in this situation. Many large vendors have spent years and years attempting to get everything aligned to get an ATO. For MANY vendors it's 3rd party services that solution is made up, that 3rd party service itself is not FedRAMP authorized or not at the same Moderate or High accreditation Perhaps they have a requirement for DOD STIGS over CIS Level 1 benchmarks. ALOT of times its the 3rd party service vendors that CSP leverages that is not FedRAMP authored themselves and they have data in transit/ data at rest going all over the globe. IE data that is traversing outside the accreditation boundary.

Sometimes with some companies I've worked for "cough" the Continuous Monitoring program is in shambles, bad POAM's, agencies not doing reviews. And the FedRAMP team comes in and tells all parties to get their act together. So again Atlassian isn't the only vendor to receive push back from the FedRAMP PMO or the JAB in various situations. Its part of the game.

In my opinion the difference with Atlassian over some other vendor products just HOW deeply the product is integrated into our organizations and how we leverage confluence and Jira for everything.

I may come across as dumping on Atlassian, but I evangelize its use at every FedRAMP CSP I've been involved in.  I have Confluence and Jira information templatized in SSP documentation we leverage with clients. I've built out entire FedRAMP Jira Advanced Roadmaps categorized into individual control families. I previous evangelized strongly for Sharepoint till confluence just really became a superior product for documenting information. Microsoft has really let sharepoint get steamrolled. So Confluence is a great product from a Compliance and Auditing department with the ability to scan a Confluence instance and find pages from staff and mirror those pages as compliance artifacts.

MY IRRITATION is exactly what I have described which is the the public perception that Atlassian taken in which they brought this issue to customers doorstep and when those CSP's have asked for a "price competitive" data center version they have essentially said to take a long walk off a short pier. My view, which is not unusual for all these companies in the market place is that they view FedRAMP as a irritation, a cost they don't want to incur and don't want to maintain. AND the actual market share of FedRAMP customers is not the significant so the apatite to lower cost or compensate CSP's is not there.

Reality is, Atlassian should be offering data center... FOR FREE to any CSP impacted.

Once you incorporate the cost of deploying Atlassian Data center into a AWS or Azure, the product, the staff Level of Effort, Migration. That's just not $27,000, that's significantly more in staff allocation, impact to other company efforts, architecture review and so on.

To your last question, I can say I have personal knowledge of several large CSP's that had been speaking and working with Atlassian sales on getting a price compensation for Data center and was pretty much told that they acknowledge the issue but go jump off a cliff to be blunt.

Server is no longer sold, for the most part EOL is coming up quick. We still have it as a onprem piece and love it. But Server was offered as a cost effective product for SMB's and that's NOT where Atlassian saw their business. Sure you can get cloud for under 10 users for free but its obviously drastically limited.
So its a business roadmap question. Every vendor doesn't want a onprem product. More costly, more time ,more people, more upkeep.

I'm not a lawyer, but I did stay at a Holiday in Express last night so I'm good to be on the Supreme Court this week.... I would hypothetically infer, legally there's an issue here in which if customer bought into Atlassian Cloud products as their FedRAMP solution and now having issues maintaining that obligation that I would be pony'ing up Data Center pro bon for impacted customers at a minimum with unlimited Support for deployment and migration assistance.

I would also say to all CSP's, Cheap out on your FedRAMP and compliance department staffing levels. Don't be surprised when this stuff comes knocking.

Echoing my appreciation for the platform but DC is completely out of the question due to cost for the 30 users I've got. 

Same as above, if the path is on-prem JIRA Software Server lift to on-prem Data Center (at significant additional annual cost for unused and unneeded modules/capabilities) OR switch to competitor (because no acceptable FedRAMP authorized cloud SaaS option nor corresponding on-prem product exists), then the migration path is going to be switch to a competitor and exclude future Atlassian products from roadmap consideration. Government agencies aren't going to go backwards from cloud SaaS fedramp authorized capabilities that Atlassian Data Center on-prem provides, just to keep JIRA software server capabilities.

Confluence on Fedramp - Seems like someone at Atlassian internally has left the organization so they must now "rebuild" their fedramp priority.  Meaning this isn't probably going to happen for years.  Think 2030 if you are realistic.  Sadly Atlassian can't seem to get their collective act together on this topic.  And the sales from this participation is probably very big.

The decision to delay is a compliance punch to the gut.  Both Jira and Confluence are built to integrate comprehensively into process work flows, in an organization.  That organization could be large or small.  Delaying a published date is understandable, not providing a reasonable new timeline and plan is not understandable.  When you build a product that integrates substantially in your customer environments, you should not be surprised when they require compliance.  Have a little thought leadership in understanding how your pivot impacts  your customers and meet them where the gaps form as a partner. As it sits, I have to make some change.  Maybe I go to Data Center licensing, and stomach the staffing requirement, or maybe I find a better partner.

Disappointed to say the least. An updated timeline on FedRamp would be appreciated. 

Once the Atlassian cloud achieves  FedRAMP approval, what marketplace apps will be available to users of the FedRAMP cloud?  Will all current marketplace apps be available? A concern my team has is that there are apps that we rely on for testing that may not be available in the FedRAMP approved cloud.

When is the next update on Atlassian's path to FedRAMP? This update was from Nov 2022 and Atlassian promised to share quarterly updates in the Trust & Security group but I haven't seen any.

This is what I heard:

Here's where we're at since November of last year:
* We've done a major reassessment of our architecture and undertaken far more diligent implementation plans for every Moderate level control.
* We've established a formal internal governance program, led by our CTO, who will be directly accountable to our board for the delivery of our FedRAMP offering
* We are in the process of massively increasing the level of internal investment on FedRAMP We're now actively working on identifying a sponsoring agency from our customer base. As you may know, in partnership with that sponsor we will go through our implementation plan in much more detail with them, with the goal of achieving our in-process designation on the FedRAMP Marketplace. From there, we are expected to achieve ATO within 12 months at the latest.

So we're currently in a place where we feel comfortable engaging at a deeper level with potential sponsors. I expect the next update will come once we have secured a sponsor and have a line-of-sight on when they will submit a letter of attestation on our behalf for us to get the in-process designation.

What is the latest status for the Fedramp certification @Dave Meyer , its been 7 months since your last update.  My HHS customer has asked, we have been actively using the full cloud suite of Atlassian tools, and Atlassian since 2018 for this customer.  Fedramp certification is important to them and us as it may influence whether we can continue to use the cloud tools going forward.  

@James Zoller finalizing our update internally right now. Planning to share June 1.

@Dave Meyer An update will be much appreciated.  Let's try to update a bit more often going forward.  I do not think that is unreasonable given the missed timelines and poor communication to this point.