Atlassian’s path to FedRAMP (previous updates)

Update - 2 October 2023

 

Our latest update on FedRAMP Moderate ATO can be found here.


Prior update posted May 2023. See link above for the latest information.

Hi all,

Thank you for your patience since our last update. We know that transparent communication about Atlassian’s FedRAMP program is critical to your future plans.

Over the past 5 months, Atlassian has re-evaluated our company priorities and taken steps to rebalance our talent to accelerate what we believe are our largest opportunities. I’m happy to share that one of these is FedRAMP.

To that end, Rajeev Rajan, our CTO, will serve as the executive sponsor of the program and we’re working with Coalfire, a leading cybersecurity consulting firm that specializes in FedRAMP authorization to help ensure smooth delivery of our FedRAMP program. We’ve already made significant progress in building out a segregated FedRAMP environment and implementing the controls we need for attestation.

Our current focus is on achieving an “In Process” designation on the FedRAMP Marketplace via attestation from a sponsoring agency by early 2024. Once we have finalized a sponsoring agency and have agreed on a timeline for the sponsor to submit an attestation letter on our behalf, we will share an updated timeline for our full ATO. We expect to share this next update around September.

In the meantime, we encourage you to evaluate Atlassian Data Center, which remains an integral offering in our portfolio. We’ve increased investments in Data Center’s core tenets - security and compliance, performance and scale, and infrastructure and operations, and are expanding our investment to focus on product experience improvements and usability for both admins and end users. For server customers, upgrading to Data Center can take as little as 2 minutes to unlock all these benefits and more. Join our latest webinar to learn more about our investments and how easy it is to get the benefits of Data Center.

That’s all for now folks! In our next update, you’ll hear from our new senior leader for our global public sector product strategy, Joe Elgabalawi.

Kind regards,

Dave Meyer

Head of Product, Enterprise Cloud

 


Original post - November 2022

Hi Atlassian Community,

Since the launch of Atlassian Cloud nearly five years ago, we’ve been laser-focused on building enterprise-grade products, and in the last 12 months, we’ve:

  • Rolled out data residency across all plans

  • Reinforced our compliance efforts with HIPAA and financial services

  • Introduced support for 35K users in a single instance, with 50K poised to launch in early 2023

  • Enhanced our admin controls with features like mobile app management, release tracks, and user activity logs

We also have dozens of other enterprise capabilities available or in active development, including BYOK encryption, enhanced audit logs, and expansion of our data residency program.

In that time we’ve deepened our understanding of what it takes to build world-class solutions for customers in highly regulated industries, especially those in the public sector. As we’ve better understood your expectations and what it takes to meet these needs, we’ve realized that we will not be able to achieve FedRAMP Moderate authorization in 2023. FedRAMP continues to be a top priority for our business and we will share an updated timeline for authorization in the coming months. In line with our company value of “open company, no BS” we wanted to share this update as soon as possible. We understand that this is disappointing news, but we remain committed to a cloud future that is in service of government customers' and suppliers’ long-term success.

Deepening our investments in areas critical to your business

While we rebuild our FedRAMP strategy, we are also increasing our investment in Marketplace apps and Data Center to ensure that all elements of our public sector offering can support your teams.

Renewed focus on Marketplace

To deliver a solution that truly meets the needs of many of our government customers and suppliers, we need to support our Marketplace Partners as they build the foundational controls required to achieve authorization. We’ve started addressing some of the known gaps by adding marketplace data controls like data residency, rolling out stricter security requirements, and bringing greater transparency to customers around the security, privacy, data handling, and compliance of Atlassian Marketplace apps. Increased investment - and time to work with our partners - will mean a more complete solution.

Doubling down on Data Center to continue to meet your need

Given the delay of FedRAMP authorization in our cloud products, we understand that the journey to cloud for those still on server will be delayed. We’re seeing growing use of our Data Center deployment option in the public sector, therefore we’ve decided to increase our investment in our Data Center products to support you. To ensure that Data Center continues to evolve and scale with you into the future we’ve:

  • Introduced new licensing options

    • Teams of all sizes within the US public sector can now take advantage of dedicated licensing options for Data Center via our partnership with Carahsoft.

  • Increased investment in security and user experience

    • We’re working on improvements to accessibility, data privacy, and how we address software supply chain risks. This will mean improved resolution times for vulnerabilities and greater transparency on the status of vulnerabilities.

    • Addressing usability feedback and ensuring our products support modern ways of working

  • Continued to invest in performance, administration, and software quality

    • With new customizable controls and features that improve cleanup, monitoring, and integrations

    • More automation, easier administration, and increased scalability and resilience

    • Increased quality and support to ensure our products assist you in reaching your mission-critical goals

  • Strengthened our deployment options

    • To ensure that teams continue to have the technical flexibility to deploy your Data Center applications using infrastructure as a service (IaaS) platforms: AWS, Azure, and Google Cloud. This includes streamlined administration and greater automation, by using our helm chart templates to deploy Data Center in a Kubernetes cluster that runs on top of any approved public cloud provider.

In addition to the improvements mentioned above, server customers can migrate to Data Center in a matter of minutes, unlocking out-of-the-box features, such as advanced auditing, support for CDN, and rate limiting.

We’ll continue to share updates in this group as well as on our roadmap on a quarterly basis. In the meantime, if you have any questions please add them down below.

Dave Meyer

42 comments

Jeff Keister December 5, 2022

End of support for Data Center is Feb 15, 2024 (https://www.atlassian.com/migration/assess/journey-to-cloud). Can public sector customers expect no extension to this roadmap?

Jimmy Seddon
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 5, 2022

@Jeff Keister I don't believe that is correct.  "Server" support will end in Feb. 2024, but Data Center support will continue.

Jacob Shepard
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 5, 2022

Hi @Jeff Keister , my name is Jacob Shepard from Atlassian. I want to be clear that Data Center is not receiving end-of-support.

End of support is only for our Server products. To learn more about Server end-of-support please go here 

As a reminder, you can look at upcoming features for Data Center on the public roadmap.

I would also recommend if you work in the public sector that you join our Government Community

Jeff Keister December 5, 2022

Thanks for clarifying that there are multiple distinct self-hosted options. This has been a point of confusion up to now. This page appears to clarify many of the distinctions. I've now joined the Government Community and will expect to stay on DC at least until FedRAMP is achieved.

Tim Comella December 5, 2022

Like you, @Jeff Keister, our team supports Government and is also watching for Atlassian FedRAMP certification.

David Simpson December 5, 2022

So will Atlassian change course on what was an epically bad decision to cut off onprem server to SMB's and FedRAMP clients?

If Atlassian cannot get FedRAMP program together this organization is putting everyone in an untenable position by making server version too expensive and having a cutoff date. Let the community know when this bad policy will be changed.

If DataCenter is the only option Atlassian has an obligation to make it affordable to SMB's whether engaged with FedRAMP directly and/or 3rd party cloud providers who have FedRAMP requirements.

Jacob Shepard
Atlassian Team
December 7, 2022

Hi @Jeff Keister I would also recommend joining the Data Center Community where you can find the most up-to-date information, use cases and more about Data Center products.

Jacob Shepard
Atlassian Team
December 7, 2022

Hi @David Simpson 

As a reminder, we do provide Data Center licensing for teams of all sizes that work within the Public Sector space. We recommend that you reach out to our verified partner Carahsoft to learn more.

David Simpson December 8, 2022

I would identify the current defined cost of "DataCenter" in NO way comes close to meeting SMB ability to afford. Where Server was previously Under $100.00.

The issue here is COST. Atlassian has appeared to put current FedRAMP customers in an untenable position where not only can they NOT get their authorization, or an Agency dropping Sponsorship because of the cloud products, they may be forced to be migrated to a data center version to re-deploy within an Accreditation Boundary of a CSP and based on Atlassian's own site the starting cost is roughly $27,000. I'm not clear where that "option" is really a compromise to the fact that it's Atlassian that has presented this issue to all its customers and community, especially those engaged with FedRAMP. The loss of revenue to FedRAMP customers waiting or potentially losing sponsorship is quite high.

From what it appears to be straight what we hear is, Sorry the PMO is pushing back on all CSP's leveraging Atlassian Cloud Products, but here's a $27,000 alternative. (?) And it will require CSP's and FedRAMP customers to migrate and redo their confluence and Jira ticketing solutions at an extensive staffing Level of Effort.

Confluence Data Center | Atlassian

It would be logical that Atlassian would "adjust" the cost of datacenter to what was the cost of "Server" for those engaged or engaging in FedRAMP, and/or offer DataCenter at the current cost of the CSP's cloud version. 

Additionally, since I've traversed several FedRAMP companies through this exact issue, Atlassian would be in an appropriate position to provide CLEAR timelines and roadmap to set expectations to the community for Moderate, High and JAB.

David Simpson December 8, 2022

If there are FedRAMP customers experiencing issues related to this situation and receiving inquiries from agency sponsors and/or the PMO your most logical roadmap is to POA&M this issue with a defined timeline for migration from cloud to Datacenter.

This will of course potentially also trigger a "Major Change" within the FedRAMP AB and require a 3PAO to reassess the solution, redo the ATO package.

Francesca Moore January 12, 2023

@Dave Meyer What is the hold up getting FedRAMP certified and is there any way this could be made available in 2023?

David Simpson January 13, 2023

From my discussion with the FedRAMP PMO, the contention is around a specific Atlassian product and that product not meeting expectations.... For some time.
Discussions with several friends at other CSP's have seemed to allude that they are being required to move to onprem Data Center to meet requirements. My assumption is this route would indicate it's not happening quickly since these CSP's have reached out to their Atlassian Sales teams and they have indicated they have to invest in Data Center alludes to again that accreditation in 2023 is iffy. But that statement is my personal opinion and I could be wrong.

What is a factual statement is we have not heard from Atlassian publicly on WHEN it will happen.

 

We can see here that Atlassian is looking for a FedRAMP engineering assistance:

Atlassian - Principal Engineer, Team Enterprise - FedRAMP (lever.co)

Francesca Moore January 14, 2023

Hm, I thought that FedRAMP was more about the controls around the product .... I would have thought that this would all be possible within a year? 

Do you think it'll be challenging for us to get Atlassian Approved for DC [moving from Server?]... it seems there are limited options. What do you recommend?

David Simpson January 15, 2023

True, an ATO package which involves the build out of a System Security Plan which deep dives in to individual controls. From my knowledge Atlassian isn't unique in this situation. Many large vendors have spent years and years attempting to get everything aligned to get an ATO. For MANY vendors it's 3rd party services that solution is made up, that 3rd party service itself is not FedRAMP authorized or not at the same Moderate or High accreditation. Perhaps they have a requirement for DOD STIGS over CIS Level 1 benchmarks. A LOT of times it's the 3rd party service vendors that CSP leverages that is not FedRAMP authored themselves and they have data in transit/ data at rest going all over the globe. IE data that is traversing outside the accreditation boundary.

Sometimes with some companies I've worked for "cough" the Continuous Monitoring program is in shambles, bad POAM's, agencies not doing reviews. And the FedRAMP team comes in and tells all parties to get their act together. So again Atlassian isn't the only vendor to receive push back from the FedRAMP PMO or the JAB in various situations. It's part of the game.

In my opinion the difference with Atlassian over some other vendor products is just HOW deeply the product is integrated into our organizations and how we leverage Confluence and Jira for everything.

I may come across as dumping on Atlassian, but I evangelize its use at every FedRAMP CSP I've been involved in. I have Confluence and Jira information templatized in SSP documentation we leverage with clients. I've built out entire FedRAMP Jira Advanced Roadmaps categorized into individual control families. I previously evangelized strongly for SharePoint till Confluence just really became a superior product for documenting information. Microsoft has really let SharePoint get steamrolled. So Confluence is a great product from a Compliance and Auditing department with the ability to scan a Confluence instance and find pages from staff and mirror those pages as compliance artifacts.

MY IRRITATION is exactly what I have described which is the public perception that Atlassian has taken in which they brought this issue to customers' doorstep and when those CSP's have asked for a "price competitive" data center version they have essentially said to take a long walk off a short pier. My view, which is not unusual for all these companies in the marketplace is that they view FedRAMP as an irritation, a cost they don't want to incur and don't want to maintain. AND the actual market share of FedRAMP customers is not that significant so the appetite to lower cost or compensate CSP's is not there.

Reality is, Atlassian should be offering data center... FOR FREE to any CSP impacted.

Once you incorporate the cost of deploying Atlassian Data center into a AWS or Azure, the product, the staff Level of Effort, Migration. That's just not $27,000, that's significantly more in staff allocation, impact to other company efforts, architecture review and so on.

To your last question, I can say I have personal knowledge of several large CSP's that had been speaking and working with Atlassian sales on getting a price compensation for Data center and were pretty much told that they acknowledge the issue but go jump off a cliff to be blunt.


Server is no longer sold, for the most part EOL is coming up quick. We still have it as an onprem piece and love it. But Server was offered as a cost effective product for SMB's and that's NOT where Atlassian saw their business. Sure you can get cloud for under 10 users for free but it's obviously drastically limited.
So it's a business roadmap question. Every vendor doesn't want an onprem product. More costly, more time, more people, more upkeep.

I'm not a lawyer, but I did stay at a Holiday Inn Express last night so I'm good to be on the Supreme Court this week.... I would hypothetically infer, legally there's an issue here in which if customer bought into Atlassian Cloud products as their FedRAMP solution and now having issues maintaining that obligation that I would be ponying up Data Center pro bono for impacted customers at a minimum with unlimited Support for deployment and migration assistance.

I would also say to all CSP's, Cheap out on your FedRAMP and compliance department staffing levels. Don't be surprised when this stuff comes knocking.

Crystal Naomi Crosby February 2, 2023

Echoing my appreciation for the platform but DC is completely out of the question due to cost for the 30 users I've got. 

Brad Walls February 2, 2023

Same as above, if the path is on-prem JIRA Software Server lift to on-prem Data Center (at significant additional annual cost for unused and unneeded modules/capabilities) OR switch to competitor (because no acceptable FedRAMP authorized cloud SaaS option nor corresponding on-prem product exists), then the migration path is going to be switch to a competitor and exclude future Atlassian products from roadmap consideration. Government agencies aren't going to go backwards from cloud SaaS FedRAMP authorized capabilities that Atlassian Data Center on-prem provides, just to keep JIRA software server capabilities.

Matt Mason March 14, 2023

Confluence on FedRAMP - Seems like someone at Atlassian internally has left the organization so they must now "rebuild" their FedRAMP priority. Meaning this isn't probably going to happen for years. Think 2030 if you are realistic. Sadly Atlassian can't seem to get their collective act together on this topic. And the sales from this participation is probably very big.

Thomas Wilcox March 24, 2023

The decision to delay is a compliance punch to the gut.  Both Jira and Confluence are built to integrate comprehensively into process work flows, in an organization.  That organization could be large or small.  Delaying a published date is understandable, not providing a reasonable new timeline and plan is not understandable.  When you build a product that integrates substantially in your customer environments, you should not be surprised when they require compliance.  Have a little thought leadership in understanding how your pivot impacts  your customers and meet them where the gaps form as a partner. As it sits, I have to make some change.  Maybe I go to Data Center licensing, and stomach the staffing requirement, or maybe I find a better partner.

David Palmer April 5, 2023

Disappointed to say the least. An updated timeline on FedRAMP would be appreciated.

Dontrell Murray April 18, 2023

Once the Atlassian cloud achieves  FedRAMP approval, what marketplace apps will be available to users of the FedRAMP cloud?  Will all current marketplace apps be available? A concern my team has is that there are apps that we rely on for testing that may not be available in the FedRAMP approved cloud.

Dontrell Murray April 20, 2023

When is the next update on Atlassian's path to FedRAMP? This update was from Nov 2022 and Atlassian promised to share quarterly updates in the Trust & Security group but I haven't seen any.

Matt Mason May 4, 2023

This is what I heard:

Here's where we're at since November of last year:
* We've done a major reassessment of our architecture and undertaken far more diligent implementation plans for every Moderate level control.
* We've established a formal internal governance program, led by our CTO, who will be directly accountable to our board for the delivery of our FedRAMP offering
* We are in the process of massively increasing the level of internal investment on FedRAMP

We're now actively working on identifying a sponsoring agency from our customer base. As you may know, in partnership with that sponsor we will go through our implementation plan in much more detail with them, with the goal of achieving our in-process designation on the FedRAMP Marketplace. From there, we are expected to achieve ATO within 12 months at the latest.

So we're currently in a place where we feel comfortable engaging at a deeper level with potential sponsors. I expect the next update will come once we have secured a sponsor and have a line-of-sight on when they will submit a letter of attestation on our behalf for us to get the in-process designation.

James Zoller May 22, 2023

What is the latest status for the FedRAMP certification @Dave Meyer, it's been 7 months since your last update. My HHS customer has asked, we have been actively using the full cloud suite of Atlassian tools, and Atlassian since 2018 for this customer. FedRAMP certification is important to them and us as it may influence whether we can continue to use the cloud tools going forward.

Dave Meyer
Atlassian Team
May 22, 2023

@James Zoller finalizing our update internally right now. Planning to share June 1.

Thomas Wilcox May 22, 2023

@Dave Meyer An update will be much appreciated.  Let's try to update a bit more often going forward.  I do not think that is unreasonable given the missed timelines and poor communication to this point.
