
JIRA Cloud/BitBucket ITAR/NIST 800-171 Compliance

Hi all,


Out of the JIRA Cloud service and BitBucket, can these services be or are they ITAR + NIST 800-171 compliant? As far as I know BitBucket cloud at least does not leave the United States, but there may be more requirements as to actually being considered an ITAR compliant vendor, and then there is also the case of how Controlled Unclassified Information is directed and trafficked. Thank you in advance!


Our cloud services do not comply with ITAR or NIST 800-171 at the moment; however, we are considering expanding our cloud certification profile and would love to hear what your requirements are.


I am currently trying to get my company to utilize Atlassian products (Confluence, Jira, etc.); however, we need to have all our internal services and systems be NIST 800-171 compliant since we do work with DoD.

The main pushback I am getting is that these cloud products are not NIST 800-171 compliant. I would really love to get the company to use these products because I believe they are 1000% better than what is currently being used.


Similarly to Mr. Newton, my company does work for the DOD, which requires that our systems which store CUI (Controlled Unclassified Information) be NIST 800-171 compliant. Until the Atlassian Cloud Products are compliant, we would not be able to use Atlassian Cloud for the majority of our contracts, or we would have to have a separate product just for CUI data, which would be cost and time prohibitive.


I will surface this to our Risk and Compliance leadership! 


I think if they look at the standard they will find it's composed primarily of best security practices, so it has benefits beyond just DOD.


I agree with this. Given Atlassian is already compliant with several things like ISO, PCI, SOC, etc. I would believe that it wouldn’t be too difficult to reach NIST 800-171 compliance. 


+1 on NIST and CMMC.


Given Atlassian's website states DoD as a customer, Atlassian must be compliant with DFARS 252.204-7012 and 252.239-7010 if any DoD users bring CUI to the platform. DFARS 252.204-7012 requires compliance with the latest version of NIST 800-171. However, on Sept 29, Atlassian stated only a "roadmap" (without dates -- which isn't a roadmap) to FedRAMP. Will Atlassian provide dates and targeted FedRAMP levels for each product, please? Lastly, will Atlassian please also include compliance with the DoD Cloud Computing Security Requirements Guide in its roadmap? Customers need to see when Atlassian will protect IL4/5 data. Thank you.


We also require NIST compliance and the coming CMMC.   On current work we do our server instances of Confluence and Jira are on secured networks.

With the recent announcement that the Server offerings will be deprecated in 2021, this adds to the problems we have with continued, long-term use of Confluence and Jira.

(The additional issue is that the Cloud version of Confluence's "new experience" editor has eliminated KEY functionality that we use extensively.  This has rendered the cloud version UNUSABLE for our use cases.   I have been among the chorus of voices since the 'new experience' rollout began, elsewhere in the community, complaining vociferously about this.)


Adding our requirement for ITAR, NIST 800-171 and CMMC compliance.   

Latest webinars (Jan 2020) say FedRAMP support will be available in 2023.  We need to see Atlassian commit to these dates given the end of server support, along with documented full 800-171 and CMMC compliance. 


I've been asked by the CISO of our company (pretty good size) for a POC at Atlassian to discuss this issue.  How do I go about getting one?

Adding my support for NIST 800-171 compliance for DoD work. My company is interested in using Atlassian JIRA Cloud, as well as other Atlassian solutions, but the lack of NIST or CMMC compliance is making this a tough sell.

Likewise, the FedRAMP roadmap needs updated information, as others have pointed out. The lack of clarity regarding Atlassian's status on NIST and CMMC is forcing us to look at other providers, but we would prefer to use Atlassian if possible.



I also work for a firm that has an on-premise Confluence implementation containing controlled unclassified information and ITAR data. We are currently in need of additional seats and are not permitted to purchase them under Atlassian's policies to force users to move to cloud; however, without an ITAR solution, we would be in violation of US law prohibiting the move. Atlassian should have thought through the restrictions before implementing them. We are constrained badly by this decision.

