Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

JIRA Cloud/BitBucket ITAR/NIST 800-171 Compliance

Hi all,


Out of the JIRA Cloud service and BitBucket, can these services be or are they ITAR + NIST 800-171 compliant? As far as I know BitBucket cloud at least does not leave the United States, but there may be more requirements as to actually being considered an ITAR compliant vendor, and then there is also the case of how Controlled Unclassified Information is directed and trafficked. Thank you in advance!


Our cloud services do not comply with ITAR or NIST800-171 at the moment however we are considering expanding our cloud certification profile and would love to hear what your requirements are.  

Like # people like this

I am currently trying to get my company to utilize Altassian products (Confluence, Jira, etc.) however we need to have all our internal services and systems be NIST 800-171 compliant since we do work with DoD.

The main pushback I am getting is that these cloud products are not NIST 800-171 compliant. I would really love to get the company to use these products because I believe they are 1000% better than what is currently being used.

Like # people like this

Similarly to Mr. Newton my company does work for the DOD which requires our systems which store CUI (Controlled Unclassified Information) be NIST 800-171 compliant. Until the Atlassian Cloud Products are compliant, would not be able to use Atlassian Cloud for the majority of our contracts or we would have to have a separate product just for CUI data which would be cost and time prohibitive.

Like # people like this

I will surface this to our Risk and Compliance leadership! 

Like atlassian_license likes this

I think if they look at the standard they will find its composed primarily of best security practices so its has benefits beyond just DOD.

Like atlassian_license likes this

I agree with this. Given Atlassian is already compliant with several things like ISO, PCI, SOC, etc. I would believe that it wouldn’t be too difficult to reach NIST 800-171 compliance. 

Like atlassian_license likes this

+1 on NIST and CMMC.

Like atlassian_license likes this

Given Atlassian's website states DoD as a customer (, Atlassian must be compliant with DFARS 252.204-7012 and 252.239-7010 if any DoD users have bring CUI to the platform.  DFARS 252.204-7012 requires compliance with the latest version of NIST 800-171.  However, on Sept 29, Atlassian stated only a "roadmap" (without dates -- which isn't a roadmap) to FedRAMP (  Will Atlassian provide dates and targeted FedRAMP levels for each product, please?  Lastly, will Atlassian please also include compliance with the DoD Cloud Computing Security Requirements Guide in its roadmap?  Customers need to see when Atlassian will protect IL4/5 data.  Thank you.

Like # people like this

We also require NIST compliance and the coming CMMC.   On current work we do our server instances of Confluence and Jira are on secured networks.

With the recent announcement that the Sever offerings will be deprecated in 2021 this adds to the problems we have with continued, long term use of Confluence and Jira.

(The additional issue is that the Cloud version of Confluence's "new experience" editor has eliminated KEY functionality that we use extensively.  This has rendered the cloud version UNUSABLE for our use cases.   I have been among the chorus of voices since the 'new experience' rollout began, elsewhere in the community, complaining vociferously about this.)

Like # people like this

Adding our requirement for ITAR, NIST 800-171 and CMMC compliance.   

Latest webinars (Jan 2020) say FedRAMP support will be available in 2023.  We need to see Atlassian commit to these dates given the end of server support, along with documented full 800-171 and CMMC compliance. 

Like # people like this

I've been asked by the CISO of our company (pretty good size) for a POC at Atlassian to discuss this issue.  How do I go about getting one?

Reginald I'm New Here Nov 02, 2021

Adding my support for NIST 800-171 compliance for DoD work. My company is interested in using Atlassian JIRA Cloud, as well as other Atlassian solutions, but the lack of NIST or CMMC compliance is making this a tough sell.

Likewise, the FedRAMP roadmap needs updated information, as others have pointed out. The lack of clarity regarding Atlassian's status on NIST and CMMC is forcing us to look at other providers, but we would prefer to use Atlassian if possible.


I also work for a firm that has an on premise Confluence implementation containing controlled unclassified information and ITAR data. We are currently in need of additional seats and are not permitted to purchase the under Atlassians policies to force users to move to cloud however without an ITAR solution, we would be in violation of US law prohibiting the move. Atlassian should have thought through the restrictions before implementing them. We are constrained badly by this decision.


Log in or Sign up to comment

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you