JIRA Cloud/BitBucket ITAR/NIST 800-171 Compliance

Hi all,

Out of the JIRA Cloud service and BitBucket, can these services be or are they ITAR + NIST 800-171 compliant? As far as I know BitBucket cloud at least does not leave the United States, but there may be more requirements as to actually being considered an ITAR compliant vendor, and then there is also the case of how Controlled Unclassified Information is directed and trafficked. Thank you in advance!

19 comments

Griffin Jones
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 08, 2020

Our cloud services do not comply with ITAR or NIST 800-171 at the moment; however, we are considering expanding our cloud certification profile and would love to hear what your requirements are.


I am currently trying to get my company to utilize Atlassian products (Confluence, Jira, etc.); however, we need to have all our internal services and systems be NIST 800-171 compliant since we do work with DoD.

The main pushback I am getting is that these cloud products are not NIST 800-171 compliant. I would really love to get the company to use these products because I believe they are 1000% better than what is currently being used.


What is the update to this for 2023?


Similarly to Mr. Newton, my company does work for the DOD, which requires that our systems which store CUI (Controlled Unclassified Information) be NIST 800-171 compliant. Until the Atlassian Cloud Products are compliant, we would not be able to use Atlassian Cloud for the majority of our contracts, or we would have to have a separate product just for CUI data, which would be cost and time prohibitive.

Griffin Jones
Atlassian Team
Sep 15, 2020

I will surface this to our Risk and Compliance leadership! 


I think if they look at the standard they will find it's composed primarily of best security practices, so it has benefits beyond just DOD.


I agree with this. Given Atlassian is already compliant with several things like ISO, PCI, SOC, etc. I would believe that it wouldn’t be too difficult to reach NIST 800-171 compliance. 


+1 on NIST and CMMC.


Given Atlassian's website states DoD as a customer (https://www.atlassian.com/government), Atlassian must be compliant with DFARS 252.204-7012 and 252.239-7010 if any DoD users bring CUI to the platform. DFARS 252.204-7012 requires compliance with the latest version of NIST 800-171. However, on Sept 29, Atlassian stated only a "roadmap" (without dates -- which isn't a roadmap) to FedRAMP (https://www.atlassian.com/blog/platform/secure-cloud-solutions-for-every-government-team). Will Atlassian provide dates and targeted FedRAMP levels for each product, please? Lastly, will Atlassian please also include compliance with the DoD Cloud Computing Security Requirements Guide in its roadmap? Customers need to see when Atlassian will protect IL4/5 data. Thank you.


We also require NIST compliance and the coming CMMC. On current work we do, our server instances of Confluence and Jira are on secured networks.

With the recent announcement that the Server offerings will be deprecated in 2021, this adds to the problems we have with continued, long term use of Confluence and Jira.

(The additional issue is that the Cloud version of Confluence's "new experience" editor has eliminated KEY functionality that we use extensively.  This has rendered the cloud version UNUSABLE for our use cases.   I have been among the chorus of voices since the 'new experience' rollout began, elsewhere in the community, complaining vociferously about this.)


Adding our requirement for ITAR, NIST 800-171 and CMMC compliance.   

Latest webinars (Jan 2020) say FedRAMP support will be available in 2023.  We need to see Atlassian commit to these dates given the end of server support, along with documented full 800-171 and CMMC compliance. 


I've been asked by the CISO of our company (pretty good size) for a POC at Atlassian to discuss this issue.  How do I go about getting one?

Adding my support for NIST 800-171 compliance for DoD work. My company is interested in using Atlassian JIRA Cloud, as well as other Atlassian solutions, but the lack of NIST or CMMC compliance is making this a tough sell.

Likewise, the FedRAMP roadmap needs updated information, as others have pointed out. The lack of clarity regarding Atlassian's status on NIST and CMMC is forcing us to look at other providers, but we would prefer to use Atlassian if possible.

Thanks.


I also work for a firm that has an on premise Confluence implementation containing controlled unclassified information and ITAR data. We are currently in need of additional seats and are not permitted to purchase them under Atlassian's policies to force users to move to cloud; however, without an ITAR solution, we would be in violation of US law prohibiting the move. Atlassian should have thought through the restrictions before implementing them. We are constrained badly by this decision.


We are looking at using JIRA as a common software/project management tool between our parent company located in Ottawa, Canada, and our government-facing subsidiary based in Washington, DC.  We need a U.S. Government security (e.g., NIST, DCSA, etc.) and ITAR-compliant solution.  Hopefully, Atlassian is seriously looking at creating a U.S. Government security regulation compliant system/server for companies performing on government contracts.  There is a huge business opportunity here.   Please let us know your implementation date.

Cloudites Owner
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Oct 05, 2022

For those who are involved with CMMC, I've created the self assessment on my cloud portal.

hipaa.atlassian.com/servicedesk/customer/portals.

Hi all,

I am commenting on this in order to receive notifications if anything is done with this.

My company also handles CUI and must be NIST 800-171 compliant, and without confirmation we CANNOT move to cloud once server reaches EOL.

The compliance drive for this is critical. Looking for updates on FedRAMP/NIST.

Good thread. Also interested in seeing an actual FedRAMP compliance commitment date from Atlassian. Supporting data center Jira/Confluence in Federal space, this is a blocker to cloud modernization.

Good thread yes, but it has had no traction from Atlassian for over a year. We will be forced into alternative products with the forced migration to cloud. We currently moved to data center to extend the on premises life of the product.


My company asked me to research Atlassian as a cloud service, but it is not ITAR or NIST compliant. So now I'm thinking of using Google Assured; any thoughts on this choice?

To others revisiting this thread and having the same worries: I found this plugin for Jira Cloud a few weeks back, but do not know enough to say if it is sufficient. If anyone knows if this would work, please let me know.

Jira ITAR Compliance (stratokey.com)


That looks pretty good and definitely worth looking into further. They have a similar plugin for Confluence as well. This may be the solution.

Hubert Bandurski
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Feb 05, 2024

Also commenting as we need JIRA cloud to be NIST 800-171 compliant. 

Is there any progress on this? 

@Hubert Bandurski  don't think so, this was the most recent article I found while trying to double check on this a few months ago and what solidified us going with DC

It’s official- FedRAMP Moderate has a new date in ... - Atlassian Community

Hubert Bandurski
I'm New Here
Feb 05, 2024

@Jordan Hauser Thanks for replying. It seems like the FedRAMP dates are far away, and knowing how things work, we are looking at 2025.

DC carries additional costs and I am still not sure about NIST 800-171 compliance.

We will have no choice but to move away from JIRA. What is everyone else doing then?

AFAIK: Data Center is indeed compliant as it's hosted on premise; think of it like Server's big brother. If you were already using Jira Server, then you'll be good.

Yeah, costs are ridiculous, but what can you do when they just decide to nix the affordable option other than comply or find a new service?

If you are government related/some kind of subcontractor, I recommend looking into Carahsoft. They were very helpful when I was dealing with this exact situation.
