Hi all,
Of the JIRA Cloud service and BitBucket, can these services be, or are they, ITAR + NIST 800-171 compliant? As far as I know BitBucket Cloud at least does not leave the United States, but there may be more requirements as to actually being considered an ITAR-compliant vendor, and then there is also the question of how Controlled Unclassified Information is directed and trafficked. Thank you in advance!
I am currently trying to get my company to utilize Atlassian products (Confluence, Jira, etc.); however, we need to have all our internal services and systems be NIST 800-171 compliant since we do work with DoD.
The main pushback I am getting is that these cloud products are not NIST 800-171 compliant. I would really love to get the company to use these products because I believe they are 1000% better than what is currently being used.
Similarly to Mr. Newton, my company does work for the DoD, which requires our systems which store CUI (Controlled Unclassified Information) be NIST 800-171 compliant. Until the Atlassian Cloud products are compliant, we would not be able to use Atlassian Cloud for the majority of our contracts, or we would have to have a separate product just for CUI data, which would be cost and time prohibitive.
I will surface this to our Risk and Compliance leadership!
I think if they look at the standard they will find it's composed primarily of best security practices, so it has benefits beyond just DoD.
I agree with this. Given Atlassian is already compliant with several things like ISO, PCI, SOC, etc., I would believe that it wouldn't be too difficult to reach NIST 800-171 compliance.
+1 on NIST and CMMC.
Given Atlassian's website states DoD as a customer (https://www.atlassian.com/government), Atlassian must be compliant with DFARS 252.204-7012 and 252.239-7010 if any DoD users bring CUI to the platform. DFARS 252.204-7012 requires compliance with the latest version of NIST 800-171. However, on Sept 29, Atlassian stated only a "roadmap" (without dates -- which isn't a roadmap) to FedRAMP (https://www.atlassian.com/blog/platform/secure-cloud-solutions-for-every-government-team). Will Atlassian provide dates and targeted FedRAMP levels for each product, please? Lastly, will Atlassian please also include compliance with the DoD Cloud Computing Security Requirements Guide in its roadmap? Customers need to see when Atlassian will protect IL4/5 data. Thank you.
We also require NIST compliance and the coming CMMC. On our current work, our Server instances of Confluence and Jira are on secured networks.
With the recent announcement that the Server offerings will be deprecated in 2021, this adds to the problems we have with continued, long-term use of Confluence and Jira.
(The additional issue is that the Cloud version of Confluence's "new experience" editor has eliminated KEY functionality that we use extensively. This has rendered the cloud version UNUSABLE for our use cases. I have been among the chorus of voices since the 'new experience' rollout began, elsewhere in the community, complaining vociferously about this.)
Adding our requirement for ITAR, NIST 800-171 and CMMC compliance.
Latest webinars (Jan 2020) say FedRAMP support will be available in 2023. We need to see Atlassian commit to these dates given the end of server support, along with documented full 800-171 and CMMC compliance.
I've been asked by the CISO of our company (pretty good size) for a POC at Atlassian to discuss this issue. How do I go about getting one?
Adding my support for NIST 800-171 compliance for DoD work. My company is interested in using Atlassian JIRA Cloud, as well as other Atlassian solutions, but the lack of NIST or CMMC compliance is making this a tough sell.
Likewise, the FedRAMP roadmap needs updated information, as others have pointed out. The lack of clarity regarding Atlassian's status on NIST and CMMC is forcing us to look at other providers, but we would prefer to use Atlassian if possible.
Thanks.
I also work for a firm that has an on-premise Confluence implementation containing Controlled Unclassified Information and ITAR data. We are currently in need of additional seats and are not permitted to purchase them under Atlassian's policies to force users to move to Cloud; however, without an ITAR solution, we would be in violation of US law prohibiting the move. Atlassian should have thought through the restrictions before implementing them. We are constrained badly by this decision.
We are looking at using JIRA as a common software/project management tool between our parent company located in Ottawa, Canada, and our government-facing subsidiary based in Washington, DC. We need a U.S. Government security (e.g., NIST, DCSA, etc.) and ITAR-compliant solution. Hopefully, Atlassian is seriously looking at creating a U.S. Government security regulation compliant system/server for companies performing on government contracts. There is a huge business opportunity here. Please let us know your implementation date.
For those who are involved with CMMC, I've created the self assessment on my cloud portal: hipaa.atlassian.com/servicedesk/customer/portals.
Hi all,
I am commenting on this in order to receive notifications if anything is done with this.
My company also handles CUI and must be NIST 800-171 compliant, and without confirmation we CANNOT move to Cloud once Server reaches EOL.
The compliance driver for this is critical. Looking for updates on FedRAMP/NIST.
Good thread. Also interested in seeing an actual FedRAMP compliance commitment date from Atlassian. Supporting Data Center Jira/Confluence in the Federal space, this is a blocker to cloud modernization.
Good thread, yes, but it has had no traction from Atlassian for over a year. We will be forced into alternative products with the forced migration to Cloud. We recently moved to Data Center to extend the on-premises life of the product.
My company asked me to research Atlassian as a cloud service, but it is not ITAR or NIST compliant. So now I'm thinking of using Google Assured; any thoughts on this choice?
To others revisiting this thread and having the same worries: I found this plugin for Jira Cloud a few weeks back, but do not know enough to say whether it is sufficient. If anyone knows whether this would work, please let me know.
Jira ITAR Compliance (stratokey.com)
That looks pretty good and definitely worth looking into further. They have a similar plugin for Confluence as well. This may be the solution.
Also commenting as we need JIRA cloud to be NIST 800-171 compliant.
Is there any progress on this?
@Hubert Bandurski I don't think so. This was the most recent article I found while trying to double-check on this a few months ago, and it is what solidified us going with DC:
It’s official- FedRAMP Moderate has a new date in ... - Atlassian Community
@Jordan Hauser Thanks for replying. It seems like the FedRAMP dates are far away, and knowing how things work, we are looking at 2025.
DC carries additional costs and I am still not sure about NIST 800-171 compliance.
We will have no choice but to move away from JIRA. What is everyone else doing then?
AFAIK, Data Center is indeed compliant as it's hosted on premise; think of it like Server's big brother. If you were already using Jira Server, then you'll be good.
Yeah, costs are ridiculous, but what can you do when they just decide to nix the affordable option, other than comply or find a new service?
If you are government-related or some kind of subcontractor, I recommend looking into Carahsoft. They were very helpful when I was dealing with this exact situation.