Jira and Atlassian FedRAMP Compliance
Cloud solutions and services proliferated across the public sector over the past decade. The benefits of the cloud, like scalability and cost-efficiency, have been hard for public entities to ignore, especially during the pandemic. There’s been a consistent increase in federal cloud spending as government agencies work to realize these advantages for themselves.
The cloud also comes with data security and privacy concerns. The Federal Risk and Authorization Management Program (FedRAMP) was introduced in 2011 to encourage agencies to adopt a cloud-first approach while ensuring security. Any cloud-based offering therefore needs to be FedRAMP compliant before federal agencies can use it.
This includes Atlassian's wide range of powerful cloud-based tools, from Jira to Confluence and beyond. Atlassian has a growing community of users with over 200,000 customers and more than 5,000 apps in the marketplace. But where exactly is Atlassian on their FedRAMP certification journey, and how can government agencies best leverage the rich variety of Atlassian products?
Let’s start by explaining just what FedRAMP compliance entails before covering how to build a FedRAMP-compliant Atlassian ecosystem.
The Importance of FedRAMP Compliance
FedRAMP is an American federal government program that standardizes security assessment, authorization, and monitoring for cloud service offerings (CSOs). The framework prescribed by FedRAMP allows government agencies and the technology industry to partner effectively. For cloud service providers (CSPs), a FedRAMP certification instills confidence in their customers, enabling them to collaborate on public sector projects. For federal agencies, a FedRAMP certification indicates that their vendors are following the necessary security guidelines and that government data will be protected.
Using FedRAMP, a CSO is reviewed against a standard baseline. This means that once the offering is authorized by one government agency, all other agencies can use the same authorization without further vetting.
How To Become FedRAMP Authorized
There are two paths you can take as a CSP to get your cloud service offering FedRAMP authorized. You can either go through the FedRAMP Joint Authorization Board (JAB) or work with an individual agency. Both paths involve three stages: preparation, authorization, and continuous monitoring.
During the preparation and authorization stages, there will be a readiness assessment and a full security assessment of the CSO based on the FedRAMP legal framework. A third-party organization accredited by the program conducts the assessment. The FedRAMP Program Management Office (PMO) also performs a thorough technical review of the CSO. On confirmation of adherence, the CSO is granted authorization to operate (ATO).
The final stage, continuous monitoring, ensures that FedRAMP authorization isn’t just a one-time process. The CSP must submit regular reports, such as an annual assessment and monthly vulnerability scans, to demonstrate its sustained adherence to FedRAMP guidelines.
FedRAMP authorization is granted at three different security levels: low, moderate, and high impact. Organizations that would like to offer their technology services to federal agencies must understand the specific certification level they need. The levels are determined based on how well the CSO meets the security objectives of confidentiality, integrity, and availability.
Low impact indicates a basic level of security for data such as usernames and passwords and excludes the storage and use of personally identifiable information (PII). High impact is for especially sensitive information like financial, healthcare, or unclassified defense data. Moderate impact lies in between and is applicable for many CSPs, as this certification level means that PII data can be protected.
Are Atlassian Products FedRAMP Compliant?
Currently, Trello is the only Atlassian product that is FedRAMP compliant straight out of the box. Atlassian has been charting out plans to make their other flagship products easily available to government agencies. It’s expecting to achieve a Moderate FedRAMP ATO for Jira Software and Confluence on Atlassian Cloud in 2023. However, it’s important to remember that FedRAMP is one of the most complex IT certifications, featuring 14 laws and regulations along with 19 standard and guidance documents.
So while the certification may be on its way, you currently need a workaround for federal agencies to take advantage of the Atlassian ecosystem. Although Atlassian doesn’t offer products that are FedRAMP compliant by default, you can still use them within a FedRAMP-compliant environment.
Building a FedRAMP-Compliant Atlassian Ecosystem
Using Atlassian Server or Data Center, rather than Atlassian Cloud, is one way to access the Atlassian product suite. As Server is being sunset, with its end-of-life date fast approaching in February 2024, Data Center is the preferable option for forward-thinking organizations. Your organization can deploy Data Center on-premises or with a third-party cloud provider, in either a clustered or a non-clustered configuration.
Unless your organization has the capability to establish a FedRAMP-compliant environment on its own, look to a FedRAMP-authorized CSP that already implements the security controls mandated by government agencies. But don’t go with just any FedRAMP-authorized CSP. If the CSP lacks experience with Atlassian’s products, your organization will still need to set up and configure its Data Center deployment in the cloud. To avoid this, choose a CSP that has experience with FedRAMP-compliant Data Center deployments so your team can get up and running with Atlassian as quickly as possible.
Ensure FedRAMP Compliance with Contegix
Government agencies that want to take advantage of the Atlassian tool suite need compliant cloud services provided by a company with application-specific experience in the Atlassian ecosystem. Contegix SecureCloud is a secure, reliable FedRAMP Moderate Platform-as-a-Service (PaaS) that delivers highly available and economical cloud solutions to government agencies. It features a multi-tenant cloud environment with the capability of building single-tenant environments for clients that require them.
Contegix is an experienced Atlassian Platinum Solution Partner with years of expertise serving large government agencies and building FedRAMP-compliant Atlassian Data Center deployments. Its array of services is unmatched by any other Atlassian Platinum Partner and ranges from managed application administration to private and public cloud deployments of Server and Data Center. If you’re looking for a team that can align your Atlassian deployment with your organization’s business objectives in a FedRAMP-compliant environment, look no further.
Contact Contegix today to learn more about how its team can help you securely leverage Atlassian’s great products in the cloud.