Atlassian Government Cloud shared responsibility model
Atlassian Government Cloud operates under a shared responsibility model for FedRAMP Moderate. This means that some security and compliance controls are managed by Atlassian, some by the customer, and some are shared.
For a comprehensive list of FedRAMP Moderate Controls, visit fedramp.gov. The content on this page is a condensed version of the Atlassian Government Cloud FedRAMP Customer Responsibilities Matrix (CRM). To request access to the CRM, contact Atlassian Support.
Each table outlines a FedRAMP control family and notes whether Atlassian has full or shared responsibility with our customers. For controls with customer responsibility, you will find details and links to documentation. For more about how our apps work, see our full list of apps and features available for Atlassian Government Cloud.
If you are an Atlassian Government Cloud customer, you can request access to the Atlassian Government Cloud FedRAMP Moderate authorization package. When you submit a FedRAMP Package Access Request Form, use Atlassian’s FedRAMP Package ID, FR2412062433.
| Access Control (AC) Control Family | Controls (if applicable) |
|---|---|
| Atlassian Responsibility: We provide platform controls, an initial admin account, SAML single sign-on integration, and audit logs. | |
| Customer Responsibility: Manage access permissions for users, vendors, and partners in the following ways: | AC-2(a, b, c, d, e, f, g, h, i, j, k, l) |
| Manage individual user accounts in the following ways: | AC-2(1), (2), (3 a, b, c, d), (4), (5), (7 a, b, c, d), (9), (12 a, b), (13) |
| Ensure that only authorized individuals have admin permissions. | AC-3 |
| Define and document Separation of Duties (SoD) for individuals with authorized access. | AC-5(a, b) |
| Grant user accounts only the access permissions necessary to perform their job. | AC-6 |
| Configure your identity provider to enforce a limit on unsuccessful login attempts. | AC-7(a, b) |
| Ensure that your Lightweight Directory Access Protocol (LDAP) system displays the message for users to acknowledge usage conditions under FedRAMP. | AC-8(a, b) |
| Document usage restrictions, configuration, connection requirements, and implementation guidance for each remote access connection. | AC-17(a, b) |
| Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | AC-17(2) |
| Route all remote access connections through managed network access control points. | AC-17(3) |
| Refer to our documentation for more information: | |

| Awareness & Training (AT) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Audit & Accountability (AU) Control Family | Controls (if applicable) |
|---|---|
| Atlassian Responsibility: We provide audit logs with apps and administration activities. | |
| Customer Responsibility: Monitor your organization’s data deletions, data access, data changes, permission changes, and admin activities. | AU-2(a) |
| Refer to our documentation for more information: | |

| Assessment, Authorization, and Monitoring (CA) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Configuration Management (CM) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Contingency Planning (CP) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Identification & Authentication (IA) Control Family | Controls (if applicable) |
|---|---|
| Atlassian Responsibility: We provide SAML single sign-on configuration. | |
| Customer Responsibility: Integrate hardware-based smartcards with single sign-on using SAML 2.0. | IA-2(12), IA-8, IA-8(1), IA-8(2 a, b), IA-8(4) |
| Manage user identifiers in the following ways: | IA-4(a, b, c, d) |
| Manage passwords and authenticators in the following ways: | IA-5(a, b, c, d, f, g, h, i) |
| Protect your authenticators in your identity provider from unauthorized access and changes. | IA-5(6) |
| Obfuscate passwords during the authentication process. | IA-6 |
| Configure your identity provider to re-authenticate users after the session has been active for 12 hours or after 15 minutes of inactivity. | IA-11 |
| Refer to our documentation for more information: | |

| Incident Response (IR) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Maintenance (MA) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian & AWS |
| Customer Responsibility: None |

| Media Protection (MP) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian & AWS |
| Customer Responsibility: None |

| Physical & Environmental Protection (PE) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian & AWS |
| Customer Responsibility: None |

| Planning (PL) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Personnel Security (PS) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Risk Assessment (RA) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| System & Services Acquisition (SA) Control Family | Controls (if applicable) |
|---|---|
| Atlassian Responsibility: We provide SAML single sign-on configuration. | |
| Customer Responsibility: Use only FIPS 201-approved PIV/CAC credentials. | SA-4(10) |

| System & Communications Protection (SC) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| System & Information Integrity (SI) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |

| Supply Chain Risk Management (SR) Control Family |
|---|
| Atlassian Responsibility: Inherited from Atlassian |
| Customer Responsibility: None |