
Atlassian Government Cloud shared responsibility model

Atlassian Government Cloud operates under a shared responsibility model for FedRAMP Moderate. This means that some security and compliance controls are managed by Atlassian, some by the customer, and some are shared.

For a comprehensive list of FedRAMP Moderate Controls, visit fedramp.gov. The content on this page is a condensed version of the Atlassian Government Cloud FedRAMP Customer Responsibilities Matrix (CRM). To request access to the CRM, contact Atlassian Support.

Each table outlines a FedRAMP control family and notes whether Atlassian has full or shared responsibility with our customers. For controls with customer responsibility, you will find details and links to documentation. For more about how our apps work, see our full list of apps and features available for Atlassian Government Cloud.

If you are an Atlassian Government Cloud customer, you can request access to the Atlassian Government Cloud FedRAMP Moderate authorization package. When you submit a FedRAMP Package Access Request Form, use Atlassian’s FedRAMP Package ID, FR2412062433.

Access Control (AC) Control Family

Controls (if applicable)

Atlassian Responsibility:

We provide platform controls, an initial admin account, SAML single sign-on integration, and audit logs.

Customer Responsibility:

Manage access permissions for users, vendors, and partners in the following ways:

  • Manage access via customer-defined groups with specific permissions (e.g., hiring manager, recruiter, administrator).

  • Give users access permissions based on valid authorizations and intended usage.

  • Implement processes to receive notification of account changes within these timeframes: 24 hours for unnecessary accounts, 8 hours for terminated or transferred users, and 8 hours for changes in system usage or access needs.

  • Modify, disable, and remove accounts when users are terminated or transferred.

  • Conduct annual reviews of user accounts.

  • Establish processes for reissuing credentials.

Controls: AC-2(a, b, c, d, e, f, g, h, i, j, k, l)

Manage individual user accounts in the following ways:

  • Grant user accounts permission based on their roles.

  • Identify which accounts are temporary or emergency accounts.

  • Configure your identity provider to disable expired accounts within 24 hours.

  • Monitor new, reactivated, disabled, and removed user accounts.

  • Monitor account usage and establish processes for reporting incidents.

  • Disable user accounts of individuals posing significant risks within one hour.

Controls: AC-2(1), (2), (3 a, b, c, d), (4), (5), (7 a, b, c, d), (9), (12 a, b), (13)

Ensure that only authorized individuals have admin permissions.

Controls: AC-3

Define and document Separation of Duties (SoD) for individuals with authorized access.

Controls: AC-5(a, b)

Grant user accounts only the access permissions necessary to perform their job.

Controls: AC-6

Configure your identity provider to enforce a limit on unsuccessful login attempts.

Controls: AC-7(a, b)

Ensure that your Lightweight Directory Access Protocol (LDAP) system displays the system use notification message that users must acknowledge before access, as required under FedRAMP.

Controls: AC-8(a, b)

Document usage restrictions, configuration, connection requirements, and implementation guidance for each remote access connection.

Controls: AC-17(a, b)

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Controls: AC-17(2)

Route all remote access connections through managed network access control points.

Controls: AC-17(3)

Refer to our documentation for more information:


Awareness & Training (AT) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Audit & Accountability (AU) Control Family

Controls (if applicable)

Atlassian Responsibility:

We provide audit logs with apps and administration activities.


Customer Responsibility:

Monitor your organization’s data deletions, data access, data changes, permission changes, and admin activities.

Controls: AU-2(a)

Refer to our documentation for more information:


Assessment, Authorization, and Monitoring (CA) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Configuration Management (CM) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Contingency Planning (CP) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Identification & Authentication (IA) Control Family

Controls (if applicable)

Atlassian Responsibility:

We provide SAML single sign-on configuration.


Customer Responsibility:

Integrate hardware-based smartcards with single sign-on using SAML 2.0.

Controls: IA-2(12), IA-8, IA-8(1), IA-8(2 a, b), IA-8(4)

Manage user identifiers in the following ways:

  • Provision a unique identifier for each user.

  • Implement processes that ensure user identifiers aren’t reused for a minimum of two years.

Controls: IA-4(a, b, c, d)

Manage passwords and authenticators in the following ways:

  • Verify that users don’t use commonly used, expected, or compromised passwords.

  • Store only encrypted authenticators in your identity provider.

  • Require a user with a recovered account to create a new password.

  • Allow users to select long passwords and passphrases with spaces and special characters.

Controls: IA-5(a, b, c, d, f, g, h, i)

Protect your authenticators in your identity provider from unauthorized access and changes.

Controls: IA-5(6)

Obscure (mask) passwords as they are entered during the authentication process.

Controls: IA-6

Configure your identity provider to re-authenticate users after the session has been active for 12 hours or after 15 minutes of inactivity.

Controls: IA-11

Refer to our documentation for more information:


Incident Response (IR) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Maintenance (MA) Control Family

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Media Protection (MP) Control Family

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Physical & Environmental Protection (PE) Control Family

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Planning (PL) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Personnel Security (PS) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Risk Assessment (RA) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

System & Services Acquisition (SA) Control Family

Controls (if applicable)

Atlassian Responsibility:

We provide SAML single sign-on configuration.


Customer Responsibility:

Use only FIPS 201-approved PIV/CAC credentials.

Controls: SA-4(10)

System & Communications Protection (SC) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

System & Information Integrity (SI) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Supply Chain Risk Management (SR) Control Family

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None
