Atlassian Government Cloud shared responsibility model

Atlassian Responsibility:

We provide platform controls, an initial admin account, SAML single-sign on integration, and audit logs.

Customer Responsibility:

Manage access permissions for users, vendors, and partners in the following ways:

• Manage access via customer-defined groups with specific permissions (e.g., hiring manager, recruiter, administrator).

• Give users access permissions based on valid authorizations and intended usage.

• Implement processes to receive notification of account changes within these timeframes: 24 hours for unnecessary accounts, 8 hours for terminated or transferred users, and 8 hours for changes in system usage or access needs.

• Modify, disable, and remove accounts based on terminated and transferred users.

• Conduct annual reviews of user accounts.

• Establish processes for reissuing credentials.

AC-2(a, b, c, d, e, f, g, h, i, j, k, l)

Manage individual user accounts in the following ways:

• Grant user accounts permission based on their roles.

• Determine temporary and emergency accounts.

• Configure your identity provider to disable expired accounts within 24 hours.

• Monitor new, reactivated, disabled, and removed user accounts.

• Monitor account usage and establish processes for reporting incidents.

• Disable user accounts of individuals posing significant risks within one hour.

AC-2(1),(2), (3 a, b, c, d), (4), (5), (7 a, b, c, d), (9), (12 a, b) (13)

Ensure that only authorized individuals have admin permissions.

AC-3

Define and document Separation of Duties (SoD) for individuals with authorized access.

AC-5(a,b)

Grant user accounts only the access permissions necessary to perform their job.

AC-6

Configure your identity provider to enforce a limit on unsuccessful login attempts.

AC-7(a,b)

Ensure that your Lightweight Directory Access Protocol (LDAP) system displays the message for users to acknowledge usage conditions under FedRAMP.

AC-8(a,b)

Document usage restrictions, configuration, connection requirements, and implementation guidance for each remote access connection.

AC-17 (a,b)

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

AC-17(2)

Route all remote access connections through managed network access control points.

AC-17(3)

Refer to our documentation for more information:

• Understand user provisioning

• Edit a group

• View audit log activities

• Give users admin permissions

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

We provide audit logs with apps and administration activities.

Customer Responsibility:

Monitor your organization’s data deletions, data access, data changes, permission changes, and admin activities.

AU-2(a)

Refer to our documentation for more information:

• What activities does the audit log include?

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

We provide SAML single sign-on configuration.

Customer Responsibility:

Integrate hardware-based smartcards with single sign-on using SAML 2.0.

IA-2(12), IA-8, IA-8(1), IA-8(2 a,b), IA-8(4)

Manage user identifiers in the following ways:

• Provision a unique identifier for each user.

• Implement processes that ensure user identifiers aren’t reused for a minimum of two years.

IA-4(a,b,c,d)

Manage passwords and authenticators in the following ways:

• Verify that users don’t use commonly used, expected, or compromised passwords.

• Store only encrypted authenticators in your identity provider.

• Require a user with a recovered account to create a new password.

• Allow users to select long passwords and passphrases with spaces and special characters.

IA-5(a,b,c,d,f,g,h,i)

Protect your authenticators in your identity provider from unauthorized access and changes.

IA-5(6)

Obfuscate passwords during the authentication process.

IA-6

Configure your identity provider to re-authenticate users after the session has been active for 12 hours or after 15 minutes of inactivity.

IA-11

Refer to our documentation for more information:

• Configure SAML single sign-on

• Understand user provisioning

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian & AWS

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

We provide SAML single sign-on configuration.

Customer Responsibility:

Use only FIPS 201-approved PIV/CAC credentials.

SA-4(10)

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None

Atlassian Responsibility:

Inherited from Atlassian

Customer Responsibility:

None