Atlassian Government Cloud (AGC) apps on the Atlassian Marketplace do not require FedRAMP compliance. App authorization in AGC is considered a customer responsibility, as stated in the Marketplace Shared Responsibility Model.
However, we do require AGC apps to comply with a set of requirements consistent with customer expectations on FedRAMP compliance. See Security requirements for Atlassian Government Cloud (AGC) apps for details.
When customers authorize an app, they conduct a security assessment focusing on the flow of data between the app and Atlassian. The outcome of this assessment will depend on an individual customer's risk criteria, likely determined by:
What type of data may egress from AGC products to your app’s servers?
In which direction(s) does data flow between your application and AGC products?
What other compliance standards does your app meet (for example, SOC 2, ISO 27001)?
How does your application handle authentication and authorization?
There will be significant variance in each individual customer’s risk criteria and approach to authorization. Some customers may not ask any questions regarding app security, while others may engage their internal security teams to run a detailed security assessment.
See How customers authorize AGC apps for more details.
Jira Software, Jira Service Management, and Confluence on the AGC have FedRAMP Moderate authorization. For more information, refer to Atlassian's FedRAMP compliance documentation.
AGC-compatible apps can be sold and installed on the AGC even without FedRAMP compliance or Authority to Operate (ATO).
Marketplace apps are assessed separately from Atlassian Government Cloud and authorized individually by customers as external services. External service authorization involves approving cloud service offerings (CSOs) that interact with federal data.
While apps do not require FedRAMP authorization, customers will evaluate the app’s security posture and data flows between AGC and the app to determine its authorization. See App authorization for more information.
Authorization criteria will vary significantly by customer. Some may authorize your app, while others may impose restrictions.