Marketplace apps deployed in Atlassian Government Cloud (AGC) will not require FedRAMP compliance. App authorization in AGC is considered a customer responsibility, as stated in the Marketplace Shared Responsibility Model.
App authorization consists of a security assessment, with a focus on the types of data that flow between the app and Atlassian, and will depend on each individual customer’s risk criteria. Authorization will most likely be determined by how vendors answer the following questions:
What type of data may egress from our Atlassian Government Cloud products to your app’s servers?
In which direction(s) does data flow between your application and our Atlassian Government Cloud products?
What other compliance standards does your app meet? (e.g., SOC 2, ISO 27001)
How does your application handle authentication and authorization?
Risk criteria and the approach to authorization will vary significantly from customer to customer. Some customers may not ask any questions regarding app security, while others may engage their internal security teams to run a detailed security assessment.
Jira Software, Jira Service Management, and Confluence on the AGC have FedRAMP Moderate authorization. For more information, refer to Atlassian's FedRAMP compliance documentation.
AGC-compatible apps can be sold and installed on the AGC even without FedRAMP compliance or Authority to Operate (ATO).
Marketplace apps are assessed separately from Atlassian Government Cloud and authorized individually by customers as external services. External service authorization involves approving cloud service offerings (CSOs) that interact with federal data.
While apps do not require FedRAMP authorization, customers will evaluate the app’s security posture and data flows between AGC and the app to determine its authorization. See App authorization for more information.
Authorization criteria will vary significantly by customer. Some may authorize your app, while others may impose restrictions.