FBI CJIS Security Policy

GC
Contributor
September 3, 2021

With the end-of-life approaching for Confluence and Jira server products, we are looking at the cloud offerings from Atlassian. We really enjoy using the products, but only have a small license count, which makes the datacenter license impractical.

We are a government organization, subject to the FBI CJIS Security Policy (CSP): https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Has Atlassian worked with any other government customers to meet CSP requirements?

Some of the requirements are: (a) the policy requires that prior to having direct or indirect access to our data we would complete successful (no felonies...) background checks on any cloud provider staff or contractors or other cloud provider partners, (b) that those staff would take an FBI security training on how to deal with the handling of criminal justice information, (c) the cloud service provider would agree to operate according to the CJIS security policy, (d) including the cloud provider being willing to be audited by the FBI for compliance with the policy.  

2 answers

1 accepted

0 votes
Answer accepted
Filiberto Selvas
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 3, 2021

Thank you for your question, 

We are working with multiple agencies and a sponsor toward obtaining an ATO at the Moderate level for Jira & Confluence; that doesn't meet the requirements you are describing. We currently don't have plans in our roadmap for the type of offering required to satisfy what you enumerate.

If you want to reach out to me on email I will be happy to help you establish contact with our commercial team to look into what alternatives may be available on our Data Center product line. My email is fselvas at Atlassian dot Com

Filiberto Selvas 

DRFavreau
Contributor
April 2, 2023

What's the update on this? It's been two years.

2 votes
Michael Corvin
Contributor
September 3, 2021

The deprecation of the self-hosted server versions of Confluence, Jira and Crowd is similarly a massive problem for our small company, partners, our NASA and other Government customers. The inability to meet NIST and the coming CMMC security requirements with the cloud offering makes it a nonstarter for us.   We need solutions that we host within our security boundaries.

The data center offering is totally out of scale for us as it is for GC.

Additionally, the cloud version of Confluence can no longer meet our use cases due to loss of functionality compared to the last server version.

As a result, I expect we will be forced to replace Confluence and Jira with other solutions for future projects and missions.  After over a decade of using them and development of tools to provide automation this is an extremely aggravating situation and will cost us a lot of time and effort.

Vidya Balasubramanian
Atlassian Team
September 3, 2021
Hi Michael,
Thank you for sharing details.
As Fili indicated we are working towards a FedRAMP Moderate authorization. FedRAMP Moderate is built on NIST 800-53 controls. It appears the FedRAMP Moderate environment would support the needs of CJIS Security policy controls - here's the control mapping from NIST 800-53 to CJIS to further that point: https://www.fbi.gov/file-repository/csp-v5_5-to-nist-controls-mapping-1.pdf
As Fili has mentioned we currently don't have plans in our roadmap for the type of offering required beyond the CJIS security policy controls to satisfy what you enumerate. 
Thanks,
Vidya
Mark Montminy
Contributor
September 4, 2021

No amount of certification is going to move certain business segments to the cloud. If you're using Atlassian to host classified data in a SCIF it's not ever going to the cloud no matter how many certs are obtained.

Now one could argue that losing a handful of 25 to 100 user licenses isn't a big deal. Except that companies like to standardize around tools. I don't want my team to have to administer multiple wikis, issue trackers, etc.

If I'm going to have to replace my small instances with another product, I'm most likely going to replace my big instances with the same other product.

The easiest fix to this problem is for Atlassian to offer licensing options below 500 users for Data Center.

Or come up with a more flexible means of allocating those 500 users across instances.

Let companies buy licenses for the company not the instance, then allow them to divvy up those licenses across instances. Keep it simple and leave it at the same tiering levels used by server. Then none of the product license or addon structure needs to change.

The license management in myatlassian just scales to allow a company to split up the licenses they own across instances. Then I can buy a 2000 tier, peel 500 off for one instance, 250 for another two, leaving me with 1000 for my main.

Now my small instances remain reasonably cost-effective.

I don't care about the demise of Server. I like the move back to a simple on-prem / cloud model that existed before DC. I don't even mind the moderate increase in cost since we're getting functionality from DC for it (even though some won't benefit). What I do mind is DC pricing itself out of reach for small instances. I've got 3 instances that will have to leave Atlassian over this, and if we do the rest will likely follow over time.

Vidya Balasubramanian
Atlassian Team
September 7, 2021

Thanks for the detailed explanation.  Please feel free to reach out to me or Fili on email and we will be happy to help you establish contact with our commercial team to look into what alternatives may be available on our Data Center product line.  Fili's  email is fselvas at Atlassian dot Com and mine is vbalasubramanian@atlassian.com.

Thanks,

Vidya

GC
Contributor
November 3, 2021

Vidya- My colleague has reached out to Filiberto numerous times without reply.  Please advise.  -Gordon

Filiberto Selvas
Atlassian Team
November 3, 2021

@GC, I apologize, I don't recall seeing any messages. Can you contact me at fselvas at Atlassian dot com? Or give me your email here and I will reach out to you.

GC
Contributor
November 3, 2021

I have sent an email - it should be with you shortly.  Thanks Filiberto!

GC
Contributor
November 4, 2021

It looks like we got connected, thanks again!
