At around this time last year, Atlassian Government Cloud (AGC) received its FedRAMP Moderate certification. This is great news for government teams and contractors using Jira or other Atlassian products. It means you can finally move your Jira work to AGC while keeping your data safe and in line with federal requirements.
The Atlassian FedRAMP authorization focuses on what matters most to the US government. This includes cloud security, protecting sensitive data, continuous monitoring, and other security concerns.
In this post, we’ll look at what FedRAMP is and which Atlassian products are FedRAMP certified. We’ll also cover how FedRAMP affects your data security and why you need to authorize Marketplace apps.
What Is FedRAMP?
FedRAMP stands for the Federal Risk and Authorization Management Program.
It is a US federal government program that evaluates, authorizes, and continuously monitors cloud products or services that the government wants to use. The products get reviewed for security and potential risks before government teams and partners are allowed to adopt them.
When a cloud product meets FedRAMP requirements, it receives an authorization at one of three impact levels:
- Low. Meaning the adverse effect is limited.
- Moderate (Serious adverse effect).
- High (Severe adverse effect).
These levels measure the potential impact of a security incident on the confidentiality, integrity, and availability of data.
What’s The Current Atlassian FedRAMP Status?
Atlassian received its FedRAMP Moderate authorization status in March 2025 and is listed on the FedRAMP Marketplace.
This authorization applies specifically to Atlassian Government Cloud and its products. It does not extend to the commercial Atlassian Cloud environment and marketplace apps.
But what does FedRAMP Moderate authorization actually mean?
FedRAMP Moderate authorization simply means the US government has approved that Atlassian Government Cloud actually meets its federal security standards. It is authorized to handle Controlled Unclassified Information (CUI).
CUI refers to sensitive but unclassified data, like PII, financial records, trade secrets, sensitive HR records, and internal policy documents.
Important note: Government Cloud is not intended for classified information. Classified workloads require separate compliance frameworks and secure environments.
This Moderate authorization requires that Atlassian:
- Has a dedicated platform. This is where Atlassian Government Cloud comes in.
- Strictly adheres to NIST’s SP 800-53 Rev 5 security standard. This framework covers controls like access control, encryption, multi-factor authentication, audit logging, incident response, and more.
- Continuously monitors security.
- Has a shared responsibility model.
The list goes on. Why is all this important for government teams and contractors?
How Atlassian Protects Government Data
Having a dedicated Atlassian Government cloud infrastructure keeps your government data separate from the commercial cloud environment.
In practice, this means:
- You’ll have separate Atlassian Government apps, services, administration, and migration tools.
- No data “comingle” with commercial customer data.
- Data can only enter or leave the AGC environment upon approval.
- Access is restricted to only the US government and its contractors.
- The platform is hosted on AWS East/West to meet federal data residency and reliability requirements.
- The platform is continuously monitored and undergoes regular audits to stay aligned with NIST controls.
So, if you’re planning to adopt Atlassian Government Cloud, go ahead. It isn’t just secure. Adopting it means you’ll maintain compliance with federal security and governance requirements required to drive mission access.
Is Jira FedRAMP Certified?
Jira is FedRAMP Moderate authorized only when used in the Atlassian Government Cloud.
If you have an Atlassian account you use to log into the commercial cloud apps, then your version of Jira does not have FedRAMP authorization. A cross-partition gateway separates the two platforms.
An Atlassian Government account is a separate platform specifically built for government use. Because of the unique security challenges the government faces, this platform requires a FedRAMP Moderate Authority to Operate (ATO). This ATO also applies to every app and service AGC offers.
These apps include:
- Confluence
- Jira software
- Jira Service Management (JSM)
Quick note: Commercial Atlassian Cloud apps do not require FedRAMP moderate authorization because they are designed for “the private sector” and general business use.
Table: Atlassian Government Cloud vs Commercial Cloud
Here’s a side-by-side comparison of how Atlassian Government Cloud differs from the commercial account:
| Feature | Atlassian Government Cloud | Commercial Atlassian account |
| FedRAMP status | FedRAMP Moderate controls and requirements are met. | Not authorized |
| Who can use it? | It is used only by the US government, contractors, or anyone doing government-related work. Built for federal cloud migration. | Anyone in the public or private companies can use this account. |
| Compliance focus | FedRAMP Moderate and TX-RAMP authorized. | Commercial security frameworks like SOC2, ISO 27001, and GDPR |
| Shared responsibility model | Atlassian handles infrastructure compliance.Your agency is responsible for configuration management, data classification, user access management, incident reporting, and system documentation. | Atlassian manages the “security of the cloud,” but you are responsible for the “security in the cloud.” |
| Data isolation | Your government data, apps, and services live in its own isolated government cloud environment. | Data is locked behind the “tenant ID,” so others can’t see it. |
| Data residency | Strictly in the United States via AWS. | Teams can access it globally from around the world. |
| Marketplace apps | It is limited to AGC-compatible apps. | You’ll have full access to a wide range of third-party apps that are available to install instantly. |
| Cost | It is 25% more expensive than our Cloud Enterprise plan. | Contact sales for info about the cloud enterprise plan. |
What’s Ahead?
Currently, Atlassian has indicated they’re working towards FedRAMP High and Impact level 5, which is critical for agencies like the Department of War.
For the community, this is a good time to:
- Understand the compliance needs of regulated customers
- Explore how existing tools or services can align with these standards
- Stay close to Atlassian’s updates around government and enterprise security
Jira FedRAMP Use Cases in Federal & Public Sector
Interested in how federal teams are actually using Jira inside Atlassian Government Cloud?
Here are some of the most common use cases across federal and public sector organizations:
- Case management. To reach a solution quickly, various teams use Jira to manage cases through structured stages from intake, documentation, investigation, and resolution.
- IT service management (ITSM). With Jira Service Management, IT teams can manage hardware, software, and service requests through standardized processes.
- Program management. For example, let’s say your agency is overseeing dozens of concurrent projects. Each has its own budget, timeline, and objectives. Jira can help PMs optimize project tracking while accommodating different workflows.
For instance, you can use portfolio-level templates to:- Flag problems that fall behind
- Allocate resources based on need
- Compare progress across teams
- Give updated reports to leadership
- Compliance and legal reviews. There are usually multiple approvals required when new regulations are updated or policy changes are made. You can have Jira workflows that include specific gates, such as “Pending Legal Review” or “Policy Approval Required.” This allows teams to track exactly where a task stands.
This structure supports:- Faster document routing
- Reduced email-based follow-ups
- Clear timelines for sign-offs
- Cross-agency collaboration. Different teams, departments, and key stakeholders can stay organized using shared projects, reports, and real-time tracking. People can coordinate work using role-based permissions, comments, attachments, and more.
To streamline workflows and boost your efficiency, you’ll often need approved marketplace apps to customize your experience within the Government Cloud.
How To Find and Authorize Marketplace Apps in Atlassian Government Cloud
Not all Marketplace apps are readily available on Atlassian Government Cloud, as vendors must create compatible versions.To find compatible AGC apps, you can browse the Atlassian Government Cloud collection on the Marketplace. This collection provides a complete list of apps that are approved for use within AGC.
Pro tip: If a marketplace app that’s critical to your workflow isn’t available in AGC, contact the vendor directly. Let them know that you would like to use it with an Atlassian Government app.
Conduct a Security Assessment (It’s a Requirement)
While marketplace apps must be AGC compatible, they do not require FedRAMP compliance. They are also not required to store customer data in the US.
However, customers have to conduct a security assessment for each Marketplace app they want to install. This assessment is required by the Federal Information Security Modernization Act (FISMA) and the Risk Management Framework (RMF) Assessment and Authorization (A&A) Process. It ensures that external services interacting with your system protect the confidentiality, integrity, and availability of data.
What you’ll be doing is:
- Verify where the app’s data is stored
- Assess the app’s security posture
- Evaluate how data flows between AGC and the app
Important note: Look for the “Runs on Atlassian” badge under Trust Signals in the Marketplace listing. This badge indicates that the app supports data residency controls and does not egress data outside the Atlassian Government environment.
If an app does not have this badge, it doesn’t mean you can’t use it. It simply means additional review may be required.
Read this page for a quick checklist on what needs to be done to authorize an ACG app.
Bonus: Use Issue Templates to Create Repeatable Jira Workflows in Atlassian Government Cloud
By now, you understand why Atlassian’s FedRAMP Moderate authorization is essential. You need a separate Atlassian Government Cloud that protects sensitive data, is continuously monitored, and uses only compatible marketplace apps.If you’re building project templates in Jira (which standardizes workflows across various teams, departments, and projects), you can streamline your Jira workflow further with Easy Issue Templates for repetitive Jira work items.
Easy Issue Templates for Jira
This tool lets your teams create reusable issue templates for projects with recurring work items or processes.
Instead of natively cloning work items, which only partially solves the problem, Easy Issue Templates for Jira allows you to:
- Design scalable epic → task → subtask hierarchies, plus complex ones.
- Predefine required fields, instructions, descriptions, summaries, etc with saved data.
- Use pre-filled fields, checklists, and variables to ensure every issue contains the exact information required for your mission.
- Reduce configuration errors by enforcing standardized issue creation
Most specifically, the Easy Issue Template for Jira aligns with key AGC requirements. It’s developed on Forge, holds a “Run on Atlassian” trust badge, and has SOC 2 Type II compliance.
How to Move to the Cloud for Government Teams
To migrate to AGC faster, you can generally follow these steps:
- Assessment phase. You must evaluate everything in your current setup, including apps, customizations, and data size, before you can begin migration. This involves using the Atlassian MAGIC framework to identify what needs to move to the cloud.
- Planning phase. As soon as you finish assessing the current setup, assemble a migration team that includes key stakeholders. This team will help you define your objectives, create a timeline, and develop a migration strategy.
- Preparation phase. During this phase, you can set up your cloud environment and prepare for stage tests.
- Testing phase. This is the phase where you run pre-migration tests. The goal is to validate data integrity, user permissions, workflows, and system performance. When you identify an issue, resolve it as quickly as possible.
- Migration phase. When everything from your data and users to configurations is ready, it’s time to move to the cloud.
- Launch phase. Finally, let your team know the migration is complete. Walk them through best practices and tips for successfully rolling out Atlassian Government Cloud in your organization.
Quick tip: Get in touch with your Atlassian representative or partner as soon as possible and work with them throughout this migration.
For more detailed information, visit this Atlassian page to kick off your journey to the cloud.
FAQs about Atlassian FedRAMP
Is Jira FedRAMP certified?
Atlassian’s FedRAMP Moderate authorization requires the Government Cloud platform, and all products within it are certified. That includes Jira, Confluence, and Jira Service Management. Only the commercial version of Jira is not FedRAMP authorized.
Are Marketplace apps allowed in FedRAMP environments?
Yes, but only marketplace apps that are compatible with Atlassian Government Cloud can be installed. In addition, all agencies must review and authorize an app before using it.
What is the difference between Government Cloud and commercial cloud?
Atlassian Government Cloud is built only for US government agencies and contractors. It also runs in a FedRAMP Moderate authorized environment. In contrast, the commercial Atlassian cloud is designed for other businesses and does not operate under FedRAMP requirements. Anyone else in the world can use it.
How do government agencies migrate to Atlassian Cloud?
For a government agency to migrate to the Cloud, you need an Atlassian Government Cloud account. It is advisable to contact your Atlassian representative and work with them throughout this migration journey.
Conclusion
Atlassian’s FedRAMP Moderate Authority to Operate doesn’t really change the way you work. That’s the best part. You still get the same familiar features in Jira, but now they operate in an environment that is safe enough for the US government.
The FedRAMP authorization ensures that sensitive data in your Atlassian Government Cloud account is protected and continuously monitored.
In addition, you can also use compatible marketplace apps like Easy Issue Templates for Jira to simplify and automate repetitive Jira issues and speed up work.For agencies planning a federal cloud migration, now’s the time to start. The sooner you begin your migration, the easier it will be on your team when the data center’s end-of-life deadline fast approaches.
