FedRAMP
The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP)®, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements.
Following the passage of the FedRAMP Authorization Act and the release of OMB Memorandum M-24-15, FedRAMP underwent a major modernization—effectively establishing a very different program under the same name. As part of this overhaul, the FedRAMP Program Management Office (PMO) onboarded a cohort of federal technical experts to bring the technical review in-house, and the program launched FedRAMP 20x, a new cloud-native initiative that replaces traditional paperwork-based reviews with automated, continuously validated authorization processes.
Important terminology update: As of May 4, 2026, FedRAMP changed the single official label for all FedRAMP authorizations to FedRAMP Certification (or FedRAMP Certified), aligning with the FedRAMP Authorization Act's definition of an authorization as a certification that a cloud product or service has completed a FedRAMP authorization process. Any cloud service with a FedRAMP Certification is FedRAMP authorized for the purposes of meeting statutory or regulatory requirements, including adequacy for use by an agency to authorize the operation of that cloud service within a federal information system.
At the same time, the previous impact "levels" (Low, Moderate, High) were replaced with FedRAMP Certification Classes (A, B, C, and D). FedRAMP retired the term "levels" and numbers to avoid confusion with the DoD Impact Level (IL) system, and to better reflect that a baseline defines the scope of the assessment and certification—not the total quality or security of the cloud service. FedRAMP continues to use four baselines, which map to the new classes as follows:
| Certification Class | Previous baseline(s) |
|---|---|
| Class A | New pilot baseline |
| Class B | Low-Impact SaaS (Li-SaaS) and Low |
| Class C | Moderate |
| Class D | High |
A transition period applies, during which the old and new labels are linked; full details and expectations will be provided in FedRAMP's Consolidated Rules for 2026.
FedRAMP authorization continues to require an assessment by an independent third-party assessment organization (3PAO) that is accredited by the program. The technical review is now conducted by the federal technical experts within the FedRAMP PMO.
FedRAMP remains based on the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 standard, augmented by FedRAMP-specific controls and control enhancements. Importantly, a FedRAMP Certification is not itself a guarantee that a cloud service is appropriate for use at a given NIST FIPS 199 security category — FedRAMP does not make that determination on behalf of an agency. Instead, agencies use a FedRAMP Certification Package to authorize a cloud service at the security category they deem appropriate, following the Risk Management Framework.
Jira, Confluence, and Jira Service Management have achieved FedRAMP Certification (formerly known as FedRAMP Moderate Authorization, now Certification Class C). Please reach out to our government team if you're interested in learning more.
Relevant products
Project and issue tracking
Jira
document collaboration
Confluence Cloud
high-velocity itsm
Jira Service Management
Our team is here to help
Have more questions about our compliance program?
Do you have cloud certifications? Can you complete my security & risk questionnaire? Where can I download more information?
Trust & security community
Join the Trust & Security group on the Atlassian Community to hear directly from our Security team and share information, tips, and best practices for using Atlassian products in a secure and reliable way.
Atlassian support
Reach out to one of our highly-trained support engineers to get answers to your questions.