Can You Meet CMMC with Google Workspace?
Is Google Workspace CMMC compliant? Learn about its DFARS, NIST 800-171, and ITAR limitations and how migrating to GCC High ensures full compliance.

Can You Meet CMMC 2.0 With Google Workspace?
Organizations within the Defense Industrial Base (DIB) need to start working towards CMMC 2.0 compliance now so that they’ll be ready when the June 2028 deadline arrives. Yet, is this something that you can achieve using Google Workspace? The short answer is yes, but you may need one-off implementations and third-party software to meet your compliance and productivity needs. The fact is that Microsoft’s Government Community Cloud (GCC) High environment still offers more robust security, compliance, and productivity features for government contractors who must secure Controlled Unclassified Information (CUI) to comply with CMMC 2.0. Keep reading to learn more about Google Workspace’s compliance features and the benefits of migrating to a Microsoft cloud environment.
Is Google Workspace DFARS 7012 Compliant?
Until recently, one of Google Workspace’s biggest downsides was that it was not entirely compliant with DFARS 7012, as Google did not mention compliance with DFARS 7012 clause E, which covers media preservation and protection in the event of a cyber incident. The good news is that Google has put significant work into improving its compliance, and customers can now use Google Cloud and Google Workspace to comply with DFARS using their defined FedRAMP Moderate and FedRAMP High controls. By enabling Assured Workloads and Assured Controls, DoD contractors can meet the requirements of DFARS 252.204-7012 by creating compliant boundaries or system enclaves within their Google Cloud environments. Google even gives an in-depth explanation of its commitment to meeting each clause of DFARS 7012, including how it helps customers preserve data in the event of a cyber-attack. Unfortunately, not all Google services are FedRAMP compliant, and it is up to users to turn off services within the Google Cloud environment that have not yet been FedRAMP authorized.
Is Google Workspace NIST 800-171 Compliant?
When assessing whether it’s possible to achieve CMMC compliance while operating in a Google Cloud environment, a good place to start is by evaluating whether Google meets the requirements of NIST 800-171, as CMMC 2.0 is currently aligned with NIST 800-171 Revision 2 (R2).
Historically, there have been concerns regarding Google’s ability to maintain NIST compliance, and as recently as May 2022, a CMMC Third-Party Assessor Organization (C3PAO) found four deviations from NIST 800-171. This presented a significant challenge for government contractors, as they would need to implement third-party tools to meet compliance requirements while using Google Workspace.
To address these concerns, Google has taken corrective actions, and in June 2024, a Letter of Attestation from authorized C3PAO Coalfire confirmed that the tested Google Services, including Google Workspace, align with the requirements established in NIST 800-171 Revision 3 (R3).
However, it’s important to note that CMMC 2.0 still follows NIST 800-171 R2, and R3 has not yet been codified into CMMC requirements. While Google’s alignment with NIST 800-171 R3 is a positive step forward, it does not yet guarantee full CMMC compliance until CMMC formally adopts R3, which is expected to take at least another year.
For government contractors seeking CMMC compliance today, Google Workspace’s current compliance with R3 does not automatically ensure CMMC 2.0 certification, as assessments are still based on R2 requirements. Contractors should carefully evaluate their security implementations and consider additional compliance measures to maintain their CMMC standing while using Google Workspace.
Is Google Workspace ITAR Compliant?
One of the biggest downsides of trying to secure CUI in a Google Workspace environment is that Google Workspace may not be sufficient for organizations that must maintain International Traffic in Arms Regulations (ITAR) compliance. While Google claims that Assured Workloads can be used to help organizations meet the requirements of ITAR’s end-to-end encryption carveout, this doesn’t tell the whole story. While Google’s client-side encryption feature meets ITAR requirements for end-to-end encryption, this may not be enough if you have to export controlled CUI or NOFORN information. If you wish to try, you will need Google Assured Workloads and Cloud Key Management to secure the environment.
So, Is Google Workspace CMMC 2.0 Compliant?
Given all of the information we’ve gone over above, you may still be uncertain whether Google Workspace is CMMC 2.0 compliant. So, what is our verdict? While organizations can technically achieve CMMC compliance while working in a Google Cloud environment, this is not something we recommend. This is because achieving CMMC 2.0 compliance with Google Workspace can be complex and will require workarounds, third-party software, and the deployment of Google Assured Workloads to properly secure the CUI your organization processes, stores, and transmits. Another reason we would caution against DoD contractors using Google Workspace is that Google has only achieved the U.S. Department of Defense’s Impact Level 4 authorization. Organizations that handle mission-critical data and highly sensitive CUI, and that must maintain Impact Level 5 (IL5) certification, therefore cannot rely on Google Cloud. Furthermore, even if you’re only required to maintain Impact Level 4, continuing to use Google Workspace limits your future opportunities that may require you to achieve IL5 certification.
The Benefits of Migrating From Google to GCC or GCC High
While Google Workspace offers a comprehensive suite of cloud-based productivity applications and services, its security and compliance features are insufficient to ensure organizations within the DIB can maintain CMMC 2.0 certification. The best way for your organization to ensure it has the resources it needs to secure CUI and maintain its compliance obligations would be to instead migrate to Microsoft Government Community Cloud (GCC) High. Not only does GCC High have IL5 certification, but it provides government contractors with additional benefits including:
- Enhanced Security and Compliance Features: The biggest downside of operating in Google’s cloud environment is that they offer minimal security and compliance features. Alternatively, Microsoft GCC High is specifically designed to meet the unique security needs of government contractors and agencies. By choosing GCC High, you will have access to all of the security features Microsoft offers including advanced threat protection, device management, and encryption, giving you the tools you need to properly protect the CUI your organization handles.
- Unified Collaboration: Not only will choosing GCC High enhance your organization’s security posture, but its robust collaboration tools like Teams can also streamline collaboration by allowing you to host meetings, share your screen, and collaborate on documents from a single platform.
- Boost Productivity: While Google Workspace can be a useful tool, the fact is that it does not provide as comprehensive a list of productivity tools as Microsoft does. Alternatively, with GCC High, you’ll have access to all of the tools in Office 365, which can streamline operations and boost productivity.
Are You Considering Migrating to Microsoft GCC High? Contact Agile IT Today!
For DoD contractors using Google Workspace, your best option would be to migrate to a Microsoft cloud environment if you must achieve CMMC compliance. This is because Microsoft offers enhanced security features specifically designed to help organizations within the DIB achieve compliance. However, while moving from Google Workspace, Gmail, and Google Drive to Microsoft 365 is rather straightforward, moving to GCC and GCC High is more complex, and failing to properly migrate can leave CUI in unsecured places and increase the risk of non-compliance. The good news is that you do not have to handle this process alone. Agile IT has implemented, migrated, and managed GCC High for hundreds of clients and has a deep understanding of Google to GCC High migrations. To find out what you need to make the move, contact us, request a quote today, or schedule a call to learn how our AgileDefend service can help you enhance your compliance posture and protect your valuable data and how our AgileThrive service keeps you compliant.