
Can you Meet CMMC with Google Workspace?

Published on Nov 17, 2022

TL;DR: Can you meet CMMC with Google Workspace?

No. Not out of the box, and not with their own included solutions. However, to fully understand why, we need to break this down into the individual components required to meet CMMC with Google. It comes down to four issues:

Is Google Workspace DFARS 7012 Compliant?

No. And they seem to go to great lengths to bury this fact, talking about FedRAMP High P-ATOs and NIST 800-171 but never actually mentioning DFARS 7012. The issue with Google and DFARS 7012 compliance for cloud service providers lies within paragraphs C-G, which cover cyber incident reporting. Paragraph E, which covers media preservation and protection in the event of a cyber incident, requires the preservation of images of all affected information systems and packet/monitoring data for at least 90 days from the initial report to the DoD. Nowhere does Google mention compliance with this requirement.

Is Google Workspace NIST 800-171 Compliant?

Not exactly. In May 2022, Coalfire published their Letter of Attestation for NIST 800-171 in Google Cloud Platform and Google Workspace. In that letter, they called out four deviations from NIST 800-171.

  1. NIST SP-800-171 controls: 3.1.9 – Provide privacy and security notices consistent with applicable CUI rules (mapped and associated NIST SP 800-53 rev4 controls: AC-8)
  2. NIST SP-800-171 controls: 3.1.10 – Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity (mapped and associated NIST SP 800-53 rev4 controls: AC-11)
  3. NIST SP-800-171 controls: 3.5.6 – Disable identifiers after a defined period of inactivity (mapped and associated NIST SP 800-53 rev4 controls: AC-2 (3) and IA-4)
  4. NIST SP-800-171 controls: 3.5.7/3.5.8 – Enforce a minimum password complexity and change of characters when new passwords are created, Prohibit password reuse for a specified number of generations (mapped and associated NIST SP 800-53 rev4 controls: IA-5(1))

To close these gaps and fully meet NIST 800-171, you will need to incorporate third-party tools into your environment, which opens its own can of worms based on the compliance capabilities of those tools.

Is Google Workspace ITAR Compliant?

Again, not exactly. Google explains that its client-side encryption feature meets ITAR requirements for end-to-end encryption. However, if you have export-controlled CUI or NOFORN information, this may not be enough. If you do wish to try, you will need Google Assured Workloads and Cloud Key Management to secure the environment.

So, Is Google Workspace CMMC Compliant?

The answer is technically no at this time. But with the expectation that CMMC will be moving out of the Defense Industrial Base and into other cabinet-level agencies and even civilian industries, there may come a time when CMMC does not sit on top of DFARS requirements. Even then, the above four deviations will need to be addressed at the organizational level to fully meet the controls in NIST 800-171.

Migrating from Google to GCC or GCC High

Moving from Google Workspace, Gmail, and Google Drive to Microsoft 365 is rather straightforward. Moving to GCC and GCC High, however, is more complex, and failing to migrate properly can leave CUI in unsecured places and increase the risk of non-compliance. Agile IT has implemented, migrated, and managed GCC High for hundreds of clients, and has a deep understanding of Google to GCC High migrations. To find out what you need to make the move, request a quote or schedule a call.
