TL;DR: Can you meet CMMC with Google Workspace?
No. Not out of the box, and not with their own included solutions. However, to fully understand why, we need to break this down into the individual components required to meet CMMC with Google. It comes down to four issues:
- DFARS Compliance in Google Workspace
- NIST 800-171 Compliance in Google Workspace
- ITAR Compliance in Google Workspace
- CMMC Compliance in Google Workspace
Is Google Workspace DFARS 7012 Compliant?
No. And they seem to go to great lengths to bury this fact, talking about FedRAMP High P-ATOs, NIST 800-171, but never actually mentioning DFARS 7012. The issue with Google and DFARS 7012 Compliance and Cloud Service Providers lies within Paragraphs C-G covering cyber incident reporting. Paragraph E, which covers media preservation and protection in the event of a cyber incident, requires the preservation of images of all affected information systems and packet/monitoring data for at least 90 days from the initial report to the DoD. Nowhere does Google mention compliance with this requirement.
Is Google Workspace NIST 800-171 Compliant?
Not exactly. In May 2022, Coalfire published their Letter of Attestation for NIST 800-171 in Google Cloud Platform and Google Workspaces. In that letter, they called out four deviations from NIST 800-171.
- NIST SP-800-171 controls: 3.1.9 – Provide privacy and security notices consistent with applicable CUI rules (mapped and associated NIST SP 800-53 rev4 controls: AC-8)
- NIST SP-800-171 controls: 3.1.10 - Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity (mapped and associated NIST SP 800-53 rev4 controls: AC-11)
- NIST SP-800-171 controls: 3.5.6 – Disable identifiers after a defined period of inactivity (mapped and associated NIST SP 800-53 rev4 controls: AC-2 (3) and IA-4)
- NIST SP-800-171 controls: 3.5.7/3.5.8 – Enforce a minimum password complexity and change of characters when new passwords are created, Prohibit password reuse for a specified number of generations (mapped and associated NIST SP 800-53 rev4 controls: IA-5(1))
In order to meet these requirements, you will need to incorporate third-party tools into your environment to fully meet NIST 800-171, which opens its own can of worms based on the compliance capabilities of those tools as well.
Is Google Workspace ITAR Compliant?
Again, not exactly. Google explains that its Client-Side encryption feature meets ITAR requirements for end-to-end encryption. However, if you have export-controlled CUI or NOFORN information, this may not be enough. If you do wish to try, you will need Google Assured Workloads, and Cloud Key Management to secure the environment.
So, Is Google Workspaces CMMC Compliant
The answer is technically no at this time. But with the expectation that CMMC will be moving out of the Defense Industrial Base and into other cabinet-level agencies and even civilian industries, there may come a time when CMMC does not sit on top of DFARS requirements. Even then, the above four deviations will need to be addressed at the organizational level to fully meet the controls in NIST 800-171.
Migrating from Google to GCC or GCC High
Moving from Google Workspace, Gmail, and Google Drive to Microsoft 365 is rather straightforward, however moving to GCC and GCC High is more complex, and failing to properly migrate can leave CUI in unsecured places, and increase the risk of non-compliance. Agile IT has implemented, migrated, and managed GCC High for hundreds of clients, and has a deep understanding of Google to GCC High migrations. To find out what you need to make the move, request a quote, or schedule a call.