Is Google Workspace CMMC, DFARS, and ITAR Compliant?

    By
    4 Minutes Read

    Yes - Google Workspace is CMMC compliant. However, you'll need to seriously evaluate the many caveats and one-off implementations that the platform requires to meet current compliance requirements. 

    Within the defense supply chain, contracts are filled with clauses that mandate the implementation of minimum-security baselines to protect different data types - Defense Federal Acquisition Regulation Supplement (DFARS) 7012, 7019, 7020, 7021, and the upcoming CMMC 2.0 requirements. As a result, DoD contractors are searching for cloud service offerings that can provide productivity and collaboration without compromising the ability to meet regulatory obligations. Unfortunately, many providers and potential customers find that achieving these goals is easier said than done. In this blog, we'll discuss the following commonly asked questions:

    • Is Google Workspace CMMC/NIST compliant? 
    • Is Google Workspace DFARS compliant? 
    • Is Google Workspace ITAR compliant? 

    Google Workspace and Compliance  

    Google workspace’s ability to satisfy the requirements of NIST SP 800-171 and CMMC 2.0 was evaluated by a Certified 3rd Party Assessment Organization (3PAO). As a result of that assessment, Google Workspace was awarded a letter of attestation by the 3PAO which documented the platform's ability to satisfy NIST 800-171 and CMMC 2.0 requirements.  

    Additionally, in July 2022, Google Workspace announced that it earned a DoD Impact Level 4 (IL4) authorization. For organizations to inherit the shared responsibility benefits of the Workspace’s IL4 authorization, they would need to deploy Google’s Assured Workloads. Without this product deployed, the organization’s Google Workspace environment is only a DoD IL2 environment.

    Let's discuss how this impacts DoD contractors that handle CUI / ITAR (export-controlled data). In this section, we will use the results of the IL4 authorization and the NIST 800-171 letter of attestation to analyze Google Workspace's capability to satisfy: 

    • The requirements of CMMC 2.0 / NIST 800-171
    • DFARS 7012 requirements 
    • International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) restrictions  

    Is Google Workspace CMMC/NIST compliant? 

     The 3PAO letter of attestation called out findings with four of the CMMC 2.0 / NIST 800-171 cybersecurity practices:
     

    1. CMMC AC.L2-3.1.9 / NIST 3.1.9Provide privacy and security notices consistent with applicable CUI rules.
      1. Google Workspace is actually incapable of displaying notices at user login, making it incapable of meeting CMMC AC.L2-3.1.9 / NIST 3.1.9. The organization would have to find a compatible and compliant 3rd party technology in order to successfully implement this control.

    2. CMMC IA.L2-3.5.6/ NIST 3.5.6 - Disable identifiers after a defined period of inactivity.
      1. Workspace would require the organization to put manual processes in place to disable identifiers inactive outside of the organization's determined limits. Both controls can be fulfilled by the organization but not automated through the capabilities within Google Workspace.  

    3. CMMC IA.L2- 3.5.7 / NIST 3.5.7 - Enforce a minimum password complexity and change of characters with new passwords are created.

    4. CMMC IA.L2- 3.5.8 / NIST 3.5.8Prohibit password reuse for a specified number of generations.  

    Contrary to the findings of the NIST 800-171 attestation letter, Google Workspace can meet both CMMC IA.L2- 3.5.7 / NIST 3.5.7 and CMMC IA.L2- 3.5.8 / NIST 3.5.8. Admins in Google Workspace are capable of enforcing and monitoring password requirements for all users. The list of custom configuration capabilities includes things like password length, strength, and period allowed for re-usage. Because of this, the admin can configure the password policy in Workspace to mimic their organizationally defined password values to meet help them satisfy both of the controls listed above.

    Ultimately, satisfying CMMC 2.0 / NIST 800-171 requirements with Google Workspace is possible but depends on the organization's ability to compensate for the identified control deficiencies in CMMC AC.L2-3.1.9 / NIST 3.1.9 and CMMC IA.L2-3.5.6/ NIST 3.5.6. 

    cui

    Does Google Workspace meet DFARS Requirements? 

    Paragraphs b-g of DFARS 252.204-7012 include requirements for organizations regarding their information system and the cloud services they use. For example, paragraph b requires DIB organizations to successfully ensure that adequate security is applied to their information system and cloud services, with adequate security being defined as the implementation of NIST 800-171, and cloud services require a FedRAMP moderate authorization or equivalent. 

    As was discovered when evaluating the CMMC 2.0 / NIST 800-171 capabilities of Google Workspace, organizations choosing Google Workspace DFARS compliance have some work to do to achieve compliance. Because Google Workspace is authorized to the FedRAMP HIGH baseline, it also meets the cloud services security requirements of DFARS 7012. 

    However, this is the only paragraph of the clause which Google Workspace can meet without the deployment of Google Assured Workloads. Without assured workloads deployed, the organization does not inherit the control implementations found in the IL4 authorization, many of which allow Workspace to satisfy the incident response, incident reporting, malicious software, media preservation, and forensic analysis requirements found in paragraphs c-g of the DFARS 7012 clause.

    dfars7012

    Is Google Workspace ITAR compliant? 

    Prior to December 26, 2019, Google advised against organizations with ITAR data using their platform because of their business model and staffing. There was no assurance that the data would be stored strictly on U.S soil or that the data would only be accessed by cleared U.S. Citizens (both requirements of export-controlled data). The rules changed a little bit on December 26, 2019, and so did the Google Workspace capabilities. A published interim final rule by the Directorate of Defense Trade Controls (DDTC) amended the International Traffic in Arms Regulations (ITAR) requirements to harmonize with the Export Administration Regulations (EAR). This rule would create ITAR section 120.54 to largely mirror EAR section 734.18, which defines activities that are not exported, re-export, or retransferred. This interim rule made the "ITAR Carve out", giving organizations more flexibility with ITAR requirements, allowing Google Workspace to be ITAR compliant and capable, with extra help.   

    As a result, Google workspace can be leveraged by organizations to meet ITAR requirements if:  

    • Google Client-side encryption (CSE) or another 3rd party CSE solution is leveraged to encrypt the data at the client host 
    • Google Cloud Key management or another 3rd party key management solution is implemented and controlled only by the organization or authorized proxies (MSP/MSSP, etc.) 

    AND 

    • The organization leverages the security and capabilities of the Google Assured Workload product -including performing actions such as dictating their data storage locations. 

    This approach to export-controlled restrictions has quite a few caveats, but it is achievable for DIB contractors. It comes with a more significant workload and more "gotcha" possibilities than its competition.

    Conclusion 

    There is no denying that from the compliance perspective, the Google Workspace platform has benefitted from acquiring its DoD IL4 authorization. With the capabilities found within Assured Workloads, Google Workspace has been put in the conversation when DIB contractors are discussing compliant cloud platforms. However, these conversations must also include the many caveats and one-off implementations which the platform requires to meet these requirements. And although the capability exists, the necessary processes to make the Google Workspace platform compliant come with extra workloads and potential cost considerations. All of which may lead organizations to discover that the effort and cost needed exceeds that provided by the competition.

    Looking for content on Microsoft 365 for CMMC? Start here.

     

    Jason Sproesser

    Author