FedRAMP

The U.S. Federal government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. Congress codified FedRAMP in 2022, as “a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.”

All federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).

Google Cloud’s FedRAMP Compliance

The FedRAMP Board (formerly known as the Joint Authorization Board) is the primary governing body for FedRAMP. It includes the Department of Defense (DoD), Department of Homeland Security (DHS), the General Services Administration (GSA), and other agencies as determined by the GSA Administrator and the FedRAMP director.

The FedRAMP Board has issued a FedRAMP High Provisional Authority to Operate (P-ATO) to Google Cloud and the underlying infrastructure. Google Cloud routinely submits additional services to the Board for FedRAMP High authorization.

If you’re interested in using Google Cloud services to meet your FedRAMP High compliance obligations, you must use Assured Workloads Data Boundary for FedRAMP High and Assured Support. The FedRAMP Moderate control baseline is a subset of the FedRAMP High control baseline. Therefore, if you're pursuing a FedRAMP Moderate ATO for your solution deployed on Google Cloud, you can use any FedRAMP High authorized Google Cloud service in your FedRAMP Moderate authorization boundary.

Google can provide you with the following Google Cloud FedRAMP compliance documentation under a non-disclosure agreement (NDA):

  • Customer Responsibility Matrix (CRM)
  • System Security Plan (SSP)

Our sales team or your Google Cloud representative can help provide access to this documentation. Government customers may also request Google’s FedRAMP package through the FedRAMP Program Management Office using its package request form.

If you buy Google Cloud services through a Google partner, purchase terms and conditions flow down from our partners.

Google Workspace FedRAMP compliance

You can use Google Workspace in compliance with various U.S. federal government and global standards for cloud security and privacy. In addition to maintaining a FedRAMP High P-ATO, Google Workspace is also certified against ISO 27017, 27018, 27001, and is audited against the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) standards. For more information, see Google Cloud compliance offerings.

The entire authorized Google Workspace security boundary is documented, assessed, and managed against the FedRAMP High baseline of security and privacy controls. FedRAMP Moderate control baseline is a subset of the FedRAMP High control baseline. Therefore, if you're pursuing a FedRAMP Moderate ATO for your Google Workspace implementation, any FedRAMP High authorized Google Workspace service can be included in your FedRAMP Moderate authorization boundary. For more information, see Google Workspace FedRAMP configuration guide.

Google Cloud VMware Engine (GCVE) FedRAMP High Readiness

In 2023, the FedRAMP Program Management Office (PMO) completed its review of the Google Cloud VMware Engine (GCVE) FedRAMP High Readiness Assessment Report (RAR) provided by a FedRAMP accredited third party assessment organization (3PAO). Based on the positive results of the review, with no notable capability weaknesses found, GCVE has been accepted as a FedRAMP High Ready offering (FedRAMP Package ID FR2405153785).

Achieving FedRAMP High Ready indicates to the U.S. federal government that GCVE has a high likelihood of achieving a FedRAMP Authorization. GCVE is also certified against ISO 27017, 27018, 27001, and PCI DSS, and is audited against the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) standards.

Hosting FedRAMP Moderate and High Workloads on Google Cloud

Google Cloud’s investment in our security-by-default infrastructure ensures that security controls are built-in and pre-configured to enable you to achieve various compliance levels without a traditional isolated government cloud infrastructure.

As mentioned previously, you must use Assured Workloads if you're looking to deploy your solution using Google Cloud in your FedRAMP Moderate and High environments. Assured Workloads allows you to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. Assured Workloads does not rely on physical infrastructure distinct from the existing Google Cloud public infrastructure. Instead, it delivers a Software Defined Community Cloud that offers cost, speed, and innovation advantages.

FedRAMP-authorized services made available through Assured Workloads implement FedRAMP security controls and allow you to use the capabilities of Google Cloud to meet your organizational needs. Assured Workloads also provides visibility into the compliance state of FedRAMP workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to your auditors.

In addition to the Google Cloud FedRAMP High P-ATO controls, Assured Workloads implements the following key FedRAMP High controls by default:

  1. Guardrails to restrict FedRAMP High customer data location to the U.S.
  2. Technical support staff limited to FedRAMP-adjudicated personnel located in the U.S.
  3. FIPS 140-validated encryption at rest and in transit
  4. Personnel access controls for those with temporary access privileges to customer data
  5. Only FedRAMP compliant products and services allowed
  6. Logical segmentation of the in-scope compliance boundary to support FedRAMP High requirements

Hosting FedRAMP Moderate and High Data on Google Workspace

Google Workspace maintains a FedRAMP High P-ATO, which you can leverage to host FedRAMP Moderate and High data. If you’re looking to deploy Google Workspace in your FedRAMP Moderate and High environments, you should enable the FedRAMP High-authorized services. Learn how to turn a service on or off for Google Workspace.

Moreover, Google Workspace Business and Enterprise editions have built-in security controls and feature sets that enable you to meet FedRAMP High compliance requirements and align your own ATO. As a Google Workspace user, you can configure your environment to meet FedRAMP data residency controls by using a Data Region policy.

Process for Achieving a FedRAMP Authority to Operate (ATO)

If you’re interested in hosting government data on Google Cloud, you may also be interested in pursuing your own Authority to Operate (ATO). You should consider the following milestones for achieving an ATO on Google Cloud:

  • Determine whether the in-scope data requires FedRAMP Moderate or FedRAMP High authorization.
  • Select Assured Workloads for the in-scope Google Cloud services. FedRAMP Moderate is included in the free tier, whereas FedRAMP High requires a premium subscription.
  • Decide on your FedRAMP boundary within Google Cloud.
  • Configure your workloads in accordance with the shared responsibility model, Customer Responsibility Matrix, in-scope Google Cloud services, and FedRAMP guidelines.
  • Undergo an audit with a FedRAMP accredited third party assessment organization (3PAO).
  • Submit your package to the federal agency for review and authorization.

For more information on the ATO process, refer to the FedRAMP website. For extra FedRAMP ATO support from Google Cloud, visit our Google Cloud Consulting page.

FAQs

The Office of Management and Budget's recent FedRAMP draft memorandum, which endorses a modern cloud approach based on logical and software-based separation instead of physical separation, is a strong step in the right direction. Google Cloud has pioneered this approach, and believes it empowers customers to scale and innovate securely.

FedRAMP allows for varying levels of inheritance from cloud service offerings using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a customer deploying applications on Google Cloud.

For example, if your organization prefers to build the entire application stack, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.

Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.

Google is one of the first hyperscale commercial cloud providers to achieve a FedRAMP High authorization on a commercial public cloud offering, and is one of the largest providers of FedRAMP services available on the market today. In the past, hyperscale providers have separated their “govclouds” from their commercial cloud offerings to meet FedRAMP High requirements. This approach can deliver compliance, but these separate environments often don’t come with all the benefits that Google Cloud infrastructure can provide.

Google Cloud’s FedRAMP High authorization enables government agencies processing high impact workloads to adopt technology at a much higher velocity and at the same scale as commercial customers, while leveraging Google’s unique public cloud infrastructure, including both its capabilities and capacity. With Assured Workloads or Assured Controls, customers can confidently secure and configure sensitive workloads to support their compliance and security requirements in the cloud. Choose your security settings, and Google can put the necessary cloud controls in place.

The Google Workspace editions that are FedRAMP authorized are listed below. Refer to the configuration guide for deploying Google Workspace to support compliance with FedRAMP High security controls.

Yes, Assured Workloads is required to achieve either a FedRAMP Moderate or FedRAMP High ATO. Assured Workloads gives Google Cloud the ability to identify customer federal workloads and apply technical guardrails to match changes in federal regulations. Google Cloud has committed to supporting FedRAMP compliance requirements, including those introduced in NIST 800-53 Revision 5 and future releases for workloads running within Assured Workloads.

Moreover, Assured Workloads is the only way for Google Cloud to meet FedRAMP High heightened support and data residency requirements. Assured Workloads isn't applicable to Google Workspace, which has its own Assured Controls.

One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already in place in our underlying infrastructure and Assured Workloads. Therefore, when you submit your FedRAMP package to a federal agency for authorization, you will also include Google’s SSP, which outlines controls that Google Cloud manages. Reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).

GovRAMP is a cybersecurity program established in 2021 to address the needs of procurement and security officials with state and local governments in the U.S. Like FedRAMP, it's built upon the NIST 800-53 framework and is modeled in part after FedRAMP. GovRAMP also relies on FedRAMP accredited 3PAOs to conduct assessments. Google Cloud is ready to support GovRAMP government customers with enhanced data residency and support capabilities via Assured Workloads.

The FedRAMP Marketplace maintains a list of recognized 3PAOs.

Google Cloud’s SSP covers Google-owned resources for penetration testing, and you may inherit this control by using Google Cloud. A penetration test of your own FedRAMP environment built using Google Cloud will also need to be conducted during the 3PAO assessment.

Yes. FedRAMP allows for varying levels of inheritance from cloud service offerings using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a customer deploying applications on Google Cloud.

For example, if your organization prefers to build the entire application stack, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.

Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.

In alignment with NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, customers are seeking to deprecate the use of 3DES. Google Cloud doesn’t use 3DES, but in order to support all our customers, it’s still available on Google endpoints. Within our Assured Workloads organization policies, the TLS Version Restriction Org Policy now provides enhanced security for Google Cloud customers by mitigating the use of less secure 3DES cipher suites. When the policy is enabled on the customer workloads, requests employing 3DES encryption-based cipher suites will be denied access to Google Cloud resources. The TLS Version Restriction Org Policy is enforced by default for FedRAMP Assured Workloads.
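The org policy above is enforced on the Google side; the customer-side counterpart is to make sure your own clients never offer 3DES suites, so nothing breaks when the policy denies them. The following is an added example, not Google Cloud code or a Google Cloud setting: it flags 3DES cipher suites in a list of names (for instance from a scanner report) and builds a client TLS context that excludes 3DES and refuses TLS below 1.2. The cipher string and the sample suite names are assumptions for illustration.

```python
import ssl

# 3DES suites carry one of these tokens in their names, in either the
# OpenSSL spelling (DES-CBC3) or the IANA spelling (3DES_EDE_CBC).
THREE_DES_MARKERS = ("DES-CBC3", "3DES_EDE_CBC")


def uses_3des(cipher_name: str) -> bool:
    """Return True if the cipher suite name identifies a 3DES-based suite."""
    return any(marker in cipher_name for marker in THREE_DES_MARKERS)


def audit_cipher_suites(cipher_names):
    """Return the names a SP 800-131A review would flag as 3DES-based."""
    return [name for name in cipher_names if uses_3des(name)]


def hardened_client_context() -> ssl.SSLContext:
    """Client context that never offers 3DES and refuses TLS < 1.2.

    The cipher string is an illustrative assumption, not a Google Cloud
    setting; the server-side org policy still decides what is accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES:!DES:!MD5:!RC4")
    return ctx


def context_offers_3des(ctx: ssl.SSLContext) -> bool:
    """True if any suite the context would negotiate is 3DES-based."""
    return bool(audit_cipher_suites(c["name"] for c in ctx.get_ciphers()))


# Constructed sample: suite names as they might appear in a scanner report.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",          # 3DES: denied once the policy is on
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # IANA spelling of a 3DES suite
]

if __name__ == "__main__":
    for name in audit_cipher_suites(SAMPLE_OFFERED):
        print("flag:", name)
    print("hardened context offers 3DES:",
          context_offers_3des(hardened_client_context()))
```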

Services in scope

Google Cloud and Google Workspace services in-scope for FedRAMP High are listed in FedRAMP and DoD compliance scope.
