Google Cloud FedRAMP implementation guide

Last reviewed 2024-02-27 UTC

This guide is intended for security officers, compliance officers, IT admins, and other employees who are responsible for Federal Risk and Authorization Management Program (FedRAMP) implementation and compliance on Google Cloud. This guide helps you understand how Google is able to support FedRAMP compliance and which Google Cloud tools, products, and services to configure to help meet your responsibilities under FedRAMP.


Google Cloud supports FedRAMP compliance, and provides specific details on the approach to security and data protection in the Google security whitepaper and in the Google Infrastructure Security Design Overview. Although Google provides a secure and compliant cloud infrastructure, you are ultimately responsible for evaluating your own FedRAMP compliance. You're also responsible for ensuring that the environment and applications that you build on top of Google Cloud are properly configured and secured according to FedRAMP requirements.

This document outlines the FedRAMP Authority to Operate (ATO) phases at a high level, explains the Google Cloud shared responsibility model, highlights customer-specific responsibilities, and suggests how to meet these requirements and guidelines on Google Cloud.


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes how the Federal Information Security Modernization Act (FISMA) applies to cloud computing. It establishes a repeatable approach to security assessment, authorization, and continuous monitoring for cloud-based services.

Using FedRAMP's standards and guidelines, you can secure sensitive, mission-essential, and mission-critical data in the cloud, making it possible to detect cybersecurity vulnerabilities quickly.

At a high level, FedRAMP has the following goals:

  • Ensure that cloud services and systems used by government agencies have adequate safeguards.
  • De-duplicate efforts and reduce risk management costs.
  • Enable government agencies to rapidly and cost effectively procure information systems and services.

In adherence to FedRAMP, federal government agencies must do the following:

  • Ensure that all cloud systems which process, transmit, and store government data use the FedRAMP security controls baseline.
  • Use the security assessment plan when granting security authorizations under FISMA.
  • Enforce FedRAMP requirements through contracts with cloud service providers (CSPs).

Authority to Operate (ATO)

Successful implementation and execution of the FedRAMP accreditation process culminates with an Authority to Operate (ATO) in the cloud. There are two paths for FedRAMP ATO: P-ATO and Agency ATO.

P-ATO, or Provisional Authority to Operate, is granted by the FedRAMP Joint Authorization Board (JAB). The JAB is composed of CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). The board defines the baseline FedRAMP security controls and establish the FedRAMP accreditation criteria for third-party assessment organizations (3PAOs). Organizations and agencies request to have their information system security package processed by the JAB, and the JAB then issues P-ATO to use cloud services.

With Agency ATO, the internal organization or agency designates authorizing officials (AOs) to conduct a risk review of the information system security package. The AO can engage 3PAOs or non-accredited, independent assessors (IAs) to review the information system security package. The AO, and later the agency or organization, then authorizes the information system's use of cloud services. The security package is also sent to the FedRAMP Program Management Office (PMO) for review; GSA is the PMO for FedRAMP. After review, the PMO publishes the security package for other agencies and organizations to use.

Security assessment plan

Authorizing Officials (AOs) at agencies and organizations must incorporate the FedRAMP Security Assessment Plan (SAP) into their internal authorization processes to ensure that they meet FedRAMP requirements for cloud services use. The SAF is implemented in four phases:

Four phases of the security assessment plan.

You or your AO categorize your information system as a Low, Moderate, or High impact system according to FIPS PUB 199 security objectives for confidentiality, integrity, and availability.

Based on the system's FIPS categorization, select the FedRAMP security controls baseline that correlates with the FIPS 199 categorization level of low, moderate, or high. You must then implement the security controls captured in the respective controls baseline. Alternative implementations and justification for why a control can't be met or implemented is also acceptable.

Capture the details of the security controls implementation in a System Security Plan (SSP). We recommend that you select the SSP template according to the FedRAMP compliance level—Low, Moderate, or High.

The SSP does the following:

  • Describes the security authorization boundary.
  • Explains how the system implementation addresses each FedRAMP security control.
  • Outlines system roles and responsibilities.
  • Defines expected system user behavior.
  • Exhibits how the system is architected and what the supporting infrastructure looks like.

You use the FedRAMP authorization review template to track your ATO progress.

For more details about the implementation phases, see the FedRAMP's agency authorization process.

Cloud responsibility model

Conventional infrastructure technology (IT) required organizations and agencies to purchase, physical data center or colocation space, physical servers, networking equipment, software, licenses, and other devices for building systems and services. With cloud computing, a CSP invests in the physical hardware, data center, and global networking, while also providing virtual equipment, tools, and services for customers to use.

Three cloud computing models exist: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS):

  • In the IaaS model, CSPs essentially supply a virtual data center in the cloud, and they deliver virtualized computing infrastructure such as servers, networks, and storage. Although CSPs manage the physical equipment and data centers for these resources, you are responsible for configuring and securing any of the platform or application resources that you run on the virtualized infrastructure.

  • In the PaaS model, CSPs not only provide and manage the infrastructure and virtualization layer, they also provide customers with a pre-developed, pre-configured platform for creating software, applications, and web services. PaaS makes it easy for developers to create applications and middleware without worrying about security and configuration of the underlying hardware.

  • In the SaaS model, CSPs manage the physical and virtual infrastructure and the platform layer while delivering cloud-based applications and services for customers to consume. Internet applications that run directly from the web browser or by going to a website are SaaS applications. With this model, organizations and agencies don't have to worry about installing, updating, or supporting applications; they simply manage system and data access policies.

The following figure highlights CSP responsibilities and your responsibilities both on-premises and across cloud computing models:

CSP and customer responsibilities.

FedRAMP responsibility

You can view the cloud IT stack relative to four layers: the physical infrastructure layer, the cloud infrastructure layer, the cloud platform layer, and the cloud software layer. The following diagram shows these layers.

Layers in the cloud IT stack.

The numbered layers in the diagram correspond to the following:

  1. Software as a service. Google Workspace is also certified as FedRAMP Moderate. In order to inherit these SaaS security controls, you can request a copy of Google's ATO package from the JAB and include a copy of Google's attestation letter in your package.
  2. Platform as a service. In addition to Google Cloud's FedRAMP certified physical infrastructure, additional PaaS products and services are covered by FedRAMP, including App Engine, Cloud Storage, and database services. Use these pre-certified products and services wherever possible.
  3. Infrastructure as a service. In addition to Google Cloud's FedRAMP certified physical infrastructure, additional IaaS products and services are covered by FedRAMP, including Google Kubernetes Engine (GKE) and Compute Engine. Use these pre-certified products and services wherever possible.
  4. Physical infrastructure. Google Cloud is certified by JAB as FedRAMP Moderate. In order to inherit these physical security controls, you can request a copy of Google's ATO package and include Google's attestation letter in your package.

With respect to FedRAMP ATO, each layer of the cloud IT stack is considered an independent control boundary, and each control boundary requires a separate ATO. This means that despite Google Cloud's FedRAMP compliance and having dozens of Google Cloud services that are covered by FedRAMP, you are still required to implement FedRAMP security baseline controls and the SAF process to qualify your cloud systems and workloads as FedRAMP compliant.

There are two types of FedRAMP security controls across Low, Moderate, and High compliance baselines: controls implemented by the information system, and controls implemented by the organization. As your organization or agency builds out FedRAMP-compliant systems on Google Cloud, you inherit the physical infrastructure security controls that Google meets under its FedRAMP certification. You also inherit any physical infrastructure, IaaS, and PaaS security controls that are built into Google's FedRAMP compliant products and services, and into all SaaS controls when using Google Workspace. However, you are required to implement all other security controls and configurations at the IaaS, PaaS, and SaaS levels, as defined by the FedRAMP security controls baseline.

FedRAMP implementation recommendations

As mentioned, you inherit some security controls from the CSP. For other controls, you must specifically configure them and create organization-defined policies, rules, and regulations to meet each control.

This section recommends aids for implementing NIST 800-53 security controls in the cloud by using organization-defined policies with Google Cloud tools, services, and best practices.

Access control

To manage access control in Google Cloud, define organization admins who will manage information system accounts in the cloud. Place those admins in access control groups using Cloud Identity, Admin Console, or some other identity provider (for example, Active Directory or LDAP), ensuring that third-party identity providers are federated with Google Cloud. Use Identity and Access Management (IAM) to assign roles and permissions to administrative groups, implementing least privilege and separation of duties.

Develop an organization-wide access control policy for information system accounts in the cloud. Define the parameters and procedures by which your organization creates, enables, modifies, disables, and removes information system accounts.

Account management, separation of duties, and least privilege

In the access control policy, define the parameters and procedures by which your organization will create, enable, modify, disable, and remove information system accounts. Define the conditions under which information system accounts should be used.

Also, identify the time period of inactivity in which users will be required to log out of a system (for example, after *x* minutes, hours, or days). Use Cloud Identity, Admin Console, or application configurations to force users to sign out or re-authenticate after the defined time period.

Define what actions should be taken when privileged role assignments are no longer appropriate for a user in your organization. Google's *Policy Intelligence has an IAM Recommender feature that helps you remove unwanted access to Google Cloud resources by using machine learning to make smart access control recommendations.

Define conditions under which groups accounts are appropriate. Use Cloud Identity or Admin Console to create groups or service accounts. Assign roles and permissions to shared groups and service accounts by using IAM. Use service accounts whenever possible. Specify what atypical use of an information system account is for your organization. When you detect atypical use, use tools such as Google Cloud Observability or *Security Command Center to alert information system admins.

Follow these guidelines to aid in implementing these security controls: AC-02, AC-02 (04), AC-02 (05), AC-02 (07), AC-02 (09), AC-02 (11), AC-02 (12), AC-05, AC-06 (01), AC-06 (03), AC-06 (05), AU-2, AU-3, AU-6, AU-12, SI-04, SI-04 (05), SI-04 (11), SI-04 (18), SI-04 (19), SI-04 (20), SI-04 (22), SI-04 (23).

Information flow enforcement and remote access

In the organization-wide access control policy, define information-flow control policies for your organization. Identify prohibited or restricted ports, protocols, and services. Define requirements and restrictions for interconnections to internal and external systems. Use tools such as Virtual Private Cloud to create firewalls, logically isolated networks, and subnetworks. Help control the flow of information by implementing Cloud Load Balancing, *Traffic Director, and VPC Service Controls.

When setting information-flow control policies, identify controlled network access points for your organization. Use tools such as Identity-Aware Proxy to provide context-based access to cloud resources for remote and onsite users. Use Cloud VPN or Cloud Interconnect to provide secure, direct access to VPCs.

Set organization-wide policies for executing privileged commands and accessing secure data over remote access. Use IAM and VPC Service Controls to restrict access to sensitive data and workloads.

Follow these guidelines to aid in implementing these security controls: AC-04, AC-04 (08), AC-04 (21), AC-17 (03), AC-17 (04), CA-03 (03), CA-03 (05), CM-07, CM-07(01), CM-07(02).

Logon attempts, system-use notification, and session termination

In the access control policy, specify how long a user should be delayed from accessing a login prompt when 3 unsuccessful login attempts have been attempted in a 15-minute period. Define conditions and triggers under which user sessions are terminated or disconnected.

Use Cloud Identity Premium Edition or Admin Console to manage mobile devices that connect to your network, including BYOD. Create organization-wide security policies that apply to mobile devices. Outline requirements and procedures for purging and wiping mobile devices after consecutive unsuccessful login attempts.

Develop organization-wide language and system-use notifications that provide privacy policies, terms of use, and security notices to users who are accessing the information system. Define the conditions under which organization-wide notifications are displayed before granting users access. Pub/Sub is a global messaging and event ingestion system that you can use to push notifications to applications and end users. You can also use *Chrome Enterprise Suite, including *Chrome Browser and *Chrome OS, with the *Push API and *Notifications API to send notifications and updates to users.

Follow these guidelines to aid in implementing these security controls: AC-07, AC-07 (02), AC-08, AC-12, AC-12 (01).

Permitted actions, mobile devices, information sharing

In the access control policy, define user actions that can be performed on an information system without identification and authentication. Use IAM to regulate user access to view, create, delete, and modify specific resources.

Develop organization-wide policies for information sharing. Determine circumstances under which information can be shared and when user discretion is required for sharing information. Employ processes to assist users with sharing information and collaborating across the organization. Google Workspace has a great feature set for controlled collaboration and engagement across teams.

Follow these guidelines to aid in implementing these security controls: AC-14, AC-19 (05), AC-21.

Awareness and training

Create security policies and associated training materials to disseminate to users and security groups across your organization at least annually. Google offers Professional Services options for educating users on cloud security, including but not limited to a Cloud Discover Security engagement and a Google Workspace Security Assessment.

Update security policies and training at least annually.

Follow these guidelines to aid in implementing security control AT-01.

Auditing and accountability

Create organization-wide auditing policies and accountability controls that address procedures and implementation requirements for auditing personnel, events, and actions that are tied to cloud information systems.

In the organization-wide auditing policy, outline events that should be audited in your organization's information systems, and the auditing frequency. Examples of logged events include successful and unsuccessful account login events, account management events, object access, policy change, privilege functions, process tracking, and system events. For web applications, examples include admin activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. Define additional events of interest for your organization.

For the auditing policy, we also recommend that you specify indications of inappropriate or unusual activity for your organization. Monitor, log, and flag these activities regularly (at least weekly).

Use Google Cloud Observability to manage logging, monitoring, and alerting for your Google Cloud, on-premises, or other cloud environments. Use Google Cloud Observability to configure and track security events in your organization. You can also use Cloud Monitoring to set custom metrics to monitor for organization-defined events in audit records.

Enable information systems to alert admins of audit processing failures. You can implement these alerts by using tools like Pub/Sub and alerting.

Set standards for alerting admins within a set time period (for example, within 15 minutes), in the event of a system or functional failure, to include when audit records reach a set threshold or volume capacity. Determine an organization-wide granularity of time measurement, by which audit records should be time-stamped and logged. Define the level of tolerance for time-stamped records in the information system audit trail (for example, nearly real-time or within 20 minutes).

Set VPC resource quotas to establish the capacity thresholds for audit record storage. Configure budget alerts to notify admins when a percentage of a resource limit has been reached or exceeded.

Define organization-wide storage requirements for audit data and records, to include audit log availability and retention requirements. Use Cloud Storage to store and archive audit logs, and BigQuery to perform further log analysis.

Follow these guidelines to aid in implementing these security controls: AU-01, AU-02, AU-04, AU-05, AU-05 (01), AU-06, AU-07 (01), AU-08, AU-08 (01), AU-09 (04), AU-09 (04), AU-12, AU-12 (01), AU-12 (03), CA-07.

Security assessment and authorization

Develop an organization-wide security assessment and authorization policy that defines the procedures and implementation requirements of organization security assessments, security controls, and authorization controls.

In the security assessment and authorization policy, define the level of independence required for security assessment teams to conduct impartial assessments of information systems in the cloud. Identify the information systems that need to be assessed by an independent assessor.

Security assessments should minimally cover the following:

  • In-depth monitoring
  • Vulnerability scanning
  • Malicious user testing
  • Insider threat assessment
  • Performance and load testing

Your organization should define additional requirements and forms of security assessment.

Make sure that your security assessment and authorization policy specifies security system classifications and requirements, including requirements for unclassified and non-national security systems.

In the information flow control policies for your organization, outline requirements and restrictions for interconnections to internal and external systems. Set VPC firewall rules to allow and deny traffic to information systems, and use VPC Service Controls to protect sensitive data by using security parameters.

Set organization-wide auditing and accountability policies that enforce continuous monitoring requirements (CA-07).

Follow these guidelines to aid in implementing these security controls: CA-01, CA-02, CA-02 (01), CA-02 (02), CA-02 (03), CA-03 (03), CA-03 (05), CA-07, CA-07 (01), CA-08, CA-09.