FedRAMP
The U.S. Federal government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. Congress codified FedRAMP in 2022, as “a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.”
All federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate impact level (Low, Moderate, or High).
Customers who want to host FedRAMP Moderate or High workloads on Google Cloud must use Assured Workloads, and for FedRAMP High, Assured Support as well.
Google Cloud’s FedRAMP Compliance
The FedRAMP Board (formerly known as the Joint Authorization Board) is the primary governing body for FedRAMP, and includes the Department of Defense (DoD), Department of Homeland Security (DHS), the General Services Administration (GSA), and other agencies as determined by the GSA Administrator and the FedRAMP director.
The FedRAMP Board has issued FedRAMP Moderate and FedRAMP High authorizations to Google Cloud infrastructure and to specific Google Cloud service offerings (CSOs, in FedRAMP’s terminology). A Board-issued authorization is a Provisional Authority to Operate (P-ATO); an agency then leverages it to grant its own ATO for its use of the service. Google Cloud routinely submits additional services to the Board for FedRAMP Moderate and High authorization.
Google Cloud can provide the following additional FedRAMP compliance documentation to customers under non-disclosure agreement (NDA):
- FedRAMP Customer Responsibility Matrix (CRM)
- Google Cloud’s System Security Plan (SSP)
- Penetration test reports and other documents
Our sales team or your Google Cloud representative can help provide access to this documentation. Government customers may also request Google’s FedRAMP package through the FedRAMP Program Management Office using its package request form.
For customers who buy through a Google partner, purchase terms and conditions flow down from our partners.
Google Workspace FedRAMP compliance
Customers can use Google Workspace in compliance with various U.S. federal government and global standards for cloud security and privacy. In addition to maintaining a FedRAMP High authorization, Google Workspace is certified against ISO/IEC 27017, 27018, and 27001, and is audited under the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) framework.
Google Cloud VMware Engine (GCVE) FedRAMP High Readiness
In 2023, the FedRAMP Program Management Office (PMO) completed its review of the FedRAMP High Readiness Assessment Report (RAR) for Google Cloud VMware Engine (GCVE), prepared by a third-party assessment organization (3PAO). Based on the positive results of the review, with no notable capability weaknesses found, GCVE was accepted as a FedRAMP High Ready offering (FedRAMP Package ID FR2405153785).
A FedRAMP Ready designation indicates to the U.S. federal government that GCVE has a high likelihood of achieving a FedRAMP authorization. Note that FedRAMP Ready is a readiness designation, not an authorization: an agency cannot treat it as an ATO, and the offering must still complete the authorization process. GCVE is also certified against ISO/IEC 27017, 27018, and 27001 and PCI DSS, and is audited under the AICPA System and Organization Controls (SOC) framework.
Hosting FedRAMP Moderate and High Workloads on Google Cloud
Google Cloud’s investment in security-by-default infrastructure means that security controls are built in and pre-configured, so customers can reach various compliance levels without a traditional, physically isolated government cloud architecture.
Customers deploying solutions on Google Cloud in FedRAMP Moderate or High environments must use Assured Workloads. Assured Workloads lets customers secure and configure sensitive workloads to meet compliance and security requirements using Google Cloud services. It does not rely on physical infrastructure separate from Google’s public cloud data centers; instead, it delivers a software-defined community cloud, which offers cost, speed, and innovation advantages over a separate government region.
FedRAMP-authorized services made available through Assured Workloads implement FedRAMP security controls and let customers use Google Cloud capabilities to meet their organizational needs. Assured Workloads also provides visibility into the compliance state of FedRAMP workloads through Assured Workloads Monitoring, which helps you spot and remediate compliance violations and gives you evidence of your compliance state to present to auditors.
In addition to the controls satisfied by the Google Cloud infrastructure FedRAMP High ATO, Assured Workloads implements the following key FedRAMP High controls by default for customers handling FedRAMP High government data:
- Guardrails to restrict FedRAMP High customer data location to the U.S.
- Technical support staff limited to FedRAMP-adjudicated personnel located in the U.S.
- FIPS 140-2 compliant encryption at rest and in transit
- Personnel access controls for those with routine access to customer data
- Only FedRAMP-authorized products and services allowed in the workload
- Logical segmentation of in-scope compliance boundary to support FedRAMP Moderate and High requirements
Hosting FedRAMP Moderate and High Data on Google Workspace
Google Workspace maintains a FedRAMP High authorization, which customers can leverage to host both FedRAMP Moderate and FedRAMP High data, since a High authorization covers Moderate. Customers deploying Google Workspace in their FedRAMP Moderate or High environments should enable only the FedRAMP-authorized services that meet the respective authorization level. Learn how to turn a service on or off for Google Workspace.
Additionally, Google Workspace Business and Enterprise editions have built-in security controls and feature sets that help customers meet FedRAMP High requirements and support their own ATOs. Google Workspace administrators can configure their environments to meet FedRAMP data residency controls by applying a data regions policy.
Process for Achieving a FedRAMP Authority to Operate (ATO)
Customers interested in hosting government data on Google Cloud may also want to pursue their own Authority to Operate (ATO). Organizations should plan for the following milestones when seeking an ATO on Google Cloud:
- Determine whether the in-scope data requires FedRAMP Moderate or FedRAMP High
- Select Assured Workloads (FedRAMP Moderate is included in the free tier, FedRAMP High requires a premium subscription) for the in-scope Google Cloud services
- Decide on your FedRAMP boundary within Google Cloud
- Configure your workloads in accordance with the shared responsibility model, Customer Responsibility Matrix, in-scope Google Cloud services, and FedRAMP guidelines
- Undergo an assessment by an accredited third-party assessment organization (3PAO)
- Submit your package to the FedRAMP Board or to your sponsoring federal agency for review and authorization
For more information on the ATO process, please refer to the FedRAMP website. For additional FedRAMP ATO support from Google Cloud, please visit our Google Cloud Consulting page.