Google Workspace’s Viability for Meeting CMMC Compliance
Note: A live version of this article will be maintained at https://cmmcguide.atxdefense.com as information changes.
This article explains how Google Workspace can meet various requirements for Cybersecurity Maturity Model Certification (CMMC) compliance. This article presumes a basic understanding of CMMC, NIST Special Publication 800-171 controls, and various considerations related to the handling of Controlled Unclassified Information (CUI). For an introduction to CMMC and information on how to configure Google Workspace to meet foundational CMMC requirements, check out https://cmmcguide.atxdefense.com
Google Workspace Editions Compliant with FedRAMP High
Google Workspace has been authorized at the FedRAMP High level since November 2021. Google lists the following editions of Workspace as compliant with FedRAMP High:
ATX Defense recommends Google Workspace Enterprise Standard or Enterprise Plus because Context-Aware Access, Security Sandbox, and the Security Center help customers meet CMMC requirements. Customers requiring US data sovereignty with Assured Controls Plus or Client-side Encryption (CSE) must use Google Workspace Enterprise Plus.
Google Workspace and Data Residency/Sovereignty
There is no specific requirement in CMMC for data to be stored only in the United States (data residency) or accessed exclusively by US persons (data sovereignty). However, all FedRAMP High versions of Google Workspace allow customers to specify data residency within the United States - even Google Workspace Business Standard at $12/user/mo. For comparison, Microsoft requires using its higher-priced Government Community Cloud (GCC) to guarantee data residency.
Google Workspace and Overseas Support
All versions of Google Workspace are subject to support by foreign nationals unless the customer purchases Google Workspace Enterprise Plus ($30/user/mo) with Assured Controls Plus ($30/user/mo, launching Q1 2024).
Can Google employees who are foreign nationals access CUI Basic data without specific handling or dissemination requirements for legal purposes such as support requests and disaster response? The CUI rule does not mention a prohibition on foreign national access to CUI (32 CFR Part 2002). In publishing the rule, the National Archives and Records Administration (the organization responsible for the CUI program) said in Section 2002.2 that “the rule does not specify who may be an authorized holder [of CUI] and we decline to add specific criteria. There are no simple, universal rules for authorized holders such as those the comment suggests (U.S. citizens, those with clearances, etc.)”
32 CFR 2002 leaves specific determinations to the agencies; for DoD, that determination is found in DoDI 5200.48, which discusses release to foreign nationals:
b. CUI not controlled as NOFORN may be released or disclosed to non-U.S. citizens employed by the DoD if:
(1) Access to such information is within the scope of their assigned duties.
(2) Access to such information would help accomplish a lawful and authorized DoD mission or purpose and would not be detrimental to the interests of the DoD or the U.S. Government.
(3) There are no contract restrictions prohibiting access to such information.
(4) Access to such information is in accordance with DoDIs 8500.01 and 5200.02 and export control regulations, as applicable.
The NOFORN limited dissemination control exists to prevent sharing certain CUI data with foreign nationals. If the data is not marked NOFORN, is not subject to export control regulations, and has no other contract prohibitions, foreign national access to DoD CUI is allowed when it is part of assigned duties. Foreign nationals can even receive classified data that is marked appropriately and for which they have a need-to-know. Google employees are not "employed by the DoD," but DoDI 5200.48 affirms that there is no blanket prohibition on foreign national access to CUI data. Google employees can only access customer data in the case of a customer request, disaster, or investigation, which are lawful and authorized purposes. Additionally, Access Transparency in Google Workspace Enterprise Plus provides logs of Google staff actions when accessing user content.
With this interpretation, all versions of Google Workspace are acceptable for CUI unless specific handling or dissemination requirements prevent access by foreign nationals.
Google Workspace and DFARS 7012 Compliance
Google Workspace is an “external cloud service provider” as defined in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Using a FedRAMP High-compliant edition of Google Workspace exceeds the mandated FedRAMP Moderate baseline.
DFARS 252.204-7012 paragraphs (c) through (g) require the external cloud service provider to take certain actions in the event of an incident. FedRAMP High compliance requires certain actions around incident response and reporting, but Google has not publicly stated how it complies with (c) through (g). Under NDA, Google has attested that it meets or exceeds the standards found in (c) through (g), but public confirmation from Google would assuage valid concerns held by customers without an NDA. Ideally, Google would undertake a third-party review for 7012 compliance and make the results accessible, as Microsoft has done.
Google Workspace and ITAR
Google Workspace can accommodate CUI Specified - Export Controlled (CUI/SP-EXPT) data, more commonly known as International Trafficking in Arms (ITAR) data administered by the Department of State Directorate of Defense Trade Controls (DDTC), or by Export Administration Regulations (EAR) data administered by the Department of Commerce’s Bureau of Industry and Security (BIS).
Google’s ITAR website explains how Google Workspace is ITAR-compliant using Client-side encryption (CSE), which is only available in Google Workspace Enterprise Plus. However, the Google Workspace Terms of Service prohibit using Workspace for “materials or activities that are subject to the International Traffic in Arms Regulations (ITAR) maintained by the United States Department of State.” Google is aware of this issue and is working on a permanent solution that addresses this discrepancy. In the interim, Google will modify the TOS for customers upon request to remove the ITAR prohibition. This requires working through a reseller (e.g. ATX Defense) rather than purchasing from Google directly.
CSE allows customers to manage their own encryption keys, meaning that no third party (e.g., Google) has access to all encryption keys. This meets ITAR’s end-to-end encryption carve-out for exports, reexports, retransfers, or temporary imports (see 22 C.F.R. 120.54(a)(5)), as implemented in March 2020, for data that leaves the United States or is accessed (as defined in 22 C.F.R. 120.55) by a non-US citizen. Google does not offer a key management service to enable CSE but recommends six companies as key service partners. It’s important to note that the user experience with CSE-encrypted files is degraded because Google cannot access the underlying data. Important collaboration features like multi-user collaborative editing and commenting are not currently supported. However, CSE can be used on only the subset of files requiring additional protection.
Alternatively, or in addition to CSE, customers using Google Workspace Enterprise Plus may add Assured Controls for Google Workspace, which geographically limits Google staff support actions to US persons. 22 C.F.R. 120.54(a)(2) states that “transmitting or otherwise transferring technical data to a US person in the United States from a person in the United States” is not considered an “export, reexport, retransfer, or temporary import.” Therefore, CSE is not required for customers using Google Workspace Enterprise Plus with Assured Controls.
Google Workspace and NOFORN
NOFORN is a limited dissemination control that prevents sharing the marked data with non-US citizens. Normal Google Workspace licenses are subject to support by non-US citizens and cannot be used by customers with NOFORN data. Assured Controls for Google Workspace limits interaction to US persons, which could include green card holders who are not US citizens. Therefore, Google Workspace is unsuitable for customers handling NOFORN data unless CSE is applied to the relevant documents to make them inaccessible to Google support.
Google Workspace and FIPS 140-2 Encryption
Many CMMC requirements call for FIPS 140-2 encryption using a module validated by the NIST Cryptographic Module Validation Program. Many vendors offer third-party solutions for adding encryption to emails sent from Google Workspace or Microsoft 365.
With Google Workspace, it’s easy to mandate FIPS 140-2 encryption on outgoing emails at no additional cost and without enabling complicated client-side encryption schemes like S/MIME.
All versions of Google Workspace allow customers to require a secure connection for email. This forces Gmail to use Transport Layer Security (TLS) to encrypt email in transit, which is supported by all Government email addresses that receive CUI.
Google uses modules that are FIPS 140-2 validated, meaning that emails sent using TLS meet CMMC requirements for encryption without third-party services.
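Requiring TLS only meets the FIPS 140-2 bar when the recipient's server negotiates an approved protocol version and cipher suite, so a practitioner will want to verify what a given recipient actually negotiates. The following is an added example (not code from the article or from Google): it probes a recipient MX host with STARTTLS and grades the negotiated parameters against a FIPS-style policy; the host name is a placeholder.

```python
"""Added example: grade a recipient mail server's STARTTLS negotiation against
a FIPS 140-2 style transport policy (TLS 1.2+, AES suites, no legacy ciphers)."""
import smtplib
import ssl

# Approved protocol versions and cipher families for a FIPS-style policy.
APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
APPROVED_CIPHER_PREFIXES = (
    "TLS_AES_",                                     # TLS 1.3 AES-GCM suites
    "ECDHE-RSA-AES", "ECDHE-ECDSA-AES", "DHE-RSA-AES",  # TLS 1.2 AES suites with forward secrecy
)
# Algorithms that are not FIPS-approved; "DES" also catches 3DES suite names.
DISALLOWED_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "CHACHA20", "CAMELLIA", "ARIA")


def evaluate_tls(version: str, cipher: str) -> tuple[bool, str]:
    """Return (compliant, reason) for a negotiated TLS version and OpenSSL cipher name."""
    if version not in APPROVED_VERSIONS:
        return False, f"protocol {version} is below TLS 1.2"
    upper = cipher.upper()
    for token in DISALLOWED_TOKENS:
        if token in upper:
            return False, f"cipher {cipher} uses non-approved algorithm {token}"
    if not upper.startswith(APPROVED_CIPHER_PREFIXES):
        return False, f"cipher {cipher} is not an AES suite with (EC)DHE key exchange"
    return True, f"{version} with {cipher} uses FIPS-approved algorithms"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> tuple[str, str]:
    """Connect to an MX host, issue STARTTLS, and return (tls_version, cipher_name).

    Raises RuntimeError if STARTTLS is not offered and ssl.SSLError if the server
    cannot agree on a protocol the default context allows (TLS 1.2+ on modern Python).
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        smtp.starttls(context=context)
        cipher_name, _proto, _bits = smtp.sock.cipher()
        return smtp.sock.version(), cipher_name


if __name__ == "__main__":
    # Placeholder host: replace with the MX record of the recipient domain being checked.
    negotiated = probe_mx("mx.example.invalid")
    print(negotiated, evaluate_tls(*negotiated))
```

Run it against the MX host of each Government recipient domain before relying on the "require secure connection" setting as your FIPS control; a result of compliant = False means the mail would be rejected or sent over a non-approved suite.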
The following references show how Google uses FIPS 140-2 validated modules:
For data at rest, Google asserts that “all data that is stored by Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256. We use a common cryptographic library, Tink, which includes our FIPS 140-2 validated module (named BoringCrypto) to implement encryption consistently across Google Cloud.”
Google also asserts that it manages the keys used for encryption at rest, which means this CMMC requirement is automatically inherited when using Google Workspace.
“Migrating” Between Google Workspace Versions
Migrating from one version of Google Workspace to another (e.g. Business Standard to Enterprise Plus) or adding Assured Controls Plus is seamless. There is no requirement for data migration between editions or when adding Assured Controls Plus.
This starkly compares to Microsoft’s approach, which states, “you can only imagine the baggage associated with a migration from Commercial. It often includes the re-homing of device and software registrations, MDM enrollments, encryption technologies, etc.”
This is the justification Microsoft uses to persuade customers to start with its ITAR-compliant GCC High edition ($1150/user/year) instead of a more appropriate edition for customers without such requirements. Leading Microsoft resellers also recommend using GCC High for any level of CMMC compliance, claiming that “Microsoft's official recommendation is for organizations planning or required to meet CMMC 2.0 Level 2 and Level 3 should deploy to Microsoft 365 GCC High.”
Neither Google nor ATX Defense recommends purchasing a Google Workspace edition beyond what business operations need. Customers who do not have ITAR or other special circumstances requiring US sovereignty should start with Google Workspace Enterprise Standard ($20/user/mo) and seamlessly migrate to Enterprise Plus ($30/user/mo) when needed to enable CSE or other advanced features. Customers handling export-controlled or other data requiring US sovereignty can add Assured Controls Plus ($30/user/mo starting Q1 2024) without migration or downtime. This is an example of how a 100-person company would save 80% with the Google Workspace tiered approach vs. Microsoft’s “all-in” approach:
Note: GCC High used instead of GCC for comparison based on recommendations from Microsoft and its resellers
No ITAR or other data sovereignty requirements:
  Google Workspace Enterprise Standard: $240/user/yr x 100 users = $24,000/yr
  Microsoft GCC High: $1150/user/yr x 100 users = $115,000/yr
ITAR or other data sovereignty requirements:
  Google Workspace Enterprise Plus with Assured Controls Plus: $720/user/yr x 100 users = $72,000/yr
  Microsoft GCC High: $1150/user/yr x 100 users = $115,000/yr
Head of DoD Policy
(11 months ago) Thanks Zach Walker for taking the time to research and draft this helpful and informative post!
CEO @ GnomeGuard Group | Cybersecurity, Compliance
(11 months ago) This article was a little rough to read. The bias is just all over the place. I'd also disagree strongly with the foreign national section. Do you know of any joint assessments where this determination was made by an assessor for a company that's passed? It also lacks critical thinking. As an example, what use case do you see a company paying for GCC High without ITAR or data sovereignty requirements? The reality is, that company isn't even going to make it through the approval process to even be able to purchase those licenses. Your example is a literal fantasy. TLDR; Microsoft has passed their joint assessment for CMMC and Google is likely maybe probably possibly could be who knows hiding their joint assessment failure behind an NDA.
Brain rental service for ISO certifications/accreditations.
(11 months ago) I'm troubled by the claim that the ambiguity in the CUI/CMMC space is "by design." Is that so folks have to hire consultants to decipher it?
Leader | Volunteer | Mentor | STEMinist
(11 months ago) The number of items in this article where you misstate information about Microsoft or blatantly lie is ridiculous. Others and I gave you recommendations prior to publication that you ignored, so I must come to the conclusion that you focus more on selling Google services than giving honest advice to customers.
CEO at Sentinel Blue | Paramedic | Host of The Watchers Podcast
(11 months ago) Google Workspace being compared to Microsoft 365's E5 in your price comparison is like comparing a can of tomatoes with a chef-prepared pasta dish. It's useful to know that Google can be a tool in the tool belt for CMMC, but it's not fully comparable in feature set to the Microsoft 365 suite and your article doesn't really discuss that. Running my own Exchange server is also much cheaper than a Microsoft 365 E5; but my Exchange server has 3% of the full functionality of the E5.