Is Google Workspace CMMC Compliant?
If you’ve stumbled upon this blog, you may be facing one of two scenarios:
- You’re using Google Workspace and facing CMMC certification (with fear in your eyes and dread in your heart)
- You’re thinking about migrating to Google Workspace (with a look of optimism and hope that it could ease the CMMC pain)
You’re likely also worried about the high costs of mobile compliance using Microsoft Office 365 and you know the move to Google Workspace could result in major cost savings – in some cases it could save you up to 50%*.
So let’s get to it – Can a Google Workspace be CMMC compliant?
Quick answer: Yes!
In this blog, we’ll dive deeper into this topic and address the top questions about Google Workspace, CMMC requirements and CMMC compliance, including:
- Why CMMC was created and why government contractors need it
- What even is CMMC?
- CMMC timeline
- What aspects of Google Workspace are already compliant with CMMC
- How to start the compliance process
How did we get here? What’s the driving need?
Based on recent headlines, it’s not hard to see that cybersecurity posture has changed and the number of cyber threats targeting national security has continued to grow. Some notable attacks include the 2020 SolarWinds hack, one of the most sophisticated attacks on the U.S. government, conducted by Russian state-backed hackers. Or how about the 2021 Colonial Pipeline ransomware attack? While that attack primarily targeted a private company, it had widespread consequences and showcased the importance of uncovering vulnerabilities within our critical infrastructure's supply chain.
The impact of these attacks across multiple services, brought on by bad actors, caused a chain reaction and a growing need for guidance—a standardized framework to help the government and those working with it to better protect sensitive information and technical data, referred to as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What’s CMMC? (the gist – not the nitty gritty)
Enter CMMC! The U.S. Department of Defense (DoD) requires defense contractors and subcontractors to adhere to a comprehensive list of security controls to work with government organizations and protect FCI and CUI. Its goal is to enhance the resilience of the supply chain and mitigate risks of cyberattacks and breaches that could compromise defense systems and national security.
DIB organizations need cloud service offerings and providers that enable them to meet contractual commitments by implementing minimum security baselines. The goal is to protect different data types without creating obstacles to staying productive and collaborative.
Two of these baseline regulations are NIST SP 800-171 and DFARS 252.204-7012.
The DoD is seeking to formalize and verify compliance with NIST SP 800-171 through the CMMC 2.0 program.
Across the three levels of the CMMC 2.0 program, there are a total of 110 controls. Here's a breakdown:
Level 1 (Foundational):
- 17 controls, focused on basic cyber hygiene practices, primarily for safeguarding FCI.
Level 2 (Advanced):
- 110 controls, mirroring NIST SP 800-171, aimed at protecting CUI. This level is the most applicable to defense contractors handling sensitive information.
Level 3 (Expert):
- 24 advanced controls selected from NIST SP 800-172, as detailed in Table 1 to § 170.14(c)(4).
CMMC timeline
The CMMC journey began years ago. The goal was to establish a formal certification process, with version 1.0 being released in January 2020. Fast forward to November 2021, the DoD revised the program into CMMC 2.0, simplifying it into three levels and aligning more closely with NIST SP 800-171.
Just this month, the CMMC final rule was released for public inspection on October 11, 2024, and officially published in the Federal Register on October 15, 2024. This marks a significant milestone in the DoD’s efforts to strengthen cybersecurity across the defense industrial base (DIB). The finalized rule clarifies what types of assets are in and out of scope for contractors, including specific guidance on endpoints leveraging virtual desktop infrastructure (VDI). The CMMC program now provides clear documentation on security requirements for safeguarding CUI. Contractors are expected to comply with these standards to remain eligible for DoD contracts. Failing to comply could result in the loss of contracts and a decline in revenue.
Additionally, all DoD contractors with the DFARS 252.204-7012 clause in their contracts must comply with the applicable CMMC level requirements. This is due to the Title 48 rule that integrates CMMC standards into the Pentagon’s solicitations and contracts.
While no organization has received a CMMC certification to date, Google is pursuing similar regulations and cyber assessments for Google Workspace to prepare for the CMMC 2.0 Program.
What data security standards is Google Workspace already compliant with?
Google has already laid the groundwork and ensured that Google Workspace has met the requirements of common cybersecurity regulations and assessments – all of which will help better prepare you to meet CMMC compliance. Here’s the list of those security qualifications:
FedRAMP High:
- Google Workspace has been authorized at FedRAMP High level since November 2021.
DFARS Compliance:
- Customers can use Google Cloud and Google Workspace to comply with the CSP-applicable DFARS 252.239-7010 and 252.204-7012 clauses using Google’s defined FedRAMP Moderate and FedRAMP High controls.
- Google Workspace's FedRAMP certification satisfies DFARS 252.204-7012 for safeguarding Covered Defense Information and Cyber Incident Reporting.
NIST SP 800-171:
- All FedRAMP Moderate and FedRAMP High services align with NIST SP 800-171 requirements.
International Traffic in Arms Regulations (ITAR):
- Google Workspace supports customers with ITAR-controlled software or technical data by providing the Assured Controls Plus feature, ensuring ITAR compliance.
Note: If you’re looking to confirm Google’s compliance with another standard, you can find the full list of Google Cloud services that have undergone independent third-party assessments here: https://cloud.google.com/security/compliance/nist800-171
Getting you ready for CMMC compliance
The journey to CMMC compliance is unique for every SMB in the DIB because your starting point depends on the responsibilities you inherit from your cloud provider.
So, the first step is understanding where in the CMMC journey you’re starting.
To help you navigate this process, look for solution providers who have already done some of the heavy lifting for you! For example, ATX Defense, an Austin-based consulting firm focused on serving the defense and national security community, delivers custom tools built upon Google Workspace called CMMC Space. ATX Defense is the first certified Google partner to exclusively focus on CMMC compliance for small businesses.
Pairing ATX Defense CMMC Space with Hypori Halo enables seamless integration and real-time collaboration from personal mobile devices. ATX Defense will manage your entire Google Workspace environment, while Hypori Halo provides secure mobile access without the added expense of managing and securing second mobile devices. This partnership offers you the most cost-effective and secure solution for using Google Workspace with CUI.
Ready to ensure your Google Workspace environment is CMMC compliant? Learn more about our joint offering with ATX Defense by requesting a demo here.
*Cost savings vary based on the organization, mobile requirements and other factors.