Is Google Workspace CMMC and DFARS Compliant?

Google Workspace complies with CMMC. To satisfy current compliance requirements, however, you must carefully consider the numerous restrictions and special deployments that the platform requires.

Defense Federal Acquisition Regulation Supplement (DFARS) 7012, 7019, 7020, 7021, and the impending CMMC 2.0 standards are just a few of the contract requirements in the military supply chain that mandate minimum security baselines to protect various data types. Because of this, DoD contractors are looking for cloud service options that can boost productivity and teamwork without jeopardizing their capacity to comply with regulatory requirements. Unfortunately, many suppliers and prospective clients find that these objectives are easier said than done.

As a DoD contractor eyeing a big defense contract, you must be wondering whether Google Workspace is CMMC/NIST, DFARS, and ITAR compliant. If you are looking for a cybersecurity-compliant cloud solution for your business, you must consider hiring CMMC consulting personnel when implementing any solution.

Google Workspace and Compliance  

A Certified Third-Party Assessment Organization (3PAO) assessed Google Workspace’s capacity to meet the demands of NIST SP 800-171 and CMMC 2.0. Following that evaluation, the 3PAO granted Google Workspace a letter of attestation, which confirmed the platform’s capacity to meet the criteria of NIST 800-171 and CMMC 2.0.

Google Workspace also disclosed in July 2022 that it received a DoD Impact Level 4 (IL4) clearance. Organizations must implement Google’s Assured Workloads to benefit from the shared accountability features of the Workspace’s IL4 authorization. The organization’s Google Workspace environment is only a DoD IL2 environment without this product deployed.

Is Google Workspace CMMC/NIST compliant? 

According to the 3PAO letter of attestation, four CMMC 2.0 / NIST 800-171 cybersecurity controls were found to have issues:

Provide privacy and security notices in accordance with applicable CUI regulations, per CMMC AC.L2-3.1.9 and NIST 3.1.9.

Google Workspace does not meet CMMC AC.L2-3.1.9 / NIST 3.1.9 because it is unable to show notices upon user login. To successfully implement this control, the company would need to locate a suitable and compliant third-party technology.

Suspend identifiers after a predetermined amount of inactivity, per CMMC IA.L2-3.5.6 and NIST 3.5.6.

Google Workspace would require establishing manual procedures to disable IDs that have been inactive beyond the organization’s established limit. Although neither control can be streamlined using Google Workspace’s features, the organization can nonetheless fulfill both of them.
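One way to support the manual procedure for IA.L2-3.5.6 is a periodic review script that lists the accounts due to be disabled. The sketch below is an added example, not code from Google or from the attestation letter. It assumes user records have been exported in the shape of Admin SDK Directory API user resources (`primaryEmail`, `suspended`, `lastLoginTime`, `creationTime`) and that the organization-defined inactivity period is 90 days; the sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)  # assumption: organization-defined period
# The Directory API reports the Unix epoch as lastLoginTime for users who never signed in.
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (not real accounts).
SAMPLE_EXPORT = json.dumps([
    {"primaryEmail": "alice@example.com", "suspended": False,
     "lastLoginTime": "2024-05-20T00:00:00.000Z", "creationTime": "2022-03-01T00:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False,
     "lastLoginTime": "2024-01-10T00:00:00.000Z", "creationTime": "2021-06-01T00:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z", "creationTime": "2023-11-01T00:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z", "creationTime": "2024-05-15T00:00:00.000Z"},
    {"primaryEmail": "erin@example.com", "suspended": True,
     "lastLoginTime": "2023-02-01T00:00:00.000Z", "creationTime": "2020-01-01T00:00:00.000Z"},
])
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed review date for the sample


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accounts_to_disable(users, now, limit=INACTIVITY_LIMIT):
    """Return (email, idle_days, reason) for active accounts idle longer than limit."""
    findings = []
    for user in users:
        if user.get("suspended"):
            continue  # already disabled, nothing to do
        last_login = parse_ts(user["lastLoginTime"])
        never = last_login <= NEVER
        # A never-used account is measured from its creation date, so a
        # freshly provisioned user is not flagged before first sign-in.
        reference = parse_ts(user["creationTime"]) if never else last_login
        idle = now - reference
        if idle > limit:
            findings.append((user["primaryEmail"], idle.days,
                             "never signed in" if never else "inactive"))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for email, days, reason in accounts_to_disable(json.loads(SAMPLE_EXPORT), NOW):
        print(f"{email}: {reason}, idle {days} days")
```

The output is a review list for the administrator who performs the disablement; keeping each run's list gives assessors evidence that the procedure is followed.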

Require a minimum level of password complexity and character diversity when generating new passwords, per CMMC IA.L2-3.5.7 and NIST 3.5.7.

Password reuse should be prohibited for several generations, per CMMC IA.L2-3.5.8 and NIST 3.5.8.

Contrary to the conclusions of the NIST 800-171 attestation letter, Google Workspace can satisfy both CMMC IA.L2-3.5.7 / NIST 3.5.7 and CMMC IA.L2-3.5.8 / NIST 3.5.8. Administrators can enforce and track users’ password requirements in Google Workspace. The custom configuration options include credential length, complexity, and reuse time limits. As a result, the admin can modify the Workspace password policy to match the organizationally determined password values and satisfy both of the aforementioned controls.

In the end, Google Workspace may be used to satisfy CMMC 2.0 / NIST 800-171 criteria. 

However, that depends on the organization’s capacity to make up for the identified control shortcomings in CMMC AC.L2-3.1.9 / NIST 3.1.9 and CMMC IA.L2-3.5.6 / NIST 3.5.6.