Compliance programs

Assured Workloads provides compliance programs to create regulated boundaries in Google Cloud. A compliance program is a set of security controls that, when combined together, meets the regulatory baseline for a compliance statute or regulation. These security controls include mechanisms to enforce data residency, data sovereignty, personnel access, and more.

This page provides more information about each compliance program available in Assured Workloads, which are available in two tiers: Free and Premium.

Free Tier

FedRAMP Moderate

The FedRAMP Moderate compliance program sets support access controls for first-level support personnel who have completed enhanced background checks. This means that Assured Workloads support cases are restricted to FedRAMP adjudicated first-level support staff. Additional Google Cloud FedRAMP Moderate compliance information can be found on the FedRAMP compliance card.

HIPAA (Preview)

The HIPAA compliance program supports data location controls to support US-only regions.

The HIPAA compliance program is available at the Preview launch stage.

HITRUST (Preview)

The HITRUST compliance program sets support access controls for first-level support personnel who are located in the US. This means that Assured Workloads support cases are restricted to support staff located in the US. Data location controls are set to support US-only regions.

The HITRUST compliance program is available at the Preview launch stage.

Premium Tier

FedRAMP High

The FedRAMP High compliance program sets support access controls for first- and second-level support personnel who have completed enhanced background checks and are located in the US. This means that Assured Workloads support cases are restricted to FedRAMP adjudicated first and second level support staff located in the US. Data location controls are set to support US-only regions. For more information about Google Cloud FedRAMP High compliance, see FedRAMP compliance card.

Criminal Justice Information Systems (CJIS)

The CJIS compliance program sets support access controls for first- and second-level support personnel who have completed state sponsored background checks and are located in the US. This means that Assured Workloads support cases are restricted to CJIS-adjudicated first- and second-level support staff located in the US. Escorted session controls are also used to supervise and monitor support actions by non-adjudicated staff. Data location controls are set to support US-only regions. Additional Google Cloud CJIS compliance information can be found on the CJIS compliance card.

Impact Level 4 (IL4)

The IL4 compliance program sets support access controls for first- and second-level support personnel who have completed enhanced background checks, are US Persons, and are located in the US. This means that Assured Workloads support cases are restricted to IL4-adjudicated US Persons first- and second-level support staff located in the US. Data location controls are set to support US-only regions. For more information about Google Cloud IL4 compliance, see the IL4 compliance card.

International Traffic in Arms Regulations (ITAR)

The ITAR compliance program sets support access controls for first- and second-level support personnel who are US Persons, and are located in the US. This means that Assured Workloads support cases are restricted to US Persons for first- and second-level support staff located in the US. Data location controls are set to support US-only regions. For more information about Google Cloud ITAR compliance, see the following pages:

• ITAR compliance card
• Restrictions and limitations when using ITAR

Australia Regions with Assured Support

The Australia Regions with Assured Support compliance program sets support access and technical support to personnel who are located in 5 specific countries (United States, Canada, Australia, New Zealand, and United Kingdom). Data location controls are set to support available Australia regions.

Canada Regions and Support

The Canada Regions and Support compliance program sets support access controls for first- and second-level support personnel who are legally eligible to work in Canada and, physically located within the country of Canada. Data location controls are set to support Canada-only regions.

EU Regions and Support

The EU Regions and Support compliance program sets support access controls for first- and second-level support personnel who are EU personnel based in the EU. See EU regions for a list of the available regions.

EU Regions and Support with Sovereignty Controls

The EU Regions and Support with Sovereignty controls compliance program sets support access controls for first- and second-level support personnel who are based in the EU, and provides data residency and data sovereignty guarantees for EU-based customers. Data location controls are set to support EU-only regions. For more information, see Restrictions and limitations in EU Regions and Support with Sovereignty Controls.

Israel Regions and Support

The Israel Regions and Support compliance program sets support access controls for first- and second-level support personnel who are either security-cleared Israeli Personnel located in Israel or US Persons who have completed enhanced background checks located in the US. Data location controls are set to support Israel-only regions.

US Regions and Support

The US Regions and Support compliance program sets support access controls for first- and second-level support personnel who are US Persons and are located in the US. Data location controls are set to support US-only regions.

What's next

• Learn more about controlling access to data by personnel.
• Learn how to create an IAM group.
• Learn which products are supported for each compliance program.