FedRAMP compliance on Google Cloud

Disclaimer

This guide is for informational purposes only. Google does not intend the information or recommendations in this guide to constitute legal advice. Each customer is responsible for independently evaluating its own particular use of the services as appropriate to support its legal compliance obligations.

Intended audience

For customers who are subject to the requirements of the U.S. Federal Government's Federal Risk and Authorization Management Program (FedRAMP), Google Cloud supports FedRAMP Moderate compliance. This guide is intended for security officers, compliance officers, IT administrators, and other employees who are responsible for FedRAMP Moderate implementation and compliance on Google Cloud. After reading this guide, you will understand how Google is able to support FedRAMP Moderate compliance.

Overview

There are two types of FedRAMP authorization for cloud services:

  • A Provisional Authority to Operate (P-ATO) through the Joint Authorization Board (JAB)
  • An Agency Authority to Operate (ATO)

P-ATO process

A FedRAMP P-ATO is an initial approval by the JAB of a cloud service provider's (CSP's) authorization package, which an Agency can then leverage to grant an ATO for the acquisition and use of that cloud service within the Agency. The JAB consists of the Chief Information Officers (CIOs) of DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. A P-ATO means that the JAB has reviewed the cloud service's authorization package and granted provisional approval that Federal Agencies can rely on when granting an ATO for a cloud system. For a cloud service to enter the JAB process, it must first be prioritized through FedRAMP Connect.

Agency ATO process

As part of the Agency authorization process, a CSP works directly with the Agency sponsor who reviews the cloud service's security package. After completing a security assessment, the head of an Agency (or their designee) can grant an ATO. For more information about these two authorization paths, please visit our Get Authorized page.

The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).

Google offers Service Specific Terms through Assured Workloads for customers who require FedRAMP Moderate compliance support. Google Cloud was built under the guidance of a security engineering team of more than 700 people, which is larger than most on-premises security teams. Specific details on our approach to security and data protection, including the organizational and technical controls with which Google protects your data, can be found in the Google Security Whitepaper and the Google Infrastructure Security Design Overview.

In addition to documenting our approach to security and privacy design, Google undergoes independent third-party audits on a regular basis to provide customers with external verification. This means that an independent auditor has examined the controls present in our data centers, infrastructure, and operations. Google can provide customers under NDA with our approved FedRAMP Moderate System Security Plan (SSP) upon request.

Customer responsibilities

One of the key responsibilities for a customer is to determine whether or not Google's FedRAMP Moderate authorization is adequate to cover the customer's purposes.

While Google provides a secure and compliant infrastructure (as described above) for the storage and processing of FedRAMP Moderate regulated data, the customer is responsible for ensuring that the environment and applications that they build on top of Google Cloud are properly configured and secured according to FedRAMP Moderate requirements. This is often referred to as the shared security model in the cloud.

Essential best practices

  • Accept the Google Cloud FedRAMP terms. You do this inherently when you deploy a FedRAMP Moderate workload with Assured Workloads.
  • When working with FedRAMP Moderate regulated data, disable, or otherwise ensure that you do not use, Google Cloud products that are not explicitly covered by Google's FedRAMP Moderate P-ATO (see Covered products).
  • Google Cloud is able to provide customers with guidance for the shared security model through our FedRAMP customer package, which includes the following:
    • FedRAMP Moderate Security Controls Guide
    • FedRAMP SSP High Baseline Template
    • FedRAMP SSP Moderate Baseline Template
    • NIST Cybersecurity Framework Guide
  • In addition, Google Cloud's FedRAMP Implementation Guide and Security Model Architecture provide supplementary recommendations for shared security on Google Cloud.

Covered products

Google Cloud's FedRAMP Moderate authorization covers Google Cloud's entire infrastructure (all regions, all zones, all network paths, all points of presence) and the in-scope FedRAMP Moderate products.

Unique features

Google Cloud's security practices allow us to hold a FedRAMP Moderate ATO that covers Google Cloud's entire infrastructure, not a set-aside portion of our cloud. As a result, you are not restricted to a specific region, which has scalability, operational, and architectural benefits. You also benefit from multi-regional service redundancy and can use Preemptible VMs to reduce costs.

The security and compliance measures that allow us to support FedRAMP Moderate compliance are deeply ingrained in our infrastructure, security design, and products. As such, we can offer FedRAMP Moderate regulated customers the same products at the same pricing that is available to all customers, including sustained use discounts.

Conclusion

Google Cloud is cloud infrastructure on which customers can securely store, analyze, and gain insights from FedRAMP Moderate regulated information without having to worry about the underlying infrastructure.

Additional Resources