Building global momentum with government and security compliance certifications
Mike Daniels
Vice President, Global Public Sector, Google Cloud
Over the course of the COVID-19 pandemic, it’s proven more important than ever for public sector agencies to embrace digital services to transform how they work and serve their communities. Operating virtually has only heightened the importance of organizational security and compliance for public sector agencies around the world, who must still meet strict regulatory requirements while adjusting to new ways of connecting to their citizens.
We recently made a public commitment to act as your security transformation partner, and to be the most Trusted Cloud. To deliver on this promise, we’ve been significantly expanding our list of compliance certifications and adding security and compliance resources to help address current and emerging public sector requirements:
Expanding our list of FedRAMP High certified products and providing new capabilities for North American public sector agencies
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and monitoring for cloud products and services offered to U.S. Federal government agencies. Over the years, we have collaborated closely with the FedRAMP Joint Authorization Board (JAB) to expand our scope of products under FedRAMP authorizations to operate (ATOs). We are proud to announce today that we recently added Cloud DNS to our list of FedRAMP High compliant products.
With the addition of Cloud DNS, our U.S. public sector customers can leverage a broader set of Google Cloud technologies with the assurance they are meeting the highest level of civilian classification - without the limits of a traditional government cloud. To learn more about Google Cloud’s FedRAMP ATOs, including the products listed under our FedRAMP Moderate ATO, visit the FedRAMP Marketplace. You may also learn more on the FedRAMP page of our Compliance resource center.
Customers who want to quickly and easily meet FedRAMP High controls can leverage Assured Workloads for Government, a first-of-its-kind service that allows Google Cloud Platform (GCP) customers to quickly and easily create controlled environments where U.S. data location and personnel access controls are enforced in any of our U.S. cloud regions. Assured Workloads for Government provides customers with a guided process for building compliance-centric workloads, and supports compliance with Department of Defense (IL4), the FBI’s Criminal Justice Information Services Division (CJIS), and FedRAMP High requirements. Currently in beta, these supported compliance regimes will be generally available later this month.
In Canada, Google Cloud was also awarded Protected B certification for secure cloud services by the Canadian Federal government. As a result, we can now serve even more of Canada's government services and citizens, helping to make government systems more secure, agile, and cost-effective.
Assisting with data protection and security requirements in APAC
In the Asia-Pacific region, governments are placing more rigorous requirements around the use of digital technologies, including cloud services. In response, we’ve not only demonstrated our own compliance as a Cloud Service Provider (CSP), but have also collaborated closely with our public sector customers in the region to help them understand their compliance requirements and our shared responsibilities. A few recent examples include:
India – India’s Ministry of Electronics and Information Technology (MeitY) provides requirements and guidelines for CSPs to register their services with the Indian government to be considered eligible to work with public sector entities in India. Google Cloud underwent an audit of our conformance with the requirements of MeitY to formally achieve MeitY empanelment (registration). Based on the evaluation, MeitY issued a letter confirming our empanelment for Google Platform Services. The MeitY letter of empanelment may be requested here.
Japan – Similarly, in Japan, we achieved registration for the Information System Security Management and Assessment Program (ISMAP), a Japanese government system for assessing the security of cloud service providers to participate in public sector projects. Google Cloud Platform and Google Workspace were assessed for ISMAP compliance and subsequently successfully registered as an ISMAP compliant CSP. Our registration can be viewed at the Information Technology Promotion Agency (IPA) website.
Australia – In July 2020, the Australian Signals Directorate (ASD) updated the Information Security Registered Assessor’s Program (IRAP) framework, which assesses the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements. Previously, IRAP certification meant an organization would be listed on the ASD's Cloud Services List (CCSL). The Cloud Security Guidance package replaced the CCSL and today provides guidance on how to perform a comprehensive assessment of CSPs to make a risk-informed decision about their suitability to handle organizations’ data. Earlier this year, an independent third-party assessor evaluated Google Cloud Platform and Google Workspace against the new IRAP requirements, and confirmed both to be strongly aligned with IRAP’s PROTECTED level control requirements. These requirements include guidelines for cybersecurity roles, detecting and managing cybersecurity incidents, physical and personnel security, system hardening, networking, and cryptography.
Indonesia – We recently published the Google Cloud GR 71 mapping to help our public sector customers in Indonesia evaluate their GR 71 compliance as it relates to their use of Google Cloud services. GR 71 regulates the activities of Electronic System Operators (ESOs), generally defined as any person, government administrator, business entity, or member of society that provides, administers, and/or operates an electronic system individually or collectively for users. With the mapping document, we aim to help our customers in Indonesia interpret the GR 71, and provide an overview of our approach to information security, risk management, and the shared responsibility model.
Thailand – The Information Security Standard for Meeting Control Systems, prescribed by the Thai Ministry of Digital Economy and Society (MDES), is a guideline for providers of meeting control systems (like Google Meet) to establish reliability of the meeting systems, in compliance with MDES’ notification Re: Security Standards of Meetings via Electronic Means, B.E. 2563. The Electronic Transaction Development Agency (ETDA) awarded us certification against the requirements of B.E. 2563 for Google Meet.
Evolving with region-specific regulatory requirements in Europe
In Europe, we recently received attestations of compliance with the German Federal Office for Information Security (BSI)’s Cloud Computing Compliance Criteria Catalogue (“C5:2020”) for GCP and Google Workspace. The C5:2020 was previously known as the Cloud Computing Compliance Controls Catalog (“C5”); with the issuance of C5:2020, we worked with an independent third-party auditor to assess our services against the new requirements. Current and potential public sector customers can use the C5:2020 attestation, available on demand via our Compliance reports manager, as verification of compliance and as part of their assessments for using Google Cloud services.
Prioritizing security and compliance of the cloud
In addition to public sector compliance, we continue to maintain our industry-leading audits and certifications for customers, including recertification of our compliance against ISO/IEC 27001/27017/27018 and SOC 1/2/3. We also recently added Apigee certificates for BSI C5, PCI-DSS, and SOC 1/2/3, as well as the AppSheet SOC 2 report, to our self-serve portal.
Compliance is critical to building trust in the public sector, and we’re committed to working closely with customers, regulators, and industry organizations to strengthen their compliance frameworks as digital transformation continues to be the norm across governments and industries. For the latest information on our ongoing compliance efforts across the globe, visit our Compliance resource center.