Google Cloud Platform is now FedRAMP High authorized

At Google Cloud, we’re committed to providing public sector agencies with technology to help improve citizen services, increase operational effectiveness, and better meet their missions. We  build our products with security and data protection as core design principles, and we regularly validate these products against the most rigorous regulatory requirements and standards.  

To that end, we are proud to announce that Google Cloud Platform (GCP) has received FedRAMP High authorization to operate (ATO) for 17 products in five cloud regions, and we’ve expanded our existing FedRAMP Moderate authorization to 64 products in 17 cloud regions. This means that public sector agencies now have the ability to run compliant workloads at the highest level of civilian classification.

How FedRAMP certification works
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services offered to US federal government agencies. Most federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate (Low, Moderate, or High) risk impact level. While Google Cloud already maintains an authorization for both GCP and G Suite at the Moderate impact level, achieving High status on GCP means we can provide greater access to technology for our most security-sensitive customers. And while the FedRAMP ATO is required for federal agencies, it is also a security benchmark for other industries, including financial services, health, and manufacturing. If you’re a GCP customer, you can enjoy the benefit of a FedRAMP High-authorized infrastructure at no additional cost and without any change in your services. 

Obtaining FedRAMP High required documenting at length how our infrastructure and platforms help our customers keep their data safe. We carefully translated the principles of our BeyondCorp model, including zero-trust networking, that we have implemented at Google into the NIST 800-53r4 security controls, which were then documented and assessed by a third-party organization. As part of this process, we also completed FIPS 140-2 L1 overall and L3 physical FIPS validation of the internal version of Google's Titan Security Key authenticator. We worked closely with the FedRAMP Joint Authorization Board to document Google’s monitoring, patching, and vulnerability scanning infrastructure in order to meet the rigorous continuous monitoring requirements of FedRAMP High. 

Receiving a FedRAMP High ATO means we can support agency missions that require some of the highest levels of data protection for unclassified workloads. These could include health care delivery, emergency response, space operations, and many others. 

Supporting the public sector with cloud innovation
These new certifications reflect our continued investment and support for customers in the U.S. public sector, and is another example of momentum we’re seeing as government agencies move to the cloud. For example, we recently teamed up with researchers from NASA-FDL to help identify life beyond earth with our machine-learning capabilities, and the Library of Congress team spoke at Google Cloud Next ‘19 on how they’re making books accessible to the visually impaired. We are also helping the U.S. Air Force modernize its modeling and simulation training infrastructure.  

At the state and local level, the State of Arizona plans to migrate thousands of employees and contractors to G Suite to improve security and collaboration. It anticipates millions of dollars in cost savings over the next three years. And New York City Cyber Command is partnering with Google Cloud to automate and speed log analysis and other initiatives to protect New Yorkers from malicious cyber activity, while also safeguarding data privacy on mobile devices and across public WiFi networks. 

Welcoming new public sector leaders
Today’s news reinforces our commitment to the public sector. Earlier this year, I joined Google Cloud to lead our public sector efforts. We’ve also added Brent Mitchell to lead Google Cloud’s state and local government strategy, and Lesta Brady to head up our federal civilian sales strategy. And we recently announced a new Global Public Sector organization within Google Cloud, with a charter of engaging with public sector customers worldwide—and have welcomed new leaders in Canada, EMEA, and Latin America into this organization. Finally, I’m excited today to announce that long-time Googler and Chief Internet Evangelist Vint Cerf and his group of technology specialists will be joining my team to bring their expertise to public sector customers globally. His team will continue to evangelize the potential of the internet and the solutions it can enable, which is critically important for public sector decision-makers to understand as part of the delivery of their services. 

We look forward to continuing to help federal, state, and local government agencies innovate, and will pursue additional global certifications to meet their needs. You can learn more here about our public sector work.