U.S. Cybersecurity Maturity Model Certification (CMMC)

The U.S. Department of Defense (DoD) currently requires that all covered defense contractors and subcontractors implement the security controls in NIST SP 800-171 r2. The requirement protects Controlled Unclassified Information (CUI) and flows from the covered entities' contractual commitments under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Federal contractors (including defense contractors) that handle Federal Contract Information (FCI) must also comply with the security requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

To formalize this requirement and give the DoD a means to verify compliance with NIST SP 800-171 r2, the DoD published the 32 CFR part 170 CMMC Program rule on October 15, 2024, officially launching the Cybersecurity Maturity Model Certification (CMMC) program; the rule went into effect on December 16, 2024. Alongside the program rule, the DoD has proposed an acquisition rule (48 CFR part 204, the CMMC Acquisition rule) that amends DFARS to implement the program rule's requirements. The acquisition rule is expected to update DFARS 252.204-7021 to require covered contractors and subcontractors to achieve and maintain the required CMMC level for the duration of the contract. Once that rule is final, contractors may begin seeing the updated DFARS 252.204-7021 clause in DoD contracts. While DFARS 252.204-7021 and the corresponding CMMC requirements are phased into contracts, DoD contractors who already handle FCI and/or CUI may choose to pursue CMMC status voluntarily. Google Cloud is prepared to support DoD contractors in meeting their CMMC requirements.

What are the 3 Levels of CMMC?

The CMMC program has three levels. Level 1 verifies the 15 requirements of FAR 52.204-21. Level 2 verifies the 110 requirements of NIST SP 800-171 r2. Level 3 builds on Level 2 and verifies an additional 24 requirements drawn from NIST SP 800-172. Details for each level follow.

Level 1: Basic Safeguarding of FCI

  • Focus: Protecting FCI (basic information such as contract numbers and delivery schedules). This level is intended to be achievable for smaller organizations that will not handle information critical to national security.
  • Requirements: The 15 basic safeguarding practices of FAR 52.204-21. Examples: limiting system access to authorized users, protecting systems against malicious code, and identifying and correcting system flaws in a timely manner.
  • Assessment: Annual self-assessment.
  • Applicability: Required for all contractors that handle FCI in any capacity. This is the most common level.

Level 2: Broad Protection of CUI

  • Focus: Protecting CUI (sensitive data subject to safeguarding or dissemination controls). This level is designed to protect information critical to national security.
  • Requirements: The 110 security requirements of NIST SP 800-171 r2. Examples: maintaining a System Security Plan (SSP); identifying, logging and monitoring the assets that store, process or transmit CUI; and running a vulnerability scanning program to find and remediate security weaknesses.
  • Assessment: Defined by the contract. Some contracts allow a self-assessment, while others require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
  • Applicability: Required for contractors that handle CUI.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

  • Focus: Protecting highly sensitive CUI on critical programs, with additional safeguards against Advanced Persistent Threats (APTs).
  • Requirements: All Level 2 requirements, plus 24 enhanced security requirements from NIST SP 800-172. Examples: developing a comprehensive incident response plan, implementing a comprehensive continuous monitoring program, and assessing and managing supply chain security risk.
  • Assessment: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • Applicability: Required for contractors working on the most sensitive government programs. This is the least common level.
  • Prerequisite: A contractor must already hold a CMMC Level 2 certification from a C3PAO assessment (a Level 2 self-assessment does not qualify) before it may pursue Level 3.

In short, the higher the CMMC level, the more sensitive the information handled and the stricter the cybersecurity requirements. The level required for a given contract depends on the type of information involved and the sensitivity of the program.

Google Cloud and Google Workspace support CMMC

Customers can use Google Cloud and Google Workspace to meet the CMMC requirements that apply to a cloud service provider (CSP) at every level by building on Google's FedRAMP baseline and configuring their systems in line with it. Google Cloud and Google Workspace hold FedRAMP Moderate and FedRAMP High Authority to Operate (ATO) for defined services, and those services align with the NIST SP 800-171 r2 requirements that apply to CSPs. The authorization covers Google's side of the shared-responsibility boundary; customers must use the FedRAMP Customer Responsibility Matrix (CRM), which is part of Google's FedRAMP System Security Plan (SSP), to identify and implement the controls that remain their responsibility when configuring their systems.

Upon request, Google can also provide customers with an implementation guide to support CMMC enclave setup and a CMMC compliance attestation letter from a CMMC Third-Party Assessment Organization (C3PAO) to support requirement verification. The Google sales team or your Google Cloud representative can help facilitate access to the applicable documentation.

For DoD contractors that require CMMC Level 1, any Google Cloud product can support the compliance effort. To achieve CMMC Level 2 and/or Level 3, DoD contractors that manage CUI must use cloud services authorized at a minimum of FedRAMP Moderate, the baseline DFARS 252.204-7012 sets for cloud services that store, process or transmit covered defense information. Customers meeting this baseline on Google Cloud can use the FedRAMP-authorized services listed here.

Google Cloud customers must select the FedRAMP Moderate or FedRAMP High regulatory control package for the software-defined boundary (for example, an Assured Workloads folder) in which the enclave is deployed. As noted above, customers should use the FedRAMP CRM, part of Google's FedRAMP SSP, when configuring their systems to support FedRAMP compliance.

Google Workspace customers must ensure that only FedRAMP Moderate or FedRAMP High services are used within the scope of their CMMC compliance. Where needed, an administrator can turn off a service that has not yet been FedRAMP-authorized so that it cannot be used with FCI or CUI.

Customers who require their data to be stored exclusively within the U.S. must use FedRAMP High services (configured with either Assured Workloads or Assured Controls Plus) together with the FedRAMP CRM; the FedRAMP High configuration restricts Customer Data storage to Google data center regions located in the United States. Customers may also choose Google's IL2, IL4 or IL5 solutions to meet data residency needs. Google recommends that Workspace customers follow the Google Workspace FedRAMP configuration guide to support CMMC compliance.
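As an added example (not code from the original page, and not Google's own tooling), the following POSIX shell script captures the two configuration decisions this section describes: which Assured Workloads compliance regime a CMMC enclave needs given its level and data residency requirement, and which enabled services fall outside a FedRAMP-authorized allowlist and should be turned off. The organization ID, billing account, location and the two service lists are placeholder assumptions; the flags are those of `gcloud assured workloads create`. The command is printed rather than executed so it can be reviewed before it touches the organization.

```shell
#!/bin/sh
# Added example, not from the original page or from Google.
# ORG_ID, LOCATION and BILLING_ACCOUNT are placeholder assumptions;
# override them in the environment for real use.
ORG_ID="${ORG_ID:-123456789012}"
LOCATION="${LOCATION:-us-central1}"
BILLING_ACCOUNT="${BILLING_ACCOUNT:-billingAccounts/000000-000000-000000}"

# regime_for LEVEL US_ONLY
#   Level 1 (FCI only): no FedRAMP-authorized regime is required.
#   Level 2/3 (CUI): at least FedRAMP Moderate; a US-only data residency
#   requirement raises this to FedRAMP High.
regime_for() {
  case "$1" in
    1) echo "NONE" ;;
    2|3)
      if [ "$2" = "yes" ]; then echo "FEDRAMP_HIGH"; else echo "FEDRAMP_MODERATE"; fi ;;
    *) echo "unknown CMMC level: $1" >&2; return 1 ;;
  esac
}

# workload_cmd LEVEL US_ONLY NAME
#   Prints the gcloud command that creates the Assured Workloads folder
#   (the software-defined boundary) for the enclave. Returns 2 for Level 1,
#   where no such folder is needed.
workload_cmd() {
  regime=$(regime_for "$1" "$2") || return 1
  if [ "$regime" = "NONE" ]; then
    echo "CMMC Level 1: no Assured Workloads folder required" >&2
    return 2
  fi
  printf 'gcloud assured workloads create --organization=%s --location=%s --compliance-regime=%s --display-name=%s --billing-account=%s\n' \
    "$ORG_ID" "$LOCATION" "$regime" "$3" "$BILLING_ACCOUNT"
}

# disable_list ENABLED ALLOWED
#   Prints each service in the newline-separated ENABLED list that is not on
#   the newline-separated ALLOWED list (the FedRAMP-authorized services in
#   scope). Those are the services to turn off for the enclave.
disable_list() {
  printf '%s\n' "$1" | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$svc" || echo "$svc"
  done
}

# Demonstration with constructed sample data (not Google's authorization list).
workload_cmd 2 yes cmmc-l2-enclave
disable_list "compute.googleapis.com
example.googleapis.com
storage.googleapis.com" "compute.googleapis.com
storage.googleapis.com"
```

Feed the printed `gcloud` line to `sh` only after review; the regime cannot be changed once the folder exists, so picking FEDRAMP_HIGH for a US-only requirement up front avoids a rebuild later.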

Google Cloud