U.S. Cybersecurity Maturity Model Certification (CMMC)

The U.S. Department of Defense (DoD) currently requires that all covered defense contractors and subcontractors implement the security controls outlined in NIST SP 800-171. This requirement is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as part of the covered entities' DFARS 252.204-7012 contractual commitments.

In order to formalize this requirement and provide the DoD a means to verify compliance with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) program is being developed by the DoD. All DoD contractors with the DFARS 252.204-7012 clause in their contracts will need to achieve the CMMC level required in the DoD contract as a condition of contract award when the rule is final. 

CMMC 2.0 Background 

On December 26, 2023, the DoD released a Proposed Rule for public comment. The comment period is open for 60 days, after which the comments will be reviewed by rule makers for final rule publication. Based on this timeline, industry analysts estimate that final rule publication will occur in early 2025, with the first round of contractors to be CMMC certified after that publication. The date is subject to change, based on the government’s decision-making timelines.

CMMC and Google Cloud

CMMC 2.0 has three levels available for organizations to pursue, depending on DoD requirements. While organizations cannot undergo an official CMMC assessment until the final rule has been published, Google Cloud is preparing for CMMC Level 2 by participating in mock assessments with our designated C3PAO supporting our FedRAMP authorization processes for both Google Cloud services and Google Workspace. Once CMMC 2.0 is final, Google will proceed with the formal certification process as defined for Cloud Service Providers (CSPs).

While no organization has received a CMMC certification to date, Google has sought NIST SP 800-171 assessments to help prepare for the CMMC 2.0 Program. These assessment reports can be found on our NIST SP 800-171 page.

Under the current draft of CMMC, contractors utilizing cloud solutions to store CUI must use CSPs that maintain a FedRAMP Moderate authorization at minimum. To help prepare for CMMC, Defense Industrial Base (DIB) contractors using Google Cloud services should refer to our FedRAMP Customer Responsibility Matrix (CRM) that is part of our FedRAMP System Security Plan (SSP) to understand the shared responsibility model as it relates to anticipated CMMC compliance. Our sales team or your Google Cloud representative is here to answer your questions and supply referenced documentation.