U.S. Defense Information Systems Agency Provisional Authorization
The United States Defense Information Systems Agency (DISA) manages the evaluation and authorization of cloud services for the U.S. Department of Defense (DoD). DISA Cloud Service Support has granted Google Cloud a DoD Impact Level 4 and Impact Level 5 provisional authorization (PA). An assessment at Impact Level 4 (IL4) allows for processing and storage of controlled unclassified information in specific products on Google Cloud. An assessment at Impact Level 5 (IL5) allows for data processing and storage of DoD higher sensitivity controlled unclassified information, mission-critical information, and national security systems information.
Google’s IL2 PA for Google Cloud and Workspace is in place. Google Cloud and Workspace customers seeking IL2 compliance must use Assured Workloads for IL2.
*Note: Impact Level (IL) platforms will restrict customer domain sign-in over less secure protocols (e.g., TLS 1.1/1.0).
Google Cloud's DISA IL4 and IL5 provisional authorizations require customers to use Assured Workloads. Workspace's DISA IL4 and IL5 provisional authorizations require customers to use Assured Controls, Assured Support and either Enhanced or Premium Support. For more information on the configuration process for IL4 and IL5 provisional authorizations, please contact sales.
Google Cloud and IL4 and IL5
Services in scope
Please refer to our FedRAMP compliance card for the list of services in scope for IL2.
One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already taken care of by our underlying infrastructure and Assured Workloads. Thus, when you submit your IL4 or IL5 package for authorization, you will also include Google’s System Security Plan (SSP), which outlines the controls that Google takes care of for you. Please reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).
In Google Cloud, customers can use the encryption capabilities already present on authorized products for their associated data, both at rest and in use, with little to no action required in most cases. Google Cloud's storage system and network both carry an IL4 and IL5 PA, which reduces the amount of responsibility Google Cloud customers need to manage.
Data stored at rest in authorized systems is encrypted automatically using FIPS 140-2 certified libraries (i.e., cert #3678, #3383, #3384). Encryption keys used in this system are also stored and protected according to NIST 800-57 and held securely inside Google’s proprietary KMS system. Customers can control this system via Cloud KMS.
Data transmission within a Google Cloud VPC is also authorized at IL4 and IL5 and is automatically protected with encryption, authentication and authorization. No further action is required for connections inside a VPC. Connections to Google APIs use TLS 1.2 or greater to encrypt traffic. Customers are responsible for other connections in and out of the environment (either at Layer 3 or 7) that go through customer-controlled resources (e.g., Cloud Load Balancer or Cloud VPN).
Google is one of the first hyperscale commercial cloud providers to achieve IL4 and IL5 on a commercial public cloud offering, and is one of the largest providers of IL4 and IL5 services.