U.S. Defense Information Systems Agency Provisional Authorization

The United States Defense Information Systems Agency (DISA) manages the evaluation and authorization of cloud services for the U.S. Department of Defense (DoD). DISA Cloud Service Support has granted Google Cloud a DoD Impact Level 4 and Impact Level 5 provisional authorization (PA). An assessment at Impact Level 4 (IL4) allows for processing and storage of controlled unclassified information in specific products on Google Cloud. An assessment at Impact Level 5 (IL5) allows for data processing and storage of DoD higher sensitivity controlled unclassified information, mission-critical information, and national security systems information.

Google’s IL2 PA for Google Cloud and Workspace is in place. Google Cloud and Workspace customers seeking IL2 compliance must use Assured Workloads for IL2.

*Note: Impact Level (IL) platforms will restrict customer domain sign-in for less secure protocols (e.g. TLS 1.1/1.0).

Google Cloud's DISA IL4 and IL5 provisional authorizations require customers to use Assured Workloads. Workspace's DISA IL4 and IL5 provisional authorizations require customers to use Assured Controls, Assured Support and either Enhanced or Premium Support. For more information on the configuration process for IL4 and IL5 provisional authorizations, please contact sales.

Google Cloud and IL4 and IL5

Google Cloud was awarded an IL5 provisional authority in 2022, making it the one of the first hyperscalers to receive DISA approval for a software-defined community cloud. A software-defined isolation approach means more flexibility than traditional government clouds in terms of region deployment, scalability, and cost.

IL4 and IL5 workloads are deployable via Assured Workloads, which enables security controls that meet heightened data residency and support requirements. Assured Workloads also enforces developer guardrails that help large organizations stay in compliance.

Once you have selected your IL4 or IL5-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with IL4 and IL5 experts in our Professional Services organization. Additionally, Google provides customers with a IL4 Springboard Deployment guide with Terraform code.

Services in scope

Cloud Key Management Service

Identity and Access Management

Persistent Disk

Virtual Private Cloud

Google Cloud

BigQuery

Cloud HSM

Cloud Identity

Cloud Key Management Service

Google Kubernetes Engine

Identity and Access Management

Persistent Disk

Virtual Private Cloud

Google Workspace

Google Chat (including Google Drive Bot, and Meet Bot)

Cloud Data Loss Prevention

Cloud Key Management Service

Google Kubernetes Engine (GKE)

Identity & Access Management

Memorystore for Memcache

Memorystore for Redis

Virtual Private Cloud

Please refer to our FedRAMP compliance card for the list of services in scope for IL2.

FAQ

One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already taken care of by our underlying infrastructure and Assured Workloads. Thus, when you submit your IL4 or IL5 package for authorization, you will also include Google’s SSP, which outlines controls that Google takes care of for you. Please reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).

In Google Cloud, customers are able to leverage encryption capabilities already present on authorized products for their associated data, both at rest and in use, with little to no action required to implement in most cases.Google Cloud's storage system and network both carry a IL4 and IL5 PA, which reduces the amount of responsibility Google Cloud customers need to manage.

Data stored at rest in authorized systems is encrypted automatically using FIPS 140-2 certified libraries (i.e., cert #3678, #3383, #3384). Encryption keys used in this system are also stored and protected according to NIST 800-57 and held security inside Google’s proprietary KMS system. Customers can control this system via Cloud KMS.

Data transmission within a Google Cloud VPC is also authorized at IL4 and IL5 and is automatically protected with encryption, authentication and authorization. No further action is required for connections inside a VPC. Connections to Google APIs utilize TLS 1.2 or greater for the encryption of traffic. Customers are responsible for other connections in and out of the environment (either at Layer 3 or 7) that go through customer controlled resources (e.g., Cloud Load Balancer or Cloud VPN).

Google is one of the first hyperscale commercial cloud providers to achieve IL4 and IL5 on a commercial public cloud offering, and is one of the largest providers of IL4 and IL5 services.

Overview of Assured Workloads
Guidance and Terraform for Deploying an IL4 Assured Workloads Environment
NIST Cybersecurity Framework and Google Cloud
Google Cloud Deployment Guide
Google Cloud Security Model
DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)

Controlled unclassified information (CUI) Registry and CUI category list

NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
CNSSI 1253 Security Categorization and Control Selection for National Security Systems