U.S. Department of Defense (DoD) Provisional Authorization

DISA is an agency of the DoD that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD PA that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).

DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD PAs when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.

In 2022, Google Cloud was awarded a DoD IL5 provisional authorization, making it one of the first hyperscalers to receive a DoD provisional authorization for a software-defined community cloud. A software-defined isolation approach means more flexibility than traditional government clouds in terms of region deployment, scalability, and cost.

ILx Package Requests DoD ILx Packages are based on FedRAMP High packages with additional DoD specific controls. ILx packages are not authorized to be shared by Google, and must be supplied by DISA to any other parties. If a government entity is seeking details on the DoD PA package above what is covered by the FedRAMP P-ATO package, they can reach out to the Cloud Assessment Division at DISA Ft Meade RE Mailbox Cloud Team: disa.meade.re.mbx.cloud-team@mail.mil

IL2 data includes non-controlled unclassified information, which is all data cleared for public release and some low confidentiality unclassified information that is not designated as controlled unclassified information (CUI). This impact level accommodates non-CUI categorization based on CNSSI 1253 Security Categorization and Control Selection for National Security Systems up to low confidentiality and moderate integrity (L-M-x).

The December 15, 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that, “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.

Section 5.1.1, DoD use of FedRAMP Security Controls of the Cloud Computing SRG outlines that IL2 information may be hosted in a CSO that minimally holds a FedRAMP Moderate or High provisional authorization. Only FedRAMP Moderate or High baseline controls will be assessed for DoD IL2 PAs. For an IL2 PA, DoD allows full reciprocity with FedRAMP Moderate or High provisional authorization to operate (P-ATO) issued by the FedRAMP Board (formerly known as the Joint Authorization Board JAB). To learn more about Google Cloud’s FedRAMP compliance, refer to our FedRAMP page. 

IL4 and IL5 workloads are deployable via Assured Workloads, which enables security controls that meet heightened data residency and support requirements. Assured Workloads also enforces developer guardrails that help large organizations stay in compliance. 

Once you have selected your IL4 or IL5-authorized services, Google can help you configure your solution through service-specific configuration guides when directly engaging with our Professional Services organization. Additionally, Google provides customers with an IL4 Springboard Deployment guide with Terraform code.

Customers looking to deploy their solutions using Google Cloud in their IL4 and IL5 environments must use Assured Workloads. Assured Workloads allows customers to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. Assured Workloads does not rely on physical infrastructure distinct from its public cloud data centers. Instead, it delivers a Software Defined Community Cloud that offers cost, speed, and innovation advantages. 

IL4 and IL5-authorized services made available through Assured Workloads implement IL4 and IL5 security controls and allow customers to use the capabilities of Google Cloud to meet their organizational needs. Assured Workloads also provides visibility into the compliance state of IL4 and IL5 workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to auditors of your compliance state.

In addition to the controls satisfied by the Google Cloud infrastructure IL5 provisional authorization, Assured Workloads implements the following key IL4 and IL5 controls by default for customers handling IL4 and IL5 government data: 

1. Set guardrails to restrict IL4 and IL5 customer data location to the U.S.
2. Restrict technical support staff to IL4 and IL5-adjudicated personnel located in the U.S.
3. Enforce the use of FIPS-140 validated encryption at rest and in transit.
4. Implement IL4 and IL5-required personnel access controls for those with routine access to customer data.
5. Restrict developers to using only IL4 and IL5 compliant products and services.
6. Logical segmentation of in-scope compliance boundary to support IL4 and IL5 requirements.

Google Workspace Enterprise Plus edition has achieved the U.S. Department of Defense’s (DoD) Impact Level 4 provisional authorization. Customers looking to deploy Google Workspace for their productivity and collaboration solution should use the add-on product feature Assured Controls that will allow organizations to precisely control cloud service provider access.

Google Workspace Enterprise Plus with Assured Controls includes built-in security controls and feature sets that enable DoD customers to achieve IL4 compliance and issue their own Authority to Operate (ATO). Key Google Workspace features that support IL4 compliance include:

• The ability to restrict data to U.S. regions only using data regions.
• The ability to limit Google staff support actions to U.S. Persons only using Assured Controls Access Management.
• Advanced data encryption at rest and in transit to meet the encryption needs for sensitive data. Learn more via our Google Workspace encryption paper.
• Google Workspace security center that provides advanced security information and analytics into security issues affecting your domain. 

Department of defense customers are able to request Google Workspace IL4 documentation via eMASS or via their DISA liaison. Google Workspace cannot provide this documentation directly to customers.

• Overview of Assured Workloads
• Guidance and Terraform for Deploying an IL4 Assured Workloads Environment
• NIST Cybersecurity Framework and Google Cloud
• Google Cloud Deployment Guide
• Google Cloud Security Model
• DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
• Controlled unclassified information (CUI) Registry and CUI category list
• NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
• NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
• NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• CNSSI 1253 Security Categorization and Control Selection for National Security Systems