U.S. Department of Defense (DoD) Provisional Authorization

The United States Defense Information Systems Agency (DISA) manages the evaluation and authorization of cloud services for the U.S. Department of Defense (DoD). DISA has granted Google Cloud a DoD provisional authorization (PA) at DoD Impact Levels 2 (IL2), 4 (IL4), and 5 (IL5). The IL4 and IL5 authorizations allow Google Cloud to process and store controlled unclassified information (CUI); IL2 covers unclassified data that is not designated as CUI.

Google Cloud customers must use Data Boundary via Assured Workloads and Enhanced or Premium Support for environments that support DoD IL2, IL4, or IL5 PAs. Google Workspace customers must use Assured Controls Plus for environments that require a DoD IL4 PA. For more information on the configuration process, contact our sales team.

Google Cloud and DoD IL Compliance

DISA is responsible for developing and maintaining the DoD Cloud Service Provider (CSP) Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD PA that allows a cloud service provider (CSP) to host DoD missions. It maps to the DoD Risk Management Framework (RMF) and incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM).

DoD IL2, IL4, IL5, and IL6 accommodate various data categorizations based on CNSSI 1253, Security Categorization and Control Selection for National Security Systems. CNSSI 1253 explicitly defines the association of three possible impact values (low, moderate, or high) with three security objectives (confidentiality, integrity, and availability). CNSSI 1253 then provides the appropriate security baselines for each of the possible system categorizations using controls from NIST SP 800-53. Because availability is customer-defined at every DoD impact level, the DoD mission owner must address availability in the contract.

In 2022, Google Cloud was awarded a DoD IL5 PA, making it the first hyperscaler to receive a DoD IL5 PA for a software-defined community cloud. A software-defined isolation approach grants customers more flexibility than traditional physically separated cloud architectures (commonly referred to as government clouds) in terms of region deployment, service availability, scalability, and cost.

DoD ILx package requests: DoD ILx authorization packages are based on FedRAMP High packages with additional DoD specific controls. Google isn’t authorized to share DoD ILx packages; they must be shared directly by DISA to any other parties. If you’re a government entity seeking details on the DoD PA package beyond what’s covered by the FedRAMP P-ATO package, you can contact the DISA Cloud Assessment Division.

For access to the Google Services IL package, submit a request through the DoD Enterprise Mission Assurance Support Service (eMASS) cybersecurity and authorization information repository.

Google Cloud and DoD IL2

DoD IL2 data includes all data cleared for public release and some low confidentiality unclassified information that isn’t designated as CUI. This impact level accommodates non-CUI categorization based on CNSSI 1253 up to low confidentiality, moderate integrity, and customer-defined availability (L-M-x).

For IL2, DoD allows full reciprocity with FedRAMP Moderate or High provisional authorization to operate (P-ATO). To learn more about Google Cloud’s FedRAMP compliance, refer to our FedRAMP page.

According to DISA, data categorized at IL2 is permitted only in U.S. data centers authorized for the CSO. Non-U.S. locations of the Google Cloud FedRAMP authorized regions aren't included under reciprocity, and must be explicitly authorized by the DISA authorizing official. DoD IL2 workloads should be deployed on Google Cloud using Data Boundary via Assured Workloads.

Google Cloud and DoD IL4 and IL5

IL4 and IL5 accommodate CUI categorizations up to moderate confidentiality, moderate integrity, and customer-defined availability (M-M-x) based on CNSSI 1253. Once you have selected your IL4 or IL5-authorized services, you must deploy them using Data Boundary via Assured Workloads.

Assured Workloads also provides visibility into the compliance state of DoD IL4 and IL5 workloads through Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide attestations to auditors of your compliance with IL4 and IL5 security requirements.

Data Boundary via Assured Workloads also implements the following key DoD IL4 and IL5 controls by default for customers handling DoD IL4 or IL5 government data:

  1. Sets guardrails that restrict the location of your DoD IL4 and IL5 data to the U.S.
  2. Restricts technical support staff to DoD IL4- and IL5-adjudicated personnel located in the U.S.
  3. Enforces the use of FIPS 140-validated encryption at rest and in transit.
  4. Implements the access controls that DoD IL4 and IL5 require for personnel with potential access to customer data.
  5. Restricts developers to using only DoD IL4- and IL5-compliant products and services.
  6. Logically segments the in-scope compliance boundary to support DoD IL4 and IL5 requirements.

Google Cloud and U-NNPI

The Naval Nuclear Propulsion Program, created under Executive Order 12344, is a joint Department of Energy and Department of the Navy organization overseeing all aspects of naval nuclear propulsion. The program comprises military and civilian personnel who design, build, operate, maintain, and manage the U.S. Navy's nuclear-powered ships and the many facilities that support the nuclear-powered naval fleet.

The Naval Reactors Program Cloud Authorization Framework published in May 2019 (NR Framework) provides guidelines for organizations seeking authorization of cloud-based systems intended to store or process Naval Nuclear Propulsion Information (NNPI). Table 7-2 in the NR Framework outlines 17 extra Unclassified NNPI (U-NNPI) security controls that aren't part of the DoD IL5 control baseline. These controls must be assessed for cloud-based systems processing U-NNPI.

An accredited third-party assessment organization (3PAO) has examined Google Cloud control evidence for all 17 U-NNPI security controls and verified through a letter of attestation that Google Cloud meets all U-NNPI security control requirements.

Google Cloud can help you meet your U-NNPI compliance requirements under the following conditions:

  • You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to storing or processing U-NNPI on Google Cloud.
  • You must use Data Boundary via Assured Workloads for DoD IL5 to restrict potential U-NNPI access in customer-initiated support scenarios to Google personnel who are U.S. persons located in the United States and who have completed enhanced background checks.

NNPI is categorized as CUI. Moreover, Table 1 and Exhibit 1 in OPNAVINST N9210.3 Safeguarding of Naval Nuclear Propulsion Information (NNPI) of 7 June 2010 provide the different classification levels and handling controls for NNPI, including access requirements for U-NNPI.

U-NNPI, which is marked and handled as Not Releasable to Foreign Nationals (NOFORN), has the following access restrictions:

  • U.S. citizenship
  • Need to know (NTK)

It's your responsibility to ensure that only U.S. citizens with a need to know have access to U-NNPI stored or processed in your Google Cloud services. Google employees don't access your IL5 customer data, and the encryption keys are solely under your control.

Google Distributed Cloud air-gapped and appliance and DoD IL6

IL6 designation applies to the storage and processing of information classified up to the US Government SECRET level.

To support DoD IL6 requirements, Google provides Google Distributed Cloud air-gapped and Google Distributed Cloud air-gapped appliance, which let you host, control, and manage infrastructure and services directly on your premises. Neither option requires connectivity to Google Cloud, and both are securely delivered to your premises. Google Distributed Cloud air-gapped is a rack-based solution, while Google Distributed Cloud air-gapped appliance is a portable, standalone device.

Google Distributed Cloud air-gapped and appliance maintain a DoD IL6 PA at the high confidentiality, high integrity, and customer-defined availability (H-H-x) information categorization per CNSSI 1253. Both enable direct connectivity to the DoD Secret Internet Protocol Router Network (SIPRNet). Any connectivity beyond the SIPRNet connections must be approved by the DoD cloud authorizing official. You can contact DISA for more information about Google Distributed Cloud air-gapped and appliance DoD IL6 PA, including cloud services in DoD IL6 audit scope.

Google Workspace and DoD IL2 and DoD IL4

Google Workspace Enterprise Plus edition supports DoD IL2 workloads and has achieved a DoD IL4 PA. You must use Assured Controls Plus if you’re looking to deploy Google Workspace for a productivity and collaboration solution that requires compliance with DoD IL4.

Google Workspace Enterprise Plus with Assured Controls Plus includes built-in security controls and feature sets to help you meet DoD IL4 compliance requirements and obtain your own Authority to Operate (ATO). Key Google Workspace features that support DoD IL4 compliance include:

  • The ability to restrict data to U.S. regions only using data regions.
  • The ability to limit Google staff support actions to U.S. Persons only using Assured Controls Access Management.
  • Advanced data encryption at rest and in transit to meet the encryption needs for sensitive data. Learn more from our Google Workspace encryption paper.
  • Google Workspace security center that provides advanced security information and analytics into security issues affecting your domain.

If you’re a DoD customer, you can access Google Workspace DoD IL4 documentation via eMASS or you can request it from your DISA liaison. Google cannot provide this documentation directly to customers.

FAQ

One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already taken care of by our underlying infrastructure and Assured Workloads. Thus, when you submit your IL4 or IL5 package for authorization, you will also include Google’s SSP, which outlines controls inherited from Google. Reach out to your Google sales team for more information.

Google Cloud enables you to leverage encryption capabilities already present on authorized products for their associated data, both at rest and in transit, with little to no action required to implement in most cases. Google Cloud's storage system and network both maintain IL4 and IL5 PAs, which reduces the amount of responsibility for you to manage.

Data stored at rest in authorized systems is encrypted automatically using FIPS 140-validated encryption. Encryption keys used in this system are stored and protected according to NIST SP 800-57 and held securely inside Google's internal key management service. For services that support customer-managed encryption keys (CMEK), you can manage those keys yourself with Cloud KMS.

Data transmission within a Google Cloud VPC is also authorized at IL4 and IL5, and is automatically encrypted. No further action is required for connections inside a VPC.

At the application layer, you can select Transport Layer Security (TLS) 1.2 or greater for data encryption in transit. Service endpoints support TLS to create a secure HTTPS connection when making API calls.
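The paragraph above leaves the client side to you: the endpoint will accept TLS 1.2 or greater, but nothing stops a misconfigured client library from negotiating TLS 1.0 or skipping certificate checks. The following is an added example, not code from the page or from Google, of how an IL4/IL5 workload can pin its own client policy with Python's standard `ssl` module and audit a context it did not build. The policy values (TLS 1.2 floor, AEAD-only TLS 1.2 cipher list, mandatory certificate and hostname verification) are this example's assumptions; the deliberately weak `make_loose_context()` is constructed only to show what the audit flags.

```python
import ssl

# Assumed policy for this example (not settings taken from the page):
# TLS 1.2 as the floor, and for TLS 1.2 only AEAD suites (AES-GCM or
# ChaCha20-Poly1305) so that no CBC, RC4, or 3DES suite can be negotiated.
# TLS 1.3 suites are fixed by the library and are all AEAD.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def make_client_context() -> ssl.SSLContext:
    """Build a hardened client context for HTTPS calls to service endpoints."""
    ctx = ssl.create_default_context()  # system CA bundle, CERT_REQUIRED, hostname check on
    ctx.minimum_version = TLS_FLOOR     # refuse TLS 1.0 / 1.1 outright
    ctx.set_ciphers(AEAD_ONLY)          # TLS 1.2 cipher list; TLS 1.3 suites are unaffected
    return ctx


def make_loose_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: the kind of context a convenience
    wrapper might hand you. Used here only as audit input, never for traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return policy findings for an existing context; an empty list means compliant.

    This is the check to run on a context a library built for you: it turns
    "we use TLS" into evidence that a downgrade to a weaker configuration
    is not possible from this client.
    """
    findings = []
    if ctx.minimum_version < TLS_FLOOR:
        findings.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    weak = [c["name"] for c in ctx.get_ciphers()
            if not ("GCM" in c["name"] or "CHACHA20" in c["name"])]
    if weak:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("loose:   ", audit_context(make_loose_context()))
```

Pass the hardened context to whatever HTTP client you use (for example, as the `ssl_context` of an `urllib3.PoolManager` or the `context` argument of `http.client.HTTPSConnection`), and keep `audit_context()` in a startup self-check so a dependency upgrade that quietly relaxes the defaults fails loudly rather than silently.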

Google was the first hyperscale cloud provider to achieve IL4 and IL5 provisional authorizations for a public cloud service offering, and is one of the largest providers of IL4 and IL5 services. Google Workspace maintains an IL4 PA whereas Google Cloud maintains both IL4 and IL5 PAs for their public cloud service offerings.

Google relies on a software-defined community cloud, an approach for isolating security- and compliance-sensitive workloads using Assured Workloads. The software-defined community cloud lets you take advantage of the efficient cloud infrastructure that Google Cloud provides while meeting stringent security compliance requirements. When using a software-defined community cloud deployed on the existing Google public cloud infrastructure, you won't need to manage and maintain separate cloud infrastructure instances.

By using Google hyperscale public cloud service offerings, such as Google Cloud and Google Workspace, DoD benefits from the latest cloud innovations such as artificial intelligence, machine learning, and others. Moreover, a hyperscale public cloud provides capacity for failover redundancy and flexibility with global resiliency planning.

Services in scope

Google Cloud and Google Workspace services in-scope for IL4/5 are listed in FedRAMP and DoD compliance scope.
