U.S. Defense Information Systems Agency Provisional Authorization

The United States Defense Information Systems Agency (DISA) manages the evaluation and authorization of cloud services for the U.S. Department of Defense (DoD). DISA Cloud Service Support has granted Google Cloud a DoD Impact Level 5 (IL5) provisional authorization (PA). An authorization at IL5 allows for processing and storage of controlled unclassified information and national security system (NSS) information using Google Cloud specific products.

Google Cloud's DISA IL2, IL4, and IL5 PAs require customers to use Assured Workloads and Premium Support. Google Workspace's DISA IL4 PA requires customers to use Assured Controls and Assured Support. For more information on the configuration process, please contact our sales team.

Google Cloud’s DISA IL Compliance

DISA is an agency of DoD that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD PA that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).

DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD PAs when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.

In 2022, Google Cloud was awarded an IL5 provisional authority, making it one of the first hyperscalers to receive DISA approval for a software-defined community cloud. A software-defined isolation approach means more flexibility than traditional government clouds in terms of region deployment, scalability, and cost.

ILx Package Requests

DoD ILx packages are based on FedRAMP High packages with additional DoD-specific controls. ILx packages are not authorized to be shared by Google, and must be supplied by DISA to any other parties. If a government entity is seeking details on the DoD PA package above what is covered by the FedRAMP P-ATO package, they can reach out to the Cloud Assessment Division at: DISA Ft Meade RE Mailbox Cloud Team: disa.meade.re.mbx.cloud-team@mail.mil

Google Cloud and IL2

IL2 data includes non-controlled unclassified information, which is all data cleared for public release and some low confidentiality unclassified information that is not designated as controlled unclassified information (CUI). This impact level accommodates non-CUI categorization based on CNSSI 1253 Security Categorization and Control Selection for National Security Systems up to low confidentiality and moderate integrity (L-M-x).

The December 15, 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that, “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels and considers the High baseline at some.

Section 5.1.1, "DoD use of FedRAMP Security Controls," of the Cloud Computing SRG outlines that IL2 information may be hosted in a CSO that minimally holds a FedRAMP Moderate or High provisional authorization. Only FedRAMP Moderate or High baseline controls will be assessed for DoD IL2 PAs. For an IL2 PA, DoD allows full reciprocity with FedRAMP Moderate or High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). To learn more about Google Cloud’s FedRAMP compliance, please refer to our FedRAMP page.

Hosting IL4 or IL5 Workloads on Google Cloud

IL4 and IL5 workloads are deployable via Assured Workloads, which enables security controls that meet heightened data residency and support requirements. Assured Workloads also enforces developer guardrails that help large organizations stay in compliance. 

Once you have selected your IL4 or IL5-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with IL4 and IL5 experts in our Professional Services organization. Additionally, Google provides customers with an IL4 Springboard Deployment guide with Terraform code.

Customers looking to deploy their solutions using Google Cloud in their IL4 and IL5 environments must use Assured Workloads. Assured Workloads allows customers to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. Assured Workloads does not rely on physical infrastructure distinct from its public cloud data centers. Instead, it delivers a Software Defined Community Cloud that offers cost, speed, and innovation advantages. 

IL4 and IL5-authorized services made available through Assured Workloads implement IL4 and IL5 security controls and allow customers to use the capabilities of Google Cloud to meet their organizational needs. Assured Workloads also provides visibility into the compliance state of IL4 and IL5 workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to auditors of your compliance state.

In addition to the controls satisfied by the Google Cloud infrastructure IL5 provisional authority, Assured Workloads implements the following key IL4 and IL5 controls by default for customers handling IL4 and IL5 government data: 

  1. Set guardrails to restrict IL4 and IL5 customer data location to the U.S.
  2. Restrict technical support staff to IL4 and IL5-adjudicated personnel located in the U.S.
  3. Enforce use of FIPS 140-2 compliant encryption at rest and in transit.
  4. Implement IL4 and IL5-required personnel access controls for those with routine access to customer data.
  5. Restrict developers to using only IL4 and IL5 compliant products and services.
  6. Logically segment the in-scope compliance boundary to support IL4 and IL5 requirements.

Google Workspace and IL4

Google Workspace Enterprise Plus edition has achieved the U.S. Department of Defense’s (DoD) Impact Level 4 authorization. Customers looking to deploy Google Workspace for their productivity and collaboration solution should use the add-on product feature Assured Controls, which allows organizations to precisely control cloud service provider access.

Google Workspace Enterprise Plus with Assured Controls includes built-in security controls and feature sets that enable DoD customers to achieve IL4 compliance and issue their own Authority to Operate (ATO). Key Google Workspace features that support IL4 compliance include:

  • The ability to restrict data to U.S. regions only using data regions
  • The ability to limit Google staff support actions to U.S. Persons only using Assured Controls Access Management
  • Advanced data encryption at rest and in transit to meet the encryption needs for sensitive data. Learn more via our Google Workspace encryption paper.
  • Google Workspace security center that provides advanced security information and analytics into security issues affecting your domain.

Department of Defense customers are able to request Google Workspace IL4 documentation via eMASS or via their DISA liaison. Please note, Google Workspace cannot provide this documentation directly to customers.

Services in scope

Calendar

Docs

Drive

Forms

Gmail

Google Chat (including Google Drive Bot, and Meet Bot)

Google Meet

Sheets

Slides

Customers can refer to the implementation guidelines to get a list of Workspace services that are approved for IL4. 

FAQ

One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already taken care of by our underlying infrastructure and Assured Workloads. Thus, when you submit your IL4 or IL5 package for authorization, you will also include Google’s SSP, which outlines controls that Google takes care of for you. Please reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).

In Google Cloud, customers are able to leverage encryption capabilities already present on authorized products for their associated data, both at rest and in use, with little to no action required to implement in most cases. Google Cloud's storage system and network both carry an IL4 and IL5 PA, which reduces the amount of responsibility Google Cloud customers need to manage.

Data stored at rest in authorized systems is encrypted automatically using FIPS 140-2 certified libraries (i.e., cert #3678, #3383, #3384). Encryption keys used in this system are also stored and protected according to NIST 800-57 and held securely inside Google’s proprietary KMS system. Customers can control this system via Cloud KMS.

Data transmission within a Google Cloud VPC is also authorized at IL4 and IL5 and is automatically protected with encryption, authentication and authorization. No further action is required for connections inside a VPC. Connections to Google APIs utilize TLS 1.2 or greater for the encryption of traffic. Customers are responsible for other connections in and out of the environment (either at Layer 3 or 7) that go through customer controlled resources (e.g., Cloud Load Balancer or Cloud VPN).

Google is one of the first hyperscale commercial cloud providers to achieve IL4 and IL5 on a commercial public cloud offering, and is one of the largest providers of IL4 and IL5 services.

  • NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  • NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
  • NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • CNSSI 1253 Security Categorization and Control Selection for National Security Systems