FedRAMP
The U.S. Federal government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. Congress codified FedRAMP in 2022, as “a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.”
All federal agency cloud deployments and service models, other than certain on-premise private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).
Customers interested in using Google Cloud services in alignment with FedRAMP Moderate or High levels hosting must use Assured Workloads and Assured Support (High only).
Google Cloud’s FedRAMP Compliance
The FedRAMP Board (formerly known as the Joint Authorization Board) is the primary governing body for FedRAMP, and includes the Department of Defense (DoD), Department of Homeland Security (DHS), the General Services Administration (GSA), and other agencies as determined by the GSA Administrator and the FedRAMP director.
The FedRAMP Board has issued FedRAMP Moderate and FedRAMP High Authority to Operate (ATO) to Google Cloud infrastructure and to specific Google Cloud Services Offerings (CSOs). Google Cloud routinely submits additional services for FedRAMP Moderate and High approvals to the Board.
Google Cloud can provide the following additional FedRAMP compliance documentation to customers under non-disclosure agreement (NDA):
- FedRAMP Customer Responsibility Matrix (CRM)
- Google Cloud’s System Security Plan (SSP)
- Penetration test reports and other documents
Our sales team or your Google Cloud representative can help provide access to this documentation. Government customers may also request Google’s FedRAMP package through the FedRAMP Program Management Office using its package request form.
For customers who buy through a Google partner, purchase terms and conditions flow down from our partners.
Google Workspace FedRAMP compliance
Customers can use Google Workspace in compliance with various U.S. federal government and global standards for cloud security and privacy. In addition to maintaining a FedRAMP High authorization, Google Workspace is also certified against ISO 27017, 27018, 27001, and is audited against the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) standards.
Google Cloud VMware Engine (GCVE) FedRAMP High Readiness
In 2023, the FedRAMP Program Management Office (PMO) completed the review of Google Cloud VMware Engine (GCVE) High Readiness Assessment Report (RAR) provided by a third party assessment organization (3PAO). Based on the positive results of the review, with no notable capability weaknesses found, GCVE has been accepted as a FedRAMP High Ready offering (FedRAMP Package ID FR2405153785).
Achieving FedRAMP High Ready indicates to the US federal government that GCVE has a high likelihood of achieving a FedRAMP Authorization. GCVE is also certified against ISO 27017, 27018, 27001, PCI-DSS and is audited against the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) standards.
Hosting FedRAMP Moderate and High Workloads on Google Cloud
Google Cloud’s investment in our security-by-default infrastructure ensures that security controls are built-in and pre-configured to enable customers to achieve various compliance levels without a traditional isolated government cloud architecture.
Customers looking to deploy their solutions using Google Cloud in their FedRAMP Moderate and High environments must use Assured Workloads. Assured Workloads allows customers to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. Assured Workloads does not rely on physical infrastructure distinct from its public cloud data centers. Instead, it delivers a Software Defined Community Cloud that offers cost, speed, and innovation advantages.
FedRAMP-authorized services made available through Assured Workloads implement FedRAMP security controls and allow customers to use the capabilities of Google Cloud to meet their organizational needs. Assured Workloads also provides visibility into the compliance state of FedRAMP workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to auditors of your compliance state.
In addition to the controls satisfied by the Google Cloud infrastructure FedRAMP High ATO, Assured Workloads implements the following key FedRAMP High controls by default for customers handling FedRAMP High government data:
- Guardrails to restrict FedRAMP High customer data location to the U.S.
- Technical support staff limited to FedRAMP-adjudicated personnel located in the U.S.
- FIPS-140-2 compliant encryption at rest and in transit
- Personnel access controls for those with routine access to customer data
- Only FedRAMP compliant products and services allowed
- Logical segmentation of in-scope compliance boundary to support FedRAMP Moderate and High requirements
Hosting FedRAMP Moderate and High Data on Google Workspace
Google Workspace maintains a FedRAMP High ATO, which customers can leverage to host FedRAMP Moderate and High data. Customers looking to deploy Google Workspace in their FedRAMP Moderate and High environments should enable the FedRAMP-authorized services that meet the respective authorization. Learn how to turn a service on or off for Google Workspace.
Additionally, Google Workspace Business and Enterprise editions have built-in security controls and feature sets that enable customers to meet FedRAMP High and align their own ATO. Google Workspace users can configure their environments to meet FedRAMP data residency controls by using a Data Region policy.
Process for Achieving a FedRAMP Authority to Operate (ATO)
Customers that are interested in hosting government data on Google Cloud may also be interested in pursuing their own Authority to Operate (ATO). Organizations should consider the following milestones for achieving an ATO on Google Cloud:
- Determine whether the in-scope data requires FedRAMP Moderate or FedRAMP High
- Select Assured Workloads (FedRAMP Moderate is included in the free tier, FedRAMP High requires a premium subscription) for the in-scope Google Cloud services
- Decide on your FedRAMP boundary within Google Cloud
- Configure your workloads in accordance with the shared responsibility model, Customer Responsibility Matrix, in-scope Google Cloud services, and FedRAMP guidelines
- Undergo an audit with a third party assessment organization (3PAO)
- Submit your package to the FedRAMP Board or Federal Agency for review and authorization
For more information on the ATO process, please refer to the FedRAMP website. For additional FedRAMP ATO support from Google Cloud, please visit our Google Cloud Consulting page.
FAQs
What does Google Cloud think about the Office of Management and Budget's FedRAMP draft memorandum?
The Office of Management and Budget's recent FedRAMP draft memorandum, which endorses a modern cloud approach based on logical and software-based separation instead of physical separation, is a strong step in the right direction. Google Cloud has pioneered this approach, and believes it empowers customers to scale and innovate securely.
How can I get FedRAMP compliance for my solution that uses Google Cloud?
FedRAMP allows for varying levels of inheritance for cloud service providers (CSPs) using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a CSP.
For example, if your organization prefers to build the entire stack of your application, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.
Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.
How does Google offer FedRAMP-authorized services when it doesn’t have a GovCloud offering?
Google is one of the first hyperscale commercial cloud providers to achieve FedRAMP High on a commercial public cloud offering, and is one of the largest providers of FedRAMP services available on the market today. In the past, hyperscale providers have separated their “govclouds” from their commercial cloud offerings to meet FedRAMP High requirements. This approach can deliver compliance, but these separate environments often don’t come with all the benefits that Google cloud infrastructure can provide.
Google Cloud’s FedRAMP High authorization enables government agencies processing high impact workloads to adopt technology at a much higher velocity and at the same scale as commercial customers, and leverage Google’s unique public cloud infrastructure, including both its capabilities and its capacity. With Assured Workloads or Assured Controls, customers can confidently secure and configure sensitive workloads to support their compliance and security requirements in the cloud. Choose your security settings, and Google can put the necessary cloud controls in place.
How do I configure Google Workspace to be FedRAMP High compliant?
The list of Google Workspace editions that are FedRAMP authorized are listed below. Here is the configuration guide for deploying Google Workspace to support compliance with FedRAMP High security controls.
Do I need Assured Workloads to achieve a FedRAMP ATO?
Yes, Assured Workloads is required to achieve either a FedRAMP Moderate or FedRAMP High ATO. Assured Workloads gives Google Cloud the ability to identify customer federal workloads and apply technical guardrails to match changes in federal regulation. Google Cloud has committed to maintaining FedRAMP compliance requirements, including those introduced in NIST 800-53 Revision 5 and future releases for workloads running within Assured Workloads.
Additionally, Assured Workloads is the only way for Google Cloud to meet FedRAMP High’s heightened support and data residency requirements. Assured Workloads is not applicable for Google Workspace, which has its own controls.
What FedRAMP controls can I inherit from Google Cloud?
One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already in place in our underlying infrastructure and Assured Workloads. Thus, when you submit your FedRAMP package to the FedRAMP Board for authorization, you will also include Google’s SSP, which outlines controls that Google Cloud manages. Please reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).
How does this relate to StateRAMP?
The StateRAMP (State Risk and Authorization Management Program) group is a nonprofit membership organization that established the StateRAMP certification. Like FedRAMP, it is built upon the NIST 800-53 framework and is modeled in part after FedRAMP. StateRAMP also relies on FedRAMP Authorized 3PAOs to conduct assessments. Google Cloud is ready to support StateRAMP government customers with enhanced data residency and support capabilities via Assured Workloads.
How can I find a 3PAO?
The FedRAMP Marketplace maintains a list of qualified 3PAOs.
Do I need to perform penetration testing?
Google Cloud’s SSP covers Google-owned resources for penetration testing, and customers may inherit this control by using Google Cloud. A penetration test of the customer’s own FedRAMP environment built using Google Cloud will also need to be conducted during the 3PAO assessment.
Can Google help with the FedRAMP compliance process?
FedRAMP allows for varying levels of inheritance for cloud service providers (CSPs) using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a CSP.
For example, if your organization prefers to build the entire stack of your application, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.
Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.
Are Assured Workloads and Google Cloud Console authorized?
Assured Workloads is a Google Cloud feature which customers can use to turn on specific project configurations to meet their compliance regime(s). Customers are able to set organization policies to meet compliance requirements on their own without the use of Assured Workloads as well. Products discretely integrate with Assured Workloads and enforce the organization policies themselves.
Google Cloud Console is a simple web-based user interface that contains features to assist Customers with deployment. It is a framework, i.e., not a service, built on Google Cloud infrastructure that provides customers an interface to manage their Google Cloud assets. Cloud Console customers interact with the individual Google Cloud services’ APIs directly, and use the services’ APIs to render the UI. Cloud Console by itself does not have an API for customers to interact with. Instead, customers interact with the individual Google Cloud services’ APIs directly; Cloud Console uses those service APIs to render the UI.
How do I set up my FedRAMP workload to eliminate 3DES as a weak encryption algorithm?
In alignment with NIST SP 800-131A Rev. 2, Transitioning the Use of Crypto Algorithms and Key Lengths, customers are seeking to deprecate the use of 3DES. Google Cloud does not use 3DES, but in order to support all our customers, it’s still available on Google endpoints. If your FedRAMP solution requires the removal of 3DES, please contact support to assist in its removal from your Assured Workloads environment.
Services in scope
Google Cloud services in scope for FedRAMP High
FedRAMP Package ID FR1805751477
*Note that all Google Cloud services covered by FedRAMP High are also covered by FedRAMP Moderate
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
Admin Console (including Admin SDK, Directory Sync)
AI Platform Neural Architecture Search (NAS)
AI Platform Training and Prediction (formerly Cloud Machine Learning Engine)
Anthos Config Management (ACM)
BigQuery Data Transfer Service
Cloud External Key Manager (Cloud EKM)
Cloud Life Sciences (formerly Google Genomics)
Cloud Load Balancing (L7 ILB/XLB)
Cloud Load Balancing (Network Load Balancing)
Cloud Logging (includes Error Reporting)
Cloud NAT (Network Address Translation)
Cloud Profiler (formerly Stackdriver Profiler)
Cloud Trace (formerly Stackdriver Trace)
Filestore (Basic HDD and Basic SSD tiers)
Google Cloud Identity-Aware Proxy
Google Security Operations SOAR
Identity & Access Management (IAM)
Key Access Justifications (KAJ)
Looker Studio (including Pro, formerly Google Data Studio)
Security Command Center Premium
Sensitive Data Protection (including Cloud Data Loss Prevention)
Vertex AI Workbench User Managed Notebooks (formerly AI Platform Notebooks)
Google Cloud services under JAB review for FedRAMP High
Google Cloud services in scope for FedRAMP Moderate
FedRAMP Package ID FR1805751477
*Note that all Google Cloud services covered by FedRAMP High are also covered by FedRAMP Moderate
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
AI Platform Training and Prediction (formerly Cloud Machine Learning Engine)
BigQuery Data Transfer Service
Care Studio (Cloud Healthcare Search)
Cloud Life Sciences (formerly Google Genomics)
Cloud NAT (Network Address Translation)
Cloud Trace (formerly Stackdriver Trace)
Filestore (Basic HDD and Basic SSD tiers)
Google Cloud Identity-Aware Proxy
Google Security Operations SIEM
Google Security Operations SOAR
Identity & Access Management (IAM)
Key Access Justifications (KAJ)
Looker Studio (including Pro formerly Google Data Studio)
Security Command Center (including Web Security Scanner) (formerly Cloud Security Scanner)
Sensitive Data Protection (including Cloud Data Loss Prevention)
Vertex AI Neural Architecture Search
Vertex AI Workbench User Managed Notebooks (formerly AI Platform Notebooks)
Google Cloud services under JAB review for FedRAMP Moderate
Google Workspace Editions (FedRAMP High)
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
Google Workspace Business Plus
Google Workspace Business Standard
Google Workspace Editions (FedRAMP Moderate)
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
Google Workspace Business Starter
Google Workspace Enterprise Essentials
Google Workspace Enterprise Plus
Google Workspace for Education
Google Workspace for Education Fundamentals
Google Workspace for Education Plus
Google Workspace for Education Standard
Google Workspace for Governments
Google Workspace for Nonprofits
Google Workspace Services (FedRAMP High)
FedRAMP Package ID F1206081364
*Note that Admin Console and Cloud Identity are now part of the Google Services package (FR1805751477)
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
Google Workspace services under JAB review for FedRAMP High
Google Workspace Services (FedRAMP Moderate)
Google Workspace Services (FedRAMP Moderate)
FedRAMP Package ID F1206081364
*Note that Admin Console and Cloud Identity are now part of the Google Services package (FR1805751477)
*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.
Android and Chrome Device Management
Chrome Sync (for Google Workspace for Education domains only)
Drive REST API (replaced Documents List API)
Google Workspace services under JAB review for FedRAMP Moderate
Authorized Google Cloud Regions for FedRAMP
All Google Cloud regions covered by FedRAMP High are also covered by FedRAMP Moderate.
Oregon (us-west1) - FedRAMP High
Los Angeles (us-west2) - FedRAMP High
Salt Lake City (us-west3) - FedRAMP High
Las Vegas (us-west4) - FedRAMP High
Iowa (us-central1) - FedRAMP High
Oklahoma (us-central2) - FedRAMP High
South Carolina (us-east1) - FedRAMP High
Northern Virginia (us-east4) - FedRAMP High
Columbus (us-east5) - FedRAMP High
Dallas (us-south1) - FedRAMP High
Montreal (northamerica-northeast1) - FedRAMP Moderate
São Paulo (southamerica-east1) - FedRAMP Moderate
Belgium (europe-west1) - FedRAMP Moderate
London (europe-west2) - FedRAMP Moderate
Frankfurt (europe-west3) - FedRAMP Moderate
Netherlands (europe-west4) - FedRAMP Moderate
Finland (europe-north1) - FedRAMP Moderate
Mumbai (asia-south1) - FedRAMP Moderate
Singapore (asia-southeast1) - FedRAMP Moderate
Taiwan (asia-east1) - FedRAMP Moderate
Tokyo (asia-northeast1) - FedRAMP Moderate
Sydney (australia-southeast1) - FedRAMP Moderate
Zurich (europe-west6) - FedRAMP Moderate
Warsaw (europe-central2) - FedRAMP Moderate
Jakarta (asia-southeast2) - FedRAMP Moderate
Osaka (asia-northeast2) - FedRAMP Moderate
Seoul (asia-northeast3) - FedRAMP Moderate
Related Offerings
- NIST 800-53See which Google Cloud services have undergone an independent third-party assessment and are operating in compliance with NIST 800-53 controls.
- ISO 27001The ISO/IEC 27000 family of standards helps keep information secure. Google Cloud Platform and Google Workspace are ISO/IEC 27001 compliant.
- ISO 27017ISO/IEC 27017:2015 gives guidelines for information security controls. Google Cloud Platform and Google Workspace are ISO/IEC 27017 compliant.
- ISO 27018ISO/IEC 27018 relates to the protection of PII in public clouds. Google Cloud Platform and Google Workspace are ISO/IEC 27018 compliant.
Take the next step
Start building on Google Cloud with $300 in free credits and 20+ always free products.
Learn security best practices
See our best practicesSolve common problems
Watch security use-case videosWork with a partner
See our security partners
