However, this is the only paragraph of the clause which Google Workspace can meet without the deployment of Google Assured Workloads. Because Google Workspace is authorized to the FedRAMP HIGH baseline, it also meets the cloud services security requirements of DFARS 7012. For example, paragraph b requires DIB organizations to successfully ensure that adequate security is applied to their information system and cloud services, with adequate security being defined as the implementation of NIST 800-171, and cloud services require a FedRAMP moderate authorization or equivalent.

As was discovered when evaluating the CMMC 2.0 / NIST 800-171 capabilities of Google Workspace, organizations choosing Google Workspace for DFARS compliance have some work to do to achieve compliance.

Paragraphs b-g of DFARS 252.204-7012 include requirements for organizations regarding their information system and the cloud services they use.

Does Google Workspace meet DFARS Requirements?

Ultimately, satisfying CMMC 2.0 / NIST 800-171 requirements with Google Workspace is possible but depends on the organization's ability to compensate for the identified control deficiencies in CMMC AC.L2-3.1.9 / NIST 3.1.9 and CMMC IA.L2-3.5.6 / NIST 3.5.6. Because of this, the admin can configure the password policy in Workspace to mimic their organizationally defined password values to help them satisfy both of the controls listed above. The list of custom configuration capabilities includes things like password length, strength, and period allowed for re-usage. Admins in Google Workspace are capable of enforcing and monitoring password requirements for all users.

Both controls can be fulfilled by the organization but not automated through the capabilities within Google Workspace.

CMMC IA.L2-3.5.7 / NIST 3.5.7 - Enforce a minimum password complexity and change of characters when new passwords are created.

CMMC IA.L2-3.5.8 / NIST 3.5.8 - Prohibit password reuse for a specified number of generations.

Contrary to the findings of the NIST 800-171 attestation letter, Google Workspace can meet both CMMC IA.L2-3.5.7 / NIST 3.5.7 and CMMC IA.L2-3.5.8 / NIST 3.5.8.

Workspace would require the organization to put manual processes in place to disable identifiers inactive outside of the organization's determined limits.

The organization would have to find a compatible and compliant 3rd party technology in order to successfully implement this control.

CMMC IA.L2-3.5.6 / NIST 3.5.6 - Disable identifiers after a defined period of inactivity.

Google Workspace is actually incapable of displaying notices at user login, making it incapable of meeting CMMC AC.L2-3.1.9 / NIST 3.1.9.

The 3PAO letter of attestation called out findings with four of the CMMC 2.0 / NIST 800-171 cybersecurity practices:

CMMC AC.L2-3.1.9 / NIST 3.1.9 - Provide privacy and security notices consistent with applicable CUI rules.

International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) restrictions.

The requirements of CMMC 2.0 / NIST 800-171.

In this section, we will use the results of the IL4 authorization and the NIST 800-171 letter of attestation to analyze Google Workspace's capability to satisfy:

Let's discuss how this impacts DoD contractors that handle CUI / ITAR (export-controlled data).

Without this product deployed, the organization’s Google Workspace environment is only a DoD IL2 environment. For organizations to inherit the shared responsibility benefits of the Workspace’s IL4 authorization, they would need to deploy Google’s Assured Workloads.

As a result of that assessment, Google Workspace was awarded a letter of attestation by the 3PAO which documented the platform's ability to satisfy NIST 800-171 and CMMC 2.0 requirements.

Additionally, in July 2022, Google Workspace announced that it earned a DoD Impact Level 4 (IL4) authorization. Google Workspace’s ability to satisfy the requirements of NIST SP 800-171 and CMMC 2.0 was evaluated by a Certified 3rd Party Assessment Organization (3PAO).

Is Google Workspace CMMC/NIST compliant?

In this blog, we'll discuss the following commonly asked questions:

As a result, DoD contractors are searching for cloud service offerings that can provide productivity and collaboration without compromising the ability to meet regulatory obligations. Unfortunately, many providers and potential customers find that achieving these goals is easier said than done. Within the defense supply chain, contracts are filled with clauses that mandate the implementation of minimum-security baselines to protect different data types - Defense Federal Acquisition Regulation Supplement (DFARS) 7012, 7019, 7020, and 7021 and the upcoming CMMC 2.0 requirements.

However, you'll need to seriously evaluate the many caveats and one-off implementations that the platform requires to meet current compliance requirements. Yes - Google Workspace is CMMC compliant.