FedRAMP
Among many other services, AI, security, and analytics are now mission-ready for FedRAMP High workloads
Following Google Distributed Cloud Hosted’s Top Secret/Secret permission, Google Public Sector today revealed it has accomplished another major milestone: more than 100 other cloud services have now received FedRAMP High authorization.
With Assured Workloads in FedRAMP High settings, U.S. federal customers may now take advantage of cutting-edge enterprise-grade Google Cloud features spanning cybersecurity, analytics, AI, and more. With the new permission, government agencies can now choose from a more contemporary selection of cloud suppliers to support their digital transformation and assist them fulfil their missions through enhanced data analytics capabilities, platform enhancement, infrastructure modernization, and app modernization.
Approved for Cost, Speed, and Innovation Benefits on Commercial Cloud
Significantly, isolated federal clouds are not the only places where the new FedRAMP High permission can be used. This authorization gives government agencies new ways to take advantage of Google’s best-in-class AI capabilities in secure environments across Google Cloud’s current product portfolio. It also aligns with the Office of Management and Budget’s (OMB) guidance for adopting commercial cloud-based solutions. Security restrictions are integrated into the system by default thanks to Google Cloud’s commitment in secure-by-default infrastructure, negating the need for a conventional, separate government cloud.
With Assured Workloads, users can securely secure and customise sensitive workloads to meet compliance and security needs thanks to Google Cloud’s FedRAMP-authorized services. No physical infrastructure separate from Google’s public cloud data centres is used by Assured Workloads. Rather, it provides an equivalent cost, speed, and innovation benefits of an enterprise-grade commercial cloud with a Software Defined Community Cloud.
FedRAMP
The federal Risk and Authorization Management Programme standardises cloud-based product and service authorization, security evaluation, and monitoring. It was created by the U.S. Federal government. Government-wide programme that provides a standardised, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies,” it defined by Congress in 2022.
Except for some on-premise private clouds, all federal agency cloud deployments and service models must adhere to it standards at the proper risk impact level (Low, Moderate, or High).
Customers must choose Assured Workloads and Assured Support (High only) if they want to use Google Cloud services that are compliant with FedRAMP Moderate or High levels hosting.
Google Cloud’s Compliance with FedRAMP
The Department of Defence (DoD), the Department of Homeland Security (DHS), the General Services Administration (GSA), and other agencies as determined by the GSA Administrator and the FedRAMP director comprise the FedRAMP Board, which was formerly known as the Joint Authorization Board.
FedRAMP Moderate and FedRAMP High Authority to Operate (ATO) have been granted by the FedRAMP Board to Google Cloud infrastructure and certain Google Cloud Services Offerings (CSOs). Google Cloud regularly applies to the Board for FedRAMP Moderate and High clearances for additional services.
Customers under a non-disclosure agreement (NDA) can obtain the following additional FedRAMP compliance paperwork from Google Cloud:
- Customer Responsibility Matrix (CRM) for FedRAMP
- The System Security Plan (SSP) for Google Cloud
- Reports on penetration tests and other materials
- You can obtain access to this content with the assistance of google cloud’s sales team or your Google Cloud agent.
- Government clients can also use the FedRAMP Programme Management Office’s package request form to request Google’s FedRAMP package.
- Purchase terms and conditions flow down from google cloud’s partners for customers who make purchases through a Google partner.
FedRAMP compliance for Google Workspace
Users of Google Workspace can use it in accordance with numerous international and U.S. federal government regulations for cloud security and privacy.Google Workspace has FedRAMP High authorization and ISO 27017, 27018, and 27001 certifications. It’s also audited to AICPA Service Organisation Control (SOC) standards.
FedRAMP High Readiness for GCVE
The Google Cloud VMware Engine (GCVE) High Readiness Assessment Report (RAR), which was supplied by a third-party assessment organisation (3PAO), was reviewed by the FedRAMP Programme Management Office (PMO) in 2023. Given the review’s excellent findings and the absence of any significant capability flaws, GCVE has been approved as a FedRAMP High Ready offering (FedRAMP Package ID FR2405153785).
The US federal government is informed that GCVE has a strong chance of receiving a FedRAMP Authorization when it achieves it’s strong Ready status. Additionally, GCVE is audited in accordance with the Service Organisation Control (SOC) requirements of the American Institute of Certified Public Accountants (AICPA) and certified against ISO 27017, 27018, 27001, and PCI-DSS.
FedRAMP high vs Moderate
The security measures are integrated and pre-configured to allow customers to achieve different compliance levels without requiring a traditional separated government cloud architecture, thanks to Google Cloud’s commitment in google cloud’s security-by-default infrastructure.
Assured Workloads are required for customers wishing to use Google Cloud to deploy their products in FedRAMP Moderate and High settings. With Google Cloud services, users may use Assured Workloads to securely configure and safeguard sensitive workloads in order to meet compliance and security requirements. Assured Workloads’ public cloud data centres are not connected to any physical infrastructure. Rather, it provides a Software Defined Community Cloud with advantages in terms of cost, speed, and innovation.
FedRAMP security measures are implemented by FedRAMP-authorized services made available through Assured Workloads, enabling clients to leverage Google Cloud’s capabilities to suit their organisational requirements. Through Assured Workloads Monitoring, Assured Workloads additionally offers insight into it’s workload compliance. With the use of this technology, you may identify and address compliance issues and give auditors control attestations regarding the status of your compliance.
Assured Workloads provides the following essential FedRAMP High controls by default for clients handling FedRAMP High government data, in addition to the controls fulfilled by the Google Cloud infrastructure FedRAMP High ATO.
Barriers to keep FedRAMP High customer data within the United States; technical support personnel restricted to FedRAMP-adjudicated workers within the United States; encryption consistent with FIPS-140-2 both in transit and at rest; and personnel access controls for individuals with regular access to customer data
Only it-compliant goods and services are permitted. The FedRAMP Moderate and High standards are supported by the logical segmentation of the in-scope compliance boundary.
FedRAMP High and Moderate Data Hosting on Google Workspace
Customers can host FedRAMP Moderate and High data by utilising Google Workspace’s FedRAMP High ATO. When deploying Google Workspace in FedRAMP Moderate and High environments, customers must activate the it-authorized services that fulfil the corresponding permission requirements. Find out how to enable or disable a Google Workspace service.
Furthermore, FedRAMP High compliance and alignment with the customer’s own ATO are made possible by the integrated security controls and feature sets included in Google Workspace Business and Enterprise editions. Google Workspace customers can meet it’s data residency requirements using a Data Region policy.
How to Get FedRAMP ATO
Government data on Google Cloud may be considered by clients seeking an Authority to Operate (ATO). The following benchmarks should be taken into account by organisations in order to obtain an ATO on Google Cloud:
- Ascertain whether FedRAMP Moderate or FedRAMP High Select Assured Workloads are needed for the in-scope data (FedRAMP Moderate is part of the free tier, while FedRAMP High requires a premium membership). Services on Google Cloud
- Choose your Google Cloud FedRAMP border.
- Set up your workloads in compliance with it requirements, the Customer Responsibility Matrix, the Shared Responsibility Model, and the services that are within the scope of Google Cloud.
- Engage a third-party assessment organisation (3PAO) to conduct an audit.
- Send your package for approval and review to the Federal Agency or FedRAMP Board.
