这是indexloc提供的服务,不要输入任何密码

FedRAMP

The U.S. Federal government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. Congress codified FedRAMP in 2022, as “a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.”

All federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).

Google Cloud’s FedRAMP Compliance

The FedRAMP Board (formerly known as the Joint Authorization Board) is the primary governing body for FedRAMP. It includes the Department of Defense (DoD), Department of Homeland Security (DHS), the General Services Administration (GSA), and other agencies as determined by the GSA Administrator and the FedRAMP director.

The FedRAMP Board has issued a FedRAMP High Provisional Authority to Operate (P-ATO) to Google Cloud and the underlying infrastructure. Google Cloud routinely submits additional services to the Board for FedRAMP High authorization.

If you’re interested in using Google Cloud services to meet your FedRAMP High compliance obligations, you must use Assured Workloads Data Boundary for FedRAMP High and Assured Support. The FedRAMP Moderate control baseline is a subset of the FedRAMP High control baseline. Therefore, if you're pursuing a FedRAMP Moderate ATO for your solution deployed on Google Cloud, you can use any FedRAMP High authorized Google Cloud service in your FedRAMP Moderate authorization boundary.

Google can provide you with the following Google Cloud FedRAMP compliance documentation under a non-disclosure agreement (NDA):

  • Customer Responsibility Matrix (CRM)
  • System Security Plan (SSP)
  • Penetration test reports

Our sales team or your Google Cloud representative can help provide access to this documentation. Government customers may also request Google’s FedRAMP package through the FedRAMP Program Management Office using its package request form

If you buy Google Cloud services through a Google partner, purchase terms and conditions flow down from our partners.

Google Workspace FedRAMP compliance

You can use Google Workspace in compliance with various U.S. federal government and global standards for cloud security and privacy. In addition to maintaining a FedRAMP High P-ATO, Google Workspace is also certified against ISO 27017, 27018, 27001, and is audited against the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) standards. For more information, see Google Cloud compliance offerings.

The entire authorized Google Workspace security boundary is documented, assessed, and managed against the FedRAMP High baseline of security and privacy controls. FedRAMP Moderate control baseline is a subset of the FedRAMP High control baseline. Therefore, if you're pursuing a FedRAMP Moderate ATO for your Google Workspace implementation, any FedRAMP High authorized Google Workspace service can be included in your FedRAMP Moderate authorization boundary. For more information, see Google Workspace FedRAMP configuration guide.

Google Cloud VMware Engine (GCVE) FedRAMP High Readiness

In 2023, the FedRAMP Program Management Office (PMO) completed the review of Google Cloud VMware Engine (GCVE) High Readiness Assessment Report (RAR) provided by a FedRAMP accredited third party assessment organization (3PAO). Based on the positive results of the review, with no notable capability weaknesses found, GCVE has been accepted as a FedRAMP High Ready offering (FedRAMP Package ID FR2405153785).

Achieving FedRAMP High Ready indicates to the U.S. federal government that GCVE has a high likelihood of achieving a FedRAMP Authorization. GCVE is also certified against ISO 27017, 27018, 27001, PCI DSS and is audited against the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) standards.

Hosting FedRAMP Moderate and High Workloads on Google Cloud

Google Cloud’s investment in our security-by-default infrastructure ensures that security controls are built-in and pre-configured to enable you to achieve various compliance levels without a traditional isolated government cloud infrastructure. 

As mentioned previously, you must use Assured Workloads if you're looking to deploy your solution using Google Cloud in your FedRAMP Moderate and High environments. Assured Workloads allows you to confidently secure and configure sensitive workloads to support compliance and security requirements using Google Cloud services. Assured Workloads does not rely on physical infrastructure distinct from the existing Google Cloud public infrastructure. Instead, it delivers a Software Defined Community Cloud that offers cost, speed, and innovation advantages.

FedRAMP-authorized services made available through Assured Workloads implement FedRAMP security controls and allow you to use the capabilities of Google Cloud to meet your organizational needs. Assured Workloads also provides visibility into the compliance state of FedRAMP workloads via Assured Workloads Monitoring. This tool can help you spot and remediate compliance violations, and provide control attestations to your auditors.

In addition to the Google Cloud FedRAMP High P-ATO controls, Assured Workloads implements the following key FedRAMP High controls by default: 

  1. Guardrails to restrict FedRAMP High customer data location to the U.S.
  2. Technical support staff limited to FedRAMP-adjudicated personnel located in the U.S.
  3. FIPS-140 validated encryption at rest and in transit
  4. Personnel access controls for those with temporary access privileges to customer data 
  5. Only FedRAMP compliant products and services allowed
  6. Logical segmentation of in-scope compliance boundary to support FedRAMP High requirements

Hosting FedRAMP Moderate and High Data on Google Workspace

Google Workspace maintains a FedRAMP High P-ATO, which you can leverage to host FedRAMP Moderate and High data. If you’re looking to deploy Google Workspace in your FedRAMP Moderate and High environments, you should enable the FedRAMP High-authorized services. Learn how to turn a service on or off for Google Workspace

Moreover, Google Workspace Business and Enterprise editions have built-in security controls and feature sets that enable you to meet FedRAMP High compliance requirements and align your own ATO. As a Google Workspace user, you can configure your environment to meet FedRAMP data residency controls by using a Data Region policy.

Process for Achieving a FedRAMP Authority to Operate (ATO)

If you’re interested in hosting government data on Google Cloud, you may also be interested in pursuing your own Authority to Operate (ATO). You should consider the following milestones for achieving an ATO on Google Cloud:

  • Determine whether the in-scope data requires FedRAMP Moderate or FedRAMP High authorization.
  • Select Assured Workloads for the in-scope Google Cloud services. FedRAMP Moderate is included in the free tier whereas FedRAMP High requires a premium subscription.
  • Decide on your FedRAMP boundary within Google Cloud.
  • Configure your workloads in accordance with the shared responsibility model, Customer Responsibility Matrix, in-scope Google Cloud services, and FedRAMP guidelines.
  • Undergo an audit with a FedRAMP accredited third party assessment organization (3PAO)
  • Submit your package to the Federal Agency for review and authorization.

For more information on the ATO process, refer to the FedRAMP website. For extra FedRAMP ATO support from Google Cloud, visit our Google Cloud Consulting page. 

FAQs

The Office of Management and Budget's recent FedRAMP draft memorandum, which endorses a modern cloud approach based on logical and software-based separation instead of physical separation, is a strong step in the right direction. Google Cloud has pioneered this approach, and believes it empowers customers to scale and innovate securely.

FedRAMP allows for varying levels of inheritance from cloud service offerings using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a customer deploying applications on Google Cloud. 

For example, if your organization prefers to build the entire application stack, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.

Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.

Google is one of the first hyperscale commercial cloud providers to achieve a FedRAMP High authorization on a commercial public cloud offering, and is one of the largest providers of FedRAMP services available on the market today. In the past, hyperscale providers have separated their “govclouds” from their commercial cloud offerings to meet FedRAMP High requirements. This approach can deliver compliance, but these separate environments often don’t come with all the benefits that Google cloud infrastructure can provide.

Google Cloud’s FedRAMP High authorization enables government agencies processing high impact workloads to adopt technology at a much higher velocity and at the same scale as commercial customers, while leveraging Google’s unique public cloud infrastructure, including both its capabilities and capacity. With Assured Workloads or Assured Controls, customers can confidently secure and configure sensitive workloads to support their compliance and security requirements in the cloud. Choose your security settings, and Google can put the necessary cloud controls in place.

The list of Google Workspace editions that are FedRAMP authorized are listed below. Refer to the configuration guide for deploying Google Workspace to support compliance with FedRAMP High security controls. 

Yes, Assured Workloads is required to achieve either a FedRAMP Moderate or FedRAMP High ATO. Assured Workloads gives Google Cloud the ability to identify customer federal workloads and apply technical guardrails to match changes in federal regulations. Google Cloud has committed to supporting FedRAMP compliance requirements, including those introduced in NIST 800-53 Revision 5 and future releases for workloads running within Assured Workloads.

Moreover, Assured Workloads is the only way for Google Cloud to meet FedRAMP High heightened support and data residency requirements. Assured Workloads isn't applicable to Google Workspace, which has its own Assured Controls.


One of the benefits of using Google Cloud for your government workloads is that a number of required controls are already in place in our underlying infrastructure and Assured Workloads. Therefore, when you submit your FedRAMP package to a federal agency for authorization, you will also include Google’s SSP, which outlines controls that Google Cloud manages. Reach out to your sales team to obtain a copy of Google Cloud’s SSP (requires an NDA).

StateRAMP is a cybersecurity program established in 2021 to address the needs of procurement and security officials with state and local governments in the U.S. Like FedRAMP, it is built upon the NIST 800-53 framework and is modeled in part after FedRAMP. StateRAMP also relies on FedRAMP accredited 3PAOs to conduct assessments. Google Cloud is ready to support StateRAMP government customers with enhanced data residency and support capabilities via Assured Workloads.

The FedRAMP Marketplace maintains a list of recognized 3PAOs.

Google Cloud’s SSP covers Google-owned resources for penetration testing, and you may inherit this control by using Google Cloud. A penetration test of your own FedRAMP environment built using Google Cloud will also need to be conducted during the 3PAO assessment.

Yes. FedRAMP allows for varying levels of inheritance from cloud service offerings using FedRAMP-authorized infrastructure, platforms, and services. This initial analysis of control vs. inheritance will ultimately determine how much compliance responsibility you will hold as a customer deploying applications on Google Cloud. 

For example, if your organization prefers to build the entire application stack, you will also create more customer responsibility/obligation during evaluation by your Authorizing Official. If you use Platform as a Service or Software as a Service, there is likely to be a lesser compliance burden.

Once you have selected your FedRAMP-authorized services, Google can help you configure your solution through service-specific configuration guides or direct engagement with FedRAMP experts in our Google Cloud Consulting organization.

Assured Workloads is a FedRAMP High-authorized Google Cloud service that you can use to turn on specific project configurations to meet your compliance regime(s). You are able to set organization policies to meet compliance requirements on your own without the use of Assured Workloads as well. Products discretely integrate with Assured Workloads and enforce the organization policies.

Google Cloud Console is a FedRAMP High-authorized service with a simple web-based user interface that contains features to assist customers with deployment. The Google Cloud Console requires no setup or installation, and you can access it directly in a browser. Cloud Console customers interact with the individual GCP services’ APIs directly, and use the services’ APIs to render the UI. Cloud Console by itself does not have an API for customers to interact with. Instead, customers interact with the individual GCP services’ APIs directly.

In alignment with NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, customers are seeking to deprecate the use of 3DES. Google Cloud does not use 3DES, but in order to support all our customers, it’s still available on Google endpoints. If your FedRAMP solution requires the removal of 3DES, contact support to assist in its removal from your Assured Workloads environment.

Services in scope

FedRAMP Package ID FR1805751477

*Note that all Google Cloud services covered by FedRAMP High are also covered by FedRAMP Moderate

*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.

Access Approval

Access Context Manager

Access Transparency

Admin Console (including Admin SDK, Directory Sync)

Agent Assist

Agentspace (as part of Vertex AI Search)

AI Platform Data Labeling

AI Platform Neural Architecture Search (NAS)

AI Platform Training and Prediction (formerly Cloud Machine Learning Engine)

AlloyDB

Anthos Config Management (ACM) (feature of GKE Enterprise)

API Keys

Apigee

App Engine standard environment without bundled services

Application Integration

Artifact Analysis

Artifact Registry

Assured Open Source Software (AOSS)

Assured Workloads

AutoML Natural Language

AutoML Tables

AutoML Translation

AutoML Video

AutoML Vision

Backup for GKE

Batch

BeyondCorp Enterprise

BigQuery

BigQuery Data Transfer Service

Bigtable

Binary Authorization

Care Studio

Certificate Authority Service

Certificate Manager

Cloud Armor (base)

Cloud Asset Inventory

Cloud Billing

Cloud Build

Cloud CDN

Cloud Composer

Cloud Console

Cloud Console App

Cloud Data Fusion

Cloud Deploy

Cloud Deployment Manager

Cloud DNS

Cloud Endpoints

Cloud Error Reporting

Cloud External Key Manager (EKM)

Cloud Functions for Firebase

Cloud Healthcare API

Cloud HSM

Cloud Identity

Cloud IDS

Cloud Interconnect

Cloud Key Management Service

Cloud Life Sciences (formerly Google Genomics)

Cloud Load Balancing (L4 ILB)

Cloud Load Balancing (L7 ILB / Regional XLB)

Cloud Load Balancing (Network Load Balancing)

Cloud Logging (includes Error Reporting)

Cloud Monitoring

Cloud Network Address Translation (NAT)

Cloud Natural Language API

Cloud NGFW (Cloud Firewall) (Standard & Essential)

Cloud Profiler (Stackdriver Profiler)

Cloud Resource Manager

Cloud Router

Cloud Run

Cloud Run Functions

Cloud Scheduler

Cloud SDK

Cloud Service Mesh

Cloud Shell

Cloud Source Repositories

Cloud SQL

Cloud Storage

Cloud Storage for Firebase

Cloud Tasks

Cloud Trace (formerly Stackdriver Trace)

Cloud Translation

Cloud Vision API

Cloud VPN

Cloud Workstations

Compute Engine

Connect

Container Registry

Conversational Agents (Dialogflow CX)

Conversational Insights (CCAI Insights)

Data Catalog

Database Migration Service

Dataform

Dataflow

Dataproc

Datastore

DataStream

Document AI

Earth Engine

Eventarc (Standard)

Filestore (Basic HDD and Basic SSD tiers)

Firebase Authentication

Firestore

Generative AI on Vertex AI

GKE Hub

GKE Identity Service (Anthos Identity Service)

Google Cloud Identity-Aware Proxy

Google Cloud Marketplace

Google Kubernetes Engine

Google SecOps (Chronicle SIEM)

Google SecOps SOAR

Identity & Access Management (IAM)

Identity Platform

Identity-Aware Proxy (IAP)

Infrastructure Manager

Integration Connectors

Key Access Justifications (KAJ)

Knative Serving (Cloud Run for Anthos)

Looker (Google Cloud Core)

Looker Studio (including Pro, formerly Google Data Studio)

Memorystore for Memcache

Memorystore for Redis

Network Connectivity Center

Network Intelligence Center

Network Service Tiers

Persistent Disk

Pub/Sub

reCAPTCHA Enterprise

Secret Manager

Secure Source Manager

Security Command Center (Standard/Premium)

Sensitive Data Protection (including Cloud Data Loss Prevention)

Serverless VPC Access

Service Infrastructure (formerly Service Control; includes Service Management API and Service Consumer Management API)

Spanner

Speech-to-Text

Storage Transfer Service

Talent Solution

Text-to-Speech

Traffic Director (part of Cloud Service Mesh)

Vertex AI Forecast

Vertex AI Model Registry

Vertex AI Search

Vertex AI Vector Search

Vertex AI Workbench User Managed Notebooks (formerly AI Platform Notebooks)

Vertex Batch Predictions

Vertex ML Metadata

Vertex Model Monitoring

Vertex Online Predictions

Vertex Pipelines

Vertex Training

Video Intelligence API

Virtual Private Cloud

VPC Service Controls

Web Risk API

Workflows

Workforce Identity Federation (BYOID)

*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.

Google Workspace Business Plus

Google Workspace Business Standard

Google Workspace Enterprise Plus

Google Workspace Enterprise Standard

FedRAMP Package ID F1206081364

*Note that Admin Console and Cloud Identity are now part of the Google Services package (FR1805751477)

*Note that all Google Workspace services covered by FedRAMP High are also covered by FedRAMP Moderate.

*Note: FedRAMP Moderate and FedRAMP High platforms implement controls restricting TLS 1.1/1.0 connections at the domain level.

Appsheet

Appsheet (Excluding Tables)

Calendar

Docs

Drive

Forms

Gemini

Gemini (Google Workspace Enterprise)

Gemini in Docs

Gemini in Drive

Gemini in Gmail

Gemini in Meet

Gemini in Meet (Generative Images in Meet Backgrounds)

Gemini in Meet (Live Translated Captions)

Gemini in Meet (Studio Look)

Gemini in Sheets

Gemini in Slides

Gmail

Google Chat

Google Meet

Google Voice

Keep

New Sites

Sheets

Slides

Vault

All Google Cloud regions covered by FedRAMP High are also covered by FedRAMP Moderate.

Oregon (us-west1) - FedRAMP High

Los Angeles (us-west2) - FedRAMP High

Salt Lake City (us-west3) - FedRAMP High

Las Vegas (us-west4) - FedRAMP High

Iowa (us-central1) - FedRAMP High

Oklahoma (us-central2) - FedRAMP High

South Carolina (us-east1) - FedRAMP High

Northern Virginia (us-east4) - FedRAMP High

Columbus (us-east5) - FedRAMP High

Dallas (us-south1) - FedRAMP High

Montreal (northamerica-northeast1) - FedRAMP Moderate

São Paulo (southamerica-east1) - FedRAMP Moderate

Belgium (europe-west1) - FedRAMP Moderate

London (europe-west2) - FedRAMP Moderate

Frankfurt (europe-west3) - FedRAMP Moderate

Netherlands (europe-west4) - FedRAMP Moderate

Finland (europe-north1) - FedRAMP Moderate

Mumbai (asia-south1) - FedRAMP Moderate

Singapore (asia-southeast1) - FedRAMP Moderate

Taiwan (asia-east1) - FedRAMP Moderate

Tokyo (asia-northeast1) - FedRAMP Moderate

Sydney (australia-southeast1) - FedRAMP Moderate

Zurich (europe-west6) - FedRAMP Moderate

Warsaw (europe-central2) - FedRAMP Moderate

Jakarta (asia-southeast2) - FedRAMP Moderate

Osaka (asia-northeast2) - FedRAMP Moderate

Seoul (asia-northeast3) - FedRAMP Moderate

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Google Cloud
send_spark
    DocsSupport
    Console
    Sign in
    Security
    Threat IntelSecOpsCloud securityConsultingSecurity resources
    • Accelerate your digital transformation
    • Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.
    • Google Cloud products
    • Browse over 100 products. New customers get $300 in free credits to run, test, and deploy workloads. All customers can use 25+ products for free, up to monthly usage limits.
    • Save money with our transparent approach to pricing
    • Google Cloud's pay-as-you-go pricing offers automatic savings based on monthly usage and discounted rates for prepaid resources. Contact us today to get a quote.
    Google Cloud