With the Cybersecurity Maturity Model Certification (CMMC) rulemaking in progress, it is time for organizations to take a closer look at compliance security requirements. Google Workspace is Google’s cloud software and collaboration tools, formerly known as G Suite. Many organizations that currently use Google Workspace think they will be able to continue using this service while being compliant. Unfortunately, that may not be the case for organizations adhering to CMMC, NIST, DFARs, and ITAR…
The basic edition of Google Workspace offers some of the most common computing features. This includes email, calendars, document editing, video meetings, and cloud storage. What isn’t included, and what many organizations using Google Workspace are lacking, is significant security controls.
Google Workspace is typically the choice of small organizations looking for the cheapest option. These menial security measures offered make Google Workspace so cost-friendly. Although, they are also what keeps it from being an acceptable platform for most compliance security requirements.
CMMC & NIST
CMMC and The National Institute of Standards and Technology (NIST) 800-171 are two common frameworks where Google Workspace falls short. Both regulations require data compliance and appropriate security controls for all non-federal information systems with access to Controlled Unclassified Information (CUI). These compliance mandates are required by all Department of Defense (DoD) contractors. The security requirements in these mandates are seen as best practice for any organization working with sensitive information.
A Third-Party Assessment Organization (3PAO) conducted an assessment for Google to determine their level of compliance. Five deviations from CMMC/NIST controls were observed:
- CMMC AC.2.009 / NIST 3.1.8 – Limit Unsuccessful Logon Attempts
- CMMC AC.2.005 / NIST 3.1.9 – Provide privacy and security notices consistent with applicable CUI rules
- CMMC IA.2.078 / NIST 3.5.7 – Enforce a minimum password complexity and change of characters when new passwords are created
- CMMC IA.2.079 / NIST 3.5.8 – Prohibit password reuse for a specified number of generations
- CMMC MP.3.122 / NIST 3.8.4 – Mark media with necessary CUI marking and distribution limitations
These shortcomings make it difficult for contractors to achieve compliance. In addition, they can potentially be hazardous by leading to breaches or compromised CUI. Some of these shortcomings would require third-party security tools – adding cost and complexity. It is possible that Google may to address these holes in the future, however, this is not mentioned in the report.
Google Workspace does not comply with several cyber incident reporting requirements outlined within the Defense Federal Acquisition Regulation Supplement (DFARS). For example, Google Workspace is unable to provide a detailed cyber incident report to the government. This report must include a forensic image of the system that experienced a breach. Meaning, Google customers with government contracts that contain the “7012 Clause” are in a “gray” situation if they store CUI data using Google Workspace. The inability to provide an incident report when requested will damage the organization.
First and foremost, Google cannot guarantee that information within their cloud services will stay within the United States. Also, they cannot guarantee that those providing their services, such as administrators and technicians, are US citizens or have a permanent residence within the US.
In fact, Google routinely hires system administrators that are not considered “US Persons.” This does not comply with many organizations’ requirements to protect CUI within their cloud. Additionally, they cannot guarantee that administrators and technicians have completed the appropriate background checks required for access to CUI/ITAR data. So, while Microsoft meets all these requirements, Google recommends against using their services for any ITAR information.
To summarize, Google Workspace can be a great option for a small organization with basic needs. But it can get complicated when the need for compliance comes into play. Ultimately, your business risks losing contracts and subcontracts if you choose to continue using Google Workspace. Even worse, with cyber attacks more prevalent than ever, your organization is at higher risk of an attack without proper security in place.
If you’re currently using Google Workspace or are otherwise interested in migrating to a cloud service that will ensure that your organization is secure and compliant, contact us below.