Bravo Consulting Group


Does Google’s G Suite Meet CMMC, NIST, DFARS, and ITAR Compliance Standards?


Another compliance requirement deadline is approaching fast, and many companies that currently use G Suite (Google’s cloud software) assume they will be able to keep using it while becoming CMMC compliant. Unfortunately, that may not be the case.

The basic edition of G Suite offers the most common computing features, such as email, calendars, document editing, video meetings, and cloud storage. What isn’t included, and what many companies using G Suite are lacking, is any significant set of security controls.

G Suite is typically the choice of small companies looking for the cheapest option, but the minimal security measures that make G Suite so cost-friendly are also what keep it from being an acceptable platform for most compliance requirements.


The Cybersecurity Maturity Model Certification (CMMC) and the National Institute of Standards and Technology (NIST) Special Publication 800-171 are two common frameworks where G Suite falls short. Both require data compliance and a set of appropriate security controls for all non-federal information systems with access to Controlled Unclassified Information (CUI). These mandates apply to all DoD contractors and are considered best practice for any organization working with sensitive information.

When a Third-Party Assessment Organization (3PAO) conducted an assessment for Google to determine its level of compliance, the following five deviations from CMMC/NIST controls were observed:

  1. CMMC AC.2.009 / NIST 3.1.8 – Limit Unsuccessful Logon Attempts
  2. CMMC AC.2.005 / NIST 3.1.9 – Provide privacy and security notices consistent with applicable CUI rules
  3. CMMC IA.2.078 / NIST 3.5.7 – Enforce a minimum password complexity and change of characters when new passwords are created
  4. CMMC IA.2.079 / NIST 3.5.8 – Prohibit password reuse for a specified number of generations
  5. CMMC MP.3.122 / NIST 3.8.4 – Mark media with necessary CUI marking and distribution limitations

These shortcomings can make it difficult for contractors to achieve compliance and can be hazardous, since unmet controls such as these increase the chance of a breach or compromised CUI. Closing some of these gaps would require third-party security tools, adding cost and complexity. Finally, Google may plan to address these holes in the future; however, the 3PAO report does not mention any such plan.


G Suite does not comply with several cyber incident reporting requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). For example, G Suite is unable to provide a detailed cyber incident report to the government, including a forensic image of the system that experienced a breach. This means that Google customers whose government contracts contain the “7012 Clause” are in a “gray” situation if they store CUI data in G Suite, since they will be unable to provide such a report when it is requested.


First and foremost, Google cannot guarantee that information within its cloud services will stay within the United States. Nor can it guarantee that the people providing those services, such as administrators and technicians, are US citizens or permanent residents of the US.

In fact, Google routinely hires system administrators who are not considered “US Persons,” which doesn’t comply with many organizations’ requirements for protecting CUI in the cloud. Along with that, Google can’t guarantee that these administrators and technicians have completed the background checks required for access to CUI/ITAR data. So, while Microsoft meets all of these requirements, Google recommends against using its services for any ITAR information.

To summarize, Google’s G Suite can be a great option for a small business with basic needs, but things get hairy once compliance comes into play. Ultimately, your business risks losing contracts and subcontracts if you choose to continue using G Suite, because of its failure to comply with several regulations. Even worse, using G Suite can put your business at risk of being hacked or targeted in a cyber attack, an occurrence that is becoming more and more common in today’s increasingly digital environment.

If you’re currently using G Suite, or are otherwise interested in migrating to a cloud service that will keep your company compliant and secure, contact us below.
