Can I use Google Workspace for CMMC Compliance?

We are often asked whether or not Google Workspace is a viable option for small business defense contractors pursuing a Cybersecurity Maturity Model Certification (CMMC), specifically those handling Controlled Unclassified Information (CUI) and targeting CMMC Level 2. In this post, we’ll highlight some very important considerations for using Google Workspace in a CUI-handling environment.

We’ll preface this post by stating that we are not Google Workspace resellers nor were we paid by anyone to create this post; this is merely our opinion on the topic, having helped thousands of small business federal contractors meet their cybersecurity requirements since 2015. Hopefully it helps you if you are weighing Google Workspace versus other options.

What is Google Workspace?

Google Workspace (formerly known as the “G-Suite”) is Google’s app suite for business productivity and management. It is currently among the biggest competitors to Microsoft 365 (M365), with apps included for cloud storage, email, documentation management, team collaboration, and now artificial intelligence (AI). It seems to us that small businesses (including those outside of the Defense Industrial Base (DIB)) that are choosing to use Google Workspace do so given competitive or lower price points (more on this later), existing familiarity with Google products, and a general preference towards the Google product interface. 

We also want to mention here that while Google Workspace encompasses the suite of productivity apps we just mentioned, Google Cloud is a suite of various cloud services used for storage, computing, data analytics, and some management tools. The two go hand-in-hand, so we’ll largely refer to the collective grouping of them as Google Workspace, but we’ll be sure to differentiate where necessary for CMMC clarity.

Can I use Google Workspace for CMMC Level 1?

Defense contractors only handling Federal Contract Information (FCI) and targeting CMMC Level 1 can use Google Workspace to handle their FCI. There are no FedRAMP requirements (more on this later) for cloud service providers (CSP) handling (processing, storing, or transmitting) FCI. You’ll still want to ensure you reference Google’s CMMC documentation for any CMMC Level 1 requirements you are fully/partially attempting to inherit from Google.

Note that simply using Google Workspace will not make you CMMC Level 1 compliant, but it’s also not going to prevent you from becoming compliant. You’ll still need to implement all 17 safeguards across all in-scope FCI assets and document how you’ve done so. It’s possible you’ll end up needing to procure additional solutions to satisfy some requirements (e.g., endpoint protection or vulnerability scanning). If your organization permits its staff to install Google Workspace on their personal devices to handle FCI, you’ll face additional challenges as well, namely with data sanitization and endpoint protection. If you choose to continue permitting bring your own device (BYOD) for handling FCI, you’ll need to spend time investigating how to apply the protections only to the Google Workspace apps (e.g., via containerization), as it’s highly unlikely your employees will be comfortable with you having full administrative control over their personal device.

Can I use Google Workspace for CMMC Level 2?

Defense contractors using Google Workspace for handling CUI have a lot to consider. Using Google Workspace will not make you CMMC Level 2 compliant, but it’s also not going to prevent you from becoming compliant. In other words, it is possible to achieve a CMMC Level 2 certification using Google Workspace, but there are some crucial considerations. To better answer this question, we’ve broken down considerations for using Google Workspace to handle CUI across different categories of importance.

DFARS 252.204-7012 / FedRAMP

The DFARS 252.204-7012 contract clause is what mandates the protection of CUI via implementation of NIST SP 800-171, along with establishing an incident response capability. Contractors handling CUI need to meet paragraphs (b) through (g) of this clause, which includes ensuring protection of their own information systems and any cloud services they use to handle CUI. Specifically, contractors must ensure that any cloud services they use that process, store, or transmit CUI have done the following:

  • Attained at least a FedRAMP Moderate authorization or equivalent (demonstrating adequate security per paragraph (b) of DFARS 252.204-7012)
  • Complied with the requirements in paragraphs (c) through (g) of DFARS 252.204-7012, including having capabilities for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment

To address the first bullet and comply with paragraph (b), both Google Cloud and Google Workspace have achieved FedRAMP High authorization, but only for a specific set of “in-scope” services. This also only applies to the following Google Workspace “editions”:

  • Google Workspace Business Plus
  • Google Workspace Business Standard
  • Google Workspace Enterprise Plus
  • Google Workspace Enterprise Standard

So, if you are using any Google Workspace edition not in this list or any out-of-scope services to handle CUI, you’ll need to stop and adjust accordingly. Google does share that it is possible to turn off services that are not in-scope. Whether or not doing so will impact how you do business is what you’ll need to determine. Additionally, if you want to see Google’s FedRAMP compliance documentation, namely their System Security Plan (SSP) and Customer/Shared Responsibility Matrix (CRM/SRM), you can request it from their sales team or from your Google Cloud rep. You’ll be required to sign an NDA before receiving this documentation.

As for the second bullet and ensuring compliance with paragraphs (c) through (g), this is only achievable through Google Cloud if you operate within the “Assured Workloads data boundary.” This is considered an add-on and will require separate licensing, and Google requires interested contractors to contact them for pricing. If you have not committed to Google Workspace, we recommend you get a quote for Assured Workloads before doing so. Once you’ve configured Assured Workloads, you can inherit the protections as Google outlines them in the helpful table under the “Google Cloud and Google Workspace Commitment by DFARS 7012 clause requirement” section on this page.

[Figure: Google Cloud and Workspace DFARS 252.204-7012 Attestations Per Paragraph]

One important caveat is that Google only commits to meeting these DFARS 7012 requirements for “properly configured” Assured Workloads. What constitutes proper configuration is outlined in this Help Center post.

This covers important considerations for ensuring your use of Google Workspace conforms with DFARS 252.204-7012. For NIST 800-171/CMMC Level 2 considerations, read on!

NIST 800-171 / CMMC Level 2

NIST 800-171 revision 2 is the current standard for CMMC Level 2. It contains 110 security controls with 320 assessment objectives (i.e., “organization actions”) that must be addressed explicitly and covered with at least one form of compelling evidence. Your System Security Plan (SSP) is the document that must clearly describe how you’ve implemented each of these objectives and clearly reference your compelling evidence. It is the chief document that CMMC assessors will review and assess against as part of your CMMC Level 2 C3PAO assessment.

When working with external service providers (managed service providers, cloud service providers, etc.) such as Google, a very important step in implementing NIST 800-171 and preparing for a CMMC assessment is identifying shared responsibility. Say your company is looking at purchasing a product or service from a vendor. You’ll need to analyze how that product/service helps or hinders you in becoming CMMC compliant; in other words, determine how the product/service directly aligns with NIST 800-171A. As part of that determination, you’ll discover which assessment objectives the vendor fully or partially covers for you, if any.

This is another key consideration for contractors comparing Google Workspace to alternatives. To really know which assessment objectives are fully or partially covered by Google, we refer to their implementation guides. The implementation guide for Google Workspace was released in February 2025, and the implementation guide for Google Cloud was released in June 2025. This is where the rubber meets the road and how you can determine if Google Workspace is “worth it” to you for CMMC. We highly recommend reading through both to get a feel for what is covered, fully or partially, and what is not, to give you an idea of the level of effort necessary to meet the requirements.

Remember that if Google’s documentation states that they do not help cover a particular control/objective, or they only partially cover a control/objective, you cannot claim in your SSP that the vendor provides full coverage — in other words, full “inheritance” — for this control. You can only claim inheritance (and prepare to show proof) of controls/objectives that Google (or any other vendor) explicitly states they help cover. CMMC assessors will be checking for this during your assessment and looking for discrepancies.

Reading through the implementation guides, it becomes clear that using Google Workspace will likely require you to procure additional tools that are not included, which will add to your total price. For example, Google Workspace’s endpoint protection seems very limited (and several years outdated) and does not appear to meet the malicious code protection requirements for your assets (workstations, servers, mobile devices, etc.) “out of the box.” So, purchasing an additional endpoint protection solution is likely necessary. We have the same concerns for, say, aggregation of operating system logs into a central analysis tool (e.g., a SIEM). The additional costs of filling these gaps will need to be taken into account when deciding between Google Workspace and its alternatives.

If you are thinking of leaning on managed service providers to help cover these gaps, you’ll also want to inquire if these service providers are skilled with Google Workspace and configuring additional tools in such an environment. This may present additional challenges when selecting a service provider.

Wrapping up

In conclusion, this post highlighted considerations for defense contractors looking at using Google Workspace within their CUI-handling environment. We are not trying to sway you towards or away from any particular vendor; rather, showing you what to expect.

If you have any questions about this blog post, CMMC, or anything else, please feel free to contact us. Or, grab a seat in our next CMMC Workshop, where we will walk you through how to select the right service provider.

Thanks for reading!

-Nathan
