U.S. Defense Federal Acquisition Regulation Supplement (DFARS)

The U.S. Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that companies contracting with the Department of Defense (DoD) or any other federal agency are required to follow. DoD contractors are required to comply with applicable DFARS requirements for adequate security. Google Cloud and Google Workspace support defense contractor compliance with DFARS 252.204-7012 and 252.239-7010 with various controls.

Complying with DFARS 252.239-7010

When a cloud solution is being used to process data on the DoD's behalf, or the DoD is contracting with a Cloud Service Provider to host or process data in a cloud, the defense contractor must comply with DFARS 252.239-7010, Cloud Computing Services. DFARS 252.239-7010 requires the cloud service provider to comply with the DoD Cloud Computing Security Requirements Guide.

Complying with DFARS 252.204-7012

Defense contractors whose information systems process, store, or transmit covered defense information (CDI) must comply with DFARS Clause 252.204-7012, which specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers.

Google Cloud and Google Workspace support DFARS

Google Cloud and Google Workspace maintain both FedRAMP Moderate and FedRAMP High Authority to Operate (ATO) for defined services. All FedRAMP Moderate and FedRAMP High services align with NIST SP 800-171. Customers must use the FedRAMP Customer Responsibility Matrix (CRM), which is part of Google’s FedRAMP System Security Plan, when configuring their systems to support FedRAMP compliance.

For all FedRAMP services, Google relies on its FedRAMP Incident Response Plan (IRP), which is part of Google’s FedRAMP System Security Plan authorized as part of its FedRAMP ATOs. Google follows FedRAMP and DoD incident reporting and notification procedures as applicable. In accordance with its standard incident response procedures, Google preserves and protects any applicable malicious software, media, forensic analysis, and damage assessments completed as part of its investigation.

Customers who require that their Customer Data reside within the U.S. must use FedRAMP High services (with Assured Workloads or Assured Controls configured) to store their Customer Data in Google regions located within the United States. Google Cloud and Google Workspace achieve the remaining DFARS requirements through FedRAMP Moderate authorized services. Our sales team or your Google Cloud representative can help facilitate access to this documentation.

Google Cloud and Google Workspace can support customer compliance with the DoD Cloud Computing Security Requirements Guide, with the Google Cloud services authorized at IL2, IL4, and IL5 levels, and the Google Workspace services authorized at IL2 and IL4 levels, with IL5 in progress. Learn more about which services are supported by visiting our DISA compliance page.