This is an overview of the settings and features that Google Workspace administrators can apply to support compliance with FedRAMP High security controls.
Google Workspace configuration
Cloud security is recognized in the industry as a shared responsibility by the customer and the cloud service provider (CSP). For its part, Google Workspace complies with U.S. Federal Government and global standards for cloud security and privacy. For instance, Google Workspace maintains a FedRAMP HIGH authorization; is certified against ISO 27017, 27018, 27001; and is audited against the AICPA Service Organization Control (SOC) standards. Learn more about Google Workspace compliance offerings and reports.
Google Workspace provides FedRAMP High compliance to Federal Government customers and other agencies that are required to operate in FedRAMP High boundary.
Editions and offerings covered by FedRAMP High:
- Google Workspace Enterprise Plus and Enterprise Standard editions
- Google Workspace Business Plus and Business Standard editions
- Google Workspace for Government offering
Google Workspace Business and Enterprise editions have built-in security controls and feature sets that enable Government customers to meet FedRAMP High and align their own Authority to Operate. Google Workspace also provides data regions and client-side encryption (available with Enterprise editions) to help customers meet regulatory requirements.
The next sections describe features and controls that you can use to address the FedRAMP High Policy requirements.
Services covered by FedRAMP High
For users who are required to be within FedRAMP High boundary, give them access only to the services that meet FedRAMP High authorization. Learn how to turn a service on or off for Google Workspace.
Services covered by FedRAMP High authorization:
- Calendar
- Docs
- Drive
- Forms
- Gmail
- Google Chat
- Google Meet
- Keep
- New Sites
- Sheets
- Slides
- Vault
Data location (United States)
Google owns and operates the following data centers within the Continental United States (CONUS) that host Google Workspace services:
- Berkeley County, South Carolina
- Council Bluffs, Iowa
- Douglas County, Georgia
- Jackson County, Alabama
- Lenoir, North Carolina
- Mayes County, Oklahoma
- Montgomery County, Tennessee
- The Dalles, Oregon
Google can store the encrypted Google Workspace primary data-at-rest in a geographic location: United States or Europe. Select the United States for your users who need to stay with the FedRAMP High boundary.
We recommend that public sector agencies set the data region policy for all their users. If you have Enterprise Plus, Education Plus, or Education Standard, you can set a data region for an organizational unit or configuration group. Learn more about data regions and choosing a geographic location for your data.
Data regions also cover user indices for Gmail, Calendar, Drive, Docs, Sheets, and Slides. Learn about data region policies
Assured Controls
Assured Controls is an optional add-on for Google Workspace that allows organizations to precisely control cloud service provider access. Access Management gives customers the ability to geographically limit Google staff support actions to U.S. Persons within our support teams, a useful control for highly regulated industries such as the public sector.
If you’d like to learn more, contact your Google Sales representative or Carahsoft.
