What Google’s New Cloud Security Authorizations Mean for Its Government Customers

 The new Google building in the south lake union area of Seattle.

The new Google building in the south lake union area of Seattle. 400tmax/istockphoto

Company officials called the updates the result of a significant engineering effort.

Google achieved two new public-sector authorizations that insiders say will prove instrumental in their work helping the government modernize its information technology, security and compliance.

On the heels of a long and complex engineering effort, the Google Workspace product reached FedRAMP High authorization, officials announced Wednesday, and the tech giant also earned an Impact Level 4, or IL4, designation from the Defense Information Systems Agency.

“Our approach has been different from what we’ve seen other cloud providers do,” Google Cloud Director of Risk and Compliance Jeanette Manfra and Senior Product Manager Christopher Johnson told Nextgov via email.

The Federal Risk and Authorization Management Program, or FedRAMP is a mechanism meant to ensure that the right level of information security is abided by when government agencies tap into cloud products and cloud services. FedRAMP High covers sensitive federal information like health care and law enforcement data. Johnson and Manfra noted that this new approval will allow customers to collaborate at a high level of security without having to purchase and deploy a separate “government cloud” instance. The tools are completely cloud native within one single marketplace. 

“It also means they can operate seamlessly with relevant government agencies without additional overhead,” Manfra and Johnson wrote.

DISA, the component that handles the Pentagon’s cloud security requirements, issues authorizations by impact levels. The various levels reflect the sensitivity of the information that would be stored or processed in the cloud and the potential impact of an event that resulted in it being compromised. Google achieved IL4, which accommodates controlled unclassified information, or CUI.

“Unlike other providers, who offer limited authorized services on a small number of isolated ‘government cloud’ regions, Google Cloud has obtained the IL4 authorization for 7 US public cloud regions, assuring that customers always have access to and seamless compatibility with our latest, most innovative cloud services,” Manfra and Johnson wrote. 

Through the updates made—which again, deliberately did not result in a separate government cloud environment—Google’s customers no longer need a bespoke environment for federal data and systems to have better security outcomes, the officials added. 

“This took more time to achieve the authorization, but we believe it's going to allow us to have a far more secure and efficient environment for federal customers and the entire federal supply chain into the future because we are doing this at scale and leveraging our public cloud,” they wrote.  

Looking ahead, the two confirmed that the company “is committed to expanding [its] authorizations across multiple classification domains, including IL5 and beyond.”