U.S. Cybersecurity Maturity Model Certification (CMMC)

The U.S. Department of Defense (DoD) requires that all defense industrial base (DIB) contractors and subcontractors implement the security controls outlined in NIST SP 800-171 r2 to protect Controlled Unclassified Information (CUI) as outlined in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Federal contractors (including defense contractors) handling Federal Contract Information (FCI) must also comply with the security requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

To formalize and verify compliance with NIST SP 800-171 r2, the DoD launched the CMMC program on October 15, 2024, via the 32 CFR part 170 CMMC Program rule, effective December 16, 2024. A proposed acquisition rule (48 CFR part 204) will amend DFARS 252.204-7021 to require CMMC certification for covered contractors. Once finalized, this will phase CMMC compliance into DoD contracts. Google Cloud and Google Workspace are ready to support contractors in meeting these requirements.

What are the 3 levels of CMMC?

The CMMC program has three levels:

Level 1: Basic safeguarding of FCI

  • Focus: Protecting FCI, which covers basic information such as contract numbers and delivery schedules. This level is designed to be simpler for smaller organizations to meet when they will not be managing information critical to national security.
  • Requirements: 15 basic cybersecurity practices, for example, changing passwords regularly and using antivirus software.
  • Assessment: Annual self-assessment.
  • Applicability: Required for all contractors handling FCI in some capacity. This is the most common level.

Level 2: Broad Protection of CUI

  • Focus: Protecting CUI, for example, sensitive data subject to safeguarding or dissemination controls. This level is designed to protect information critical to national security.
  • Requirements: 110 security requirements aligned with NIST SP 800-171 r2, for example: maintaining a System Security Plan (SSP); identifying, logging, and monitoring CUI assets; and implementing a vulnerability scanning program to identify and remediate security weaknesses.
  • Assessment: Defined by the contract. Some contracts may require self-assessment, while others may require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
  • Applicability: Required for contractors handling CUI.

Level 3: Higher-level protection of CUI against advanced persistent threats

  • Focus: Protecting highly sensitive CUI on critical programs. Focused on additional safeguards to protect against advanced persistent threats (APTs).
  • Requirements: All Level 2 requirements, plus additional practices from NIST SP 800-172 for enhanced security, for example, develop a comprehensive incident response plan, implement a comprehensive Continuous Monitoring program, and assess and manage supply chain security risk.
  • Assessment: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • Applicability: Required for contractors working on the most sensitive government projects. This is the least common level.
  • Prerequisite: Before a contractor may pursue CMMC Level 3, they must already have CMMC Level 2.

Essentially, the higher the CMMC level, the more sensitive the data being handled and the stricter the cybersecurity requirements.

Google Cloud and Google Workspace support for CMMC

You can use Google Cloud and Google Workspace to meet your organization’s CMMC compliance requirements at all levels by relying on Google’s FedRAMP High authorized services. Google Cloud and Google Workspace both maintain a FedRAMP High Authority to Operate (ATO) for in-scope services.

Google provides the following guidance documentation to help you meet your CMMC compliance requirements:

  • Google Workspace CMMC Implementation Guide
  • Google Cloud CMMC Implementation Guide

Moreover, Google provides the following attestation letters produced by an independent third-party assessment organization:

  • Google Workspace C3PAO CMMC attestation letter (Google Cloud expected by August 2025)
  • Google Cloud and Google Workspace NIST SP 800-171 compliance attestation letter

For Google Cloud, you must use the Assured Workloads data boundary for FedRAMP High and utilize the CMMC Customer Responsibility Matrix (CRM) when configuring systems to support CMMC compliance. Contact the Google sales team or your Google Cloud representative to obtain any documentation referenced above, such as the CRM.

For Google Workspace, you must use FedRAMP High authorized services for CMMC compliance, as well as Assured Controls Plus to enable data storage exclusively within the United States. If needed, you can turn off a service that has not yet been FedRAMP authorized.
