U.S. Defense Federal Acquisition Regulation Supplement (DFARS)
The U.S. Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that are required for companies who contract with the Department of Defense (DoD).
Department of Defense contractors and Defense Industrial Base (DIB) customers are required to comply with applicable DFARS clause requirements for adequate security. These customers can use Google Cloud and Google Workspace to comply with Cloud Service Provider (CSP) applicable DFARS 252.239-7010 and 252.204-7012 clauses using our defined FedRAMP moderate and FedRAMP high services.
Complying with DFARS 252.239-7010
When a cloud solution is being used to process data on the DoD's behalf, or the DoD is contracting with a CSP to host or process data in a cloud, the defense contractor must comply with DFARS 252.239-7010, Cloud Computing Services. DFARS 252.239-7010 requires the cloud service provider to comply with the DoD Cloud Computing Security Requirements Guide.
Google Cloud and Google Workspace can support customer compliance with the DoD Cloud Computing Security Requirements Guide, with the Google Cloud services authorized at IL2, IL4, and IL5 levels, and the Google Workspace services authorized at IL2 and IL4 levels, with IL5 in progress. Learn more about what services are supported by visiting our DISA compliance page.
Complying with DFARS 252.204-7012
Defense contractors whose information systems process, store, or transmit covered defense information (CDI) must comply with the DFARS Clause 252.204-7012, which specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers.
Google Cloud and Google Workspace support DFARS
Customers can use Google Cloud and Google Workspace to comply with CSP applicable DFARS 252.239-7010 and 252.204-7012 clauses using our defined FedRAMP moderate and FedRAMP high controls.
Google Cloud and Google Workspace maintain both FedRAMP Moderate and FedRAMP High Authority to Operate (ATO) for defined services. All FedRAMP Moderate and FedRAMP High Services align with NIST 800-171. Customers must use the FedRAMP Customer Responsibility Matrix (CRM), which is part of Google’s FedRAMP System Security Plan, when configuring their systems to support FedRAMP compliance. Our sales team or your Google Cloud representative can help facilitate access to applicable documentation.
For all FedRAMP services, Google relies on its FedRAMP Incident Response Plan (IRP), which is part of Google’s FedRAMP System Security Plan (SSP) authorized as part of its FedRAMP ATOs. In accordance with its incident response standard procedures, Google preserves and protects any applicable malicious software, media, forensic analysis, and damage assessments completed as part of its investigation.
Customers who require their data to be stored exclusively within the U.S. must utilize FedRAMP High services (configured with either Assured Workloads or Assured Controls) and the FedRAMP CRM. This will ensure their data is stored in Google data center regions located within the United States. Customers may also choose to use Google solutions for IL2, IL4, or IL5 to ensure data residency of customer data.
Using Google to comply with DFARS 252.204-7012
DoD contractors and DIB customers can use Google Cloud and Google Workspace to meet the requirements of DFARS 252.204-7012. By enabling Assured Workloads or Assured Controls, these organizations can facilitate the creation of compliant boundaries or system enclaves within their Google Cloud environments. As outlined below, Google commits to accepting the DFARS 252.204-7012 flowdown requirements that are applicable to the (CSP) for our FedRAMP moderate and FedRAMP high services.
Customers must select the FedRAMP Moderate or FedRAMP High regulatory control package for deployment within the software-defined boundary. As mentioned above, Customers should use the FedRAMP CRM, which is part of Google’s FedRAMP SSP, when configuring their systems to support FedRAMP compliance.
Google Workspace customers must ensure that they are only using those services that are FedRAMP moderate or FedRAMP high within the scope of their compliance with DFARS 252.204-7012. If needed, a customer can turn off a service that has not yet been FedRAMP-authorized. Google recommends that customers follow the Google Workspace FedRAMP configuration guide to support compliance with DFARS 252.204-7012. Please note that while data location and Assured Controls are not explicitly required to achieve compliance with DFARS 252.204-7012, they may be considered as optional add-ons for those customers with more restrictive requirements.
Google Cloud and Google Workspace Commitment by DFARS 7012 clause requirement
DFARS 7012 Clause Requirements | Google Cloud and Google Workspace Commitment |
(b) Requirements pertaining to provision of Adequate security | Google Cloud and Google Workspace maintain both FedRAMP Moderate and FedRAMP High ATO for covered services. All FedRAMP Moderate and FedRAMP High Services align with NIST 800-171. Customers must use the FedRAMP CRM, which is part of Google’s FedRAMP SSP, when configuring their systems to support FedRAMP compliance. Customers can request the FedRAMP SSP and CRM from a Google Cloud sales specialist. |
c) Cyber incident reporting requirement | Google reports data incidents in alignment with its FedRAMP responsibilities and contractual obligations. Google’s Cloud Data Processing terms includes a section on data security (section 7, Data Security), including Data Incident Notification, which states that Google will notify customers promptly and without undue delay after becoming aware of a Data Incident (section 7.2.1). Google’s notification will describe: the nature of the incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the incident and mitigate its potential risk; the measures, if any, Google recommends that customer takes to address the incident; and details of a contact point where more information can be obtained (section 7.2.2). Google does not assess Customer Data in order to investigate and identify Data Incidents. However, upon customer’s request, Google can provide additional reasonable cooperation and assistance to help Customer ensure compliance with its obligations relating to security and personal data breaches under applicable law. Google commits to promptly informing affected customers that are in scope for DFARS with properly-configured Assured Workloads and Assured Controls of Data Incidents within a 72 hour timeframe. For more information on Google's approach to incident response, please see our Data Incident response process. |
(d) Malicious software | If Google or Customer identify malicious software connected to Google Cloud or Google Workspace customers in scope for DFARS, Google will work with Customers to submit malicious software to the DoD Cyber Crime Center (DC3), as appropriate. Google's infrastructure is designed with security measures in place to help prevent the deployment of malicious code, eliminate individuals from unilaterally impacting the environment, and enforce consistent controls across all its services. |
(e) Media preservation and protection | In the event of a data incident, the Incident Management Team follows the Google FedRAMP IRP protocol to guarantee data collection and preservation as part of the standard incident investigation process. During this process, Google will safeguard and maintain physical or virtual systems, or physical media, if deemed necessary for the incident response. Customers are responsible for collecting and storing any monitoring or packet capture data. Google Cloud and Google Workspace customers are also advised to use Cloud Logging to retain customer audit log data for a minimum of six months (or at least 90 days to meet DFARS 252.204-7012 obligations). Customers can request the FedRAMP SSP and CRM (which includes the IRP) from a Google Cloud sales specialist. |
(f) Access to additional information or equipment necessary for forensic analysis | Upon Customer’s request, Google can provide additional reasonable cooperation and assistance to help Customer ensure compliance with its obligations relating to security and personal data breaches under applicable law. |
(g) Cyber incident damage assessment activities | As part of the FedRAMP IRP, Google evaluates the extent of any damage from a known incident. This information is available upon request as part of a DoD damage assessment. |
DFARS 7012 Clause Requirements
Google Cloud and Google Workspace Commitment
(b) Requirements pertaining to provision of Adequate security
Google Cloud and Google Workspace maintain both FedRAMP Moderate and FedRAMP High ATO for covered services. All FedRAMP Moderate and FedRAMP High Services align with NIST 800-171.
Customers must use the FedRAMP CRM, which is part of Google’s FedRAMP SSP, when configuring their systems to support FedRAMP compliance. Customers can request the FedRAMP SSP and CRM from a Google Cloud sales specialist.
c) Cyber incident reporting requirement
Google reports data incidents in alignment with its FedRAMP responsibilities and contractual obligations.
Google’s Cloud Data Processing terms includes a section on data security (section 7, Data Security), including Data Incident Notification, which states that Google will notify customers promptly and without undue delay after becoming aware of a Data Incident (section 7.2.1). Google’s notification will describe: the nature of the incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the incident and mitigate its potential risk; the measures, if any, Google recommends that customer takes to address the incident; and details of a contact point where more information can be obtained (section 7.2.2).
Google does not assess Customer Data in order to investigate and identify Data Incidents. However, upon customer’s request, Google can provide additional reasonable cooperation and assistance to help Customer ensure compliance with its obligations relating to security and personal data breaches under applicable law.
Google commits to promptly informing affected customers that are in scope for DFARS with properly-configured Assured Workloads and Assured Controls of Data Incidents within a 72 hour timeframe.
For more information on Google's approach to incident response, please see our Data Incident response process.
(d) Malicious software
If Google or Customer identify malicious software connected to Google Cloud or Google Workspace customers in scope for DFARS, Google will work with Customers to submit malicious software to the DoD Cyber Crime Center (DC3), as appropriate.
Google's infrastructure is designed with security measures in place to help prevent the deployment of malicious code, eliminate individuals from unilaterally impacting the environment, and enforce consistent controls across all its services.
(e) Media preservation and protection
In the event of a data incident, the Incident Management Team follows the Google FedRAMP IRP protocol to guarantee data collection and preservation as part of the standard incident investigation process. During this process, Google will safeguard and maintain physical or virtual systems, or physical media, if deemed necessary for the incident response. Customers are responsible for collecting and storing any monitoring or packet capture data.
Google Cloud and Google Workspace customers are also advised to use Cloud Logging to retain customer audit log data for a minimum of six months (or at least 90 days to meet DFARS 252.204-7012 obligations). Customers can request the FedRAMP SSP and CRM (which includes the IRP) from a Google Cloud sales specialist.
(f) Access to additional information or equipment necessary for forensic analysis
Upon Customer’s request, Google can provide additional reasonable cooperation and assistance to help Customer ensure compliance with its obligations relating to security and personal data breaches under applicable law.
(g) Cyber incident damage assessment activities
As part of the FedRAMP IRP, Google evaluates the extent of any damage from a known incident. This information is available upon request as part of a DoD damage assessment.
As outlined above, Google products covered under FedRAMP authorizations align with DFARS 252.204-7012 requirements applicable to CSPs to enable the defense contractors to meet their obligations under DFARS 252.204-7012.
Related offerings
- NIST 800-171See which Google Cloud services have undergone an independent third-party assessment that confirmed compliance with NIST 800-171.
- U.S. Cybersecurity Maturity Model CertificationProviding an update of where Google Cloud is with CMMC certification.
- FedRAMPGoogle Cloud maintains FedRAMP High and FedRAMP Moderate P-ATOs for Google Cloud and Google Workspace products.
- DISAAdding recently Provisionally authorized IL5 services by DISA.
Take the next step
Start building on Google Cloud with $300 in free credits and 20+ always free products.
Learn security best practices
See our best practicesSolve common problems
Watch security use-case videosWork with a partner
See our security partners
