March 23rd, 2018
Google Cloud Platform (GCP), like all our products, is built with security as a core design and development principle. We go to great lengths to document how our infrastructure and platforms can help our customers keep their data safe. But third-party validation helps! That's why we're excited to announce that GCP and Google’s underlying common infrastructure have received the FedRAMP Rev. 4 Provisional Authorization to Operate (P-ATO) at the Moderate Impact level from the FedRAMP Joint Authorization Board (JAB).
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP compliance is an involved process with a high-quality bar for cloud data security, and a JAB Provisional Authorization requires a rigorous technical review process.
Google runs on the same infrastructure that we make available to our customers. With this authorization, we’re demonstrating our commitment to extending the benefit of GCP security to the United States federal, state and local government customers. While the ATO formally meets requirements applicable to U.S. government agencies, the detailed FedRAMP documentation and audit validation is a useful standard regarding our approach to security. This authorization also enables vendors seeking their own FedRAMP certification to inherit IaaS and PaaS controls from GCP. This significantly reduces their costs and barriers for FedRAMP authorization on top of GCP. GCP’s certification encompasses data centers in many countries, so customers can take advantage of this certification from multiple Google Cloud regions.
G Suite and parts of GCP have had current FedRAMP Moderate authorizations from the U.S. General Services Administration (GSA). This JAB P-ATO expands these authorizations and makes 49 GCP products now FedRAMP-approved. Google’s FedRAMP status is posted on the FedRAMP Marketplace, and the complete list of validated products and services can be found on our compliance page. And we’ll continue to update you as we add more services to the authorization.
Agencies and federal contractors can request access to the JAB P-ATO package by submitting a FedRAMP Package Access Request Form and begin to move through the authorization process to achieve an ATO using GCP.
We know our customers and regulators expect independent verification of our security, privacy, and compliance controls, and we’re committed to continued investment in third-party certifications and validations while maintaining our focus on best-in-class security. For more information on our ongoing compliance efforts, visit our compliance page.