The U.S. Department of Defense (DoD) currently requires that all covered defense contractors and subcontractors implement the security controls outlined in NIST SP 800-171. This requirement is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as part of the covered entities DFARS 252.204-7012 contractual commitments.
In order to formalize this requirement and provide the DoD a means to verify compliance with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC) program is being developed by the DoD. All DoD contractors with the DFARS 252.204-7012 clause in their contracts will need to achieve the CMMC level required in the DoD contract as a condition of contract award when the rule is final.
CMMC 2.0 Background
On December 26, 2023, the DoD released a Proposed Rule for public comment. Commenting period is open for 60 days and then will be reviewed by rule makers for final rule publication. Based on this timeline, industry analysts estimate that final rule publication will occur in early 2025, with the first round of contractors to be CMMC certified after that publication. The date is subject to change, based on the government’s decision making timelines.
CMMC and Google Cloud
CMMC 2.0 has three levels available for organizations to pursue, depending on DoD requirements. While organizations cannot undergo an official CMMC assessment until the final rule has been published, Google Cloud is preparing for CMMC Level 2 by participating in mock assessments with our designated C3PAO supporting our FedRAMP authorization processes for both Google Cloud services and Google Workspace. Once CMMC 2.0 is final, Google will proceed with the formal certification process as defined for Cloud Service Providers (CSPs).
While no organization has received a CMMC certification to date,Google has sought NIST SP 800-171 assessments to help prepare for the CMMC 2.0 Program. These assessment reports can be found on our NIST SP 800-171 page.
Under the current draft of CMMC, contractors utilizing cloud solutions to store CUI must use CSPs that maintain a FedRAMP Moderate authorization at minimum. To help prepare for CMMC, Defense Industrial Base (DIB) contractors using Google Cloud services should refer to our FedRAMP Customer Responsibility Matrix (CRM) that is part of our FedRAMP System Security Plan (SSP) to understand the shared responsibility model as it relates to anticipated CMMC compliance. Our sales team or your Google Cloud representative is here to answer your questions and supply referenced documentation.
Start building on Google Cloud with $300 in free credits and 20+ always free products.