Does Google Workspace Meet CMMC Requirements? A Complete Guide for Defense Contractors

  • June 11, 2026
Author

Anna Fitzgerald

Senior Content Marketing Manager

Defense contractors running on Google Workspace face a direct question as CMMC enforcement ramps: can this platform actually be used to handle controlled unclassified information (CUI) and pass a CMMC assessment?

The short answer is yes, but only with the right edition, the right add-on, the right configuration, and shared responsibility with the customer.

As with any “CMMC cloud,” using Google Workspace does not make an organization automatically compliant. It gives you a compliant foundation to build on, and the rest is configuration, documentation, control implementation, and monitoring that remain your responsibility.

This guide breaks down what Google Workspace is and how it can be used for defense work, where the line sits between Google's responsibility and yours, and which edition and add-ons you actually need for CMMC.

What is Google Workspace and can it be used for CMMC?

Google Workspace is a cloud-based suite of communication and collaboration tools, including Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, Chat, and the administrative controls that govern them.

Its core services can be used for defense work involving CUI because they carry a FedRAMP High Authority to Operate (ATO). That authorization satisfies DFARS 252.204-7012, which requires any cloud service used to process, store, or transmit CUI to hold at least a FedRAMP Moderate Authorization or equivalent. This is also required for CMMC Level 2.

Rather than the product as a whole, the FedRAMP High Authorization applies to the following core productivity and collaboration tools that Google brought in scope:

  • Gmail
  • Calendar
  • Docs
  • Drive
  • Forms
  • Gemini in Docs, Drive, Gmail, Meet, Sheets, and Slides
  • Gemini app
  • Google Chat
  • Google Meet
  • Keep
  • New Sites
  • Sheets
  • Slides
  • Vault

For certain categories of CUI, such as export-controlled data, it is not enough to just use Google Workspace's FedRAMP High authorized services. You also need the Assured Controls Plus add-on for CMMC compliance to ensure data is stored and accessed by support personnel within the United States only.

The Assured Controls add-on is only available on Enterprise Plus (and Frontline Plus, which is not suitable for CMMC). So, in practice, only the Google Workspace Enterprise Plus edition combined with the Assured Controls add-on can support CMMC Level 2 compliance for CUI Basic and CUI Specified.

Note: The set above is as of June 2026. Because the in-scope list is maintained by Google and changes over time, confirm the current set against Google's documentation before you scope your environment, and be prepared to turn off any service that has not been authorized so it stays outside your boundary.

How Google Workspace meets CMMC requirements

In addition to its FedRAMP High ATO, Google Workspace can help meet several CMMC requirements through its native or add-on capabilities that map to the technical controls CMMC expects an organization to implement around CUI. Below we’ve included control mappings from Google’s whitepaper, Achieve CMMC compliance with Google Workspace.

  • Encryption (AC.L2-3.1.19, SC.L1-3.13.1, SC.L2-3.13.8). Google Workspace encrypts data in transit and at rest, with client-side encryption available for organizations that need to hold the keys to their most sensitive content.
  • Vendor access control (AU.L2-3.3.1). Systems are designed to limit the number of Google employees that have access to customer data and to actively monitor the activities of those employees. Access Transparency Reports enable customers to review logs of actions taken by Google staff when accessing their data.
  • Data loss prevention (AC.L2-3.1.3). Built-in DLP policies and rules help detect and prevent CUI from being shared or exposed outside the boundary through automated warning or blocking actions. 
  • Multi-factor authentication and security key enforcement (IA.L2-3.5.3). Stronger authentication, including enforced hardware security keys, reduces the risk from compromised credentials.
  • Data residency and sovereignty. Assured Controls Plus for Workspace enables organizations to control where their data is stored, processed, and accessed, ensuring that it is limited to data centers and authorized parties in the US only for data sovereignty.

These capabilities support CMMC compliance. They do not deliver it automatically. Each one has to be configured to the standard NIST SP 800-171 requires, proven to be operating effectively with evidence, documented in your System Security Plan (SSP), and assessed to achieve CMMC certification.

In other words: when configuring Google Workspace to support CMMC compliance, you must use FedRAMP High authorized services, Assured Controls Plus so that data storage and access are limited exclusively to the United States, and the CMMC Customer Responsibility Matrix (CRM).

CMMC shared responsibility in Google Workspace

CMMC compliance in any cloud environment is shared between the provider and the customer, and Google formalizes that split in a Customer Responsibility Matrix (CRM). The CRM defines which CMMC controls can be inherited fully from Google, which are shared, and which fall entirely to the customer.

Google takes responsibility for the design, delivery, and maintenance of the underlying service and the common infrastructure it runs on. As a result, a number of Physical Protection, Media Protection, and System and Communications Protection controls can be inherited or partially inherited from Google.

Once your domain is established and validated, you use the Admin Console to configure services and meet the controls you own across families such as Access Control and Audit and Accountability.

According to the Google Workspace CMMC Implementation Guide released in February 2024, a Google Workspace Enterprise Plus environment with Assured Controls Plus offers:

  • 42 inherited controls
  • 47 shared controls
  • 21 customer controls

Note that these refer to the high-level requirements of NIST 800-171 Rev 2, which make up the security standard of CMMC Level 2. To achieve compliance, you must fully meet all 110 requirements and 320 assessment objectives. 

The inherited half of the model is made up of technical controls, meaning technology that automates a security function, such as firewalls, MFA, and encryption tools. The customer-owned half of the model is mostly focused on people and process controls that govern human behavior, including how people use those tools. They include:

  • Security awareness training that reflects CMMC requirements and is delivered on a recurring basis.
  • Documented security policies that are enforced and regularly reviewed and accepted by employees, not just written and shelved.
  • Administrative requirements that demonstrate organizational maturity around incident response, configuration change, and risk assessments.  

For more specifics on Google’s implementation of inherited and shared controls, Google's CRM can be provided by the Google sales team or your Google Workspace customer representative upon request.

Google Workspace licensing for CMMC

The license (or edition) you choose determines whether the CMMC Level 2 path is even available to you, because the controls that matter for CUI are gated behind specific tiers.

The deciding factor is the Assured Controls Plus add-on. It delivers the US data residency and data sovereignty controls that CUI handling depends on, and it is only available on Enterprise Plus.

The Business and Enterprise Standard editions cannot add Assured Controls Plus, which is why they are not a viable path for Level 2 for all categories of CUI (even though several Business and Enterprise editions have in-scope services covered by FedRAMP High Authorization).

| Edition | FedRAMP High coverage | Assured Controls Plus add-on | CMMC support |
|---|---|---|---|
| Business Standard and Plus | Yes | Not available | Level 1 (FCI) possible |
| Enterprise Standard | Yes | Not available | Level 1 (FCI) only; not recommended for Level 2 without data residency and sovereignty controls |
| Enterprise Plus | Yes | Available | Recommended Level 2 path for all CUI, including export-controlled data, when configured with Assured Controls Plus |

A few key takeaways:

1. Google Workspace Business Standard can meet Level 1. Because FCI carries no FedRAMP baseline or data residency or sovereignty requirements for cloud services, the edition decision there is driven by the FAR 52.204-21 safeguards you need to implement, not by the authorization or certifications of that tier. That means Google Workspace Business Standard can help meet the CMMC Level 1 standard, with proper configuration and shared responsibility. 

2. For Level 2, Enterprise Plus is the edition that matters. Beyond everything in Enterprise Standard, it adds the capabilities most relevant to protecting CUI: client-side and S/MIME encryption for email, files, and meetings; enhanced data residency and export controls; automatic AI classification of files in Drive; data loss prevention and context-aware access; eDiscovery and Vault retention; advanced security reporting and investigation tools; and the Assured Controls add-on for advanced compliance requirements.

3. The CMMC-relevant enterprise pricing is quote-based (not publicly available). Google publishes Business-edition prices, but not for Enterprise editions. Instead, Google Workspace Enterprise Plus is quoted by either Google Workspace Sales or partners. The Assured Controls Plus add-on is quoted the same way with no list price. That means you should plan to scope the full configuration with your account representative or a partner rather than off a published rate on a third-party site, especially if comparing pricing to another vendor. 

4. Assured Controls Plus is the relevant tier, not base Assured Controls. Access Management, which enables you to restrict access to data to U.S.-based personnel with background checks only, is an exclusive Plus capability. The base Assured Controls add-on does not, on its own, deliver the data sovereignty that CUI Specified requires.

Google Workspace vs. Google Cloud for CMMC

Google offers two distinct paths that support CMMC, and contractors sometimes conflate them.

  • Google Cloud can support CMMC, but it requires the Assured Workloads data boundary for FedRAMP High paired with the CMMC CRM to configure systems for compliance. This is the path for custom infrastructure and application workloads.
  • Google Workspace requires the use of FedRAMP High authorized services together with Assured Controls Plus to confine data storage to the United States. This is the path for core productivity and collaboration services such as Gmail and Google Drive.

Most defense contractors evaluating "Google for CMMC" are really evaluating Google Workspace, because the question is where their everyday CUI (which exists in email attachments, documents, shared drives) will live. 

But if you also run application workloads on Google Cloud, you must scope and configure that environment separately.

Google Workspace vs Microsoft GCC High for CMMC

For DIB organizations handling CUI, the realistic platform decision usually comes down to two options: Microsoft 365 GCC High or Google Workspace Enterprise Plus. They reach CMMC compliance through fundamentally different architectures, and that difference shapes both how you get compliant and what it costs.

Google Workspace runs as a single, multi-tenant cloud. Every customer is on the same instance and receives the same security posture, capacity, and feature updates at the same pace. That can deliver high reliability and low costs, but the platform has no built-in data residency or US-person access restriction. You only get those with the Assured Controls Plus add-on, which confines data storage and Google support access to the United States.

GCC High takes the opposite approach. It runs on Azure Government, a logically and physically isolated cloud that’s separate from Azure Commercial and purpose-built for sovereignty. US data residency and screened-US-person access are inherent to the environment, with no add-on required.

In other words, Google achieves sovereignty through a configuration and add-on layered onto a shared, commercial-grade cloud, while Microsoft achieves it through a dedicated, isolated government cloud. Neither is automatically the right answer. The better fit depends on your CUI categories, budget, and existing stack.

| | Google Workspace Enterprise Plus | Microsoft GCC High |
|---|---|---|
| Cloud architecture | Single multi-tenant cloud, shared by all customers | Isolated on Azure Government cloud, separate from Commercial |
| US data residency and sovereignty | Via Assured Controls Plus add-on | Built into the environment |
| Authorization | FedRAMP High | FedRAMP High |
| Shared responsibility | 42 inherited controls and 47 shared controls | 53 inherited controls and 57 shared controls |
| Cost | Costs can be lower depending on how many add-ons and third-party tools required | Costs can be higher since paying for dedicated government cloud |

The practical takeaway: both vendors offer a similar collaboration and productivity suite, with Google Workspace Enterprise Plus roughly equivalent to Microsoft 365 E5 across email, calendar, sites, conferencing, chat, MDM, eDiscovery, and archiving. The real decision is:

  • Architectural: Are your data sovereignty requirements better met by an add-on on a shared cloud or by a dedicated isolated one?
  • Price: Which best supports your CMMC needs? Google can be more affordable since it does not require a separate government cloud environment, but depending on the add-ons and third-party tools required to fill in the CMMC gaps, cost savings may not be substantial. 

What neither platform gives you is a reference architecture. Those are provided by partners. 

Jeff Brown, Lead Google Workspace US Public Sector team, explained in a podcast interview: “You need to have the recipe or cookbook. You have to know, through our partners, exactly how to deploy Google Workspace to meet all of the CMMC requirements.”

FedRAMP Authorization and other capabilities get you an eligible foundation, but meeting all CMMC requirements still depends on knowing exactly how to configure the environment. This is where a partner with a purpose-built automated provisioning tool comes in.

Looking for a head-to-head between cloud platforms instead? See our comparison of Google Workspace, Microsoft 365 Commercial, and GCC High for CMMC, DFARS, and ITAR.

How to simplify CMMC compliance in Google Workspace with Secureframe Defense

Standing up a Google Workspace environment to Level 2 is a configuration-heavy project: provisioning a CUI enclave, enforcing the right technical settings, capturing evidence, and documenting all of it in an SSP—and not just before an assessment but continuously over time. 

Secureframe Defense is built to do that work with you rather than hand you a checklist or disparate tool that only helps with part of the readiness process or before the assessment.

Once a customer connects their Google Workspace tenant, Secureframe Defense automatically provisions CMMC Level 2 configurations on their behalf wherever the Google Workspace APIs allow, and walks them through the steps that still require manual action. The same happens when a customer connects a VDI or Secureframe Federal MDM to secure the virtual or physical devices used to access CUI in that Google Workspace tenant.

Specifically, here’s how the Google Workspace integration works:

  • Connects and authenticates against the tenant. A customer admin authorizes Secureframe with the admin permissions needed to read and write configurations on their behalf.
  • Continuously syncs identity data. Users, groups, admin roles, audit logs, and environment configurations are pulled from Google Workspace on an ongoing basis.
  • Provisions CUI segregation in Drive. Secureframe creates and continuously validates a CUI-designated Drive folder with the required role groups (CUI, Workspace Admin, Super Admin) so CUI stays segregated and access-controlled.
  • Enforces technical configurations where APIs allow. Rather than asking customers to make changes by hand, Secureframe writes the required CMMC settings—MFA, logging, conditional access, sharing restrictions.
  • Enforces separation of duties. Conflicting role assignments are prevented; for example, a super admin cannot also hold a CUI data-access role, supporting the separation of duties CMMC requires.
  • Guides the manual steps. For settings Google Workspace does not expose to an API, or when CUI already exists in the tenant, Secureframe provides step-by-step instructions with confirmation points and shows which requirements still need attention.
  • Captures evidence automatically. When Secureframe enforces a configuration, that evidence flows into automated CMMC tests, and Secureframe continuously monitors that compliant configurations stay enforced.
  • Generates SSP boilerplate. Pre-written implementation statements tied to the default configurations keep your SSP accurate as long as those defaults remain in place.

The result is a Google Workspace environment that is configured to Level 2, documented automatically, and continuously monitored to isolate and secure CUI. That means your team can spend its time on the process controls only you can own (like training), not on poring over Google documentation and configuring hundreds of settings on your own.

Talk to an expert to learn more about deploying a CUI environment with Secureframe Defense without the usual complexity, cost, and timeline.


Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.