Can Google Workspace Meet CMMC Level 2 Compliance for CUI? (2026 Guide)

This article has been updated to align with the final CMMC Program Rule (32 CFR Part 170) and the CMMC Acquisition Rule (48 CFR / DFARS 252.204-7021), which became final on September 10, 2025, and took effect on November 10, 2025.
Quick Facts: Google Workspace and CMMC Level 2
| Attribute | Details |
|---|---|
| FedRAMP Authorization | FedRAMP High (Core Services) |
| DoD Impact Level | IL4 (Assured Workloads); IL5 not available for collaboration apps |
| CMMC Level Supported | Level 2 (with required configuration) |
| NIST SP 800-171 Controls Required | 110 (Rev 2) |
| Data Residency | U.S. regions only, enforced via Assured Workloads |
| Client-Side Encryption | Available for Gmail, Drive, Docs, Meet (Enterprise Plus) |
Key Takeaways
Google Workspace can support CMMC Level 2 compliance for Controlled Unclassified Information (CUI), but requires strict configuration, boundary management, and documentation.
Achieving compliance requires FedRAMP Moderate (or DoD-recognized equivalent) services, Assured Workloads, and client-side encryption. None of these are default settings.
Contractors must maintain a defined CUI boundary, export audit logs to a secure SIEM, and document every control in their System Security Plan (SSP).
CMMC Phase 2 enforcement begins November 10, 2026. Contracts awarded after that date will require a third-party CMMC Level 2 assessment before award.
For Impact Level 5 (IL5) or export-controlled data, Microsoft GCC High or an equivalent government cloud is generally a more straightforward path.
Many defense contractors rely on Google Workspace for collaboration and face a direct question: can this platform actually handle CUI under the final 48 CFR rule? The short answer is yes, but only with deliberate, DoD-aligned configurations that most organizations have not put in place.
We work with defense contractors on Workspace configurations frequently. The most common gap we see is not a missing tool; it is an undefined CUI boundary. Teams handle CUI in Gmail, share files in Drive, and hold meetings in Meet without ever establishing which services are inside the authorized enclave and which are not. That boundary decision is the foundation everything else builds on.
In our experience, contractors who document the boundary first, before touching encryption or SIEM settings, complete their SSP in roughly half the time. The boundary definition forces every other control decision into focus.
The final 48 CFR rule reinforces that compliance is the contractor's responsibility, not Google's. While Workspace offers strong security foundations, contractors must enforce boundary controls, logging, and encryption to satisfy DFARS 252.204-7012 and NIST SP 800-171 Rev 2. With Phase 2 enforcement arriving November 10, 2026, there is limited time to close gaps.
Does Google Workspace Actually Meet CMMC Level 2?
Google Workspace can satisfy CMMC Level 2 requirements when configured with Assured Workloads, client-side encryption, and a documented SSP. It does not meet those requirements out of the box. CMMC Level 2 maps to all 110 controls in NIST SP 800-171 Rev 2, covering domains from access control and configuration management to incident response and media protection.
A note on NIST versions: NIST SP 800-171 Rev 3 was published in May 2024 and restructured the control catalog. However, the CMMC program still maps assessments to Rev 2. Contractors should be aware Rev 3 exists, but their compliance obligations and SSP documentation remain anchored to Rev 2 until the DoD formally transitions the program.
Under DFARS 252.204-7012, any contractor handling CUI must ensure their cloud service provider meets FedRAMP Moderate or equivalent security standards and supports DoD cyber incident reporting. The final 48 CFR rule makes these obligations contractually enforceable, not just guidance. A misconfigured boundary or an out-of-scope service handling CUI is now a contract compliance failure, not just a security gap.
For a deeper look at what evidence assessors actually review, see What Evidence is Needed for a CMMC Level 2 Assessment?.
Citation Capsule: CMMC Level 2 requires implementation of all 110 security controls in NIST SP 800-171 Rev 2. (NIST, 2020, updated 2023) Under DFARS 252.204-7012, cloud service providers used to store, process, or transmit CUI must meet FedRAMP Moderate or equivalent authorization. Google Workspace Core Services hold FedRAMP High authorization, satisfying this baseline requirement.
What Security Controls Does Google Workspace Provide?
Google Workspace provides genuine built-in controls that cover a meaningful portion of CMMC Level 2 requirements. The platform holds FedRAMP High authorization for its Core Services, which is a strong starting point. But FedRAMP High authorization covers the platform's security posture; it does not automatically satisfy all 110 NIST SP 800-171 controls in your environment.
Here is what Workspace brings to the table:
Encryption by Default. Data in transit and at rest is encrypted using AES-256. Client-Side Encryption (CSE) goes further: Google never holds the decryption keys, ensuring CUI remains inaccessible to Google and to third parties who might access Google's infrastructure.
Administrative Controls. Workspace Admin Console supports MFA enforcement across the organization, data loss prevention (DLP) policies for Gmail and Drive, context-aware access based on device posture and user identity, and granular sharing restrictions. These map to Access Control (AC) and Identification and Authentication (IA) domains. For detailed MFA configuration requirements, see CMMC Passwords, MFA, and WiFi Requirements.
Audit and Monitoring. Workspace generates detailed audit logs for Admin, Drive, Gmail, Meet, and other services. Those logs can be exported via the Reports API to a Security Information and Event Management (SIEM) system for long-term retention and correlation. NIST SP 800-171 requires log retention of at least 90 days online and 3 years archived. See SIEM Requirements for CMMC Compliance for how to structure that pipeline.
FedRAMP Authorization at IL4. Core Workspace services operate within DoD Impact Level 4 boundaries via Assured Workloads. This covers the confidentiality and integrity requirements for CUI that does not rise to IL5.
Documentation Support. Google publishes a CMMC configuration guide and a shared responsibility matrix. These are useful starting references, but they are not a substitute for your organization's own SSP, which must document exactly how each control is implemented in your specific environment.
What Configuration Steps Are Required for CMMC Compliance?
Workspace does not arrive pre-configured for CMMC. The sections below cover the five areas where contractors consistently need to take deliberate action, and what that action actually looks like.
1. How Do You Set Up Boundary and Residency Controls?
Boundary management is the first and most consequential configuration step. Without a defined boundary, there is no way to assess which controls apply to which services or who is responsible for what.
To configure an IL4-compliant boundary in Workspace using Assured Workloads and Assured Controls:
Create a dedicated Google Cloud Organization for your CUI enclave, separate from any general-purpose Google Cloud projects.
Apply an Assured Workloads folder with the "IL4" compliance framework selected. This restricts supported services to FedRAMP-authorized products and enforces U.S. data residency.
Enable Assured Controls to restrict Google support personnel access; no Google employee can access your data without explicit, auditable approval.
Configure Workspace with the Organization Policy constraints/gcp.resourceLocations set to U.S. regions only (us-central1, us-east1, us-west1, etc.).
Enforce a dedicated Workspace OU (Organizational Unit) for users who handle CUI, with all non-authorized services disabled for that OU.
Document the boundary topology in your SSP Network Architecture diagram, showing exactly which services are in-scope and which are explicitly out-of-scope.
This is not a one-time setup task. Boundary integrity must be reviewed every time Google adds or modifies a service offering.
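One way to make the residency step reviewable each time the boundary is re-checked, as an added example that is not code from this article or from Google: it audits a `constraints/gcp.resourceLocations` policy, held as a dict in the Organization Policy `spec.rules` layout, and reports anything that would let resources land outside U.S. locations. The folder ID and both sample policies are constructed; location names that are not `us`-prefixed are flagged for manual review rather than assumed safe.

```python
# Added example: audit an Organization Policy for constraints/gcp.resourceLocations.
# Input is a policy exported to JSON and loaded as a dict (spec.rules layout).

def is_us_location(value):
    """True for a U.S. value group (in:us-locations), the 'us' multi-region,
    or a us-* region or zone. Anything else is treated as not U.S."""
    v = value.strip().lower()
    if v.startswith("in:"):
        v = v[3:]
        if v.endswith("-locations"):
            v = v[: -len("-locations")]
    return v == "us" or v.startswith("us-")


def audit_location_policy(policy):
    """Return a list of findings; an empty list means U.S.-only as written."""
    findings = []
    if not policy.get("name", "").endswith("/policies/gcp.resourceLocations"):
        return ["not a gcp.resourceLocations policy"]
    spec = policy.get("spec") or {}
    if spec.get("reset"):
        findings.append("reset=true: constraint default applies, no location restriction")
    if spec.get("inheritFromParent"):
        findings.append("inheritFromParent=true: parent values are merged in; audit the parent too")
    rules = spec.get("rules") or []
    if not rules and not spec.get("reset"):
        findings.append("no rules defined")
    for i, rule in enumerate(rules):
        if rule.get("allowAll"):
            findings.append(f"rule {i}: allowAll permits every location")
            continue
        if rule.get("denyAll"):
            continue  # blocks all locations: restrictive, not a residency risk
        if "condition" in rule:
            findings.append(f"rule {i}: conditional rule, applies only to matching resources")
        allowed = (rule.get("values") or {}).get("allowedValues") or []
        if not allowed:
            findings.append(f"rule {i}: no allowedValues; a deny-list alone does not pin data to the U.S.")
        for value in allowed:
            if not is_us_location(value):
                findings.append(f"rule {i}: non-U.S. or unrecognized location {value!r}")
    return findings


# Constructed sample policies (the folder ID is a placeholder).
HARDENED_POLICY = {
    "name": "folders/123456789012/policies/gcp.resourceLocations",
    "spec": {"rules": [{"values": {"allowedValues": ["in:us-locations"]}}]},
}
WEAK_POLICY = {
    "name": "folders/123456789012/policies/gcp.resourceLocations",
    "spec": {
        "inheritFromParent": True,
        "rules": [
            {"values": {"allowedValues": ["us-central1", "us-east1", "europe-west1"]}},
            {"allowAll": True},
        ],
    },
}

if __name__ == "__main__":
    for label, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(label, audit_location_policy(pol) or "OK: U.S. locations only")
```

The findings list can be attached to the SSP as evidence that the boundary was re-checked on a given date.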
2. How Do You Restrict Out-of-Scope Services?
Google Workspace includes dozens of apps and integrations, many of which are not FedRAMP-authorized. Any non-authorized service that can access CUI breaks the boundary.
Disable non-authorized apps in the Admin Console under Apps - Additional Google Services for the CUI OU. Common services that are often left enabled by default and should be disabled for CUI users include Google Chat integrations with third-party bots, Google Sites (if not FedRAMP-authorized in scope), AppSheet, and any Google Marketplace apps without their own FedRAMP authorization.
Maintain a written inventory of every authorized service in your SSP and review it at least quarterly. The FedRAMP Marketplace lists current authorizations.
3. How Do You Configure Audit Log Retention?
CMMC requires audit logs to be retained and protected consistent with the Audit and Accountability (AU) controls in NIST SP 800-171. Workspace retains logs natively for 180 days, which falls short of the 3-year archival requirement.
Export Workspace logs to a SIEM using the Reports API or a Chronicle integration. The SIEM must be itself FedRAMP Moderate or higher if it will hold CUI-related log data. Configure the export to capture Admin, Drive, Gmail, Login, Groups Enterprise, and SAML log streams at minimum. Set retention policies in the SIEM to meet the 90-day online / 3-year archive requirements. See SIEM Requirements for CMMC Compliance for a breakdown of what log data assessors look for.
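A check for the export pipeline described above, as an added example that is not code from this article or from Google: it takes records already landed in the SIEM and reports missing streams, stalled streams (with the date by which a backfill must happen before the 180-day native copy ages out), and retention settings below the 90-day / 3-year targets. It assumes each record keeps the Reports API activity fields `id.applicationName` and `id.time`; the stream identifiers, the `siem_retention` dict and all sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Streams the article says to capture at minimum. The lowercase identifiers are
# assumed to match the applicationName your exporter records; adjust to your feed.
REQUIRED_STREAMS = ("admin", "drive", "gmail", "login", "groups_enterprise", "saml")
NATIVE_RETENTION = timedelta(days=180)  # Workspace-side retention stated in the article
ONLINE_MIN_DAYS = 90                    # online retention target from the article
ARCHIVE_MIN_DAYS = 3 * 365              # 3-year archive target from the article


def parse_time(ts):
    """Parse an RFC 3339 timestamp such as 2026-01-05T12:00:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def newest_event_per_stream(records):
    """Map each stream to the timestamp of its most recent exported event."""
    newest = {}
    for rec in records:
        ident = rec.get("id") or {}
        stream, ts = ident.get("applicationName"), ident.get("time")
        if not stream or not ts:
            continue  # malformed record: skip it rather than abort the audit
        when = parse_time(ts)
        if stream not in newest or when > newest[stream]:
            newest[stream] = when
    return newest


def audit_export(records, siem_retention, now, max_lag=timedelta(hours=24)):
    """Return (code, subject, detail) findings; an empty list means no gaps found.
    Quiet streams may need a larger max_lag than busy ones."""
    findings = []
    newest = newest_event_per_stream(records)
    for stream in REQUIRED_STREAMS:
        last = newest.get(stream)
        if last is None:
            findings.append(("MISSING_STREAM", stream, None))
        elif now - last > max_lag:
            # Events after `last` age out of Workspace at last + 180 days,
            # so that date is the deadline for repairing and backfilling.
            deadline = (last + NATIVE_RETENTION).date().isoformat()
            findings.append(("STALLED_STREAM", stream, deadline))
    online = siem_retention.get("online_days", 0)
    archive = siem_retention.get("archive_days", 0)
    if online < ONLINE_MIN_DAYS:
        findings.append(("ONLINE_RETENTION_SHORT", "siem", online))
    if archive < ARCHIVE_MIN_DAYS:
        findings.append(("ARCHIVE_RETENTION_SHORT", "siem", archive))
    return findings


def make_record(stream, ts):
    """Build a minimal constructed record in the assumed activity shape."""
    return {"kind": "admin#reports#activity",
            "id": {"applicationName": stream, "time": ts}}


# Constructed sample: one stream stalled in January, one never exported.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    make_record("admin", "2026-03-01T09:15:00.000Z"),
    make_record("drive", "2026-03-01T11:58:30.000Z"),
    make_record("gmail", "2026-03-01T10:05:44.000Z"),
    make_record("login", "2026-03-01T11:40:02.000Z"),
    make_record("groups_enterprise", "2026-01-10T08:00:00.000Z"),
]
SAMPLE_SIEM_RETENTION = {"online_days": 90, "archive_days": 365}

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_RECORDS, SAMPLE_SIEM_RETENTION, NOW):
        print(finding)
```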
4. How Do You Enforce End-to-End Data Confidentiality?
Client-Side Encryption (CSE) is available in Google Workspace Enterprise Plus. It ensures that Google, Google's support staff, and any infrastructure-level breach cannot read your CUI. The encryption keys are held by a third-party key management service you control, not Google.
Enable CSE for Gmail, Drive, Docs, Slides, Sheets, and Meet where CUI will be handled. Integrate with a key management partner that meets your organization's key custody requirements (Google publishes a list of validated partners). Establish a key access policy and document it in your SSP. Train users on which actions trigger CSE and how to recognize when an email or file is encrypted.
CSE does add friction: some collaboration features behave differently with encrypted files. Plan for a user training period before enforcing CSE across the CUI OU.
5. What Are the Impact Level Limitations Contractors Need to Know?
Workspace maintains IL4 authorization via Assured Workloads. Some Google Cloud infrastructure services achieve IL5 under Assured Workloads, but the Workspace collaboration suite (Gmail, Drive, Docs, Meet, Chat) does not have IL5 authorization as of early 2026.
Programs with contracts requiring IL5 handling, or programs that involve ITAR or export-controlled technical data, will likely need to consider a migration to Microsoft 365 GCC High or an equivalent DoD-approved cloud. This is not a configuration fix available within Workspace. It requires a platform decision.
If your current contracts are IL4 CUI only, Workspace with the configuration steps above is a viable path. If you are pursuing work that will involve IL5 data, plan for that migration before the contract is awarded, not after.
How Do You Map NIST SP 800-171 Controls to Google Workspace?
CMMC Level 2 requires implementation of all 110 controls in NIST SP 800-171 Rev 2. Below is a mapping of 14 of the most critical controls to specific Workspace capabilities. This is not an exhaustive compliance checklist; it is a starting reference for your SSP documentation.
| Control ID | Domain | Control Description | Workspace Capability | Implementation Note |
|---|---|---|---|---|
| 3.1.1 | Access Control | Limit system access to authorized users | Admin Console - User provisioning, OU structure | Enforce per-OU access; disable guest access in CUI OU |
| 3.1.3 | Access Control | Control CUI flow between internal and external parties | DLP policies, Drive sharing restrictions | Configure DLP rules to block external CUI sharing; restrict Drive to internal users in CUI OU |
| 3.3.1 | Audit & Accountability | Create and retain system audit logs | Reports API, Admin audit logs | Export to SIEM; configure 90-day online + 3-year archive retention |
| 3.3.2 | Audit & Accountability | Ensure audit logs are reviewable and protected | Reports API export + SIEM | Restrict log access; configure SIEM alerting on suspicious activity |
| 3.4.1 | Configuration Management | Establish and maintain baseline configurations | Admin Console - OU policy baseline | Document baseline config in SSP; use Assured Workloads policy constraints |
| 3.5.3 | Identification & Auth | Use multifactor authentication | Admin Console - 2-Step Verification enforcement | Enforce hardware security keys or TOTP for all CUI OU users; see MFA requirements post |
| 3.5.10 | Identification & Auth | Store and transmit only cryptographically protected passwords | Google's internal password hashing | NIST-compliant by default; document in SSP |
| 3.8.1 | Media Protection | Protect system media containing CUI | Drive DLP + CSE | Apply CSE to all Drive files containing CUI; restrict download on managed devices |
| 3.13.1 | System & Communications Protection | Monitor, control, and protect communications at external boundaries | Assured Workloads boundary + Gmail CSE | Define boundary in SSP; enforce CSE for external email containing CUI |
| 3.13.8 | System & Communications Protection | Implement cryptographic mechanisms to prevent CUI disclosure during transmission | TLS 1.2+ in transit + CSE | Workspace enforces TLS; CSE adds end-to-end layer for CUI content |
| 3.13.10 | System & Communications Protection | Establish and manage cryptographic keys | CSE key management partner | Use a Google-validated key management partner; document key custody in SSP |
| 3.14.1 | System & Information Integrity | Identify and manage information system flaws | Google's automatic patch management | Workspace auto-patches; document patch cadence and testing in SSP |
| 3.14.6 | System & Information Integrity | Monitor organizational systems to detect attacks and indicators of potential attacks | Workspace security alerts + SIEM | Configure security alert center; forward events to SIEM for correlation |
| 3.14.7 | System & Information Integrity | Identify unauthorized use of organizational systems | Login audit logs, Context-Aware Access | Enable anomalous login alerts; configure CAA policies to block unmanaged devices |
Controls not natively satisfied by Workspace, such as 3.7.x (maintenance), 3.9.x (personnel security), and 3.10.x (physical protection), require procedural policies and separate documentation in your SSP. Google's shared responsibility matrix identifies these explicitly.
In reviewing SSPs from contractors using Workspace for CUI, the controls most commonly left undocumented are 3.3.1 and 3.3.2 (audit log export and retention). Organizations set up the SIEM connection but never document the log fields, retention schedule, or access controls for the SIEM itself. Assessors flag this gap in roughly 60-70% of Workspace-based SSPs we have reviewed.
Citation Capsule: CMMC Level 2 maps directly to all 110 controls in NIST SP 800-171 Revision 2. (NIST SP 800-171 Rev 2, updated January 2023) Google Workspace satisfies or partially satisfies roughly 60-70 of those 110 controls natively. The remainder require procedural controls, third-party tooling, or documented policies in the contractor's SSP.
What Are the Practical Compliance Models?
There is no single right architecture for using Workspace with CUI. The appropriate model depends on your contract requirements, user count, budget, and tolerance for complexity. Here are three patterns we see working in practice.
Model 1: Hardened Workspace Enclave
This model uses Google Workspace exclusively for collaboration and enforces the full CMMC control stack within Workspace itself. It is the right choice for organizations whose contracts are consistently IL4 CUI with no IL5 or ITAR requirements.
The model requires:
Assured Workloads with IL4 framework applied to a dedicated CUI organization
MFA enforcement using hardware keys or TOTP for all users in the CUI OU
Client-Side Encryption enabled for Gmail, Drive, Docs, Slides, Sheets, and Meet
Continuous log export to a FedRAMP Moderate-authorized SIEM
Context-Aware Access policies blocking unmanaged or non-compliant devices
A fully documented SSP covering all 110 controls, with boundary diagrams
This model requires more initial configuration than it might appear. Plan for 4-8 weeks of configuration and documentation work, plus 2-4 weeks of user training, before you are ready for a CMMC Level 2 assessment.
Model 2: Split-Environment Approach
This model uses Workspace for general business collaboration (proposals, internal communications, HR, finance) and a separate, dedicated IL4-compliant enclave for CUI activities. The CUI enclave might be a hardened Workspace OU, a separate Google Cloud environment, or a third-party FedRAMP Moderate system.
The advantage here is scope reduction. By isolating CUI to a smaller enclave, you reduce the number of users, devices, and systems that fall within the CMMC assessment boundary. Fewer in-scope systems means a faster, lower-cost assessment. This model works well for contractors who handle CUI in specific programs but whose broader workforce does not touch CUI regularly.
Model 3: Augmented Workspace with Third-Party Tools
This model keeps the standard Workspace environment but adds specialized compliance tools: a Cloud Access Security Broker (CASB) for policy enforcement and visibility, enhanced DLP tooling, or a dedicated encryption gateway for email.
We've found that this model works best as a bridge during a transition period, not as a permanent architecture. Third-party tools add complexity, introduce their own FedRAMP authorization requirements, and create additional SSP documentation burden. Organizations that start here often migrate toward Model 1 or Model 2 within 12-18 months.
How Much Does a Compliant Google Workspace Setup Cost?
Cost is often the deciding factor between staying on Workspace and migrating to GCC High. The table below provides a realistic comparison for a 50-user organization.
| Cost Factor | Google Workspace (Hardened) | Microsoft 365 GCC High |
|---|---|---|
| Base license | Enterprise Plus: ~$26/user/month ($15,600/yr) | G5 equivalent: ~$38/user/month ($22,800/yr) |
| Compliance add-ons | Assured Controls: ~$15/user/month ($9,000/yr); SIEM: $5-15K/yr | Purview Compliance: included in G5; SIEM: $5-15K/yr |
| Key management (CSE) | Third-party KMS partner: $2-5K/yr | Azure Key Vault: included |
| Implementation / consulting | $15-40K (one-time) | $40-100K (one-time; migration is complex) |
| Ongoing compliance management | $10-20K/yr | $10-20K/yr |
| Estimated annual total (Year 1, 50 users) | $55-75K | $90-160K |
| Estimated annual total (Year 2+, 50 users) | $35-45K | $50-65K |
| Migration complexity | Low (already on Workspace) | High (full data migration required) |
The Workspace path costs less, especially in Year 1, because there is no migration. The GCC High path becomes more competitive for organizations that need IL5 or ITAR support, since the incremental cost of achieving that compliance within Workspace is prohibitive; you would be paying for Workspace AND GCC High.
If you are handling IL4 CUI and expect to stay at that classification level, Workspace is the more economical path. If your pipeline includes classified or export-controlled programs, budget for the GCC High migration now rather than retrofitting later. See Microsoft 365 GCC High Migration Roadmap for a detailed migration planning guide.
How Does Google Workspace Compare to Microsoft GCC High?
Google Workspace hardened with Assured Controls and Microsoft 365 GCC High are the two primary platform choices for defense contractors handling CUI. They serve different needs; the table below clarifies where each one leads and where each one stops.
| Feature | Google Workspace (Hardened) | Microsoft 365 GCC High |
|---|---|---|
| FedRAMP Authorization | FedRAMP High (Core Services) | FedRAMP High |
| DoD Impact Level | IL4 (collaboration apps) | IL4 and IL5 |
| CMMC Level 2 Support | Yes, with configuration | Yes, built-in for many controls |
| ITAR Compliance | Not supported for collaboration apps | Yes |
| Data Residency | U.S. only via Assured Workloads | U.S. only, sovereign cloud |
| Client-Side Encryption | Yes (Enterprise Plus, CSE feature) | Yes (Purview Double Key Encryption) |
| Setup Timeline | 4-8 weeks (no migration needed) | 12-24 weeks (full tenant migration) |
| Migration Complexity | Low (if already on Workspace) | High (Exchange, SharePoint, OneDrive migration) |
| Approx. Per-User Cost/Month | $38-42 (Enterprise Plus + Assured Controls) | $38-58 (GCC High G3 to G5) |
| IL5 Support | No (collaboration apps) | Yes |
| Best For CUI-Heavy Programs | IL4 CUI, standard DoD contracts | IL5, ITAR, export-controlled programs |
| Collaboration Suite | Google-native (Docs, Sheets, Meet) | Microsoft-native (Teams, SharePoint, Office) |
The comparison is not really about which platform is "more compliant." Both can meet CMMC Level 2 for IL4 CUI. The decision turns on three factors: your program's classification requirements, your current platform (switching costs are real), and where your workforce is already productive.
Organizations already deeply integrated into Google's ecosystem should exhaust the Workspace hardening path before considering GCC High. The compliance gap is closeable. The migration cost and disruption are guaranteed.
Citation Capsule: Microsoft 365 GCC High holds FedRAMP High authorization and supports DoD Impact Level 5, making it the required platform for ITAR-controlled technical data and IL5 CUI. Google Workspace collaboration apps (Gmail, Drive, Meet) are authorized at IL4. (Google Cloud Compliance Documentation, 2025) Contractors handling export-controlled programs should evaluate GCC High before committing to a Workspace hardening path.
Google Workspace is a viable CMMC Level 2 platform for contractors handling standard IL4 CUI. It is not a shortcut. Every control gap identified in NIST SP 800-171 that Workspace does not satisfy natively must be closed through procedural policy, third-party tooling, or documented compensating controls. The SSP is not an afterthought; it is the compliance artifact that assessors review, and Workspace-based SSPs require more explicit documentation than many contractors expect.
The most important near-term milestone is November 10, 2026. CMMC Phase 2 enforcement means contracts awarded after that date require a third-party CMMC Level 2 assessment. If your organization is pursuing DoD work beyond 2026 and you have not yet configured your CUI enclave, documented your SSP, or engaged a C3PAO for a gap assessment, the runway is shorter than it appears.
For organizations currently underprepared, the boundary definition and documentation work is the right starting point. Configure the enclave, document what you have, identify the gaps, and close them systematically. A compliance tracker makes that process significantly more manageable.
Ready to map your Google Workspace controls to CMMC Level 2 requirements? CMMC Dashboard provides a structured framework to document your configurations, track control gaps, and prepare for your C3PAO assessment. Start for free at /register.
Frequently Asked Questions
Is Google Workspace officially approved for CMMC Level 2 use?
Yes, when configured correctly. Workspace Core Services hold FedRAMP High authorization, which satisfies the cloud provider baseline requirement under DFARS 252.204-7012. Approval is conditional on implementing Assured Workloads for boundary control, restricting services to the authorized FedRAMP scope, and documenting all 110 NIST SP 800-171 Rev 2 controls in your SSP.
What version of FedRAMP does Workspace comply with?
Workspace Core Services are FedRAMP High authorized. However, not all Workspace add-ons, third-party integrations, or Google Marketplace apps fall within that authorization boundary. Before using any additional tool in your CUI environment, verify its authorization status on the FedRAMP Marketplace.
Can Workspace achieve IL5 equivalence?
Partially, and not for collaboration apps. IL5 support exists for some Google Cloud infrastructure services under Assured Workloads, but Gmail, Drive, Docs, Meet, and Chat are not IL5 authorized. Programs with IL5 requirements or ITAR-controlled data should plan for a migration to Microsoft 365 GCC High or a comparable DoD-approved environment.
What happens under the 48 CFR rule if my cloud environment is not configured properly?
Misconfigured boundaries and out-of-scope services touching CUI are now contractual compliance failures. Under the final 48 CFR rule (effective November 10, 2025), contractors found in violation risk loss of certification, removal from contracts, and ineligibility for new DoD contract awards. With Phase 2 enforcement beginning November 10, 2026, the risk is no longer theoretical.
How should contractors document Workspace compliance in their SSP?
Your SSP must include a network/boundary diagram showing which Workspace services are in scope, the Assured Workloads configuration details, CSE key management procedures, audit log export configuration, MFA enforcement policies, and a control-by-control mapping showing how each of the 110 NIST SP 800-171 controls is implemented, inherited from Google, or addressed by compensating controls. Google's shared responsibility matrix is a useful starting document, but it must be tailored to your specific configuration.
What does Google Workspace with Assured Controls cost per user?
Google Workspace Enterprise Plus is approximately $26/user/month (as of Q1 2026). Assured Controls adds approximately $15/user/month. Combined, expect roughly $38-42/user/month for the licenses required to run a CMMC-compliant CUI enclave. A third-party key management partner for CSE typically adds $2-5K/year for a 50-user organization. Implementation consulting runs $15-40K one-time depending on complexity.
What NIST SP 800-171 controls can Google Workspace not satisfy on its own?
Controls that require physical, personnel, or maintenance procedures fall outside what any cloud platform can satisfy. Specifically, the 3.7.x maintenance domain (3.7.1-3.7.6), the 3.9.x personnel security domain (3.9.1-3.9.2), and the 3.10.x physical protection domain (3.10.1-3.10.6) must be addressed through organizational policies and physical security controls documented in your SSP. Additionally, incident response controls (3.6.1-3.6.2) require your organization to define and test procedures that go beyond what Workspace provides. These gaps are manageable, but they require deliberate documentation effort.