These settings and features can work together to address a variety of compliance needs. However, you are responsible for evaluating your compliance needs against the requirements of Impact Level 4 (IL4) and other standards.
This article provides an overview of recommended settings and features that Google Workspace administrators should enable to support compliance with IL4 security controls. For a complete understanding of additional functionalities needed to meet IL4 requirements, consult the IL4 documentation on eMASS.
Google Workspace & IL4
Cloud security is recognized in the industry as a shared responsibility between the customer and the cloud service provider (CSP). For its part, Google Workspace maintains security controls required by the U.S. federal government and global standards for cloud security and privacy. For instance, Google Workspace maintains an IL4 and FedRAMP High authorization, is certified against ISO 27017, 27018, 27001, and is audited against the AICPA Service Organization Control (SOC) standards. Learn more about Google Workspace compliance offerings and reports.
Google Workspace provides IL4 compliance controls to Department of Defense (DOD) customers that are required to operate within the IL4 boundary.
To support IL4 compliance, you must have a Google Workspace Enterprise Plus edition, Assured Controls and Assured Support.
Enterprise Plus with Assured Controls includes built-in security controls and features that enable DOD customers to support IL4 compliance and obtain their own Authority to Operate (ATO). Key Google Workspace features that support IL4 compliance include the ability to:
- Restrict where data is stored to the U.S. using data regions
- Limit Google staff support actions to U.S. Persons only, using Assured Controls Access Management
The following sections describe features and controls you can use to address IL4 policy requirements.
Services covered by IL4
For users who are required to stay within the IL4 boundary, turn on only the services that are covered by the IL4 authorization and turn off the rest. For more information, go to Turn a service on or off for Google Workspace users.
Services currently covered by IL4 authorization:
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Meet
- Google Sheets
- Google Slides
Data location (United States)
Google owns and operates data centers that host Google Workspace services within the Continental United States (CONUS).
Google can store encrypted Google Workspace primary data at rest in a specified geographic location, either the United States or Europe. Select the United States for users who need to stay within the IL4 boundary.
DOD customers should, as best practice, set the data region policy for all their users. With Enterprise Plus, Education Plus, or Education Standard editions, you can set a data region for an organizational unit or configuration group. To learn more about data regions and choosing a geographic location for your data, go to Data regions: Choose a geographic location for your data.
Assured Controls
Assured Controls is an add-on required for DOD customers to support their IL4 compliance requirements. The add-on allows you to precisely control cloud service provider access. Its Access Management feature lets you limit Google staff support actions to U.S. Persons within Google's support teams. To support IL4 compliance, you should use this add-on to limit Google support personnel to U.S. Persons only.
Access Transparency
Google Workspace Access Transparency is a feature that gives organizations visibility into the actions Google staff take on their data. DOD customers should monitor Access Transparency logs to track and verify each access to their data, including who accessed it, which service was involved and the stated justification.
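A small review script for Access Transparency records, as an added example that is not Google's code or part of this article. The JSON Lines input, its field names (actor, actor_location, owner, product, justification) and the justification labels are constructed stand-ins for whatever your real log export contains; map the real field names before using it. It flags any access to an IL4 user's data by staff outside the U.S., with a justification that is not on an approved list, or in a service that is not covered by the IL4 authorization listed above.

```python
"""Review Access Transparency-style records for users in the IL4 boundary.

Added example, not Google's code. The record layout below is an assumption:
a JSON Lines export with the fields actor, actor_location, owner, product,
justification and timestamp. Adjust the field names to match your export.
"""
import json
from dataclasses import dataclass

# Services listed on this page as covered by the IL4 authorization.
IL4_SERVICES = {
    "Gmail", "Google Calendar", "Google Chat", "Google Docs", "Google Drive",
    "Google Forms", "Google Meet", "Google Sheets", "Google Slides",
}

# Constructed justification labels; replace with the values your export uses.
ALLOWED_JUSTIFICATIONS = {"Customer initiated support", "Google initiated review"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    actor: str
    actor_location: str   # assumed ISO country code of the staff member
    owner: str            # user whose data was accessed
    product: str
    justification: str


def parse_events(jsonl_text: str) -> list[AccessEvent]:
    """Parse one JSON object per line into AccessEvent records."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(AccessEvent(
            timestamp=rec["timestamp"],
            actor=rec["actor"],
            actor_location=rec["actor_location"],
            owner=rec["owner"],
            product=rec["product"],
            justification=rec["justification"],
        ))
    return events


def review_events(events, il4_users, allowed=ALLOWED_JUSTIFICATIONS):
    """Return (event, reasons) pairs for accesses to IL4 users' data that
    violate the policy: non-U.S. staff, unapproved justification, or a
    service outside the IL4 authorization. Accesses to other users' data
    are ignored here because they are outside the IL4 boundary."""
    findings = []
    for ev in events:
        if ev.owner not in il4_users:
            continue
        reasons = []
        if ev.actor_location != "US":
            reasons.append("staff access from outside the U.S.")
        if ev.justification not in allowed:
            reasons.append(f"unapproved justification: {ev.justification}")
        if ev.product not in IL4_SERVICES:
            reasons.append(f"service not covered by IL4: {ev.product}")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample export: three accesses, two of which should be flagged.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T10:00:00Z", "actor": "support-a@google.com", "actor_location": "US", "owner": "analyst@unit.mil", "product": "Google Drive", "justification": "Customer initiated support"}
{"timestamp": "2024-05-01T11:30:00Z", "actor": "support-b@google.com", "actor_location": "IE", "owner": "analyst@unit.mil", "product": "Gmail", "justification": "Customer initiated support"}
{"timestamp": "2024-05-02T09:15:00Z", "actor": "support-c@google.com", "actor_location": "US", "owner": "analyst@unit.mil", "product": "Google Sites", "justification": "Third party data request"}
{"timestamp": "2024-05-02T09:20:00Z", "actor": "support-c@google.com", "actor_location": "DE", "owner": "contractor@example.com", "product": "Gmail", "justification": "Customer initiated support"}
"""

IL4_USERS = {"analyst@unit.mil"}


def sample_findings():
    """Run the review over the constructed sample; used for the demo below."""
    return review_events(parse_events(SAMPLE_LOG), IL4_USERS)


if __name__ == "__main__":
    for ev, reasons in sample_findings():
        print(ev.timestamp, ev.actor, ev.product, "->", "; ".join(reasons))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and IL4_USERS with the members of the IL4 organizational unit; the fourth sample record is deliberately a non-IL4 user to show that such accesses are not reported by this check.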
Data loss prevention
Google Workspace data loss prevention (DLP) is a set of tools and processes designed to prevent the unauthorized sharing, exposure, or theft of sensitive information within an organization's Google Workspace environment. You can set up DLP policies to take automatic actions relating to sensitive data, such as blocking the transmission of the data, notifying administrators, or quarantining the content for review.
DOD customers should set up DLP to monitor and control how sensitive information is handled within their organization.
Single sign-on
Google Workspace Single sign-on (SSO) lets users authenticate once, with one set of credentials, and then access multiple applications and services.
DOD customers should implement and enforce strong authentication, for example SSO through an identity provider that requires multi-factor authentication, so that only authorized personnel can access controlled unclassified information (CUI).
Google Vault
Google Vault is an information governance and eDiscovery tool that allows organizations to manage, retain, search, and export their data within Google Workspace applications.
DOD customers should set up retention and eDiscovery features to ensure that CUI can be adequately preserved, accessed, and monitored in compliance with IL4 standards.
Need more help?
To learn more, contact your Google Sales representative or our distributors: