Does Google Meet CMMC Compliance Requirements

Now that almost every business has embraced technology, the government has become increasingly protective of information, and hackers are always advancing their tricks. For anyone in the defense contract supply chain, being CMMC (Cybersecurity Maturity Model Certification) certified has become mandatory. CMMC is the DoD’s (Department of Defense) latest verification mechanism, designed to ensure that cybersecurity processes and controls protect CUI (Controlled Unclassified Information) stored in DIB (Defense Industrial Base) systems. With contractors preferring to use G Suite to share and store information in the cloud, synchronize files on connected devices and connect in real time, you have to wonder if Google meets CMMC compliance requirements. Unfortunately, it does not. Read on to find out exactly how Google fails in CMMC compliance and the impact it could have on your business.

How Does Google Not Meet CMMC Compliance Requirements?

Since the DoD intends for contractors to comply with CMMC level 3 or higher requirements, Google had a Third Party Assessing Organization assess it to determine its level of compliance. The assessor found that Google failed in the following regards:

CMMC AC.2.009 - Limit Unsuccessful Login Attempts

Anyone trying to access a document or account without the correct login details might keep guessing until they are successful. An organization should limit the number of times a user can guess the password and then lock the account for a specific time. Usually, a series of unsuccessful attempts indicates a potential hacker trying to access the information.

Most organizations set the limit of unsuccessful login attempts to three. The system then locks out the user for a predefined time, and once the account unlocks, the user can try again. Other businesses prefer keeping the account locked until the system administrator unlocks it, which is a far better precaution.

Google instead only sends account users a sign-in attempt message when it spots suspicious activity. It also provides account owners with user login attempt reports, which the organization can use to detect the number of suspicious logins in its domain. While this is essential information, it is only reactive, whereas an ideal strategy would be proactive.
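The lockout behaviour described above (three failed attempts, then either a timed lock or a lock that only an administrator can clear), as an added Python example; it is not code from Google or from the assessment, and the class names, the 900-second default and the injectable clock are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3                    # threshold named in the text above
    lock_seconds: Optional[float] = 900.0    # assumed; None = locked until admin unlock


@dataclass
class _State:
    failures: int = 0
    locked_at: Optional[float] = None


class LoginGuard:
    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                   # injectable so lock expiry can be tested
        self._accounts = {}

    def is_locked(self, user):
        st = self._accounts.get(user)
        if st is None or st.locked_at is None:
            return False
        if self.policy.lock_seconds is None:
            return True                      # admin-unlock mode never expires
        if self.clock() - st.locked_at >= self.policy.lock_seconds:
            del self._accounts[user]         # lock expired, counter starts over
            return False
        return True

    def attempt(self, user, password_ok):
        """Return 'ok', 'failed' or 'locked'; a locked account rejects even a correct password."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self._accounts.pop(user, None)   # success resets the failure counter
            return "ok"
        st = self._accounts.setdefault(user, _State())
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_at = self.clock()
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        self._accounts.pop(user, None)
```

The lock check runs before the password result is considered, so a correct guess made during the lock window is still refused.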

CMMC AC.2.005 - Provide Privacy and Security Notices Consistent with Applicable CUI Rules

To comply with this requirement, system users should be aware that they need to agree with policies when using Google. The notification can be delivered through login banners, which force users to acknowledge that they are accessing the company’s data and that the firm has the right to store, use and access the information. The system should also let users know that they can be held accountable for their actions. Therefore, Google should enable system configurations such that you can create a security notice for users to agree with before they log in to your site.

CMMC IA.2.078 - Enforce Minimum Password Complexity and a Change of Characters When New Passwords are Created

You might have noticed that you can only create specific accounts if you meet a minimum password complexity level. This involves mixing capital letters, small letters, and symbols. As a system administrator, it is up to you to define the lowest password complexity level and enforce it. Such measures make it hard for unauthorized users to guess passwords.

CMMC IA.2.079 - Prohibit Password Reuse for a Specified Number of Generations

Even after ensuring the users have created strong passwords, an administrator must also enforce regular password changes. This rule also means that you cannot use a past password for a certain period, with most organizations setting the limit to a minimum of 10. This means that you will keep creating new passwords nine other times before reusing them.

The system should be configured to remember the ten passwords to ensure that the user does not get tempted to reuse them. For even more enhanced security, the temporary passwords should also be changed and remain unique, instead of having one temporary password for new users. The temporary passwords should meet the complexity threshold, and users should change them immediately, since everyone involved in setting up the account probably knows the temporary password.
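One way to enforce the complexity rule of IA.2.078 and the ten-generation history of IA.2.079 together, as an added Python example that is not from the page's author or from any Google product. The minimum length, the PBKDF2 work factor and all function and class names are assumptions; the history holds salted hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import os
import string
from collections import deque

HISTORY_GENERATIONS = 10      # number of remembered passwords, per the text above
MIN_LENGTH = 12               # assumed value; the page does not specify a length
PBKDF2_ROUNDS = 600_000       # assumed work factor

def complexity_errors(password):
    """Return the list of unmet rules (an empty list means the password passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c.islower() for c in password):
        errors.append("no small letter")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    return errors

def _hash(password, salt, rounds):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

class PasswordHistory:
    """Keeps salted hashes of the last N passwords; plaintext is never stored."""

    def __init__(self, generations=HISTORY_GENERATIONS, rounds=PBKDF2_ROUNDS):
        self._entries = deque(maxlen=generations)   # oldest entry drops off automatically
        self._rounds = rounds

    def was_used(self, password):
        # Every stored entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_hash(password, salt, self._rounds), digest)
                   for salt, digest in self._entries)

    def change_password(self, new_password):
        """Return rejection reasons; on success store the new hash and return []."""
        errors = complexity_errors(new_password)
        if self.was_used(new_password):
            errors.append("reused within remembered generations")
        if not errors:
            salt = os.urandom(16)
            self._entries.append((salt, _hash(new_password, salt, self._rounds)))
        return errors
```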

CMMC MP.3.122 - Mark Media with Necessary CUI Markings and Distribution Limitations

Marking the media makes users aware that they are handling data subject to policies and security processes. Security marking uses human-readable attributes. You could mark the media, whether digital or non-digital, with a notice reading “controlled.” Also, mark any rooms, containers, or places where CUI is held. Note that the marking should still comply with federal laws, executive directives, regulations, or policies.

Should Companies Using Google Rush to Comply with CMMC Requirements?

G Suite has the benefit of being pocket-friendly, so many small businesses prefer adopting it. Non-compliance with CMMC requirements results in subcontractors missing out on government contracts. Although the DoD will not fully implement the CMMC program until 2026, a subcontractor without a CMMC certification will find it hard to compete for lucrative contracts with those that have already complied.

The high cost is the main thing that could be keeping subcontractors from complying with such requirements. For level one certification, subcontractors should expect to pay between $3,000 and $5,000. Since there are five levels, the higher the certification your company requires, the deeper you will have to dig into your pockets.

Luckily, you do not have to fret about not winning any government contract because you cannot afford the certification. Advantage Industries has your back. We will ensure that you are prepared for your certificate, which in turn cuts down the cost incurred. As a Managed Security Services Provider, Advantage Industries is home to all your IT needs. Book your pre-assessment evaluation and let us help you gain a competitive advantage over other subcontractors by preparing you early for your CMMC certification. Contact us today.

Keith Heilveil

In 1999 Advantage Industries was created to protect and promote our client’s success through the use of innovative technology. Our company is a full services technology firm that provides computer network support and solutions, managed services, cybersecurity, and custom application development for small and medium businesses in the Maryland, DC, and Virginia areas.
