IRONKEEP vs Google Workspace
Google Workspace is familiar, affordable, and FedRAMP authorized. But its compliance documentation uses ambiguous language around CUI handling, and getting to actual compliance costs more than most small contractors expect.
| | Google Workspace | IRONKEEP |
|---|---|---|
| CUI compliance built in | No (add-ons required) | Yes |
| ITAR support | Requires custom agreement | Built in |
| US-only data residency | Requires configuration | Default |
| Compliance add-on cost | ~$30/user/month extra | Included |
| Per-tenant encryption keys | Client-side encryption (Enterprise Plus only) | ✓ |
Ambiguous CUI compliance language
Google Workspace holds a FedRAMP High authorization, but its documentation uses vague language around how CUI is handled in practice. DFARS 252.204-7012 requires more than just hosting on a FedRAMP-authorized platform. Paragraphs (c) through (g) of the clause cover cyber incident reporting, malicious software isolation, media preservation, and forensic analysis. Standard Google Workspace may not satisfy these requirements without Assured Workloads at the IL4 level, and Google’s own documentation does not make it easy to tell.
The DoD CMMC FAQ states: “If a contractor intends to use an external CSP in the performance of a DoD contract to store encrypted CUI data, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established for the FedRAMP Moderate baseline.”
The burden falls on the contractor to verify that their configuration actually meets DFARS requirements. Google’s ambiguous language makes that verification harder than it should be.
Compliance requires Enterprise Plus and expensive add-ons
To approach full DFARS compliance, you need Google Workspace Enterprise Plus with the Assured Controls Plus add-on, estimated at around $30 per user per month on top of your Enterprise Plus license (Google does not publish this pricing). You also need Assured Workloads configured for US data residency. For a small contractor, the total cost rivals or exceeds GCC High, without the same level of compliance coverage.
ITAR support requires a custom agreement
Google Workspace supports ITAR-controlled data through Client-Side Encryption on Enterprise Plus. However, the default Google Workspace Terms of Service do not cover ITAR-controlled materials. Google will modify the ToS on request for specific customers, but this requires negotiating a custom agreement before your organization can use the platform for export-controlled data.
Most contractors do not know what DFARS actually requires
Beyond FedRAMP authorization, DFARS 252.204-7012 requires cyber incident reporting to the DoD within 72 hours, malicious software isolation and submission, media preservation for 90 days, and access to equipment for forensic analysis. These are operational obligations that standard Google Workspace, even with FedRAMP High authorization, does not satisfy without Assured Workloads at the IL4 level. Most small contractors using standard Workspace have no idea these requirements exist.
Compliance requires dedicated architecture
Google Workspace is a powerful productivity platform with a broad feature set. Its compliance capabilities come through add-ons and configuration rather than the base architecture. For organizations handling CUI, this means ongoing configuration management where a misconfiguration can affect your compliance posture.
How IRONKEEP is different
IRONKEEP does not require add-ons, configuration guides, or third-party tools to be compliant. Compliance is the architecture, not a feature flag. Migrate your email, files, and contacts and get compliant in hours, not months.
- FedRAMP Moderate (or higher) authorized infrastructure
- Per-tenant encryption with zero-operator key access
- US-hosted, administered by US citizens
- ITAR controls built in: no contradictory terms of service
- Designed for CMMC Level 2, NIST 800-171, DFARS, and ITAR
Make sure your compliance posture matches your ambition.
Founding member pricing goes away at launch.