IronKeep vs Google Workspace

Google Workspace is familiar, affordable, and FedRAMP authorized. But its compliance documentation uses ambiguous language around CUI handling — and getting to actual compliance costs more than most small contractors expect.

Ambiguous CUI compliance language

Google Workspace holds a FedRAMP High authorization, but its documentation uses vague language around how CUI is handled in practice. DFARS 252.204-7012 requires more than just hosting on a FedRAMP-authorized platform. Paragraphs (c) through (g) of the clause cover cyber incident reporting, malicious software isolation, media preservation, and forensic analysis. Without Google Assured Workloads deployed at the IL4 level, it is unclear whether standard Google Workspace satisfies these requirements — and Google’s own documentation does not make it easy to tell.

The DoD CMMC FAQ states: “If a contractor intends to use an external CSP in the performance of a DoD contract to store encrypted CUI data, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established for the FedRAMP Moderate baseline.”

The burden falls on the contractor to verify that their configuration actually meets DFARS requirements — and Google’s ambiguous language makes that verification harder than it should be.

Compliance requires Enterprise Plus and expensive add-ons

To approach full DFARS compliance, you need Google Workspace Enterprise Plus with the Assured Controls Plus add-on — which is estimated to cost around $30 per user per month on top of your Enterprise Plus license (Google does not publish this pricing publicly). You also need Assured Workloads configured for US data residency. For a small contractor, the total cost rivals or exceeds GCC High, without the same level of compliance coverage.

ITAR compliance is contradictory

Google Workspace supports ITAR-controlled data through Client-Side Encryption, but only on Enterprise Plus. Meanwhile, the default Google Workspace Terms of Service explicitly prohibit using Workspace for materials subject to ITAR. Google has acknowledged this contradiction and will modify the ToS on request for specific customers, but the default terms still prohibit ITAR — meaning every contractor must negotiate a custom agreement before they can legally use the platform for export-controlled data.

Most contractors do not know what DFARS actually requires

Beyond FedRAMP authorization, DFARS 252.204-7012 requires cyber incident reporting to the DoD within 72 hours, malicious software isolation and submission, media preservation for 90 days, and access to equipment for forensic analysis. These are operational obligations that standard Google Workspace — even with FedRAMP High authorization — does not satisfy without Assured Workloads at the IL4 level. Most small contractors using standard Workspace have no idea these requirements exist.

It was not designed for this

Google Workspace is a productivity platform built for the commercial market. Compliance features are aftermarket add-ons that require specialized configuration, third-party tools, and ongoing management. A misconfiguration does not just break a feature — it breaks your compliance posture.

How IronKeep is different

IronKeep does not require add-ons, configuration guides, or third-party tools to be compliant. Compliance is the architecture, not a feature flag.

  • FedRAMP Moderate (or higher) authorized infrastructure
  • Per-tenant encryption with zero-operator key access
  • US-hosted, administered by US citizens
  • ITAR controls built in — no contradictory terms of service
  • Designed for CMMC Level 2, NIST 800-171, DFARS, and ITAR

Google Workspace is a great product for companies that do not handle CUI. If you do, you need something purpose-built.
