Comparing Azure GCC High, AWS GovCloud, and Google Assured Workloads for CMMC
Author: Leonard Esere, Senior Cloud Security Architect
Date: April 2026
Organization: Aeolitech
Abstract
Defense Industrial Base (DIB) contractors pursuing CMMC Level 2 or Level 3 certification face a foundational architectural decision: which government cloud platform best fits their compliance posture, existing technology stack, and operational model? Three major platforms compete for this workload: Microsoft Azure Government with Microsoft 365 GCC High, Amazon Web Services GovCloud (US), and Google Cloud with Assured Workloads. Each holds FedRAMP High authorization and can support CUI under DFARS 252.204-7012, yet they differ significantly in compliance maturity, developer experience, service parity with commercial clouds, licensing models, DoD Impact Level coverage, and integration with the productivity tools most defense contractors already rely on. This whitepaper provides a systematic feature-by-feature comparison and a practical recommendation framework based on existing technology stack and organizational priorities.
Table of Contents
1. Compliance Authorization Landscape
2. Personnel Clearance and Sovereignty Controls
3. DoD Impact Level Coverage
4. Data Sovereignty and Residency
5. CJIS and ITAR Compliance
6. Service Parity with Commercial Clouds
7. Identity and Access Management
8. Security Tooling Ecosystem
9. Licensing and Cost Considerations
10. Developer Experience
11. Integration with Productivity Suites
12. Comprehensive Comparison Table
13. Recommendation Framework
14. About the Author
15. References
1. Compliance Authorization Landscape
All three platforms have achieved FedRAMP High provisional authorizations, satisfying the baseline cloud security requirement under DFARS 252.204-7012 for CUI workloads. However, the path each platform took—and the depth of their compliance posture—differs in important ways.
Microsoft Azure Government / M365 GCC High: Microsoft holds FedRAMP High authorizations across its Azure Government services and Microsoft 365 GCC High tenant. The authorization was granted by the FedRAMP Joint Authorization Board (JAB) and covers a broad set of services. DISA has issued IL4 and IL5 Provisional Authorizations (PAs) for Azure Government, making it one of the first hyperscale clouds to achieve IL5 authorization. The GCC High environment is specifically built for the DIB, providing contractual DFARS 7012 commitments.
AWS GovCloud (US): AWS was the first hyperscale provider to achieve FedRAMP High JAB authorization for GovCloud. AWS's Artifact portal provides on-demand access to audit reports for authorized customers. DISA has issued IL2, IL4, and IL5 PAs for GovCloud. AWS's FedRAMP High System Security Plan covers a large service catalog, though not all commercial services are available in GovCloud.
Google Cloud / Assured Workloads: Google's approach to government compliance differs architecturally. Rather than maintaining a physically separate cloud partition, Google Cloud uses configurable compliance boundaries—Assured Workloads—within its standard multi-tenant infrastructure, with dedicated US-only regions for sensitive workloads. Google Cloud achieved FedRAMP High authorization and DISA IL4 PA; a DISA IL5 PA was also obtained. However, the IL5 designation covers a more limited set of services than IL5 coverage at AWS or Azure. Google Workspace (productivity suite) separately holds FedRAMP High authorization and DoD IL4 certification.
Compliance freshness (as of April 2026): All three providers maintain current FedRAMP authorizations. Contractors should verify service-level authorization status in the FedRAMP Marketplace (https://marketplace.fedramp.gov/) before deploying specific services, as not every service within each platform's catalog is individually authorized.
2. Personnel Clearance and Sovereignty Controls
One of the most important—and frequently misunderstood—distinctions between government cloud platforms concerns who can access your data and under what conditions.
Azure GCC High: Microsoft contractually commits to US-citizen-only personnel for GCC High operations and support. All access by Microsoft staff is logged. Microsoft's government cloud staff undergo enhanced background screening. The GCC High environment is explicitly designed to satisfy DFARS 7012's US-person access requirements. This commitment is contractually enforceable via Microsoft's Online Services Government Terms.
AWS GovCloud (US): AWS similarly restricts GovCloud operations and support to US citizens on US soil. Access to GovCloud by AWS personnel is logged, monitored, and subject to formal approval processes. GovCloud accounts require customers to agree to GovCloud terms, which certify that users are eligible to use the environment under US export compliance laws. The personnel screening and access controls are comparable to Azure GCC High.
Google Cloud / Assured Workloads: Google's personnel controls for Assured Workloads are more complex. For standard Assured Workloads deployments, US-only personnel access is configurable—Google's Access Transparency and Access Approval features allow customers to require justification for any Google access to their data. However, by default, Google does not restrict admin access to US persons unless specific configurations are applied. Google's Sovereign Controls for US Government (available in dedicated regions) provides stronger personnel controls, but this offering is more limited in service coverage and availability than AWS or Azure GCC High equivalents.
Practical implication for CMMC: Both AWS GovCloud and Azure GCC High provide contractual US-person-only commitments out of the box. Google Assured Workloads requires active configuration and ongoing enforcement monitoring to achieve equivalent assurances—creating additional compliance burden and audit complexity.
3. DoD Impact Level Coverage
| DoD SRG Impact Level | Azure Government | AWS GovCloud | Google Cloud |
|---|---|---|---|
| IL2 (Publicly releasable, low sensitivity) | Yes | Yes | Yes |
| IL4 (CUI Controlled) | Yes | Yes | Yes (Assured Workloads) |
| IL5 (CUI requiring higher protection, NSS) | Yes (Azure Gov regions) | Yes (GovCloud regions) | Yes (limited services) |
| IL6 (Secret) | Yes (Azure Gov Secret - restricted) | Pending/Limited | No |
| IL7 / TS (Top Secret) | Yes (Azure Gov Top Secret - restricted) | No | No |
IL5 nuances: At AWS GovCloud and Azure Government, IL5 is achievable in the standard GovCloud/Government regions with specific configuration (compute and storage isolation documented by DISA). At Google Cloud, IL5 coverage applies to a narrower service list. DISA's Cloud Computing SRG Impact Level 5 guidance provides per-service configuration requirements for each platform.
IL6 and above: Only Azure Government (via the classified Government Secret and Top Secret environments) offers pathways to classified workloads above IL5. These environments require DoD sponsorship and are not accessible to general DIB contractors without specific authorization. AWS has announced classified cloud capabilities in partnership with the intelligence community (AWS Secret Region, Top Secret Region), but general DIB access pathways differ from Azure's model.
4. Data Sovereignty and Residency
All three platforms offer data residency guarantees for US government workloads:
Azure GCC High: Data is stored in Microsoft's four Azure Government regions (US Gov Virginia, US Gov Texas, US Gov Arizona, US Gov Iowa). Microsoft commits contractually that customer data does not leave these regions without customer instruction. Azure Policy enforcements prevent resource creation in non-government regions. Data at rest is encrypted with AES-256; data in transit uses TLS 1.2+.
AWS GovCloud: Data is stored in two GovCloud regions (us-gov-west-1, us-gov-east-1). The GovCloud partition is entirely separate from the commercial AWS partition. SCPs and region restrictions prevent data from being accidentally created in commercial regions. By default, AWS encrypts data in transit between regions, between availability zones, and between AWS services.
Google Assured Workloads: Data residency is enforced through Assured Workloads organization policies that restrict resource creation to specified US regions (e.g., us-central1, us-east4). Unlike AWS and Azure, which have dedicated government infrastructure, Google enforces residency through policy rather than physical partition separation. While policy-based enforcement can be equally effective when properly configured, it requires careful ongoing governance to ensure no accidental policy exceptions.
5. CJIS and ITAR Compliance
Criminal Justice Information Services (CJIS):
All three platforms can support CJIS-compliant deployments:
- Azure GCC High: CJIS compliance available, Microsoft will sign CJIS Security Addendum agreements
- AWS GovCloud: CJIS compliance supported; AWS signs CJIS Security Addenda for applicable jurisdictions
- Google Cloud: CJIS compliance available for Assured Workloads customers; Google will execute CJIS agreements
CJIS compliance requires both the cloud provider's technical controls and the contractor's configuration and operational procedures. The specific requirements (background screening, access controls, audit logging) must be documented in a CJIS Systems Agency (CSA) agreement.
International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR):
| Platform | ITAR Support | Notes |
|---|---|---|
| Azure GCC High | Native, contractual | Microsoft commits to ITAR compliance in GCC High Online Services Terms |
| AWS GovCloud | Native, requires configuration | Customer certifies eligible use; AWS staff US-only |
| Google Assured Workloads | With client-side encryption | Requires Google CSE or third-party key management; more complex |
ITAR distinction: Azure GCC High and AWS GovCloud provide ITAR compliance as a built-in commitment for properly configured environments. For Google Workspace with Assured Workloads, ITAR compliance for export-controlled CUI requires deployment of Client-Side Encryption (CSE) with customer-controlled key management—this adds architectural complexity and requires ongoing key hygiene practices that Azure and AWS handle natively.
6. Service Parity with Commercial Clouds
The breadth of available services matters significantly for application modernization and operational flexibility:
| Category | Azure Government GCC High | AWS GovCloud | Google Assured Workloads |
|---|---|---|---|
| Compute (VMs, containers, serverless) | High (EC equivalent) | Very High | High |
| Managed databases | High (SQL, Cosmos DB) | Very High (RDS, DynamoDB, Aurora) | Moderate (Cloud SQL, Spanner) |
| AI/ML services | Moderate (Azure OpenAI available in some Gov regions) | Moderate (limited vs. commercial) | Moderate |
| Data analytics | Moderate (Synapse, Fabric - limited) | High (EMR, Glue, Athena) | Moderate (BigQuery - limited) |
| DevOps/CI-CD | High (Azure DevOps, GitHub Enterprise) | High (CodePipeline, CodeBuild, EKS) | Moderate |
| Networking | High (Firewall, VNet, ExpressRoute) | Very High (TGW, Network Firewall, Direct Connect) | Moderate |
| Storage | High | Very High | High |
| IoT/Edge | Limited | Moderate (IoT Core, Greengrass) | Limited |
Service gap consideration: Azure Government and AWS GovCloud generally offer higher service parity with their commercial counterparts than Google Assured Workloads, which uses commercial infrastructure with policy guardrails. However, Google's model means that as commercial services gain FedRAMP authorization, they become available in Assured Workloads faster than new services can be deployed in dedicated government infrastructure.
7. Identity and Access Management
| Feature | Azure GCC High | AWS GovCloud | Google Assured Workloads |
|---|---|---|---|
| Identity Platform | Entra ID Government (dedicated) | IAM + IAM Identity Center (GovCloud) | Google Cloud Identity / Workspace Identity |
| MFA support | Phishing-resistant FIDO2, TOTP | FIDO2, TOTP, hardware tokens | FIDO2, TOTP |
| Privileged access mgmt | PIM (just-in-time, approval-based) | AWS Organizations SCPs + IAM Roles (no native PIM equivalent) | No native PIM equivalent |
| Conditional Access | Entra ID Conditional Access (rich) | Limited (IAM Condition Keys) | Context-Aware Access (BeyondCorp) |
| Identity federation | Entra ID B2B (GCC High to GCC High) | SAML 2.0, SCIM via IdP | SAML 2.0, OIDC |
| Directory services | Entra ID DS, AD Connect | Directory Service (Managed AD) | Google Cloud Directory Sync |
Azure GCC High identity advantage: Entra ID Government provides the richest native identity governance capabilities: PIM, Identity Protection, Conditional Access with 100+ conditions, Entitlement Management, and Access Reviews. For organizations already standardized on Microsoft identity, this represents a significant compliance acceleration advantage—particularly for CMMC Access Control (3.1.x) and Identification and Authentication (3.5.x) domains.
AWS identity limitations: AWS GovCloud's IAM is powerful for resource-level access control but lacks native privileged access management comparable to PIM. Organizations require third-party tools (HashiCorp Vault, CyberArk, BeyondTrust) or custom solutions to achieve CMMC AC 3.1.5 (least privilege) and 3.1.6 (non-privileged accounts) at the administrator access level.
Google BeyondCorp: Google's Context-Aware Access (part of Chrome Enterprise Premium) provides device trust and context-based access controls that map to CMMC access control requirements. However, it requires additional licensing and is not as seamlessly integrated with the IaaS layer as Azure's Conditional Access.
8. Security Tooling Ecosystem
| Tool Category | Azure GCC High | AWS GovCloud | Google Assured Workloads |
|---|---|---|---|
| SIEM | Microsoft Sentinel (native, GCC High) | Amazon Security Lake + OpenSearch / Partner SIEM | Chronicle (limited gov availability) |
| Cloud Security Posture Mgmt | Defender for Cloud (native) | Security Hub + AWS Config | Security Command Center |
| Endpoint Detection & Response | Defender for Endpoint (GCC High) | AWS Systems Manager + third-party | CrowdStrike / third-party |
| Data Loss Prevention | Microsoft Purview (native, GCC High) | AWS Macie (data discovery) | Google DLP (Assured Workloads) |
| Vulnerability Management | Defender for Cloud (Server Plan) | Amazon Inspector | Security Command Center |
| Threat Intelligence | Defender Threat Intelligence | GuardDuty + third-party | Google VirusTotal + third-party |
| Network Security | Azure Firewall Premium | AWS Network Firewall | Cloud Armor + Cloud Firewall |
Azure security suite depth: Microsoft's integrated security stack—Sentinel, Defender for Cloud, Defender for Endpoint, Purview, and Entra ID Protection—operates as a unified platform in GCC High. Alert correlation across identity, endpoint, cloud, and collaboration layers is native, enabling XDR (Extended Detection and Response) without third-party integration complexity.
AWS flexibility advantage: AWS's security tooling is highly composable. Organizations can deploy best-of-breed tools alongside AWS-native services. AWS Security Hub aggregates findings from a wide ecosystem of partner solutions, providing flexibility for organizations with existing security investments in non-Microsoft tools.
Google Chronicle: Google's SIEM (Chronicle) offers strong capabilities but its government availability and integration with GovCloud workloads is less mature than Azure Sentinel in GCC High or AWS Security Hub. Organizations choosing Google Assured Workloads frequently pair it with a third-party SIEM (Splunk, Elastic Security) deployed on Google Cloud.
9. Licensing and Cost Considerations
Government cloud pricing carries premiums over commercial equivalents due to dedicated infrastructure, personnel requirements, and compliance overhead:
| Platform | Pricing Premium vs. Commercial | Key Cost Drivers |
|---|---|---|
| Azure GCC High (M365 E5) | 30-40% per user | Licensing premium for GCC High SKUs |
| Azure Government (IaaS/PaaS) | 10-25% per resource | Government region premium |
| AWS GovCloud | 10-20% per resource | GovCloud premium on compute/storage |
| Google Assured Workloads | 10-20% premium (Assured Workloads add-on) | Assured Workloads licensing; CSE additional |
Total cost of ownership considerations:
Azure GCC High: Higher upfront licensing cost (E5 GCC High ~$57/user/month vs. commercial E5 ~$38/user/month) is partially offset by the breadth of included security tooling—Sentinel, Defender for Cloud, Defender for Endpoint, Purview, PIM, Identity Protection—that would require separate procurement on other platforms.
AWS GovCloud: Lower base infrastructure costs, but organizations must procure and operate security tools that Microsoft bundles in E5. A fully equipped AWS GovCloud CMMC environment often requires third-party investments in PAM, DLP, and SIEM that can approach or exceed Azure's all-in cost.
Google Assured Workloads: The base platform cost is competitive, but achieving CMMC Level 2 parity requires Assured Workloads add-on licensing, Chrome Enterprise Premium for device access controls, Google Workspace Business Plus or Enterprise, and potentially client-side encryption solutions for ITAR data—making the total cost comparable to Microsoft in practice.
10. Developer Experience
| Dimension | Azure GCC High | AWS GovCloud | Google Assured Workloads |
|---|---|---|---|
| Service availability vs. commercial | ~80% of commercial services | ~75% of commercial services | ~90% (policy-based boundary) |
| CI/CD tooling | Azure DevOps, GitHub (some limitations) | CodePipeline, CodeBuild, Jenkins | Cloud Build, GitHub Actions |
| IaC support | Terraform, Bicep, ARM | Terraform, CloudFormation | Terraform, Deployment Manager |
| Container orchestration | AKS GovCloud (limited) | EKS GovCloud | GKE Autopilot (Assured Workloads) |
| Serverless | Azure Functions (GovCloud) | Lambda GovCloud | Cloud Run, Cloud Functions |
| Feature release lag | 6-18 months behind commercial | 6-12 months behind commercial | Minimal (uses commercial infra) |
Google's developer experience advantage: Because Google Assured Workloads is policy-based on commercial infrastructure, new services and features become available much faster than in dedicated government clouds. For teams building modern cloud-native applications, this can be a meaningful productivity advantage.
AWS developer experience: AWS GovCloud has the most mature DevSecOps ecosystem of the dedicated government clouds, with extensive support for containers (EKS), serverless (Lambda), and infrastructure-as-code. The GovCloud API surface is nearly identical to commercial, making cross-environment development straightforward.
Azure developer friction: Azure Government and GCC High have historically lagged commercial Azure in service availability. Azure OpenAI, for example, has limited GovCloud availability compared to commercial. For teams relying on Azure AI services, this is a consideration—though Microsoft is accelerating GovCloud parity.
11. Integration with Productivity Suites
This dimension is often decisive for DIB contractors who spend most of their day in email, collaboration, and document management tools:
Microsoft 365 GCC High (Azure ecosystem): GCC High is the only Microsoft 365 environment that provides full DFARS 7012 compliance. Exchange Online, SharePoint, Teams, and OneDrive operate within the GCC High sovereign boundary. Organizations already on M365 GCC High find Azure Government infrastructure a natural extension—same identity provider, same security tools, same admin portals. Cross-service data governance via Microsoft Purview applies uniformly across productivity and IaaS workloads.
AWS GovCloud + Productivity Tools: AWS GovCloud has no native email or collaboration suite. Organizations using AWS GovCloud for infrastructure typically pair it with M365 GCC High (Microsoft) or Google Workspace with Assured Workloads for productivity. Amazon WorkMail is available in GovCloud but has limited feature set compared to Exchange Online GCC High and is rarely chosen for enterprise deployments.
Google Workspace + Assured Workloads: Google Workspace Enterprise can be deployed with Assured Workloads to satisfy DFARS 7012 and support CMMC Level 2. It requires careful configuration, boundary management, and potentially Client-Side Encryption for ITAR data. Google's C3PAO attestation for NIST 800-171 covers most controls, but two control gaps (3.1.9 and 3.5.6) require compensating controls or third-party solutions, adding compliance complexity.
12. Comprehensive Comparison Table
| Feature | Azure GCC High | AWS GovCloud | Google Assured Workloads |
|---|---|---|---|
| Compliance | | | |
| FedRAMP Level | High (JAB P-ATO) | High (JAB P-ATO) | High (JAB P-ATO) |
| DoD IL2 | Yes | Yes | Yes |
| DoD IL4 | Yes | Yes | Yes |
| DoD IL5 | Yes | Yes | Limited service set |
| DoD IL6 (Secret) | Yes (restricted) | Limited | No |
| CMMC Level 2 | Yes | Yes | Yes (with configuration) |
| CMMC Level 3 | Yes | Yes | Limited (gaps remain) |
| ITAR/EAR | Native | Native | Requires CSE configuration |
| CJIS | Yes | Yes | Yes |
| Personnel & Sovereignty | | | |
| US-Only Personnel | Contractual default | Contractual default | Configurable (not default) |
| Data Residency | Physical (Azure Gov) | Physical (GovCloud) | Policy-based (commercial infra) |
| Physical Isolation | Yes (dedicated) | Yes (dedicated) | No (shared, policy-fenced) |
| Identity & Access | | | |
| Native PAM/PIM | Yes (Entra PIM) | No | No |
| Conditional Access | Yes (Entra CA) | Limited | Yes (BeyondCorp) |
| Phishing-Resistant MFA | Yes (FIDO2) | Yes (FIDO2) | Yes (FIDO2) |
| Security Tools | | | |
| Native SIEM | Yes (Sentinel) | Limited (Security Lake) | Limited (Chronicle) |
| CSPM | Yes (Defender for Cloud) | Yes (Security Hub) | Yes (SCC) |
| EDR | Yes (Defender for Endpoint) | Third-party | Third-party |
| DLP | Yes (Purview) | Limited (Macie for S3) | Yes (Cloud DLP) |
| Productivity | | | |
| Email/Calendar | Yes (Exchange Online GCC High) | Limited (WorkMail) | Yes (Google Workspace) |
| Collaboration | Yes (Teams GCC High) | No native | Yes (Google Meet/Chat) |
| Document Mgmt | Yes (SharePoint GCC High) | No native | Yes (Google Drive) |
| Economics | | | |
| User Licensing Premium | 30-40% (E5 GCC High) | N/A (pay-per-use) | 10-20% (Assured + Workspace) |
| Infrastructure Premium | 10-25% | 10-20% | 10-20% |
| Bundled Security Value | High (E5 includes many tools) | Moderate | Moderate |
| Developer Experience | | | |
| Service Parity | ~80% | ~75% | ~90% |
| IaC Maturity | High | Very High | High |
| Container/Serverless | High | Very High | High |
| Feature Lag | 6-18 months | 6-12 months | Minimal |
13. Recommendation Framework
The right government cloud platform is determined by your existing technology stack, compliance obligations, and operational capabilities—not by vendor marketing. Use this framework to make a defensible, evidence-based decision:
Choose Azure GCC High + Azure Government if:
- Your organization is already standardized on Microsoft 365 (any tier) and a migration to GCC High is planned or underway
- Your primary CMMC challenge involves identity governance, privileged access management, and access control policy enforcement—Entra ID + PIM + Conditional Access provides the most mature native capability
- You handle ITAR/EAR export-controlled CUI and need contractual, out-of-box commitments without additional tool procurement
- Your security team is skilled in Microsoft security tools (Sentinel, Defender, Purview)
- You need a unified compliance story across productivity (M365) and infrastructure (Azure)
- Budget exists for E5 GCC High licensing, which bundles significant security value
Choose AWS GovCloud if:
- Your organization already operates significant workloads in commercial AWS and has DevSecOps maturity
- Your contract portfolio requires IL4/IL5 isolation across multiple independent programs (multi-account AWS Organizations design is well-suited to this)
- Your team builds containerized, serverless, or microservices architectures—AWS's GovCloud service breadth for modern application patterns is the deepest
- You have existing investments in AWS-native CI/CD, IaC, and monitoring tooling that you want to preserve
- You need the richest native cloud-native security service options (GuardDuty, Macie, Inspector, Security Hub, Network Firewall, Control Tower) without Microsoft ecosystem dependency
Choose Google Assured Workloads if:
- Your organization is already standardized on Google Workspace and a migration to Assured Workloads is more cost-effective than a move to GCC High
- Your primary workloads are data analytics, AI/ML, or BigQuery-based and you need access to Google's advanced data services with minimal compliance lag
- You can accept and manage the additional complexity of policy-based (vs. physical) isolation
- Your CUI does not include ITAR/EAR data, or you can implement and sustain the required Client-Side Encryption architecture
- Your compliance team is comfortable managing the two documented NIST 800-171 control gaps (3.1.9, 3.5.6) with compensating controls
Consider a hybrid approach if:
- You have M365 GCC High as your productivity suite (identity + email + collaboration) and want AWS GovCloud for application workloads—this is a common and well-supported pattern, using Entra ID GCC High as the federated identity provider for AWS IAM Identity Center via SAML 2.0
- Multiple programs with different data sensitivity levels warrant different cloud tiers
About the Author
Leonard Esere is a Senior Cloud Security Architect at Aeolitech with cross-platform expertise spanning Microsoft Azure Government, AWS GovCloud, and Google Cloud for government workloads. He has supported security authorization activities at Los Alamos National Laboratory (LANL), contributed to MITRE ATT&CK-based threat modeling for DoD program offices, and holds active DoD clearance credentials. Leonard regularly advises DIB contractors on platform selection, CMMC scoping, and compliance architecture design. He holds CISSP, AWS Certified Solutions Architect – Professional, and Microsoft Certified: Azure Solutions Architect Expert certifications.
References
1. FedRAMP. FedRAMP Marketplace – Authorized Cloud Services. https://marketplace.fedramp.gov/
2. DISA. Cloud Computing Security Requirements Guide (SRG) v1r4. https://public.cyber.mil/dccs/
3. Microsoft. Microsoft 365 GCC High Service Description. https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-for-us-government/gcc-high-and-dod
4. Microsoft. Azure Government Overview. https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-welcome
5. Microsoft. Azure Government DoD Impact Level 5. https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-overview-dod
6. AWS. AWS GovCloud (US) Overview. https://aws.amazon.com/govcloud-us/
7. AWS. AWS GovCloud Compliance Details. https://aws.amazon.com/govcloud-us/details/
8. Google Cloud. FedRAMP and DoD Compliance Scope. https://docs.cloud.google.com/architecture/security/fedramp-dod-compliance-scope
9. Google Cloud. Assured Workloads Overview. https://cloud.google.com/assured-workloads/docs/overview
10. NIST. Special Publication 800-171 Rev. 2. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
11. DoD. DFARS 252.204-7012. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting
12. Summit 7 Systems. Is Google Workspace CMMC, DFARS, and ITAR Compliant? https://www.summit7.us/blog/google-workspace-cmmc-dfars-itar-compliance
13. CMMC Dashboard. Can Google Workspace Meet CMMC Level 2 for CUI? https://cmmcdashboard.com/blog/google-workspace-cmmc-level-2-compliance
Call to Action
Aeolitech's Platform Selection Advisory service provides a structured, three-week engagement to evaluate your organization's specific technology stack, contract obligations, and workforce capabilities against each government cloud platform. The output is a written Platform Decision Memorandum that documents the analysis, recommendation, and implementation roadmap—suitable for presentation to your ISSO, Contracting Officer Representative (COR), and executive leadership. Contact us to begin your evaluation.
© 2026 Aeolitech. All rights reserved. This document is provided for informational purposes. Platform capabilities, pricing, and compliance authorizations change frequently. Verify current authorization status at the FedRAMP Marketplace before making architectural decisions.