Overview of Assured Workloads frameworks
Frameworks for Assured Workloads provide new and equivalent cloud controls for data residency, access, and personnel, similar to those in Assured Workloads folders.
You can use Assured Workloads frameworks to meet the security and regulatory requirements of your folders and projects in the following ways:
- Choose a predefined data boundary to enforce and monitor your Google Cloud environment's compliance
- Define your own compliant and secure configuration for your Google Cloud environment
- View dashboards that show your environment's alignment with your compliance and security requirements
- Audit your cloud environments, including collecting evidence and generating reports
Assured Workloads frameworks use software-defined controls that let you assess support for multiple compliance programs and security requirements within a Google Cloud folder or project.
Assured Workloads frameworks components
The following table describes the components of Assured Workloads frameworks:
| Component | Description |
|---|---|
| Rule | A technical item within a cloud control that lets you meet a compliance, security, or privacy requirement. Rules can be organization policies, IAM policies, cloud settings, and detection logic based on Common Expression Language (CEL). |
| Cloud control | A set of rules and associated metadata that you can use to define the security or compliance intent for your folder or project. Assured Workloads frameworks include a library of built-in cloud controls and let you create your own. The metadata in a cloud control includes the remediation instructions and finding severity. Cloud controls have the following modes: |
| Framework | A collection of cloud controls and regulatory controls that represent security best practices or industry-defined standards. A framework can include a mapping between cloud controls and the regulatory controls, such as data boundaries like FedRAMP Moderate or IL2. Assured Workloads includes a library of built-in frameworks. You can customize these frameworks or create your own. |
| Framework deployment | The binding between a particular framework and a folder or project when you deploy the framework. |
Supported frameworks
Assured Workloads supports built-in frameworks for Google Cloud, such as Assured Workloads data boundaries. You can deploy these frameworks as is or customize them for your needs.
Supported Assured Workloads data boundaries
The following Assured Workloads data boundary frameworks are available:
- Data Boundary for FedRAMP High (Preview)
- Data Boundary for FedRAMP Moderate (Preview)
- Data Boundary for Impact Level 2 (IL2) (Preview)
- Data Boundary for Impact Level 4 (IL4) (Preview)
- Data Boundary for Impact Level 5 (IL5) (Preview)
- Data Boundary for International Traffic in Arms (ITAR) (Preview)
- Data Boundary for Criminal Justice Information Systems (CJIS) (Preview)
- EU Data Boundary
- EU Data Boundary and Support (Preview)
- Switzerland Data Boundary
- UK Data Boundary
- US Data Boundary
- US Data Boundary and Support (Preview)
Supported Compliance Manager frameworks
The following Compliance Manager frameworks are available in Assured Workloads frameworks if you have a Security Command Center subscription at the Premium or Enterprise tier:
- Center for Information Security (CIS) Controls 8.0
- CIS Google Cloud Computing Platform Benchmark v3.0
- CIS Kubernetes Benchmark v1.1.7
- Cloud Controls Matrix (CCM) 4
- FedRAMP Low 20x
- Google Recommended AI Essentials - Gemini Enterprise Agent Platform
- Google Cloud Security Essentials
- International Organization for Standardization (ISO) 27001, 2022
- National Institute of Standards and Technology (NIST) SP 800-53 R5
- NIST Cybersecurity Framework (CSF) 1.1
- Payment Card Industry Data Security Standard (PCI DSS) 4.0
- Qatar National Information Assurance Standard 2.1
- System and Organization Controls (SOC) 2
What's next
- Learn how to manage frameworks.
- Learn how to manage cloud controls.