Enable Compliance Manager

Enable Compliance Manager so that you can apply frameworks to your Google Cloud organization.

Before you begin

Complete these tasks before you enable Compliance Manager.

Enable Compliance Manager

Complete the following steps to enable Compliance Manager at the organization level:

  1. Enable Compliance Manager using one of the following methods, depending on your scenario:

    • You haven't activated Security Command Center and want to use the Standard tier: enable Compliance Manager by activating Security Command Center Standard. For new organizations that activate the Standard tier, Compliance Manager is automatically enabled.
    • You are already using the Security Command Center Standard tier: no action is required. Compliance Manager is enabled through a backend upgrade. For more information, see Migration and activation of the Standard tier.
    • You haven't activated Security Command Center and want to use the Premium tier: enable Compliance Manager by activating Security Command Center Premium.
    • You haven't activated Security Command Center and want to use the Enterprise tier: enable Compliance Manager by activating Security Command Center Enterprise.
    • You activated the Premium tier previously and want to enable Compliance Manager: enable Compliance Manager from the Security Command Center Settings page.
    • You activated the Enterprise tier previously and want to enable Compliance Manager: enable Compliance Manager from the Activate Compliance Manager page.

    For more information about Security Command Center tiers, see Security Command Center service tiers.

    Compliance Manager doesn't support customer-managed encryption keys (CMEK).

    When you enable Compliance Manager, the following services are also enabled:
  • (Premium and Enterprise tiers only) Sensitive Data Protection to use data sensitivity signals for default data risk assessment.
  • (Premium and Enterprise tiers only) Event Threat Detection (part of Security Command Center) at the organization level.
  • Data Security Posture Management for data security frameworks.
  • (Premium and Enterprise tiers only) AI protection for AI security frameworks.

    The Cloud Security Compliance service agent (service-org-ORGANIZATION_ID@gcp-sa-csc-hpsa.iam.gserviceaccount.com) is created when you enable Compliance Manager. Compliance Manager uses this service agent to access resources in your organization.
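Because the service agent is an identity that acts across the whole organization, it is worth confirming after enablement that it exists and reviewing exactly which roles it holds. The following is an added example, not code from the Google Cloud documentation: it derives the service agent email from an organization ID (the naming pattern given above) and audits an IAM policy document for that member, reporting conditional bindings separately. The policy, organization ID and role names in the sample are constructed for the example; the page does not state which roles the service agent is granted, so only a live policy shows the real set.

```python
"""Added example: derive the Cloud Security Compliance service agent email
for an organization and report the roles it holds in an IAM policy."""
import json
import re

# Service agent domain as given on the page.
SERVICE_AGENT_DOMAIN = "gcp-sa-csc-hpsa.iam.gserviceaccount.com"


def service_agent_email(org_id: str) -> str:
    """Return the service agent email created when Compliance Manager is enabled.

    Organization IDs are numeric; anything else is rejected so a typo cannot
    silently produce a lookalike identity that matches nothing.
    """
    if not re.fullmatch(r"\d+", org_id):
        raise ValueError(f"organization ID must be numeric, got {org_id!r}")
    return f"service-org-{org_id}@{SERVICE_AGENT_DOMAIN}"


def roles_for_member(policy: dict, member: str) -> list[str]:
    """Return the roles bound to `member` in a getIamPolicy-style document.

    A binding that carries an IAM condition is reported with the condition
    title appended, because a conditional grant is not the same as an
    unconditional one when you assess what the agent can reach.
    """
    roles = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            role = binding["role"]
            cond = binding.get("condition")
            if cond:
                role += f" (conditional: {cond.get('title', 'untitled')})"
            roles.append(role)
    return sorted(roles)


def check_service_agent(policy: dict, org_id: str) -> dict:
    """Summarise whether the service agent is present and what it is granted."""
    member = "serviceAccount:" + service_agent_email(org_id)
    roles = roles_for_member(policy, member)
    return {"member": member, "present": bool(roles), "roles": roles}


# Constructed sample in the shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json`. The org ID and
# the roles are placeholders for this example, not the real grants.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:service-org-123456789012@gcp-sa-csc-hpsa.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:service-org-123456789012@gcp-sa-csc-hpsa.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/owner", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXconstructed",
  "version": 3
}
""")

if __name__ == "__main__":
    print(json.dumps(check_service_agent(SAMPLE_POLICY, SAMPLE_ORG_ID), indent=2))
```

To run this against a real organization, replace SAMPLE_POLICY with the output of `gcloud organizations get-iam-policy ORG_ID --format=json` and pass your numeric organization ID. If the check reports the agent absent shortly after enablement, the agent may not have been created yet; if it is present, treat its role list as a standing grant to review like any other organization-level principal.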

For Security Command Center Standard, the Security Essentials framework is applied to the organization automatically.

For Security Command Center Premium, frameworks are not applied to the organization automatically.

For Security Command Center Enterprise, the following frameworks are applied to the organization automatically:

  • Google Recommended AI Essentials - Vertex AI
  • Data Security and Privacy Essentials

Manage service tiers in Compliance Manager

Compliance Manager features vary by Security Command Center service tier. The Standard tier provides a security baseline through the Security Essentials framework. The Premium and Enterprise tiers include advanced capabilities, such as built-in regulatory frameworks, audit capabilities, and custom cloud controls.

Downgrade to Security Command Center Standard service tier

If you downgrade your organization to the Standard tier, you lose access to advanced capabilities like built-in regulatory frameworks, audit capabilities, and custom cloud controls. Review the effects before you downgrade because you may permanently lose or alter some data.

Impact on frameworks and deployments

When you downgrade to Security Command Center Standard, the following changes occur to frameworks and deployments:

  • The system automatically removes all built-in framework deployments (excluding Security Essentials) without warning or notification.
  • If a custom framework contains a cloud control that isn't supported in the Standard tier, the system removes the entire framework.

Impact on findings

When you downgrade to Security Command Center Standard, the following changes occur to findings:

  • The system marks the findings associated with unsupported frameworks as inactive.
  • You have read-only access to inactive findings for seven days, after which they expire and become unavailable.

Impact on custom cloud controls

When you downgrade to Security Command Center Standard, the following changes occur to custom cloud controls:

  • You can't create or manage custom cloud controls.
  • Custom cloud controls are preserved but become inactive and unusable. The system automatically removes any active framework deployments that contain custom cloud controls.
  • The IAM permissions related to custom cloud controls become ineffective. You don't have to revoke them manually; the grants remain in place, so review them as you would any other standing permission.

Impact on audit capabilities

Audit capabilities are exclusive to Security Command Center Premium and Enterprise tiers.

Audit reports and evidence in your Cloud Storage buckets are governed by the Object Lifecycle Management rules configured on those buckets, not by Security Command Center retention policies. Check those rules before you downgrade if you need the evidence to remain available.

Upgrade again to Security Command Center Premium or Enterprise service tiers

When you return to the Security Command Center Premium or Enterprise service tiers, the advanced features are restored. The upgrade has the following effects on your deployments:

  • Inactive custom controls become available again.
  • Framework deployments removed during the downgrade are not recoverable. You must manually re-deploy your frameworks.

What's next