Google Workspace CMMC Level 1 Self-Audit: 12 Things Assessors Actually Check | Overwatch Tools
📋 CMMC Level 1: The Reality Check — Part 2 of 6

Is Your Google Workspace Actually CMMC-Ready? Take the 12-Point Self-Audit

A compliance diagnostic for GWS defense contractors — no guesswork, no jargon

Published by Overwatch Tools | CMMC Compliance Specialists | Chesapeake, Virginia

You've set up Google Workspace. You're using it every day for email, docs, and file sharing. You've even heard it can be configured for CMMC Level 1 compliance.

So you're good, right?

Maybe. But "using Google Workspace" and "having a CMMC-compliant Google Workspace configuration" are very different things — and the gap between them is exactly where small defense contractors fail self-assessments.

This audit isn't designed to scare you. It's designed to give you an honest picture of where you stand before an assessor, a prime contractor, or a DoD audit does. Go through each item and answer as truthfully as you can: ✅ Confirmed, ⚠️ Unsure, or ❌ Not Done.

How to Use This Checklist

For each of the 12 items below, assess your current Google Workspace configuration honestly. If you're not certain — if you'd have to go look, ask someone, or guess — mark it ⚠️ Unsure. Uncertainty counts the same as a gap when an assessor is in the room.

Track your results. We'll help you interpret your score at the end.

The 12-Point Google Workspace CMMC Self-Audit

Item 1: Admin Account Separation

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Your Google Workspace super admin account is a dedicated administrative account — separate from anyone's day-to-day email and productivity account. No one uses the admin account to read email or create documents.
Non-compliant commonly looks like: The owner or IT lead logs into their normal Google account to access the Admin Console, and that same account is their personal email, Drive, and Calendar. One account wearing all the hats.

Why it matters: Super admin accounts have the keys to your entire organization. If that account is compromised — through phishing, password reuse, or a device breach — everything is exposed. Separation limits blast radius and demonstrates the access control hygiene that CMMC assessors look for.

Item 2: MFA Enforcement at the Organization Level

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: 2-Step Verification is enforced at the organization level in the Google Admin Console — meaning users cannot bypass it, cannot opt out, and will be locked out if they haven't enrolled. Enrollment is mandatory, not optional.
Non-compliant commonly looks like: 2SV is enabled or "allowed" in the Admin Console, and a policy document says users should use it, but it isn't actually enforced. Some users have it set up; others don't. There's no guarantee.

This is one of the most common configuration gaps we encounter. Having 2FA available is not the same as having it required. The distinction is made in the Admin Console under Security → 2-Step Verification → Enforcement. If you haven't confirmed the enforcement setting yourself recently, you may not know what it's actually set to.

Item 3: External Drive Sharing Settings

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Google Drive sharing is configured at the Admin Console level to restrict or prohibit external sharing of sensitive files. Users cannot share files with people outside your organization without deliberate admin-level exceptions, and those exceptions are documented.
Non-compliant commonly looks like: Default sharing settings are in place. Anyone in your organization can share a Drive file with anyone on the internet, including setting it to "Anyone with the link." This is Google's default behavior and most small orgs never change it.

⚠️ We find gaps here frequently. Default Google Workspace sharing settings are intentionally permissive for productivity — and intentionally problematic for CUI protection. This is one of the items we review directly in consultation sessions with Turnkey clients.

Item 4: Google Vault Configuration

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Google Vault is not just enabled — it is actively configured with retention rules that cover email and Drive data, and you have run at least one audit log review to verify it's capturing what it should. You know where to find audit logs and have reviewed them.
Non-compliant commonly looks like: Vault is included in your subscription (it comes with Business Plus and above) and you've seen it in the Admin Console, but you haven't set up any retention policies, exported any logs, or verified it's actually capturing anything useful. It's "on" but not configured.

⚠️ We find gaps here frequently. Vault is one of those features that gives a false sense of security. Many contractors assume that because it's included in their plan, it's working. Configuration and usage are two different things — and assessors want to see evidence of the latter.

Not sure if your Vault is actually configured? This is exactly what we review in Session 2 of the Turnkey program — and it takes less than an hour to get it right.

Schedule a free 30-minute consultation to talk through your setup →

Item 5: Device Management and Endpoint Policies

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Company devices — laptops, phones — are enrolled in Google Workspace's endpoint management. Policies are actively enforced: screen lock is required, disk encryption is verified, and you have a way to remotely wipe a device if it's lost or stolen.
Non-compliant commonly looks like: Devices are not formally enrolled. Employees access company email and Drive from personal devices with no centralized policy enforcement. Or device management is set up for mobile but not for laptops. Or enrollment is in place but no policies are actually applied.

Device management becomes especially important for remote and hybrid workers — which describes most small defense contractors today. If an employee's laptop is stolen at a coffee shop and you have no way to wipe it or verify it was encrypted, that's a significant CMMC gap.

Item 6: Third-Party App Access Control

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: You have reviewed which third-party apps and integrations have access to your Google Workspace data. You have a process for approving or blocking connected apps, and you've removed any apps that don't have a clear business justification.
Non-compliant commonly looks like: Employees have connected various tools — project management apps, browser extensions, productivity add-ons — to their Google accounts, and none of this has been reviewed at the admin level. Some apps may have broad data access permissions that were granted years ago.

Google Workspace allows granular control over which apps can access organizational data. If you haven't reviewed this in the Admin Console → Security → API controls section, you may have more data exposure than you realize.

Item 7: User Offboarding Process

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: You have a written, documented procedure for revoking access when an employee leaves — covering Google account suspension, Drive access transfer, removal from groups, and device wipe. You've tested this process. You can show evidence it's been followed for past departures.
Non-compliant commonly looks like: When someone leaves, you remember to change their password or suspend their account — eventually. There's no checklist. The process varies by person and urgency. Former employees may still have access to shared Drives they were added to via a link.

⚠️ We find gaps here frequently. Offboarding documentation is one of the highest-impact, easiest-to-fix CMMC gaps — and one of the most commonly missing. Assessors will ask to see it. "We handle it when it comes up" is not an acceptable answer.

Item 8: Audit Log Review Practice

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Someone in your organization reviews Google Workspace audit logs on a regular, documented schedule — looking for unusual sign-in activity, external sharing events, admin changes, and other anomalies. That review is logged, even informally.
Non-compliant commonly looks like: Audit logs exist — you know they're in the Admin Console somewhere — but no one reviews them proactively. You'd only go looking if something went obviously wrong. There's no scheduled review, no documentation of past reviews.

⚠️ We find gaps here frequently. Having logs is the baseline. Actually reviewing them is what demonstrates ongoing security awareness — and what CMMC requires. This is reviewed in the Turnkey program's consultation sessions, along with what to look for and how often.

Unsure what to look for in your audit logs — or how often you should be reviewing them? Session 2 of the Turnkey program covers this directly, including a review of your actual Admin Console configuration.

Talk to a compliance expert — free, 30 minutes →

Item 9: Password Policy Enforcement

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: Your password strength requirements are set and enforced in the Google Admin Console — minimum length, complexity, and reuse restrictions are applied at the organizational level, not just described in a policy document that people may or may not have read.
Non-compliant commonly looks like: You have a written password policy in a handbook or security document, but the Admin Console password settings are at Google's defaults. There's no technical enforcement — it's an honor system.

Policy documents are necessary but not sufficient. CMMC requires that controls be implemented — meaning technically enforced, not just written down and hoped for. Admin Console password settings and policy documentation need to align and reinforce each other.

Item 10: Google Workspace Edition Verification

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: You are running Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, or a comparable edition that includes Google Vault, advanced endpoint management, and enhanced security controls. You have verified this in the Admin Console.
Non-compliant commonly looks like: You're running Business Starter or Business Standard — common for small companies that signed up years ago — and don't have access to Vault or advanced endpoint management. Or you're unsure what edition you have.

Edition matters more than most small contractors realize. Lower tiers of Google Workspace lack security features that are not optional for CMMC Level 1. We've covered this in detail in our Google Workspace edition guide for defense contractors — worth reviewing if you're not 100% certain what you're running.

Item 11: Incident Response Documentation

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: You have a written incident response plan that references your Google Workspace environment specifically — who gets notified if there's a breach or suspicious activity, what steps are taken, how the incident is documented, and when/how you notify the DoD.
Non-compliant commonly looks like: You have a general idea of what you'd do if something went wrong, but it isn't written down. Or you have a generic incident response template that doesn't mention Google Workspace, specific contacts, or the 72-hour DoD reporting requirement.

⚠️ We find gaps here frequently. Incident response plans that actually reference your specific environment — your tools, your contacts, your escalation path — are rare. Generic templates don't satisfy assessors, and more importantly, they don't help you when something actually goes wrong. The Turnkey program includes GWS-specific IR procedures.

Your incident response plan needs to reference Google Workspace specifically — not just be a generic template. This is one of the documents we help customize in the Turnkey program's consultation sessions.

Schedule a free consultation to see what's in the Turnkey IR package →

Item 12: Annual Security Review Evidence

✅ Confirmed ⚠️ Unsure ❌ Not Done
Compliant looks like: You have documented evidence — a log, a dated report, meeting notes, a compliance review record — showing that your Google Workspace security settings were reviewed within the past 12 months. Someone signed off on it. It's findable.
Non-compliant commonly looks like: You've reviewed your settings informally, or you set them up when you first configured Workspace and haven't formally revisited them since. There's no dated record of a security review. "We check it when something seems off" doesn't count.

CMMC isn't a one-time event — it's ongoing. Annual reviews with documented evidence demonstrate that compliance is maintained, not just achieved once and forgotten. This is something many contractors only realize they need after their first assessment cycle.


How Many "Unsure" Answers Did You Get?

Be honest with yourself. Each "Unsure" is a gap in your compliance posture — not because you're doing something wrong, but because you don't have confirmed evidence that you're doing it right. In a self-assessment, unconfirmed controls don't count.

0–1 Unsure (Strong): You likely have solid fundamentals. Consider a consultation to confirm before your formal assessment.

2–4 Unsure (At Risk): You have real gaps that need to be addressed. A consultation will help you prioritize and fix them efficiently.

5+ Unsure (Exposed): Your configuration hasn't been verified against CMMC requirements. Starting with expert guidance will save significant time and risk.

If you marked more than 2 items as "Unsure" or "Not Done," a consultation is worth your time — not because you've failed anything, but because you now know exactly where to focus.


What the Turnkey Program's GWS Consultation Sessions Actually Cover

The Overwatch Tools Turnkey CMMC Level 1 Compliance Package includes 8 bi-weekly expert consultation sessions, and for Google Workspace users, several of those sessions are dedicated directly to the items in this checklist.

Here's what that looks like in practice:

GWS-Specific Consultation Coverage

  • Admin Console walkthrough: We review your actual settings — MFA enforcement, sharing controls, password policies, app access — not hypothetically but in your specific configuration.
  • Vault setup and verification: We confirm retention policies are configured correctly and that audit logs are being captured and accessible.
  • Device management review: We assess your endpoint enrollment and policy settings, including the common gaps for organizations with mixed personal/company devices.
  • Offboarding documentation: We build a GWS-specific offboarding checklist that becomes part of your evidence library.
  • Incident response plan: We customize your IR procedures to reference your Google Workspace environment, your contacts, and DoD notification requirements specifically.
  • Annual review evidence: We document your review sessions so you have dated, signed-off records from day one.

The Turnkey program also includes the complete GWS configuration guide โ€” step-by-step instructions for configuring each of the 12 areas above in your Admin Console. We don't just tell you what needs to be done; we show you exactly how to do it for your specific workspace.

โš ๏ธ A Note on Edition Requirements

Several of the controls above โ€” including Google Vault and advanced endpoint management โ€” are only available in Business Plus or Enterprise editions. If you're running a lower tier, your configuration gaps may be subscription-level, not just settings-level. Our edition guide covers exactly which features are required and which plans include them.

Most Turnkey clients with Google Workspace complete their Level 1 assessment preparation in 2โ€“4 weeks. The primary factors that determine timeline are your existing infrastructure, your edition level, and how quickly you can implement the configuration changes from your consultation sessions.


What Comes Next

This checklist gives you a clear picture of where your Google Workspace stands against CMMC Level 1 requirements. But knowing the gaps is only the first step — closing them is what actually moves the needle.

If you marked any items "Unsure" or "Not Done," you have two paths forward:

  • Self-guided with the Turnkey Toolkit: Use the GWS configuration guide and 400+ templates to work through each item systematically, with 8 expert sessions to keep you on track.
  • Start with a free consultation: Talk through your specific configuration and get a prioritized action list before committing to anything.

The consultation is free, it's 30 minutes, and you'll leave with a clearer sense of what your actual compliance posture looks like — not what you hope it is.

Get a GWS Compliance Expert on the Phone

We've helped dozens of small defense contractors close exactly the gaps in this checklist. In 30 minutes, we can tell you where you stand and what needs to happen before your assessment.

No sales pressure. No obligation. Just a straight answer about your compliance posture.

Book Your Free 30-Minute Consultation Explore the Turnkey Program

Turnkey CMMC Level 1 Package — $2,495/year · Includes GWS configuration guides, 8 consultation sessions, and 400+ templates


About This Series

This post is Part 2 of 6 in the "CMMC Level 1: The Reality Check" series — a diagnostic series designed to help small defense contractors identify their actual compliance posture, not their assumed one.

  • Part 1: The Most Common CMMC Level 1 Mistakes
  • Part 2: Google Workspace Self-Audit (this post)
  • Part 3: Microsoft 365 Self-Audit
  • Part 4: Evidence Collection — The Task Nobody Warns You About
  • Part 5: SPRS Scoring — What It Means and How to Avoid Getting It Wrong
  • Part 6: Maintaining Compliance After Your Assessment

info@overwatchtools.com | overwatchtools.com

Copyright © 2025 Overwatch Tools, Inc.