This guide provides technical guidance for US Federal agencies on deploying and using Gemini for Government in compliance with FedRAMP High and Impact Level 4 (IL4) requirements. This document describes which services and features are included in the authorization boundaries and the steps to help you ensure a compliant deployment.
Gemini for Government uses Assured Workloads to help with compliance. You must deploy all Gemini for Government resources within an Assured Workloads folder that's configured for your specific compliance regime (FedRAMP High or IL4).
Core product dependencies
Gemini for Government relies on several Google Cloud services. The following table lists the compliance status for each service.
| Google Cloud service | FedRAMP High status | IL4 status |
|---|---|---|
| Generative AI on Vertex AI | Authorized | Authorized |
| BigQuery | Authorized | Authorized |
| Cloud Storage | Authorized | Authorized |
| Looker (Google Cloud core) | Authorized | Submitted |
Authorized services and features
The following table lists the services and features that you can use within Gemini for Government for FedRAMP High and IL4.
| Feature | FedRAMP High | IL4 |
|---|---|---|
| | Approved | Approved |
| | Approved | Approved |
| | Approved | Approved |
| Authorized data stores such as Cloud Storage and BigQuery | Approved | Approved |
| | Approved | Approved |
| Uploading documents from local machines | Approved | Approved |
| Ability for end users to select models | Approved | Approved |
Unauthorized features that you must disable manually
The following services and features aren't authorized for FedRAMP High or IL4. However, they aren't blocked by the Assured Workloads control packages and are available in your project. To remain compliant, you must manually disable the features on this list in your Gemini Enterprise application configuration.
- Grounding with Google Maps Platform
- Grounding with Google Search
- Grounding using Google Drive uploads
- Grounding using Microsoft OneDrive uploads
For more information about implicit context caching, see Vertex AI and zero data retention.
Unauthorized features that you can't disable
The following services and features are available in the Assured Workloads control package. You can't disable them, and using these features makes your environment no longer compliant. If you do use these features, you are accepting the risk of operating a non-compliant environment.
To remove availability for these agents, contact Google Cloud.
- View analytics data
- Data agent context for Looker data sources
- Data agent context for BigQuery data sources
- Data agents that you create using the Conversational Analytics API
- Gemini in BigQuery
- Gemini in Looker
- Google Workspace data sources such as Google Drive, Gmail, or Google Calendar
- Google Cloud data stores such as Cloud SQL and Firestore
- Google Calendar and Gmail actions
- Third-party data sources such as Salesforce or Microsoft
- People data sources such as Google Workspace, Microsoft Entra, or custom sources
- Gemini Code Assist
- Creating a no-code agent using Agent Designer
Deploy a compliant environment
Follow these steps to ensure that your deployment is compliant:
- Deploy Assured Workloads:
  - Create an Assured Workloads folder that uses Data Boundary for FedRAMP High or Data Boundary for IL4.
  - Create your Google Cloud project inside this folder.
- Verify that all users and service accounts have the required Identity and Access Management (IAM) permissions.
- Create a Gemini Enterprise app. Select US Multi-region as the location. The Assured Workloads data residency policy enforces this option.
- Connect to a Google data source that is located within your Assured Workloads folder. The authorized data stores for FedRAMP High and IL4 are Cloud Storage buckets and BigQuery datasets.
- Configure authorized compliance features.
- Turn off the unauthorized features that are described in Unauthorized features that you must disable manually.
- Train your personnel not to use unauthorized features that you can't disable.

