diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/convert.sh b/gcp/documentation/02_Solutions_and_Service_Architecture/convert.sh
new file mode 100755
index 00000000..1d4b1e5d
--- /dev/null
+++ b/gcp/documentation/02_Solutions_and_Service_Architecture/convert.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+#pandoc --to gfm --extract-media=images/notional-architecture '00_GCP Initial Notional Architecture.pptx' -o notional-architecture.md
+pandoc --to gfm --extract-media=images/solution-architecture '01_GCP Solutions Architecture.docx' -o solution-architecture.md
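Review bot: The pandoc call on the last line resolves the `.docx` input and the `--extract-media=images/solution-architecture` output relative to the caller's working directory, so the script only works when run from inside `02_Solutions_and_Service_Architecture/` and otherwise fails to find the document or writes the media tree somewhere unexpected. Anchoring the script to its own location and enabling strict mode right after the shebang avoids both, `set -euo pipefail` followed by `cd -- "$(dirname -- "$0")"`; pairing that with `command -v pandoc >/dev/null || exit 1` makes the external dependency explicit for whoever regenerates the markdown next. The commented-out pptx conversion above it is dead history with no explanation; a short comment such as `# disabled: notional-architecture.md is maintained separately` (or removing the line) would tell a reader whether it is meant to be re-enabled. The input filenames contain spaces and are correctly quoted, so no change is needed there.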
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image1.jpeg b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image1.jpeg
new file mode 100644
index 00000000..543fad64
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image1.jpeg differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image2.png b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image2.png
new file mode 100644
index 00000000..fa07e8cd
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image2.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image3.png b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image3.png
new file mode 100644
index 00000000..fe077e1a
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image3.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image4.png b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image4.png
new file mode 100644
index 00000000..9fd801a5
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image4.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image5.jpeg b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image5.jpeg
new file mode 100644
index 00000000..c79109f3
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/images/solution-architecture/media/image5.jpeg differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/solution-architecture.md b/gcp/documentation/02_Solutions_and_Service_Architecture/solution-architecture.md
new file mode 100644
index 00000000..66ff6bf8
--- /dev/null
+++ b/gcp/documentation/02_Solutions_and_Service_Architecture/solution-architecture.md
@@ -0,0 +1,748 @@
+## 

+
+Table of Contents
+
+[1 Revision History [4](#revision-history)](#revision-history)
+
+[2 Executive Overview [5](#executive-overview)](#executive-overview)
+
+[2.1 Document Purpose [5](#document-purpose)](#document-purpose)
+
+[2.2 Document Audience [5](#document-audience)](#document-audience)
+
+[2.3 Document Organization
+[5](#document-organization)](#document-organization)
+
+[2.4 Document Control [5](#document-control)](#document-control)
+
+[2.5 Document Limits [5](#document-limits)](#document-limits)
+
+[3 Infrastructure Overview
+[6](#infrastructure-overview)](#infrastructure-overview)
+
+[3.1 Conceptual Design [6](#conceptual-design)](#conceptual-design)
+
+[4 Enterprise Service Dependencies
+[6](#enterprise-service-dependencies)](#enterprise-service-dependencies)
+
+[4.1 Telecommunications Office (TCO)
+[7](#telecommunications-office-tco)](#telecommunications-office-tco)
+
+[4.1.1 CIDR [7](#cidr)](#cidr)
+
+[4.1.2 MTIPS [7](#mtips)](#mtips)
+
+[4.1.3 Certificate Authority
+[7](#certificate-authority)](#certificate-authority)
+
+[4.1.4 Identity Management
+[7](#identity-management)](#identity-management)
+
+[4.1.5 Network Time Protocol
+[7](#network-time-protocol)](#network-time-protocol)
+
+[4.2 Office of Information Security (OIS)
+[7](#office-of-information-security-ois)](#office-of-information-security-ois)
+
+[4.2.1 Azure Sentinel [7](#azure-sentinel)](#azure-sentinel)
+
+[4.2.2 Security Operations Center (SOC)
+[7](#security-operations-center-soc)](#security-operations-center-soc)
+
+[4.3 Client Support Division (CSD)
+[8](#client-support-division-csd)](#client-support-division-csd)
+
+[4.3.1 IT Service Management
+[8](#it-service-management)](#it-service-management)
+
+[4.4 Computer Services Division (CSvD)
+[8](#computer-services-division-csvd)](#computer-services-division-csvd)
+
+[4.4.1 Enterprise Operations Center (EOC)
+[8](#enterprise-operations-center-eoc)](#enterprise-operations-center-eoc)
+
+[5 GCP Project Design [8](#gcp-project-design)](#gcp-project-design)
+
+[5.1 Project Relationship
+[8](#project-relationship)](#project-relationship)
+
+[5.2 Shared Services [8](#shared-services)](#shared-services)
+
+[6 Security and Governance
+[8](#security-and-governance)](#security-and-governance)
+
+[6.1 GCP Organizations [8](#gcp-organizations)](#gcp-organizations)
+
+[6.1.1 Census GCP Resource Management Folder Design
+[9](#census-gcp-resource-management-folder-design)](#census-gcp-resource-management-folder-design)
+
+[6.1.1.1 Assured Workloads [9](#assured-workloads)](#assured-workloads)
+
+[6.1.1.2 Baseline & Baseline-Mod Folders
+[9](#baseline-baseline-mod-folders)](#baseline-baseline-mod-folders)
+
+[6.1.1.3 Organization Level Folders (Ex: DITD, GEO)
+[9](#organization-level-folders-ex-ditd-geo)](#organization-level-folders-ex-ditd-geo)
+
+[6.1.1.4 Core Folder [10](#core-folder)](#core-folder)
+
+[6.1.1.5 Billing GCP Folder
+[11](#billing-gcp-folder)](#billing-gcp-folder)
+
+[6.2 GCP Security Command Center
+[11](#gcp-security-command-center)](#gcp-security-command-center)
+
+[6.3 System Usage [12](#system-usage)](#system-usage)
+
+[7 Capacity and Cost Management
+[12](#capacity-and-cost-management)](#capacity-and-cost-management)
+
+[8 Monitoring and Alerting
+[12](#monitoring-and-alerting)](#monitoring-and-alerting)
+
+[8.1 GCP Operations Suite
+[12](#gcp-operations-suite)](#gcp-operations-suite)
+
+[8.1.1 Logging [13](#logging)](#logging)
+
+[9 Asset Management [13](#asset-management)](#asset-management)
+
+[10 Appendix [13](#appendix)](#appendix)
+
+[10.1 Reference Documents
+[13](#reference-documents)](#reference-documents)
+
+List of Figures
+
+[Figure 1 GCP Conceptual Design [6](#_Toc165281635)](#_Toc165281635)
+
+[Figure 2 GCP Organization [9](#_Ref157515696)](#_Ref157515696)
+
+List of Table
+
+[Table 1 Revision History [4](#_Toc165281637)](#_Toc165281637)
+
+# Revision History
+
+Table 1 Revision History
+
+| Version | Date | Description |
+|---------|------------|-------------------------------------------------|
+| 0.01 | 9/14/2023 | Initial TOC and Draft Defined |
+| 0.02 | 9/18/2023 | Updates for GCP Design Decisions |
+| 0.03 | 9/29/2023 | Organizational Updates |
+| 0.04 | 10/6/2023 | Team Peer Review |
+| 0.05 | 10/11/2023 | Environment Updates |
+| 0.06 | 10/24/2023 | Ready for Baseline Review |
+| 1.00 | 1/30/2024 | GitLab inf/core \#426 |
+| 1.01 | 4/29/2024 | Update to organizational graphic inf/core \#567 |
+
+# Executive Overview
+
+This document describes the Google Cloud Platform (GCP) design in
+support of the Enterprise Cloud and the Secure Cloud Concept of
+Operations (CONOPS) for the United States Census Bureau (USCB).
+
+## Document Purpose
+
+This document serves as the overarching design for the GCP
+infrastructure and the basis for additional GCP services to build upon.
+
+## Document Audience
+
+The target audience for this document are cloud, networking, and
+security leaders, architects, engineers, and operators.
+
+## Document Organization
+
+This document is a work product of the US Census Bureau Decennial
+Information Technology Directorate (DITD).
+
+## Document Control
+
+This document, and changes to this document, are governed by the Secure
+Cloud Team (SCT) Cloud Governance Board (CGB).
+
+## Document Limits
+
+This document assumes familiarity with GCP services. For additional
+information on GCP services, consult: [Google Cloud documentation
+\| Documentation](https://cloud.google.com/docs/). All GCP design
+elements found in this document are FedRAMP authorized. For a list of
+current FedRAMP services in scope, consult: [FedRAMP Marketplace -
+Compliance \| Google
+Cloud](https://cloud.google.com/security/compliance/fedramp/).
+
+# Infrastructure Overview
+
+## Conceptual Design
+
+The design of the GCP platform is based upon a minimum footprint to
+achieve an authorization to operate (ATO) for workloads hosted in the
+Google Cloud Platform census.gov organization. This design incorporates
+elements from the Census Enterprise to satisfy controls defined by the
+Office of Information Security (OIS) for authorization, access, logging,
+and operations.
+
+- GCP aggregates and ships logs to the Enterprise security services
+ provided by the Enterprise and hosted in Azure. This provides
+ visibility across all GCP assets and interactions.
+
+- Google Cloud Identity is integrated with the Enterprise Identity
+ Management System (IDMS). This provides a single sign on experience,
+ using Census Bureau James Bond IDs, to google projects.
+
+- Network communication with the Census Bureau is provided by the USCB
+ Telecommunications Office (TCO) via an encrypted Virtual Private
+ Network (VPN) using Cloud VPN. Communications to and hosted
+ on-premises resources utilizes this connection to communicate with
+ resources among USCB networks. As bandwidth requirements increase,
+ additional Cloud VPN connections or optional Google interconnects may
+ be utilized to expand capacity.
+
+
+
+Figure 1 GCP Conceptual
+Design[^1]
+
+# Enterprise Service Dependencies
+
+GCP integrates with a variety of services provided by Census Enterprise.
+This provides GCP consumers with core, bureau-wide capabilities while
+allowing systems to develop GCP Cloud-native systems. The systems and
+respective Census organizations providing those services, are listed
+below:
+
+## Telecommunications Office (TCO)
+
+### CIDR
+
+TCO allocated an IPv4 /16 and an IPv6 /48 CIDR block for use with GCP.
+Allocation of these addresses are governed by the CGB and are under
+configuration management in GitLab.
+
+### MTIPS
+
+GCP connects with the Census Managed Trusted Internet Protocol Service
+(MTIPS) provider using Google Cloud VPNs to on premise Datacenters.
+Traffic is encrypted and routing provided by TCO and associated BCC and
+HQ datacenter networking.
+
+A cloud-based TIC 3.0 solution will replace MTIPS functionality for
+cloud-specific assets at a later date. This reduces costs associated
+with egress over GCP VPNs, and Private Interconnects, increases
+scalability and throughput by leveraging native GCP networking services,
+and reduces latency and trips back to USCB datacenters hosted in the
+eastern part of the United States.
+
+### Certificate Authority
+
+TCO manages a private Certificate Authority (CA), including a Root and
+Secondary CAs. As of this writing, certificate requirements are
+fulfilled by TCO. Later, an independent GCP Private CA may be offered,
+that is authorized and signed from the USCB secondary CAs. When a
+private or public certificate is required, TCO is engaged using a
+standard Remedy workflow process. This includes a CSR generation with
+required fields, and a certificate is provided. Certificate lifecycle
+management is a shared responsibility between the system and TCO, and
+TCO re-engagement is required to renew any certificates.
+
+### Identity Management
+
+GCP designs leverage USCB-managed IdP platforms and methodologies to
+centralize account management and practices. Identities are federated
+via SAML 2.0 through the IDMS system to GCP. Identity management occurs
+using Google Cloud Identity to provide access to resources and assets in
+GCP. Considerations for the use of SCIM are currently outside the scope
+of this document.
+
+### Network Time Protocol
+
+Time is offered by TCO. TCO maintains a network of physical atomic
+clocks located in Jeffersonville, Indiana and Bowie, Maryland.
+
+## Office of Information Security (OIS)
+
+OIS provides an analysis of the GCP FedRAMP package and details the user
+responsible controls. OIS also governs the use of Enterprise services to
+assist in satisfying user controls and mitigating security and
+operational risks using Azure Sentinel which is operated and monitored
+by members of the Enterprise Security Operations Center (SOC).
+
+### Azure Sentinel
+
+Sentinel is a cloud native Security Information and Event Management
+(SIEM) platform hosted in the Census Enterprise Azure subscription. This
+product provides intelligent detection, investigation, and response and
+is cloud-scale. GCP audit logs are aggregated from GCP Operations Suite
+Cloud Logging and GCP Security Command Center alerts are transferred
+directly to Sentinel via GCP Pub/Sub integration.
+
+### Security Operations Center (SOC)
+
+The SOC provides real-time monitoring and alerting for GCP cloud assets.
+If a security event is identified, the appropriate incident is raised
+and routed to DITD staff for mitigation and resolution. The SOC utilizes
+a SaaS product, Axonius, to aggregate an inventory of GCP assets
+periodically throughout the day.
+
+## Client Support Division (CSD)
+
+### IT Service Management
+
+CSD provides Remedy to the Census Enterprise. A GCP infrastructure
+support group is defined for all GCP related assets. Service requests,
+change requests, incidents, and work orders may be routed to this group
+to provide ongoing support for end-users of the GCP platform.
+
+## Computer Services Division (CSvD)
+
+### Enterprise Operations Center (EOC)
+
+The USCB Enterprise Operations Center (EOC) utilizes Solarwinds Orion as
+the primary enterprise monitoring platform. Solarwinds is utilized to
+monitor WAN connectivity to GCP from Census data centers.
+
+The EOC utilizes the Enterprise Incident Management Plan. The EOC
+provides up to 24x7 coverage, Service Level Agreements,
+bridge/conference support, triage, and call & ticket routing. At the
+time of this writing, the EOC is actively working towards an ATO for
+Datadog. Datadog is intended to address gaps in the current technology
+as it relates to cloud native constructs and services. Once the product
+is available for use across the USCB, additional capability will be made
+available. For more details about the Datadog implementation, see the
+reference link in the appendix.
+
+# GCP Project Design
+
+A GCP Project is the basic security and billing boundary for consuming
+services within GCP. All assets and resource consumption within a GCP
+project are billed to the billing project associated to the resource
+project.
+
+## Project Relationship
+
+Individual System teams are allocated projects by environment. This
+level of granularity provides system teams with the autonomy to develop
+and enhance their systems without affecting other systems and reduces
+administrative complexity for isolation, segmentation, and operations &
+maintenance (O&M). It provides a high velocity track for onboarding
+system teams using repeatable and consistent GCP project provisioning
+and service deployment standards and methods.
+
+GCP does not have a service limit on GCP projects and GCP Folders within
+an organization, and shared costs can be isolated down to the individual
+system team through this Project allocation. System teams have a
+dedicated Lab, Dev, Test, ITE, Stage, and Prod project placed in the
+corresponding GCP Folder (eg, GEO Dev, etc), as required.
+
+An associated DMZ ITE, Stage, and Prod set of projects can be
+established, as required.
+
+## Shared Services
+
+Core Infrastructure services, including shared infrastructure,
+operations, and application services for system teams, are arranged in a
+separate GCP Folder structure and associated GCP projects that align to
+a respective function for resources there.
+
+# Security and Governance
+
+## GCP Organizations
+
+The census.gov organization provides centralized governance, control,
+cost management, audit compliance, and service resource sharing. The
+organization design aligns with the infrastructure GCP Software
+Development Lifecycle (iSDLC), a set of developer and tester guidelines,
+configuration management practices, and agile software development
+methods for developing, testing, and releasing infrastructure as code.
+
+### Census GCP Resource Management Folder Design
+
+The Enterprise GCP Organization layout is depicted below:
+
+
+
+Figure 2 GCP Organization
+
+#### Assured Workloads
+
+Folders depicted in green in Figure 2 GCP Organization, provide security
+controls that ensure alignment with FedRAMP moderate requirements as
+established by the GCP FedRAMP moderate package and approval. Folders
+and projects nested under green folders cannot use non-FedRAMP services.
+
+#### Baseline & Baseline-Mod Folders
+
+These folders contain organization specific security policies, including
+prevention of external addresses and approved regions. This hosts the
+terraform state bucket for gcp-iac-core.
+
+#### Organization Level Folders (Ex: DITD, GEO)
+
+This folder is for applying a program specific set of security policies.
+Unless an individual system or application requires a unique set of
+controls or exceptions to a control, a generalized organizational
+structure will be utilized to apply policies. The following describes
+the organizational structure of the subfolders.
+
+##### Lab (System Level)
+
+GCP Project membership in this GCP Folder is designated for
+experimentation and prototyping. Title data is not permitted in this
+environment.
+
+##### Dev (System Level)
+
+GCP Project membership in this GCP Folder is designated for system
+specific functional software development activities. Title data is not
+permitted in this environment.
+
+##### Test (System Level)
+
+GCP Project membership in this GCP Folder is designated for system
+specific project level testing activities. Title data is not permitted
+in this environment.
+
+##### ITE (System Level)
+
+Accounts membership in this GCP Folder is designated for integrated
+testing activities.
+
+##### Stage (System Level)
+
+Accounts membership in this GCP Folder is designated for system specific
+pre-production, operations readiness, and performance testing
+activities.
+
+##### Prod (System Level)
+
+Accounts membership in this GCP Folder is designated for system specific
+production activities.
+
+#### Core Folder
+
+##### DMZ (Future Use Case Placeholder – Not included in initial ATO)
+
+###### Routing
+
+GCP Project membership in this GCP Folder is designated for GCP Cloud
+Routers and VPCs supporting ingress and/or egress requirements to
+resources external to the Census Bureau networks.
+
+###### ITE (System Level)
+
+Accounts membership in this GCP Folder is designated for DMZ integrated
+testing activities.
+
+###### Stage (System Level)
+
+Accounts membership in this GCP Folder is designated for system specific
+DMZ pre-production, operations readiness, and performance testing
+activities.
+
+###### Prod (System Level)
+
+Accounts membership in this GCP Folder is designated for system specific
+DMZ production activities.
+
+##### Platform
+
+###### Networking
+
+GCP Project membership in this GCP Folder is designed to support core
+Networking services including GCP Cloud Router and centralized VPCs for
+VPC sharing.
+
+####### Routing-High
+
+GCP Project membership in this GCP Folder is designated for GCP Cloud
+Routers and VPCs supporting ingress and/or egress requirements to
+resources external to the Census Bureau networks for prod projects.
+
+####### Routing-Lower
+
+GCP Project membership in this GCP Folder is designated for GCP Cloud
+Routers and VPCs supporting ingress and/or egress requirements to
+resources external to the Census Bureau networks for lab, dev, test,
+ITE, and stage projects.
+
+####### Dev
+
+GCP Project membership in this GCP Folder is designated for network
+development activities.
+
+####### VPC Sharing-Lower
+
+GCP Project membership in this GCP Folder is designated for VPC sharing
+for lab, dev, test, integration & test (ITE), and stage projects.
+
+####### VPC Sharing-High
+
+GCP Project membership in this GCP Folder is designated for VPC sharing
+for prod projects.
+
+###### Shared Services
+
+GCP Project membership in this GCP Folder contains shared service
+projects. Future services may include IT Operations Management (ITOM)
+services, application services such as GitLab runners, and
+infrastructure platform services. Sub GCP Folders are designated for the
+development of Infrastructure, Application, and IT Operations Management
+services.
+
+##### Security
+
+GCP Project membership in this GCP Folder is designed for Security / OIS
+tooling, centralized log aggregation and collection, and key management.
+
+##### Sandbox Folder (Infrastructure Lab)
+
+GCP Project Membership in this GCP Folder is designed to accommodate
+infrastructure labs for evaluation of new and emerging technology and
+standards. Workloads are isolated from production networks to provide
+the cloud engineering team the ability to perform research, analysis,
+and prototyping of new products and features. ***NOTE:** This is
+**not to be utilized** for infrastructure and networking
+development and testing as part of the regular management of changes.*
+
+##### TIC Folder (Future Use Case Placeholder – Not included in initial ATO)
+
+GCP Project Membership in this folder is designed to provide
+infrastructure and capabilities for an GCP-based TIC 3.0-compliant
+networking environment. It is contained in a separate folder to provide
+GCP service integration and associated organization policies to tightly
+control and manage resources required in an edge network environment.
+
+#### Billing GCP Folder
+
+This folder will serve as an aggregation point for all billing accounts
+in the environment, segmented by GCP contracts. Permissions to it are
+restricted. Billing accounts will integrate and export to BigQuery and
+with FinOps tooling, including Apptio Cloudability. If independent
+contracts are required, an independent billing project is required,
+along with integration with Apptio. Financial strategy is outside the
+scope of this document.
+
+## GCP Security Command Center
+
+Security Command Center provides a centralized vulnerability and threat
+reporting service. Security Command elevates security configurations,
+provides asset inventory and discovery, and identify misconfigurations,
+vulnerabilities, and threats. Activation of Security Command Center at
+the Census organization-level (top-level folder), to provide
+consolidated view of all findings within Census organization. At the
+time writing this, following are list of design configurations for
+Security Command Center:
+
+- Organization-level activation of Security Command Center is active for
+ one or more projects within Census GCP Organization and thus enables
+ the Premium tier of Security Commands Center.
+
+- Security Command Center’s detectors are configured for Center for
+ Information Security (CIS).
+
+- DITD Security Team or Cloud Security Engineers, with either
+ “gr-sec.adm” or “gr-sec.auditor” Google Identity roles are responsible
+ for managing and responding to the applicable cloud vulnerabilities
+ and security findings within Security Command Center.
+
+- For any High or Critical severity findings the DITD Cloud Security
+ Engineer, designated SOC members, or Security Auditor will escalate
+ these findings to the GCP Information System Security Officer (ISSO)
+ per OIS security policy.
+
+- Designated Enterprise Security Operations Center (SOC) members provide
+ real-time monitoring and are alerted for GCP cloud assets. If a
+ security event is identified, the appropriate incident is raised and
+ routed to DITD security staff for mitigation and including
+ notification to the SOC.
+
+## System Usage
+
+No actions may be performed in GCP without an associated authenticated
+and authorized account.
+
+# Capacity and Cost Management
+
+GCP manages and maintains capacity as part of their service offering.
+This does not eliminate the need for USCB to plan and maintain capacity
+utilization/planning and cost management controls. A list of approved
+services is governed by the CGB. Vendor details, including contact
+information, current support contracts, escalation points, software
+services, feature requests, product roadmap, integration points,
+announcements, and end-of-life/support are recorded in a vendor log
+referenced in the GCP Cloud Operations Plan. A government stakeholder
+designated by the CGB is responsible for reviewing the vendor
+relationship with GCP. Meetings are hosted to review GCP performance,
+current issues, product updates, program dependencies, security events,
+and other topics of importance.
+
+Cost management for GCP is based around independent project billing
+codes. Each project is linked to a billing project/code. New
+project/billing codes are established, as required, for maintaining
+project cost control and visibility.
+
+The following guidelines exists:
+
+- Systems are responsible for self-governing their planning, budget,
+ optimization, and consumption.
+
+- Specific system members, designated by system leadership, are
+ responsible for onboarding with Apptio Cloudability to receive access
+ to cloud financial reports.
+
+- All assets must comply with GCP Naming and Tagging Standards.
+
+- Periodic reviews, reporting, and audits are defined in the GCP
+ Operations Plan.
+
+GCP offers both Labels and Tags to track deployed assets within the
+platform. Labels are utilized for annotating meta data to resources that
+can be queried within BigQuery and provide context for billing and other
+functions. GCP Tags are applied to resources to affect policies and
+other security focused uses. With respect to billing and capacity the
+focus will be on GCP Labels. Billing data is aggregated and accessible
+from GCP BigQuery. Only infrastructure administrators have access to
+BigQuery for this purpose. Apptio Cloudability is integrated with GCP
+and BigQuery to produce financial reports.
+
+Standard GCP labels are required. All GCP labels must follow the
+labeling standards documented in the Enterprise Naming and Tagging
+standards. Labeling is enforced through IaC deployment. Tags are
+enforced through organization and project inheritance.
+
+# Monitoring and Alerting
+
+## GCP Operations Suite
+
+The monitoring and alerting capabilities within GCP are included within
+the Operations Suite. Cloud Monitoring API collects metrics, events, and
+metadata from cloud resources that are deployed throughout the GCP
+organization. These metrics are ingested into the Operations Suite where
+that data to generate insights via dashboards, charts, and alerts.
+Alerting also resides within the Cloud Monitoring API which comprises of
+an alerting policy, incident record, and notification channel.
+Configuration of alerts can be performed from project, folder, and
+organizational level within GCP. At the time of writing this document,
+the following configurations are applied for monitoring and alerting for
+GCP audit logs:
+
+- Bucket-scoped log-based metrics are configured for logs that are
+ routed into a centralized logging bucket through the aggregated
+ log-sink within GCP Organization.
+
+- Creation of Logging Metric project within Core folder, contains the
+ user-defined metrics for the bucket-scoped log-based metric.
+
+- Cloud Security Engineers with the appropriate Google group membership
+ are responsible to define the appliable system-defined [Google Cloud
+ metrics](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-logging)
+ within the Logging Metric GCP project.
+
+- Labels created for log-based metrics must adhere to the [GCP Naming
+ and Tagging
+ Standards](https://uscensus.sharepoint.com/:x:/r/sites/DITDSIRS/_layouts/15/Doc.aspx?sourcedoc=%7B73417D72-DA96-4CEA-8021-DAD6068EA2BE%7D&file=02_Naming%20and%20Tagging%20Standard%20-%20GCP.xlsx&action=default&mobileredirect=true)
+ schema.
+
+- Metric Scopes are defined within a GCP scoping project that resides
+ within CORE folder structure. These metric scopes are codified as
+ Infrastructure as Code (IaC) and sourced within CORE GitLab source
+ code repository.
+
+- Creation of the alerting policies for log-based metrics is the
+ responsibilities of the DITD Cloud Security Engineer following the
+ applicable guidance from OIS.
+
+- The notification channel for alerting will be distribution list (DL)
+ for DITD Security team, any further coordination with the SOC is the
+ responsibility of the DITD Security Team.
+
+### Logging
+
+Cloud Logging API is a capability within Operations Suite. Cloud Logging
+provides the real-time log-management, with storage, search, analysis
+and monitoring support. At the time of writing this document, the
+current design and configurations for Cloud Logging are the following:
+
+- Collate and route all organization-level logs to an Aggregated Sinks.
+
+- The aggregate sink resides within the Core folder within Census GCP
+ Organization folder structure.
+
+- A Cloud Logging bucket stores all aggregated audit logs within Census
+ Organization for the default number of days.
+
+ - 400 days for Admin Activity logs (including IAM logs) and System
+ Event audit logs.
+
+ - Data Access Logs and Policy Denied logs are stored for 30 days by
+ default.
+
+- GCP Audit Logs will be integrated with Microsoft Azure Sentinel by way
+ of a Pub/Sub integration with Azure.
+
+For additional design, Enterprise integration, and operational details,
+consult the GCP Operations Suite Cloud Logging design document.
+
+# Asset Management
+
+Assets are tracked through an integration of GCP and Apptio Cloudability
+and Axonius. Apptio tracks all assets deployed to GCP, and associated
+cloud consumption costs. Axonius provides an inventory of all deployed
+GCP assets.
+
+# Appendix
+
+## Reference Documents
+
+- [USCB GCP Identity Detailed
+ Design](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EXyyzNyQ1iNHvXPCyrEBSPkB8_U_F9e22sFj7j552nyXLg?e=rnoQjS)
+
+- [USCB GCP Cloud DNS Detailed
+ Design](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/Ed33dNlVFt1Di0rQRbLZa_gBRT6h0dnpRg-5ThzR64NbbA?e=W8bk0i)
+
+- [USCB GCP Networking Detailed
+ Design](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EctS_2nmCj9HtTELOW8wv6cBqycZJYH01VNqMVgapaFuew?e=Vc7C3l)
+
+- [USCB GCP Operations Suite – Cloud
+ Logging](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EUWHv2fuP0dMpsb4RbP5nmEBI040PmYvjs5k4x_RS2_K8A?e=wGvD3e)
+
+- [USCB Azure Sentinel SharePoint Content
+ Hub](https://uscensus.sharepoint.com/:u:/s/DITDSIRS/EYrMDaQNE6RNjAZEf-i59IEBgjJGM6wzqmPUucsVPT50ww?e=vG5gic)
+
+- [USCB GCP Standards and Frameworks (iSDLC, Naming, Tagging, Projects,
+ Roles, Groups,
+ Guidelines)](https://uscensus.sharepoint.com/:f:/s/DITDSIRS/EpbVeuUQbE1Ftjo-SJpUjj4BG9Nq15mRUQdNsUaQcRyeyw?e=OvPw18)
+
+- [Cloud Concept of
+ Operations](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EaC_b3BNlPVLj-VwhcCEFdsB37unOxCiTh00H449c1Av6A?e=07a9hW)
+ USCB Enterprise Management System SharePoint site
+
+- USCB [Datadog
+ Implementation](https://uscensus.sharepoint.com/teams/csvd/Datadog/SitePages/Home.aspx)
+ SharePoint site
+
+- USCB Remedy Request for Enterprise Event Management
+
+- [Google Cloud
+ Metrics](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-logging)
+
+- [Google Cloud Computing Foundations
+ Benchmark](https://www.cisecurity.org/benchmark/google_cloud_computing_platform)
+
+- [Enterprise Secure Cloud Concept of
+ Operations](https://uscensus.sharepoint.com/:w:/t/OCIOSecureCloud/EckI_0J5vOJIhreZy-0WSMMBqOI7b5_yrmb78-HeB9IZ-Q?e=uapwY2)
+
+- [GCP Operations
+ Plan](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EfHiSwwk1mFCtyuXFnCKGoMBjV158-8VEfxVUCVI37D3lQ?e=BkivsF)
+
+[^1]: This is a conceptual graphic and does not depict all services in
+ use. See GCP Service Detailed Designs and Architecture, and Services
+ in Scope for additional details linked in the Appendix.