Return to the report summary

Common Controls Baseline Report

Customer DomainReport DateBaseline VersionTool Version
example.org02/10/2025 09:39:56 Pacific Daylight Timev0.4v0.4.0

COMMONCONTROLS-1 Phishing-Resistant Multi-Factor Authentication

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.1.1v0.4 Phishing-Resistant MFA SHALL be required for all users. Fail Shall The following OUs are non-compliant:
  • Nichole Erickson: Allowed methods is set to Any
  • Org Name: Allowed methods is set to Any except verification codes via text, phone call
  • Org Name (group "Kimberly Mathews"): Allowed methods is set to Any
  • Beth Moses: 2-step verification (2SV) is not enforced.
  • Norma Hayes: Allowed methods is set to Any
GWS.COMMONCONTROLS.1.2v0.4 Google 2SV new user enrollment period SHALL be set to 1 week. Fail Shall The following OUs are non-compliant:
  • Nichole Erickson: New user enrollment period (0 seconds) doesn't match expected (7 days)
  • Org Name (group "Kimberly Mathews"): New user enrollment period (0 seconds) doesn't match expected (7 days)
  • Beth Moses: New user enrollment period (15552000 seconds) doesn't match expected (7 days)
GWS.COMMONCONTROLS.1.3v0.4 Allow users to trust the device SHALL be disabled. Fail Shall The following OUs are non-compliant:
  • Nichole Erickson: User is allowed to trust device.
  • Org Name: User is allowed to trust device.
  • Org Name (group "Kimberly Mathews"): User is allowed to trust device.
  • Norma Hayes: User is allowed to trust device.
GWS.COMMONCONTROLS.1.4v0.4 If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim. Fail Shall The following OUs are non-compliant:
  • Nichole Erickson: Allowed methods is set to Any

COMMONCONTROLS-2 Context-aware Access

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.2.1v0.4 Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented. Pass Should Requirement met.

COMMONCONTROLS-3 Login Challenges

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.3.1v0.4 Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization. Pass Should Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.3.2v0.4 Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-4 User Session Duration

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.4.1v0.4 Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired. Fail Shall The following OUs are non-compliant:
  • Org Name: Web session duration: 20 hours

COMMONCONTROLS-5 Secure Passwords

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.5.1v0.4 User password strength SHALL be enforced. Fail Shall The following OUs are non-compliant:
  • Tiffany Brewer: Password strength is WEAK, not STRONG
GWS.COMMONCONTROLS.5.2v0.4 User password length SHALL be at least 12 characters. Fail Shall The following OUs are non-compliant:
  • Tiffany Brewer: Minimum password length: 8, less than 12
GWS.COMMONCONTROLS.5.3v0.4 User password length SHOULD be at least 15 characters. Warning Should The following OUs are non-compliant:
  • Tiffany Brewer: Minimum password length: 8, recommended is at least 15
  • Norma Hayes: Minimum password length: 12, recommended is at least 15
GWS.COMMONCONTROLS.5.4v0.4 Password policy SHALL be enforced at next sign-in. Fail Shall The following OUs are non-compliant:
  • Org Name: Enforce password policy at next sign-in is OFF
  • Carolyn Aguirre: Enforce password policy at next sign-in is OFF
GWS.COMMONCONTROLS.5.5v0.4 User passwords SHALL NOT be reused. Fail Shall The following OUs are non-compliant:
  • Tiffany Brewer: Allow password reuse is ON
GWS.COMMONCONTROLS.5.6v0.4 User passwords SHALL NOT expire. Fail Shall The following OUs are non-compliant:
  • Tiffany Brewer: Password reset frequency is 2592000s

COMMONCONTROLS-6 Highly Privileged Accounts

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.6.1v0.4 All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.6.2v0.4 A minimum of **two** and maximum of **eight** separate and distinct super admin users SHALL be configured. Fail Shall The following super admins are configured: admin1@example.com, admin2@example.com, admin3@example.com, admin4@example.com, admin5@example.com, admin6@example.com, admin7@example.com, admin8@example.com, admin9@example.com, admin10@example.com. Note: Exceptions are allowed for "break glass" super admin accounts, though we are not able to account for this automatically.

COMMONCONTROLS-7 Conflicting Account Management

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.7.1v0.4 Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-8 Catastrophic Recovery Options for Super Admins

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.8.1v0.4 Account self-recovery for Super Admins SHALL be disabled Fail Shall The following OUs are non-compliant:
  • Tiffany Brewer: Allow super admins to recover their account is ON
  • Org Name: Allow super admins to recover their account is ON

COMMONCONTROLS-9 GWS Advanced Protection Program

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.9.1v0.4 Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.9.2v0.4 All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-10 App Access to Google APIs

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.10.1v0.4 Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps. Fail Shall The following services allow access: GSUITE_ADMIN.
GWS.COMMONCONTROLS.10.2v0.4 Agencies SHALL NOT allow users to consent to access to low-risk scopes. Fail Shall The following services allow access: GSUITE_ADMIN.
GWS.COMMONCONTROLS.10.3v0.4 Agencies SHALL NOT trust unconfigured internal apps. No events found Shall No relevant event in the current logs for the top-level OU, Org Name. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended.
GWS.COMMONCONTROLS.10.4v0.4 Agencies SHALL NOT allow users to access unconfigured third-party apps. No events found Shall No relevant event in the current logs for the top-level OU, Org Name. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended.
GWS.COMMONCONTROLS.10.5v0.4 Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented. Pass Shall Requirement met in all OUs and groups.

COMMONCONTROLS-11 Authorized Google Marketplace Apps

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.11.1v0.4 Only approved Google Workspace Marketplace applications SHALL be allowed for installation. Fail Shall The following OUs are non-compliant:
  • Org Name: Users can install and run any internal app, even if it's not allowlisted.

COMMONCONTROLS-12 Google Takeout Services for Users

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.12.1v0.4 Google Takeout services SHALL be disabled. Pass Shall Requirement met in all OUs and groups.

COMMONCONTROLS-13 System-defined Rules

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.13.1v0.4 Required system-defined alerting rules, as listed in the Policy group description, SHALL be enabled with alerts. Fail Shall Of the 39 required rules, at least 4 are enabled and 1 is disabled. Unable to determine the state of the 34 remaining required rules. See System Defined Alerts for more details.

COMMONCONTROLS-14 Google Workspace Logs

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.14.1v0.4 The following critical logs SHALL be sent to the agency's centralized SIEM. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.14.2v0.4 Audit logs SHALL be maintained for at least 6 months in active storage and an additional 18 months in cold storage, as dictated by OMB M-21-31. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-15 Data Regions and Storage

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.15.1v0.4 The data storage region SHALL be set to be the United States for all users in the agency's GWS environment. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.15.2v0.4 Data SHALL be processed in the region selected for data at rest. Pass Shall Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.15.3v0.4 The supplemental data storage region SHALL NOT be set to 'Russian Federation'. No events found Shall No relevant event in the current logs for the top-level OU, Org Name. While we are unable to determine the state from the logs, the default setting is compliant; manual check recommended.

COMMONCONTROLS-16 Additional Google Services

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.16.1v0.4 Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone. Pass Should Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.16.2v0.4 User access to Early Access Apps SHOULD be disabled. Warning Should The following OUs are non-compliant:
  • Org Name: Early access apps are ENABLED

COMMONCONTROLS-17 Multi-Party Approval

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.17.1v0.4 Require multi party approval for sensitive admin actions SHALL be enabled. Fail Shall The following OUs are non-compliant:
  • Org Name: Require multi party approval for sensitive admin actions is DISABLED

COMMONCONTROLS-18 Data Loss Prevention

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.18.1v0.4 A custom policy SHALL be configured for Google Drive to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.2v0.4 A custom policy SHALL be configured for Google Chat to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.3v0.4 A custom policy SHALL be configured for Gmail to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.4v0.4 The action for the above DLP policies SHOULD be set to block external sharing. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

System Defined Alerts

Note: As ScubaGoggles currently relies on admin log events to determine alert status, ScubaGoggles will not be able to determine the current status of any alerts whose state has not changed recently.

Alert Name Description Status
Account suspension warning Google Workspace accounts engaging in suspicious activity may have their account suspended. Google Workspace accounts must comply with the Google Workspace Terms of Service, Google Workspace for Education Terms of Service, Google Cloud Platform Terms of Service or Cloud Identity Terms of Service. Unknown
App Maker Cloud SQL setup A user has requested a Google Cloud SQL instance to be set up for use with App Maker. Unknown
Apps outage alert Alerts about new, updated, or resolved outage on the Google Workspace Status Dashboard. Unknown
Calendar settings changed An admin has changed Google Workspace Calendar settings. Unknown
Device compromised Provides details about devices in your domain that have entered a compromised state. Unknown
Directory sync cancelled due to safeguard threshold exceeded Directory sync has been automatically cancelled and disabled as the directory sync service detected a possibility to exceed deprovisioning safeguard threshold. Unknown
Domain data export initiated A Super Administrator for your Google account has started exporting data from your domain. Unknown
Drive settings changed An admin has changed Google Workspace Drive settings. Disabled
Email settings changed An admin has changed Google Workspace Gmail settings. Unknown
Exchange journaling failure Failures with Exchange journaling that ensures email traffic generated by Microsoft Exchange server users is properly archived in Google Vault. Unknown
Gmail potential employee spoofing Incoming messages where a sender's name is in your Google Workspace directory, but the mail is not from your company's domains or domain aliases. Unknown
Google Operations Provides details about security and privacy issues that affect your Google Workspace services. Unknown
Google Voice configuration problem Auto attendants and ring groups with invalid references may hang up at unexpected times. Unknown
Government-backed attacks Warnings about potential government-backed attacks. Unknown
Leaked password Google detected compromised credentials requiring a reset of the user's password. Unknown
Malware message detected post-delivery Messages detected as malware post-delivery that are automatically reclassified. Unknown
Mobile settings changed An admin has changed mobile management settings. Unknown
New user added A new user has been added to the domain. Enabled
Phishing in inboxes due to bad whitelist Messages classified as spam by Gmail filters delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters. Unknown
Phishing message detected post-delivery Messages detected as phishing post-delivery that are automatically reclassified. Unknown
Rate limited recipient A high rate of incoming email indicating a potential malicious attack or misconfigured setting. Unknown
Smarthost failure Alerts if a large number of messages can't be delivered to one of your smart host servers. Unknown
Spike in user-reported spam An unusually high volume of messages from a sender that users have marked as spam. Unknown
Suspended user made active A suspended user is made active. Unknown
Suspicious device activity Provides details if device properties such as device ID, serial number, type of device, or device manufacturer are updated. Unknown
Suspicious login Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location. Enabled
Suspicious message reported A sender has sent messages to your domain that users have classified as spam. Unknown
Suspicious programmatic login Google detected suspicious login attempts from potential applications or computer programs. Unknown
TLS failure Messages requiring Transport Layer Security (TLS) can't be delivered. Unknown
User deleted A user has been deleted from the domain. Unknown
User granted Admin privilege A user is granted an admin privilege. Enabled
User suspended (Google identity alert) Google detected suspicious activity and suspended the account. Unknown
User suspended (by admin) An admin has suspended the account. Unknown
User suspended due to suspicious activity Google suspended a user's account due to a potential compromise detected. Unknown
User suspended for spamming Google detected suspicious activity such as spamming and suspended the account. Unknown
User suspended for spamming through relay Google detected suspicious activity such as spamming through a SMTP relay service and suspended the account. Unknown
User's Admin privilege revoked A user is revoked of their admin privilege. Enabled
User-reported phishing A sender has sent messages to your domain that users have classified as phishings. Unknown
[Beta] Client-side encryption service unavailable A problem has been detected with your client-side encryption service indicating an outage or misconfigured setting. Unknown