Common Controls Baseline Report

Customer Name: Cool Example Org
Customer Domain: example.org
Customer ID: ABCDEFG
Report Date: 06/26/2025 16:02:22 Pacific Daylight Time
Baseline Version: 0.5
Tool Version: v0.5.0

COMMONCONTROLS-1 Phishing-Resistant Multifactor Authentication

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.1.1v0.5 Phishing-Resistant MFA SHALL be required for all users. Fail Shall The following OUs are non-compliant:
  • 2SV Exempt: Allowed 2-step verification (2SV) method is set to "Any".
  • Matthew Jones's OU: 2-step verification (2SV) is not enforced.
  • Cool Example Org: Allowed 2-step verification (2SV) method is set to "Any".
  • Cool Example Org (group "Pamela Martinez's group"): Allowed 2-step verification (2SV) method is set to "Any".
  • John Bennett's OU (in Matthew Jones's OU): Allowed 2-step verification (2SV) method is set to "Any except verification codes via text, phone call".
  • Cheryl Santiago's OU: Users cannot enable 2-step verification (2SV).
  • Andrea Davis's OU (test): Allowed 2-step verification (2SV) method is set to "Any".
GWS.COMMONCONTROLS.1.2v0.5 If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. Fail Shall The following OUs are non-compliant:
  • 2SV Exempt: 2-step verification (2SV) is not enforced.
  • Matthew Jones's OU: 2-step verification (2SV) is not enforced.
  • Cheryl Santiago's OU: Users cannot enable 2-step verification (2SV).
GWS.COMMONCONTROLS.1.3v0.5 SMS or Voice as the MFA method SHALL NOT be used. Fail Shall The following OUs are non-compliant:
  • 2SV Exempt: Verification codes via text and phone call allowed.
  • Matthew Jones's OU: 2-step verification (2SV) is not enforced.
  • Cool Example Org: Verification codes via text and phone call allowed.
  • Cool Example Org (group "Pamela Martinez's group"): Verification codes via text and phone call allowed.
  • Cheryl Santiago's OU: Users cannot enable 2-step verification (2SV).
  • Andrea Davis's OU (test): Verification codes via text and phone call allowed.
GWS.COMMONCONTROLS.1.4v0.5 Google 2SV new user enrollment period SHALL be set to at least 1 day or at most 1 week. Fail Shall The following OUs are non-compliant:
  • 2SV Exempt: New user enrollment period is NONE
  • Cool Example Org (group "Pamela Martinez's group"): New user enrollment period is NONE
  • Cheryl Santiago's OU: New user enrollment period 14 days (longer than 7 days)
GWS.COMMONCONTROLS.1.5v0.5 Allow users to trust the device SHALL be disabled. Fail Shall The following OUs are non-compliant:
  • 1-1-1-1 (in Matthew Jones's OU): User is allowed to trust device.
  • 1-1-1-1 (in Matthew Jones's OU) (group "Jennifer Owens's group"): User is allowed to trust device.
  • 2SV Exempt: User is allowed to trust device.
  • Cool Example Org: User is allowed to trust device.
  • Cool Example Org (group "Pamela Martinez's group"): User is allowed to trust device.
  • John Bennett's OU (in Matthew Jones's OU): User is allowed to trust device.
  • Andrea Davis's OU (test): User is allowed to trust device.

COMMONCONTROLS-2 Context-aware Access

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.2.1v0.5 Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented. Warning Should Requirement not met.

 Log-based check. See limitations.

COMMONCONTROLS-3 Login Challenges

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.3.1v0.5 Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization. Pass Should Requirement met in all OUs and groups.

 Log-based check. See limitations.
GWS.COMMONCONTROLS.3.2v0.5 Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles. Pass Should Requirement met in all OUs and groups.

 Log-based check. See limitations.

COMMONCONTROLS-4 User Session Duration

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.4.1v0.5 Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired. Fail Shall The following OUs are non-compliant:
  • Andrea Davis's OU (test): Web session duration: 20 hours

COMMONCONTROLS-5 Secure Passwords

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.5.1v0.5 User password strength SHALL be enforced. Pass Shall Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.5.2v0.5 User password length SHALL be at least 12 characters. Fail Shall The following OUs are non-compliant:
  • 1-1-1-1 (in 1/1-1/1-1-1): Minimum password length: 8, less than 12
GWS.COMMONCONTROLS.5.3v0.5 User password length SHOULD be at least 15 characters. Warning Should The following OUs are non-compliant:
  • 1-1-1-1 (in 1/1-1/1-1-1): Minimum password length: 8, recommended is at least 15
  • Matthew Jones's OU: Minimum password length: 12, recommended is at least 15
  • Cool Example Org: Minimum password length: 12, recommended is at least 15
  • Andrea Davis's OU (test): Minimum password length: 12, recommended is at least 15
GWS.COMMONCONTROLS.5.4v0.5 Password policy SHALL be enforced at next sign-in. Fail Shall The following OUs are non-compliant:
  • 1-1-1-1 (in 1/1-1/1-1-1): Enforce password policy at next sign-in is OFF
  • Cool Example Org: Enforce password policy at next sign-in is OFF
  • Fernando Rodriguez's OU: Enforce password policy at next sign-in is OFF
GWS.COMMONCONTROLS.5.5v0.5 User passwords SHALL NOT be reused. Fail Shall The following OUs are non-compliant:
  • Matthew Jones's OU: Allow password reuse is ON
GWS.COMMONCONTROLS.5.6v0.5 User passwords SHALL NOT expire. Fail Shall The following OUs are non-compliant:
  • Matthew Jones's OU: Password reset frequency is 30 days

COMMONCONTROLS-6 Privileged Accounts

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.6.1v0.5 All administrative accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.6.2v0.5 A minimum of two and maximum of eight separate and distinct super admin users SHALL be configured. Fail Shall The following super admins are configured: stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org, stephanieyoung@example.org. Note: Exceptions are allowed for "break glass" super admin accounts. "Break glass" accounts can be specified in a config file. 3 break glass accounts are currently configured.

COMMONCONTROLS-7 Conflicting Account Management

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.7.1v0.5 Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-8 Account Recovery Options

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.8.1v0.5 Account self-recovery for Andrea Davis's OU SHALL be disabled. Pass Shall Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.8.2v0.5 Account self-recovery for users and non-Andrea Davis's OU SHALL be disabled. Fail Shall The following OUs are non-compliant:
  • Cool Example Org: Users and non-Andrea Davis's OU are allowed to recover their accounts.
GWS.COMMONCONTROLS.8.3v0.5 Ability to add recovery information SHOULD be disabled. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-9 GWS Advanced Protection Program

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.9.1v0.5 Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.9.2v0.5 All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-10 App Access to Google APIs

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.10.1v0.5 Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.10.2v0.5 Agencies SHALL NOT allow users to consent to access to low-risk scopes. Fail Shall The following services allow access: CALENDAR.

 Log-based check. See limitations.
GWS.COMMONCONTROLS.10.3v0.5 Agencies SHALL NOT trust unconfigured internal apps. Pass Shall Requirement met in all OUs and groups.

 Log-based check. See limitations.
GWS.COMMONCONTROLS.10.4v0.5 Agencies SHALL NOT allow users to access unconfigured third-party apps. Fail Shall The following OUs are non-compliant:
  • Matthew Jones's OU: Unconfigured third-party app access is set to Allow users to access third-party apps that only request basic info needed for Sign in with Google.

 Log-based check. See limitations.
GWS.COMMONCONTROLS.10.5v0.5 Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented. Pass Shall Requirement met in all OUs and groups.

COMMONCONTROLS-11 Authorized Google Marketplace Apps

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.11.1v0.5 Only approved Google Workspace Marketplace applications SHALL be allowed for installation. Fail Shall The following OUs are non-compliant:
  • Cool Example Org: Users can install and run any internal app, even if it's not allowlisted.

COMMONCONTROLS-12 Google Takeout Services for Users

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.12.1v0.5 Google Takeout services SHALL be disabled. Fail Shall The following OUs are non-compliant:
  • Matthew Jones's OU: The following apps with individual admin control have Takeout enabled: YouTube
  • Cool Example Org: Takeout is enabled for services without an individual admin control.
  • Cool Example Org: The following apps with individual admin control have Takeout enabled: Blogger, Google Books

COMMONCONTROLS-13 System-defined Rules

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.13.1v0.5 Required system-defined alerting rules, as listed in the Policy group description, SHALL be enabled with alerts. N/A Shall/Not-Implemented Of the 39 required rules, at least 1 is enabled and 2 are disabled. Unable to determine the state of the 36 remaining required rules. See System Defined Alerts for more details.

 Log-based check. See limitations.

COMMONCONTROLS-14 Google Workspace Logs

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.14.1v0.5 The following critical logs SHALL be sent to the agency's centralized SIEM. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.14.2v0.5 Audit logs SHALL be maintained for at least 6 months in active storage and an additional 18 months in cold storage, as dictated by OMB M-21-31. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-15 Data Regions and Storage

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.15.1v0.5 The data storage region SHALL be set to be the United States for all users in the agency's GWS environment. N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.15.2v0.5 Data SHALL be processed in the region selected for data at rest. Pass Shall Requirement met in all OUs and groups.

 Log-based check. See limitations.

COMMONCONTROLS-16 Additional Google Services

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.16.1v0.5 Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone. Pass Should Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.16.2v0.5 User access to Early Access apps SHOULD be disabled. Warning Should The following OUs are non-compliant:
  • Cool Example Org: Early access apps are ENABLED

COMMONCONTROLS-17 Multi-Party Approval

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.17.1v0.5 Require multi party approval for sensitive admin actions SHALL be enabled. Fail Shall The following OUs are non-compliant:
  • Cool Example Org: Require multi party approval for sensitive admin actions is DISABLED

 Log-based check. See limitations.

COMMONCONTROLS-18 Data Loss Prevention

Control ID Requirement Result Criticality Details
GWS.COMMONCONTROLS.18.1v0.5 A custom policy SHALL be configured for Google Drive to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.2v0.5 A custom policy SHALL be configured for Google Chat to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.3v0.5 A custom policy SHALL be configured for Gmail to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). N/A Shall/Not-Implemented Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.4v0.5 The action for the above DLP policies SHOULD be set to block external sharing. N/A Should/Not-Implemented Currently not able to be tested automatically; please manually check.

System Defined Alerts

Note: As ScubaGoggles currently relies on admin log events to determine alert status, ScubaGoggles will not be able to determine the current status of any alerts whose state has not changed recently.

Alert Name Description Status
Account suspension warning Google Workspace accounts engaging in suspicious activity may have their account suspended. Google Workspace accounts must comply with the Google Workspace Terms of Service, Google Workspace for Education Terms of Service, Google Cloud Platform Terms of Service or Cloud Identity Terms of Service. Unknown
App Maker Cloud SQL setup A user has requested a Google Cloud SQL instance to be set up for use with App Maker. Unknown
Apps outage alert Alerts about new, updated, or resolved outage on the Google Workspace Status Dashboard. Unknown
Calendar settings changed An admin has changed Google Workspace Calendar settings. Unknown
Device compromised Provides details about devices in your domain that have entered a compromised state. Unknown
Directory sync cancelled due to safeguard threshold exceeded Directory sync has been automatically cancelled and disabled because the directory sync service detected that the deprovisioning safeguard threshold might be exceeded. Unknown
Domain data export initiated A Super Administrator for your Google account has started exporting data from your domain. Unknown
Drive settings changed An admin has changed Google Workspace Drive settings. Disabled
Email settings changed An admin has changed Google Workspace Gmail settings. Unknown
Exchange journaling failure Failures with Exchange journaling, which ensures that email traffic generated by Microsoft Exchange server users is properly archived in Google Vault. Unknown
Gmail potential employee spoofing Incoming messages where a sender's name is in your Google Workspace directory, but the mail is not from your company's domains or domain aliases. Unknown
Google Operations Provides details about security and privacy issues that affect your Google Workspace services. Unknown
Google Voice configuration problem Auto attendants and ring groups with invalid references may hang up at unexpected times. Unknown
Government-backed attacks Warnings about potential government-backed attacks. Unknown
Leaked password Google detected compromised credentials requiring a reset of the user's password. Unknown
Malware message detected post-delivery Messages detected as malware post-delivery that are automatically reclassified. Unknown
Mobile settings changed An admin has changed mobile management settings. Unknown
New user added A new user has been added to the domain. Unknown
Phishing in inboxes due to bad whitelist Messages classified as spam by Gmail filters delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters. Unknown
Phishing message detected post-delivery Messages detected as phishing post-delivery that are automatically reclassified. Unknown
Rate limited recipient A high rate of incoming email indicating a potential malicious attack or misconfigured setting. Unknown
Smarthost failure Alerts if a large number of messages can't be delivered to one of your smart host servers. Disabled
Spike in user-reported spam An unusually high volume of messages from a sender that users have marked as spam. Unknown
Suspended user made active A suspended user is made active. Unknown
Suspicious device activity Provides details if device properties such as device ID, serial number, type of device, or device manufacturer are updated. Unknown
Suspicious login Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location. Enabled
Suspicious message reported A sender has sent messages to your domain that users have classified as spam. Unknown
Suspicious programmatic login Google detected suspicious login attempts from potential applications or computer programs. Unknown
TLS failure Messages requiring Transport Layer Security (TLS) can't be delivered. Unknown
User deleted A user has been deleted from the domain. Unknown
User granted Admin privilege A user is granted an admin privilege. Unknown
User suspended (Google identity alert) Google detected suspicious activity and suspended the account. Unknown
User suspended (by admin) An admin has suspended the account. Unknown
User suspended due to suspicious activity Google suspended a user's account due to a potential compromise detected. Unknown
User suspended for spamming Google detected suspicious activity such as spamming and suspended the account. Unknown
User suspended for spamming through relay Google detected suspicious activity such as spamming through an SMTP relay service and suspended the account. Unknown
User's Admin privilege revoked A user's admin privilege is revoked. Unknown
User-reported phishing A sender has sent messages to your domain that users have classified as phishing. Unknown
[Beta] Client-side encryption service unavailable A problem has been detected with your client-side encryption service indicating an outage or misconfigured setting. Unknown