CISA Seeks Public Opinion on Google Workspace Secure Configuration Baselines

CISA is asking for public opinion on SCuBA secure configuration baselines for nine Google Workspace services.

The US cybersecurity agency CISA on Tuesday released draft guidance and capabilities for federal agencies to securely use Google Workspace services.

The proposed materials, for which CISA is seeking public comment, include Secure Cloud Business Applications (SCuBA) secure configuration baselines for nine Google Workspace (GWS) services, namely Calendar, Chat, Common Controls, Classroom, Drive and Docs, Gmail, Groups for Business, Meet, and Sites.

“Federal agencies and other organizations are invited to adopt the draft baselines in their GWS environments, tailor them to reflect their own unique needs and risk tolerances, and then share their experiences with CISA during the public comment period,” CISA notes.

Federal agencies are encouraged to provide feedback on the draft baselines until January 12, 2024. The baselines are available on GitHub and on CISA’s website.

The cybersecurity agency also announced the release of ScubaGoggles, an assessment tool designed to help organizations verify that their GWS configuration falls in line with the policies outlined in the SCuBA security configuration baselines.

The tool, which relies on GWS admin log events to perform assessments, was released in alpha and is under active development, meaning that outputs might not be correct, CISA warns.

“CISA requests public comment on the GWS baselines and the ScubaGoggles tool to help ensure our products enable necessary security improvements to keep pace with evolving technologies while considering the challenging cyber threat environment,” the agency notes.

The GWS baseline documentation provides minimum secure configuration baselines to help federal agencies secure collaboration, along with data and sensitive information stored and transmitted via GWS services.


“Once finalized and fully implemented, the GWS baselines will reduce misconfigurations and enhance the protection of sensitive data, bolstering overall cybersecurity resilience. These baselines provide a collection of tailored security controls for nine core GWS services,” CISA says.

The development of the Google Workspace baselines built on CISA’s experience from the Microsoft 365 baselines project, which was opened to public comment between October and December 2022. The agency plans to release the final M365 baselines in early 2024.

The US government’s cybersecurity arm also asks federal agencies to help it “validate and enhance the automated implementation of these SCuBA baselines,” and encourages them to contact CISA for coordination.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

