CISA Seeks Public Opinion on Google Workspace Secure Configuration Baselines

CISA is asking for public opinion on SCuBA secure configuration baselines for nine Google Workspace services.

The US cybersecurity agency CISA on Tuesday released draft guidance and capabilities for federal agencies to securely use Google Workspace services.

The proposed materials, for which CISA is seeking public comment, include Secure Cloud Business Applications (SCuBA) secure configuration baselines for nine Google Workspace (GWS) services, namely Calendar, Chat, Common Controls, Classroom, Drive and Docs, Gmail, Groups for Business, Meet, and Sites.

“Federal agencies and other organizations are invited to adopt the draft baselines in their GWS environments, tailor them to reflect their own unique needs and risk tolerances, and then share their experiences with CISA during the public comment period,” CISA notes.

Federal agencies are encouraged to provide feedback on the draft baselines until January 12, 2024. The baselines are available on GitHub and on CISA’s website.

The cybersecurity agency also announced the release of ScubaGoggles, an assessment tool designed to help organizations verify that their GWS configuration falls in line with the policies outlined in the SCuBA security configuration baselines.

The tool, which relies on GWS admin log events to perform assessments, was released in alpha and is under active development, meaning that outputs might not be correct, CISA warns.

“CISA requests public comment on the GWS baselines and the ScubaGoggles tool to help ensure our products enable necessary security improvements to keep pace with evolving technologies while considering the challenging cyber threat environment,” the agency notes.

The GWS baseline documentation provides minimum secure configuration baselines to help federal agencies secure collaboration, along with data and sensitive information stored and transmitted via GWS services.

“Once finalized and fully implemented, the GWS baselines will reduce misconfigurations and enhance the protection of sensitive data, bolstering overall cybersecurity resilience. These baselines provide a collection of tailored security controls for nine core GWS services,” CISA says.

The development of the Google Workspace baselines built on CISA’s experience from the Microsoft 365 baselines project, which was open to public comment between October and December 2022. The agency plans to release the final M365 baselines in early 2024.

The US government’s cybersecurity arm also asks federal agencies to help it “validate and enhance the automated implementation of these SCuBA baselines”, and encourages them to contact CISA for coordination.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
