Secure Cloud Business Applications (SCuBA)

Baseline Documents

Light mode

Google Drive and Docs Baseline Report

Customer Name	Customer Domain	Customer ID	Report Date	Baseline Version	Tool Version
Cool Example Org	example.org	ABCDEFG	10/10/2025 13:08:58 Pacific Daylight Time	0.6	v0.6.0

DRIVEDOCS-1 Sharing Outside the Organization

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.1.1v0.6	External sharing SHALL be restricted to allowlisted domains.	Warning	Should	The following OUs are non-compliant: Anita Short's OU: Files owned by users or shared drives can be shared outside of the organization Cool Example Org: Files owned by users or shared drives can be shared with Google accounts in compatible allowlisted domains
GWS.DRIVEDOCS.1.2v0.6	Receiving files from outside of allowlisted domains SHOULD be disabled.	Warning	Should	The following OUs are non-compliant: Cool Example Org: File sharing with allowlisted domains, receiving files permitted.
GWS.DRIVEDOCS.1.3v0.6	Warnings SHALL be enabled when a user is attempting to share with someone not in allowlisted domains.	Pass	Shall	Requirement met in all OUs and groups.
GWS.DRIVEDOCS.1.4v0.6	If sharing outside of the organization, then agencies SHOULD disable sharing of files with individuals who are not using a Google account.	Fail	Shall	The following OUs are non-compliant: Cool Example Org: File sharing with allowlisted domains, with non-Google users.
GWS.DRIVEDOCS.1.5v0.6	Any OUs that do allow external sharing SHOULD disable making content available to anyone with the link.	Fail	Shall	The following OUs are non-compliant: Cool Example Org: Published web content can be made visible to anyone with a link
GWS.DRIVEDOCS.1.6v0.6	Agencies SHALL set access checking to recipients only.	Fail	Shall	The following OUs are non-compliant: Jonathan Edwards's OU: Access Checker allows users to share files to recipients only, suggested target audience, or public (no Google account required) Cool Example Org: Access Checker allows users to share files to recipients only, suggested target audience, or public (no Google account required)
GWS.DRIVEDOCS.1.7v0.6	Users SHOULD NOT be allowed to upload or move content to shared drives owned by another organization.	Pass	Shall	Requirement met in all OUs and groups.
GWS.DRIVEDOCS.1.8v0.6	Private to owner SHALL be the default access level for newly created items.	Fail	Shall	The following OUs are non-compliant: Jonathan Edwards's OU: When users create items, the default access is set to: the primary target audience can search and find the item.
GWS.DRIVEDOCS.1.9v0.6	Out-of-Domain file-level warnings SHALL be enabled.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.DRIVEDOCS.1.10v0.6	If external sharing isn't allowed, then forms owned by users within your organization SHOULD NOT be able to accept responses from anyone with the link outside the organization.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.DRIVEDOCS.1.11v0.6	If receiving external files isn’t allowed, then users in your organization SHOULD NOT be able to submit responses to forms from users or shared drives outside of your organization.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.

DRIVEDOCS-2 Shared Drive Creation

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.2.1v0.6	Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.	Warning	Should	The following OUs are non-compliant: Anita Short's OU: Members with manager access can override shared drive settings.
GWS.DRIVEDOCS.2.2v0.6	Agencies SHALL allow users who are not shared drive members to be added to files.	Fail	Shall	The following OUs are non-compliant: Anita Short's OU: Users who aren't shared drive members are not allowed to be added to files.

DRIVEDOCS-3 Security Updates for Files

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.3.1v0.6	Agencies SHALL enable the security update for Drive files.	Fail	Shall	The following OUs are non-compliant: Cool Example Org: Users are allowed to remove/apply the security update for files they own or manage.

DRIVEDOCS-4 Drive SDK

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.4.1v0.6	Agencies SHOULD disable Drive SDK access.	Pass	Should	Requirement met in all OUs and groups.

DRIVEDOCS-5 User Installation of Drive and Docs Add-Ons

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.5.1v0.6	Agencies SHALL disable Add-Ons.	Pass	Shall	Requirement met in all OUs and groups. Log-based check. See limitations.

DRIVEDOCS-6 Drive for Desktop

Control ID	Requirement	Result	Criticality	Details
GWS.DRIVEDOCS.6.1v0.6	Google Drive for Desktop SHALL be enabled only for authorized devices.	Warning	Should	The following OUs are non-compliant: Cool Example Org (group "Kathryn Brooks's group"): Drive for Desktop is enabled and can be used on any device. Cool Example Org (group "Alyssa Tate's group"): Drive for Desktop is enabled and can be used on any device. Cool Example Org (group "Mrs. Kristina Boyle's group"): Drive for Desktop is enabled and can be used on any device.