Common Controls Baseline Report

Customer Name	Customer Domain	Customer ID	Report Date	Baseline Version	Tool Version
Cool Example Org	example.org	ABCDEFG	10/10/2025 13:08:58 Pacific Daylight Time	0.6	v0.6.0

COMMONCONTROLS-1 Phishing-Resistant Multifactor Authentication

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.1.1v0.6	Phishing-Resistant MFA SHALL be required for all users.	Fail	Shall	The following OUs are non-compliant: Example 2: 2-step verification (2SV) is not enforced. Amy Chavez's OU: Allowed 2-step verification (2SV) method is set to "Any". Cool Example Org: Allowed 2-step verification (2SV) method is set to "Any". Cool Example Org (group "Martin Merritt's group"): Allowed 2-step verification (2SV) method is set to "Any". Kristen Bates's OU (in Amy Chavez's OU): Allowed 2-step verification (2SV) method is set to "Any except verification codes via text, phone call". Marissa Holmes's OU: Users cannot enable 2-step verification (2SV). Christina Ingram's OU: Allowed 2-step verification (2SV) method is set to "Any".
GWS.COMMONCONTROLS.1.2v0.6	If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.	Fail	Shall	The following OUs are non-compliant: Example 2: 2-step verification (2SV) is not enforced. Marissa Holmes's OU: Users cannot enable 2-step verification (2SV).
GWS.COMMONCONTROLS.1.3v0.6	SMS or Voice as the MFA method SHALL NOT be used.	Fail	Shall	The following OUs are non-compliant: Example 2: 2-step verification (2SV) is not enforced. Amy Chavez's OU: Verification codes via text and phone call allowed. Cool Example Org: Verification codes via text and phone call allowed. Cool Example Org (group "Martin Merritt's group"): Verification codes via text and phone call allowed. Marissa Holmes's OU: Users cannot enable 2-step verification (2SV). Christina Ingram's OU: Verification codes via text and phone call allowed.
GWS.COMMONCONTROLS.1.4v0.6	Google 2SV new user enrollment period SHALL be set to at least 1 day or at most 1 week.	Fail	Shall	The following OUs are non-compliant: Example 2: 2-step verification (2SV) is not enforced. Amy Chavez's OU: New user enrollment period 180 days (longer than 7 days) Cool Example Org: New user enrollment period is NONE Cool Example Org (group "Martin Merritt's group"): New user enrollment period is NONE Marissa Holmes's OU: Users cannot enable 2-step verification (2SV).
GWS.COMMONCONTROLS.1.5v0.6	Allow users to trust the device SHALL be disabled.	Fail	Shall	The following OUs are non-compliant: example (in Amy Chavez's OU): User is allowed to trust device. example (in Amy Chavez's OU) (group "Christine Avila's group"): User is allowed to trust device. Example 2: 2-step verification (2SV) is not enforced. Amy Chavez's OU: User is allowed to trust device. Cool Example Org: User is allowed to trust device. Cool Example Org (group "Martin Merritt's group"): User is allowed to trust device. Kristen Bates's OU (in Amy Chavez's OU): User is allowed to trust device. Marissa Holmes's OU: Users cannot enable 2-step verification (2SV). Christina Ingram's OU: User is allowed to trust device.

COMMONCONTROLS-2 Context-aware Access

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.2.1v0.6	Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.	Warning	Should	Requirement not met. Log-based check. See limitations.

COMMONCONTROLS-3 Login Challenges

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.3.1v0.6	Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.	No events found	Should	No relevant event in the current logs for the top-level OU, Cool Example Org. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended. Log-based check. See limitations.
GWS.COMMONCONTROLS.3.2v0.6	Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.	No events found	Should	No relevant event in the current logs for the top-level OU, Cool Example Org. While we are unable to determine the state from the logs, the default setting is non-compliant; manual check recommended. Log-based check. See limitations.

COMMONCONTROLS-4 User Session Duration

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.4.1v0.6	Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.	Fail	Shall	The following OUs are non-compliant: Shelly Garcia's OU: Web session duration: 24 hours Christina Ingram's OU: Web session duration: 20 hours

COMMONCONTROLS-5 Secure Passwords

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.5.1v0.6	User password strength SHALL be enforced.	Pass	Shall	Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.5.2v0.6	User password length SHALL be at least 12 characters.	Fail	Shall	The following OUs are non-compliant: example (in Example sub OU/Jeff Smith's OU): Minimum password length: 8, less than 12
GWS.COMMONCONTROLS.5.3v0.6	User password length SHOULD be at least 15 characters.	Warning	Should	The following OUs are non-compliant: example (in Example sub OU/Jeff Smith's OU): Minimum password length: 8, recommended is at least 15 Example 2: Minimum password length: 12, recommended is at least 15 Amy Chavez's OU: Minimum password length: 12, recommended is at least 15 Shelly Garcia's OU: Minimum password length: 12, recommended is at least 15 Cool Example Org: Minimum password length: 12, recommended is at least 15 Christina Ingram's OU: Minimum password length: 12, recommended is at least 15
GWS.COMMONCONTROLS.5.4v0.6	Password policy SHALL be enforced at next sign-in.	Fail	Shall	The following OUs are non-compliant: example (in Example sub OU/Jeff Smith's OU): Enforce password policy at next sign-in is OFF Example 2: Enforce password policy at next sign-in is OFF Shelly Garcia's OU: Enforce password policy at next sign-in is OFF Cool Example Org: Enforce password policy at next sign-in is OFF Betty Aguirre's OU: Enforce password policy at next sign-in is OFF
GWS.COMMONCONTROLS.5.5v0.6	User passwords SHALL NOT be reused.	Fail	Shall	The following OUs are non-compliant: Amy Chavez's OU: Allow password reuse is ON Shelly Garcia's OU: Allow password reuse is ON
GWS.COMMONCONTROLS.5.6v0.6	User passwords SHALL NOT expire.	Fail	Shall	The following OUs are non-compliant: Amy Chavez's OU: Password reset frequency is 30 days Shelly Garcia's OU: Password reset frequency is 5184000 seconds

COMMONCONTROLS-6 Privileged Accounts

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.6.1v0.6	All administrative accounts SHALL leverage Google Account authentication with phishing-resistant multifactor authentication(MFA), not an agency's authoritative on-premises or federated identity system.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.6.2v0.6	A minimum of two and maximum of eight separate and distinct super admin users SHALL be configured.	Fail	Shall	The following super admins are configured: scottprince@example.net, scottprince@example.net, scottprince@example.net, scottprince@example.net, scottprince@example.net, scottprince@example.net. Note: Exceptions are allowed for "break glass" super admin accounts. "Break glass" accounts can be specified in a config file. 3 break glass accounts are currently configured.

COMMONCONTROLS-7 Conflicting Account Management

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.7.1v0.6	Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-8 Account Recovery Options

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.8.1v0.6	Account self-recovery for super admins SHALL be disabled.	Fail	Shall	The following OUs are non-compliant: Cool Example Org (group "Morgan Johnson's group"): Super admins are allowed to recover their accounts. Cool Example Org (group "Dustin Mitchell's group"): Super admins are allowed to recover their accounts.
GWS.COMMONCONTROLS.8.2v0.6	Account self-recovery for users and non-super admins SHALL be disabled.	Fail	Shall	The following OUs are non-compliant: Cool Example Org: Users and non-super admins are allowed to recover their accounts.
GWS.COMMONCONTROLS.8.3v0.6	Ability to add recovery information SHOULD be disabled.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-9 GWS Advanced Protection Program

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.9.1v0.6	Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.9.2v0.6	All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-10 App Access to Google APIs

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.10.1v0.6	Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.10.2v0.6	Agencies SHALL NOT allow users to consent to access to low-risk scopes.	Fail	Shall	The following services allow access: CALENDAR. Log-based check. See limitations.
GWS.COMMONCONTROLS.10.3v0.6	Agencies SHALL NOT trust unconfigured internal apps.	Pass	Shall	Requirement met in all OUs and groups. Log-based check. See limitations.
GWS.COMMONCONTROLS.10.4v0.6	Agencies SHALL NOT allow users to access unconfigured third-party apps.	Fail	Shall	The following OUs are non-compliant: Amy Chavez's OU: Unconfigured third-party app access is set to Allow users to access third-party apps that only request basic info needed for Sign in with Google. Log-based check. See limitations.
GWS.COMMONCONTROLS.10.5v0.6	Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.	Pass	Shall	Requirement met in all OUs and groups.

COMMONCONTROLS-11 Authorized Google Marketplace Apps

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.11.1v0.6	Only approved Google Workspace Marketplace applications SHALL be allowed for installation.	Fail	Shall	The following OUs are non-compliant: Betty Aguirre's OU: Users can install and run any internal app, even if it's not allowlisted.

COMMONCONTROLS-12 Google Takeout Services for Users

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.12.1v0.6	Google Takeout services SHALL be disabled.	Fail	Shall	The following OUs are non-compliant: Amy Chavez's OU: The following apps with individual admin control have Takeout enabled: YouTube Cool Example Org: Takeout is enabled for services without an individual admin control. Cool Example Org: The following apps with individual admin control have Takeout enabled: Blogger, Google Books

COMMONCONTROLS-13 System-defined Rules

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.13.1v0.6	Required system-defined alerting rules, as listed in the Policy group description, SHALL be enabled with alerts.	N/A	Shall/Not-Implemented	Of the 30 required rules, at least 0 are enabled and 2 are disabled. Unable to determine the state of the 28 remaining required rules. See System Defined Alerts for more details. Log-based check. See limitations.

COMMONCONTROLS-14 Google Workspace Logs

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.14.1v0.6	The following critical logs SHALL be sent to the agency's centralized SIEM.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.14.2v0.6	Audit logs SHALL be maintained for at least 6 months in active storage and an additional 18 months in cold storage, as directed by OMB M-21-31.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.

COMMONCONTROLS-15 Data Regions and Storage

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.15.1v0.6	The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.15.2v0.6	Data SHALL be processed in the region selected for data at rest.	Pass	Shall	Requirement met in all OUs and groups. Log-based check. See limitations.

COMMONCONTROLS-16 Additional Google Services

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.16.1v0.6	Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.	Pass	Should	Requirement met in all OUs and groups.
GWS.COMMONCONTROLS.16.2v0.6	User access to Early Access apps SHOULD be disabled.	Warning	Should	The following OUs are non-compliant: Cool Example Org: Early access apps are ENABLED

COMMONCONTROLS-17 Multi-Party Approval

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.17.1v0.6	Require multiparty approval for sensitive admin actions SHOULD be enabled.	Warning	Should	The following OUs are non-compliant: Cool Example Org: Require multi party approval for sensitive admin actions is DISABLED Log-based check. See limitations.

COMMONCONTROLS-18 Data Loss Prevention

Control ID	Requirement	Result	Criticality	Details
GWS.COMMONCONTROLS.18.1v0.6	A custom policy SHALL be configured for Google Drive to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN).	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.2v0.6	A custom policy SHALL be configured for Google Chat to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN).	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.3v0.6	A custom policy SHALL be configured for Gmail to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN).	N/A	Shall/Not-Implemented	Currently not able to be tested automatically; please manually check.
GWS.COMMONCONTROLS.18.4v0.6	The action for the above DLP policies SHOULD be set to block external sharing.	N/A	Should/Not-Implemented	Currently not able to be tested automatically; please manually check.

System Defined Alerts

Note: As ScubaGoggles currently relies on admin log events to determine alert status, ScubaGoggles will not be able to determine the current status of any alerts whose state has not changed recently.

Alert Name	Description	Status
Account suspension warning	Google Workspace accounts engaging in suspicious activity may have their account suspended. Google Workspace accounts must comply with the Google Workspace Terms of Service, Google Workspace for Education Terms of Service, Google Cloud Platform Terms of Service or Cloud Identity Terms of Service.	Unknown
Calendar settings changed	An admin has changed Google Workspace Calendar settings.	Unknown
Device compromised	Provides details about devices in your domain that have entered a compromised state.	Unknown
Domain data export initiated	A Super Administrator for your Google account has started exporting data from your domain.	Unknown
Drive settings changed	An admin has changed Google Workspace Drive settings.	Unknown
Email settings changed	An admin has changed Google Workspace Gmail settings.	Unknown
Gmail potential employee spoofing	Incoming messages where a sender's name is in your Google Workspace directory, but the mail is not from your company's domains or domain aliases.	Unknown
Google Operations	Provides details about security and privacy issues that affect your Google Workspace services.	Unknown
Government-backed attacks	Warnings about potential government-backed attacks.	Unknown
Leaked password	Google detected compromised credentials requiring a reset of the user's password.	Unknown
Malware message detected post-delivery	Messages detected as malware post-delivery that are automatically reclassified.	Unknown
Mobile settings changed	An admin has changed mobile management settings.	Unknown
Phishing in inboxes due to bad whitelist	Messages classified as spam by Gmail filters delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters.	Unknown
Phishing message detected post-delivery	Messages detected as phishing post-delivery that are automatically reclassified.	Unknown
Rate limited recipient	A high rate of incoming email indicating a potential malicious attack or misconfigured setting.	Unknown
SSO profile added	Alerts you when a new SSO profile allows users to sign in to Google services through your third-party identity provider.	Unknown
SSO profile updated	Alerts you when thereâ€™s a change to the SSO profile that allows users to sign in to Google services through your third-party identity provider.	Unknown
Spike in user-reported spam	An unusually high volume of messages from a sender that users have marked as spam.	Unknown
Super admin password reset	Alerts you when the password for a super admin account changes. This admin can manage all features in your Admin console and Admin APIs.	Unknown
Suspicious device activity	Provides details if device properties such as device ID, serial number, type of device, or device manufacturer are updated.	Unknown
Suspicious login	Google detected a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location.	Unknown
Suspicious message reported	A sender has sent messages to your domain that users have classified as spam.	Unknown
Suspicious programmatic login	Google detected suspicious login attempts from potential applications or computer programs.	Unknown
User granted Admin privilege	A user is granted an admin privilege.	Disabled
User suspended (Google identity alert)	Google detected suspicious activity and suspended the account.	Unknown
User suspended due to suspicious activity	Google suspended a user's account due to a potential compromise detected.	Unknown
User suspended for spamming	Google detected suspicious activity such as spamming and suspended the account.	Unknown
User suspended for spamming through relay	Google detected suspicious activity such as spamming through a SMTP relay service and suspended the account.	Unknown
User's Admin privilege revoked	A user is revoked of their admin privilege.	Disabled
User-reported phishing	A sender has sent messages to your domain that users have classified as phishings.	Unknown