The Cybersecurity and Infrastructure Security Agency (CISA), as part of its Secure Cloud Business Applications (SCuBA) program, today released a series of nine security configuration baselines for Google Workspace, covering applications such as Gmail, Google Drive, and Google Meet.
“As federal civilian agencies continue to modernize IT enterprises, increased reliance on cloud services, platform services, and external providers has introduced new types of risks,” CISA Associate Director Michael Duffy wrote in a Dec. 12 blog post.
“Recent threat activity from groups such as Storm-0558 have demonstrated the importance of hardening email and identity infrastructure, enabling key security capabilities such as logging, and enhancing the security of underlying cloud environments,” he added.
CISA released the SCuBA project’s Google Workspace (GWS) secure configuration baselines along with a new assessment tool, ScubaGoggles.
Developed in close collaboration with Google, these materials are specifically designed to assist Federal agencies with securing GWS environments and leveraging native security capabilities to enhance an organization’s overall cyber posture, CISA said.
However, the agency is encouraging every organization, public and private, to use the new GWS tools, noting that everyone can benefit from the security recommendations and best practices outlined and should consider whether their current baseline requires enhancements in light of the evolving cyber threat environment.
CISA is requesting public comment on the GWS baselines and the ScubaGoggles tool to help ensure its products enable necessary security improvements to keep pace with evolving technologies while considering the challenging cyber threat environment.
All comments on the GWS baselines are due by Jan. 12 via email to CyberSharedServices@cisa.dhs.gov.
Once finalized and fully implemented, the GWS baselines will reduce misconfigurations and enhance the protection of sensitive data, bolstering overall cybersecurity resilience, CISA said.
These baselines provide a collection of tailored security controls for nine core GWS services. They cover key GWS components, such as safeguarding collaboration on Google Meet, securing data stored in Gmail, or protecting sensitive information in Google Drive and Docs.
CISA said it is also asking Federal agencies to help validate and enhance the automated implementation of these SCuBA Baselines. Agencies interested in coordinating with CISA to help refine the baselines, implementation guidance, and assessment tool should email CyberSharedServices@cisa.dhs.gov.
CISA’s GWS baselines unveiled today follow the agency’s SCuBA baselines for Microsoft 365 (M365).
CISA noted that its GWS Baselines draw upon the success, lessons learned, and expertise gained from the M365 Baselines project to apply a consistent and comprehensive approach to securing GWS cloud environments.
“The publication of the GWS and M365 Baselines will further CISA’s mission to secure the federal IT enterprise while also serving as a resource for all organizations leveraging the two most widely-used business platforms,” Duffy wrote in a blog post. “Users across the Federal Government and beyond rely on these cloud-based business applications daily to communicate and store sensitive information and conduct critical business functions which is precisely why these systems remain such prime targets for malicious actors.”
He added, “Our goal is to help organizations secure their work, keep confidential information private, and empower cybersecurity teams to harden these environments and gain operational visibility within these cloud-based business applications.”
The baselines for both GWS and M365 are available for download on CISA’s GitHub or at CISA.gov/SCUBA.