CISA Seeks Public Comment on Newly Developed Secure Configuration Baselines for Google Workspace  


By Michael Duffy, Associate Director, CISA 

As federal civilian agencies continue to modernize IT enterprises, increased reliance on cloud services, platform services, and external providers has introduced new types of risks. Recent threat activity from groups such as Storm-0558 have demonstrated the importance of hardening email and identity infrastructure, enabling key security capabilities such as logging, and enhancing the security of underlying cloud environments. The Administration’s Executive Order 14028 has accelerated cross-government efforts to advance cloud security practices, implement encryption and multifactor authentication, and enhance operational visibility and logging on federal government networks.  

Earlier this year, CISA worked with a dozen federal agencies to apply the Secure Cloud Business Applications (SCuBA) secure configuration baselines for Microsoft 365 (M365) across agency enterprises. Using our ScubaGear assessment tool, agency practitioners implemented advanced protections and configured cloud environments to better safeguard sensitive information and secure government services against sophisticated threat actors. Though the Microsoft-specific baselines were developed collaboratively with the Federal Chief Information Officers Council to provide necessary security enhancements for most federal cloud business applications, we quickly identified that more was needed. 

Today, CISA takes another step forward by releasing the SCuBA project’s Google Workspace (GWS) secure configuration baselines along with our new assessment tool, ScubaGoggles. Developed in close collaboration with Google, these materials are specifically designed to assist federal agencies with securing GWS environments and leveraging native security capabilities to enhance an organization’s overall cyber posture. However, every organization, public and private, can benefit from the security recommendations and best practices outlined in the GWS Baselines and should consider whether their current baseline requires enhancements in light of the evolving cyber threat environment.

CISA requests public comment on the GWS baselines and the ScubaGoggles tool to help ensure our products enable necessary security improvements to keep pace with evolving technologies while considering the challenging cyber threat environment. CISA’s GWS Baselines draw upon the success, lessons learned and expertise gained from the M365 Baselines project to apply a consistent and comprehensive approach to securing GWS cloud environments. 

Once finalized and fully implemented, the GWS baselines will reduce misconfigurations and enhance the protection of sensitive data, bolstering overall cybersecurity resilience. These baselines provide a collection of tailored security controls for nine core GWS services. They cover key GWS components, such as safeguarding collaboration on Google Meet, securing data stored in Gmail or protecting sensitive information in Google Drive and Docs.  

The GWS series includes minimum viable secure configuration baselines for: 

Groups for Business 


Google Calendar 

 Google Chat 

Google Classroom 

Google Drive and Docs 

Google Meet 

Google Sites 

Google Common Controls 


The publication of the GWS and M365 Baselines will further CISA’s mission to secure the federal IT enterprise while also serving as a resource for all organizations leveraging the two most widely-used business platforms. Users across the Federal Government and beyond rely on these cloud-based business applications daily to communicate and store sensitive information and conduct critical business functions which is precisely why these systems remain such prime targets for malicious actors. Our goal is to help organizations secure their work, keep confidential information private, and empower cybersecurity teams to harden these environments and gain operational visibility within these cloud-based business applications.  

Along with seeking public comment from all interested stakeholders, CISA asks federal agencies to help validate and enhance the automated implementation of these SCuBA Baselines. Agencies interested in coordinating with CISA to help refine the baselines, implementation guidance, and the assessment tool should email  

Please send all comments on the GWS baselines via email to by January 12, 2024. The baselines are available for download on CISA’s GitHub or at