Google Workspace
by Google
Cloud-based productivity and collaboration suite with built-in identity and security controls
Authoritative Sources
Key guidance documents from authoritative organizations.
CISA SCuBA provides security baselines for Google Workspace with specific policy IDs and MITRE ATT&CK mappings. Required for BOD 25-01 compliance. Source: CISA SCuBA Project.
GWS.COMMONCONTROLS.1.1v0.6: "Phishing-Resistant MFA SHALL be required for all users." Maps to T1110 (Brute Force), T1566 (Phishing).
GWS.COMMONCONTROLS.1.3v0.6: "SMS or Voice as the MFA method SHALL NOT be used."
GWS.COMMONCONTROLS.2.1v0.6: "Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented."
GWS.COMMONCONTROLS.6.1v0.6: "Super admins SHOULD be in a separate OU and have policies specific to their roles."
CIS provides security configuration benchmarks for Google Workspace.
1.1.2: "Ensure Enforce 2-Step Verification is set to ON."
1.1.3: "Ensure only Security Keys are allowed for 2-Step Verification."
2.1.1: "Ensure Mail Delegation is disabled."
3.1.1: "Ensure Link Sharing is restricted."
5.1.1: "Ensure only authorized Marketplace apps are allowed."
NIST SP 800-63B §4.2: "AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Proof of possession and control of two different authentication factors is required." §4.3: "AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance." Google security keys and Titan Security Keys meet AAL3.
Google's official security checklist covering 2-Step Verification enforcement, admin account security, password policies, OAuth app controls, mobile device management, and audit logging.
Verification Commands
Commands and queries for testing and verifying security configurations.
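The Directory API users query in this section returns per-user 2-Step Verification state and OU placement, which is what SCuBA GWS.COMMONCONTROLS.1.1 / CIS 1.1.2 and GWS.COMMONCONTROLS.6.1 are checked against. The following is an added example, not code from this page, CISA or Google: it audits a constructed users response, assuming the dedicated super-admin OU is named "/Admins".

```python
"""Audit a Directory API users response for 2SV and super-admin OU findings.

Input: the JSON body of GET /admin/directory/v1/users?domain={domain}&projection=full.
Fields used (isEnrolledIn2Sv, isEnforcedIn2Sv, isAdmin, orgUnitPath, suspended)
are part of the Directory API User resource. Sample data below is constructed."""
import json

# Constructed sample response; not a real tenant.
SAMPLE_RESPONSE = json.dumps({"kind": "admin#directory#users", "users": [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "orgUnitPath": "/Admins", "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": True, "orgUnitPath": "/Staff", "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": False, "orgUnitPath": "/Staff", "suspended": False},
    {"primaryEmail": "dave@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "orgUnitPath": "/Staff", "suspended": True},
]})

ADMIN_OU = "/Admins"  # assumed name of the separate super-admin OU (CC.6.1)


def audit_users(response_json: str, admin_ou: str = ADMIN_OU) -> list:
    """Return (email, finding) tuples. Suspended accounts are skipped because
    they cannot sign in; everything else is checked against the baselines."""
    findings = []
    for user in json.loads(response_json).get("users", []):
        if user.get("suspended"):
            continue
        email = user["primaryEmail"]
        # CC.1.1 / CIS 1.1.2: 2SV must be enforced by policy, not just enrolled.
        if not user.get("isEnforcedIn2Sv", False):
            findings.append((email, "2SV not enforced (CC.1.1 / CIS 1.1.2)"))
        # Enforcement without enrollment means the user has no second factor yet.
        if not user.get("isEnrolledIn2Sv", False):
            findings.append((email, "2SV not enrolled"))
        # CC.6.1: super admins belong in their own OU with role-specific policies.
        if user.get("isAdmin") and user.get("orgUnitPath") != admin_ou:
            findings.append((email, "super admin outside admin OU (CC.6.1)"))
    return findings


if __name__ == "__main__":
    for email, finding in audit_users(SAMPLE_RESPONSE):
        print(f"{email}: {finding}")
```

The same fields can be read from `gam print users 2sv` output if you prefer GAM over the raw API.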
scubagoggles gws --baselines commoncontrols gmail drive groups
scubagoggles gws --baselines commoncontrols --outputpath ./audit
scubagoggles gws --baselines gmail --outputpath ./email-audit
gam print users 2sv
GET /admin/directory/v1/users?domain={domain}&projection=full
GET /admin/directory/v1/users/{userKey}/tokens
Related Controls
Security controls from various frameworks that relate to Google Workspace.