The Cybersecurity and Infrastructure Security Agency (CISA) is taking strides to fortify federal civilian agencies’ cybersecurity as they modernize IT infrastructures and increasingly rely on cloud services. Recent threat activities underscore the need for robust security measures, prompting CISA to develop Secure Configuration Baselines for Google Workspace (GWS) along with the ScubaGoggles assessment tool. These resources aim to assist federal agencies in securing GWS environments, leveraging native security features, and enhancing overall cybersecurity posture. The effort aligns with the Executive Order 14028 and the government’s commitment to advancing cloud security practices, encryption, and multifactor authentication.
Earlier this year, CISA collaborated with federal agencies to apply the Secure Cloud Business Applications (SCuBA) secure configuration baselines for Microsoft 365 (M365). Now, expanding this initiative to GWS reflects a comprehensive approach to secure cloud environments. The GWS baselines provide tailored security controls for nine core GWS services, covering critical components like Gmail, Google Drive, and Google Meet. Once implemented, these baselines aim to reduce misconfigurations, protect sensitive data, and enhance overall cybersecurity resilience.
CISA invites public comment on the GWS baselines and ScubaGoggles tool, emphasizing the collaborative approach to address evolving technologies and cybersecurity challenges. The release of these baselines for widely-used business platforms, including M365 and GWS, reinforces CISA’s mission to secure federal IT enterprises and serves as a valuable resource for organizations beyond the federal government. The agency encourages stakeholders to validate and enhance the automated implementation of these baselines, fostering a collective effort to strengthen cybersecurity across diverse cloud-based business applications. Interested federal agencies are invited to coordinate with CISA in refining the baselines and related tools, underscoring the importance of collective action in safeguarding critical IT infrastructures.
