CISA | DEFEND TODAY. SECURE TOMORROW.
1. CISA GOOGLE WORKSPACE SECURE CONFIGURATION BASELINE
FOR GOOGLE DRIVE AND DOCS
Google Drive and Docs are collaboration tools in Google Workspace that support document management and
storage, access, and sharing of files. Drive and Docs allow administrators to control and manage their files and
documents. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Drive and Docs
security.
The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure
agencies’ cloud business application environments and protect federal information that is created, accessed,
shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google
Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within
GWS cloud environments through consistent, effective, modern, and manageable security configurations.
The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business
application environments through consistent, effective, and manageable security configurations. CISA created
baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every
organization has different threat models and risk tolerance. Non-governmental organizations may also find
value in applying these baselines to reduce risks.
The information in this document is provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not
endorse any commercial product or service, including any subjects of analysis. Any reference to specific
commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer,
or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. This
document does not address, ensure compliance with, or supersede any law, regulation, or other authority.
Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the
use of technology. This document is not intended to, and does not, create any right or benefit for anyone
against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other
person.
This baseline is based on Google documentation available at Google Workspace Admin Help: Overview:
Manage Drive for an organization and addresses the following:
• Sharing Outside the Organization
• Shared Drive Creation
• Security Updates for Files
• Drive SDK
• Installation of Drive and Doc Add-Ons
• Drive for Desktop
• DLP Rules
Settings can be assigned to certain users within Google Workspace through organizational units, configuration
groups, or individually. Before changing a setting, the user can select the organizational unit, configuration
group, or individual users to which they want to apply changes.
1.1 ASSUMPTIONS
This document assumes the organization is using GWS Enterprise Plus.
This document does not address, ensure compliance with, or supersede any law, regulation, or other
authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may