From 0d7209a25ebc8255808c8399805e08ea3c2d0e69 Mon Sep 17 00:00:00 2001 From: "Max Dueltgen (MITRE)" <148897369+mdueltgen@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:50:31 -0500 Subject: [PATCH] Changing Common Controls 3.1 from SHALL to SHOULD (#490) * reducing shall to should * change Common Controls 3.1 rego to should * update SHALL to SHOULD in drift rule --------- Co-authored-by: buidav <105074908+buidav@users.noreply.github.com> Co-authored-by: Alden Hilton --- baselines/commoncontrols.md | 2 +- ...rift Monitoring Rules - Common Controls as of 11-14-23.csv | 2 +- rego/Commoncontrols.rego | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/baselines/commoncontrols.md b/baselines/commoncontrols.md index ab14c749..85781681 100644 --- a/baselines/commoncontrols.md +++ b/baselines/commoncontrols.md @@ -308,7 +308,7 @@ Login challenges are additional security measures used to verify a user's identi ### Policies #### GWS.COMMONCONTROLS.3.1v0.3 -Login Challenges SHALL be enabled when third party SAML SSO is in use. +Login challenges SHOULD be enabled when third party SAML SSO is in use. - _Rationale:_ Without enabling Post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling Post-SSO verification will apply 2SV verification policies. - _Last modified:_ July 10, 2023 diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv index aa04d080..974e8300 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv 
@@ -5,7 +5,7 @@ GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Ad
 GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53
 GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49
 GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable
-GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHALL be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
+GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHOULD be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
 GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11
 GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21
 GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51
diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
index 92db95e5..4ea30acd 100644
--- a/rego/Commoncontrols.rego
+++ b/rego/Commoncontrols.rego
@@ -506,7 +506,7 @@ NonCompliantOUs3_1 contains {
 tests contains {
 "PolicyId": "GWS.COMMONCONTROLS.3.1v0.3",
- "Criticality": "Shall",
+ "Criticality": "Should",
 "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
 "ActualValue": "No relevant event for the top-level OU in the current logs",
 "RequirementMet": DefaultSafe,
@@ -520,7 +520,7 @@ if {
 tests contains {
 "PolicyId": "GWS.COMMONCONTROLS.3.1v0.3",
- "Criticality": "Shall",
+ "Criticality": "Should",
 # Empty list on the next line as this setting can't be set at the group level
 "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []),
 "ActualValue": {"NonCompliantOUs": NonCompliantOUs3_1},
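Review bot: The `"Criticality"` level for GWS.COMMONCONTROLS.3.1v0.3 is now a bare string literal repeated in two separate `tests contains` rules (the no-event rule at 506 and the OU-evaluation rule at 520), and nothing in the rego records why it is "Should" when the baseline's own rationale says that without post-SSO verification every 2SV policy is ignored for third-party SSO users, so a future edit to one rule and not the other would silently report the same control at two severities. A why-comment above each literal would make the downgrade and the coupling explicit, e.g. `# "Should" per baselines/commoncontrols.md GWS.COMMONCONTROLS.3.1v0.3 (#490); keep both 3.1 rules and the drift-rule CSV in sync`. If the file already centralises per-policy criticality elsewhere, hoisting this value into that single place would remove the duplication altogether. Both `tests contains` rules continue past the end of their hunks (the trailing fields and the `if { ... }` bodies are not shown here).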