Change Common Controls 7.1 to SHOULD and update Common Controls Polic…

…y Group 17 resource link (#558) * Changed 7.1 to SHOULD and Fixed CC 17 Resource Link * Updated Drift Rules * Updated Date * Change CommonControls 7.1 to SHOULD in rego --------- Co-authored-by: Alden Hilton <[email protected]>
cisagov · Jan 9, 2025 · 3f9ff5e · 3f9ff5e
1 parent 2219d49
commit 3f9ff5e
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
@@ -16,7 +16,7 @@ GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,C
 GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
 GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
 GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
-GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
+GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
 GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
 GWS.COMMONCONTROLS.9.1v0.3,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20
 GWS.COMMONCONTROLS.9.2v0.3,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21

diff --git a/scubagoggles/baselines/commoncontrols.md b/scubagoggles/baselines/commoncontrols.md
@@ -604,10 +604,10 @@ By changing the email address, the user resolves the conflict by ensuring that t
 ### Policies
 
 #### GWS.COMMONCONTROLS.7.1v0.3
-Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.
+Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.
 
 - _Rationale:_ Unmanaged user accounts cannot be controlled or monitored by workspace admins. By resolving conflicting accounts, you ensure all users in your workspace are using managed accounts.
-- _Last modified:_ September 14, 2023
+- _Last modified:_ January 2025
 
 - MITRE ATT&CK TTP Mapping
   - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/)
@@ -1243,7 +1243,7 @@ Require multi party approval for sensitive admin actions SHALL be enabled.
   - No TTP Mappings
 
 ### Resources
--	[GWS Admin Help \| Multi-party approval for sensitive actions](https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F13790448%3Fhl%3Den&assistant_id=generic-unu&product_context=13790448&product_name=UnuFlow&trigger_context=a)
+-	[GWS Admin Help \| Multi-party approval for sensitive actions](https://support.google.com/a/answer/13790448?hl=en-Link)
 
 ### Prerequisites
 

diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
@@ -1207,7 +1207,7 @@ CommonControlsId7_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.7.1")
 
 tests contains {
     "PolicyId": CommonControlsId7_1,
-    "Criticality": "Shall/Not-Implemented",
+    "Criticality": "Should/Not-Implemented",
     "ReportDetails": "Currently not able to be tested automatically; please manually check.",
     "ActualValue": "",
     "RequirementMet": false,