Add new post-SSO verification control (#493)

* Add 3.2 to common controls

* Adjust spacing

Co-authored-by: David Bui <[email protected]>

* Clarify org-wide vs other sso profiles.

---------

Co-authored-by: David Bui <[email protected]>

baselines/commoncontrols.md

@@ -302,16 +302,31 @@ Note that the implementation details of context-aware access use cases will vary
 -   Use nested access levels instead of selecting multiple access levels during assignment
 
 ## 3. Login Challenges
+Login challenges are additional security measures used to verify a user's identity, including post-SSO verification.
 
-Login challenges are additional security measures used to verify a user's identity. For example, Google might ask the user to confirm their recovery email before logging in as part of a challenge.
+Post-SSO verification controls what additional checks are performed (e.g., Google 2SV) after a user succesfully authenticates through a third-party identity provider.
+SSO is managed through profiles, which can be assigned org-wide or to specific org units/groups.
+Google Workspace handles post-SSO verification for profiles assigned org-wide as a separate case, allowing users more granual control of when post-SSO verification requirements apply.
 
 ### Policies
 
 #### GWS.COMMONCONTROLS.3.1v0.3
-Login challenges SHOULD be enabled when third party SAML SSO is in use.
+Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.
 
-- _Rationale:_ Without enabling Post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling Post-SSO verification will apply 2SV verification policies.
-- _Last modified:_ July 10, 2023
+- _Rationale:_ Without enabling post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling post-SSO verification will apply 2SV verification policies.
+- _Last modified:_ November 4, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
+    - [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)
+    - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
+    - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)
+
+#### GWS.COMMONCONTROLS.3.2v0.3
+Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.
+
+- _Rationale:_ Without enabling post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling post-SSO verification will apply 2SV verification policies.
+- _Last modified:_ November 4, 2024
 
 - MITRE ATT&CK TTP Mapping
   - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
@@ -326,19 +341,23 @@ Login challenges SHOULD be enabled when third party SAML SSO is in use.
 
 ### Prerequisites
 
--   When using Employee ID challenge, the Employee ID must be uploaded to Google Workspace through the Agency's Identity Management infrastructure (e.g., via GCDS).
+-   None
 
 ### Implementation
 
-#### GWS.COMMONCONTROLS.3.1v0.3 Instructions
+#### Policy Group 3 Common Instructions
 1.  Sign in to [Google Admin console](https://admin.google.com) as an administrator.
-2.  Select **Security**-\>**Authentication**-\>**Login challenges.**
+2.  Select **Security**-\>**Authentication**-\>**Login challenges**.
 3.  Under **Organizational units**, ensure that the name for the entire organization is selected.
-4.  Click **Post-SSO verification**, then select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. Click **SAVE**.
-5.  Optionally, if employee IDs are known to agency employees (or accessible to the employee outside of Google Workspace), they may be used.
-6.  Click **Login challenges**.
-7.  Select the **Use employee ID to keep my users more secure** checkbox.
-8.  Click **SAVE**.
+4.  Click **Post-SSO verification**.
+
+#### GWS.COMMONCONTROLS.3.1v0.3 Instructions
+1. For **Settings for users signing in using the SSO profile for your organization**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**.
+2. Click **SAVE**.
+
+#### GWS.COMMONCONTROLS.3.2v0.3 Instructions
+1. For **Settings for users signing in using other SSO profiles**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**.
+2. Click **SAVE**.
 
 ## 4. User Session Duration
 

drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv

@@ -5,7 +5,8 @@ GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Ad
 GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53
 GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49
 GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable
-GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHOULD be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
+GWS.COMMONCONTROLS.3.1v0.3,Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
+GWS.COMMONCONTROLS.3.2v0.3,Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.,Admin Log Event,Change Application Setting,SsoPolicyProto sso_profile_challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
 GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11
 GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21
 GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51

rego/Commoncontrols.rego

@@ -534,6 +534,21 @@ if {
 }
 #--
 
+#
+# Baseline GWS.COMMONCONTROLS.3.2v0.3
+#--
+# TODO replace the following placeholder with actual implementation
+# SsoPolicyProto sso_profile_challenge_selection_behavior appears to the appropriate log event
+tests contains {
+    "PolicyId": "GWS.COMMONCONTROLS.3.2v0.3",
+    "Criticality": "Should/Not-Implemented",
+    "ReportDetails": "Currently not able to be tested automatically; please manually check.",
+    "ActualValue": "",
+    "RequirementMet": false,
+    "NoSuchEvent": true
+}
+#--
+
 ########################
 # GWS.COMMONCONTROLS.4 #
 ########################