cisagov · adhilto · Nov 4, 2024 · Nov 1, 2024 · Nov 1, 2024 · Nov 4, 2024
diff --git a/baselines/commoncontrols.md b/baselines/commoncontrols.md
@@ -308,7 +308,7 @@ Login challenges are additional security measures used to verify a user's identi
 ### Policies
 
 #### GWS.COMMONCONTROLS.3.1v0.3
-Login Challenges SHALL be enabled when third party SAML SSO is in use.
+Login challenges SHOULD be enabled when third party SAML SSO is in use.
 
 - _Rationale:_ Without enabling Post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling Post-SSO verification will apply 2SV verification policies.
 - _Last modified:_ July 10, 2023

diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
@@ -5,7 +5,7 @@ GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Ad
 GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53
 GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49
 GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable
-GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHALL be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
+GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHOULD be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
 GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11
 GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21
 GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51

diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
@@ -506,7 +506,7 @@ NonCompliantOUs3_1 contains {
 
 tests contains {
     "PolicyId": "GWS.COMMONCONTROLS.3.1v0.3",
-    "Criticality": "Shall",
+    "Criticality": "Should",
     "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
     "ActualValue": "No relevant event for the top-level OU in the current logs",
     "RequirementMet": DefaultSafe,
@@ -520,7 +520,7 @@ if {
 
 tests contains {
     "PolicyId": "GWS.COMMONCONTROLS.3.1v0.3",
-    "Criticality": "Shall",
+    "Criticality": "Should",
     # Empty list on the next line as this setting can't be set at the group level
     "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []),
     "ActualValue": {"NonCompliantOUs": NonCompliantOUs3_1},