diff --git a/README.md b/README.md index 488b099a..131508f5 100644 --- a/README.md +++ b/README.md @@ -6,9 +6,9 @@ diff --git a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv index 97e33aff..409655db 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv 
@@ -1,7 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.CALENDAR.1.1v0.3,"External Sharing Options for Primary Calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs1clzmpm,JK 07-28-23 @ 12:08 -GWS.CALENDAR.1.2v0.3,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 -GWS.CALENDAR.2.1v0.3,External invitations warnings SHALL be enabled to prompt users before sending invitations.,Admin Log Event,Change Calendar Setting,ENABLE_EXTERNAL_GUEST_PROMPT,true,rules/00gjdgxs26jpj72,JK 07-28-23 @ 12:20 -GWS.CALENDAR.3.1v0.3,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 -GWS.CALENDAR.3.2v0.3,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to create rule due to bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." 
-GWS.CALENDAR.4.1v0.3,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 +GWS.CALENDAR.1.1v0.4,"External Sharing Options for Primary Calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs1clzmpm,JK 07-28-23 @ 12:08 +GWS.CALENDAR.1.2v0.4,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 +GWS.CALENDAR.2.1v0.4,External invitations warnings SHALL be enabled to prompt users before sending invitations.,Admin Log Event,Change Calendar Setting,ENABLE_EXTERNAL_GUEST_PROMPT,true,rules/00gjdgxs26jpj72,JK 07-28-23 @ 12:20 +GWS.CALENDAR.3.1v0.4,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 +GWS.CALENDAR.3.2v0.4,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to create rule due to bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." 
+GWS.CALENDAR.4.1v0.4,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 diff --git a/drift-rules/GWS Drift Monitoring Rules - Chat.csv b/drift-rules/GWS Drift Monitoring Rules - Chat.csv index 1e618121..95f2cbc3 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Chat.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Chat.csv 
@@ -1,11 +1,11 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.CHAT.1.1v0.3,Chat history SHOULD be enabled for information traceability.,Admin Log Event,Change Application Setting,DynamiteOTRSettingsProto off_the_record_state,ALWAYS_ON_THE_RECORD,rules/00gjdgxs1svgvm3,JK 08-01-23 @ 06:36 -GWS.CHAT.1.2v0.3,Users SHALL NOT be allowed to change their history setting.,Admin Log Event,Change Application Setting,DynamiteOTRSettingsProto off_the_record_state,ALWAYS_ON_THE_RECORD,rules/00gjdgxs18ozqwd,JK 08-01-23 @ 06:51 -GWS.CHAT.2.1v0.3,External file sharing SHALL be disabled to protect sensitive information from unauthorized or accidental sharing.,Admin Log Event,Change Application Setting,DynamiteFileSharingSettingsProto external_file_sharing_setting,NO_FILES,rules/00gjdgxs2l93fr0,JK 08-01-23 @ 07:01 -GWS.CHAT.3.1v0.3,Space history SHOULD be enabled for traceability of information.,Admin Log Event,Change Application Setting,RoomOtrSettingsProto otr_state,"ALWAYS_ON_THE_RECORD +GWS.CHAT.1.1v0.4,Chat history SHOULD be enabled for information traceability.,Admin Log Event,Change Application Setting,DynamiteOTRSettingsProto off_the_record_state,ALWAYS_ON_THE_RECORD,rules/00gjdgxs1svgvm3,JK 08-01-23 @ 06:36 +GWS.CHAT.1.2v0.4,Users SHALL NOT be allowed to change their history setting.,Admin Log Event,Change Application Setting,DynamiteOTRSettingsProto off_the_record_state,ALWAYS_ON_THE_RECORD,rules/00gjdgxs18ozqwd,JK 08-01-23 @ 06:51 +GWS.CHAT.2.1v0.4,External file sharing SHALL be disabled to protect sensitive information from unauthorized or accidental sharing.,Admin Log Event,Change Application Setting,DynamiteFileSharingSettingsProto external_file_sharing_setting,NO_FILES,rules/00gjdgxs2l93fr0,JK 08-01-23 @ 07:01 +GWS.CHAT.3.1v0.4,Space history SHOULD be enabled for traceability of information.,Admin Log Event,Change Application Setting,RoomOtrSettingsProto otr_state,"ALWAYS_ON_THE_RECORD OR 
DEFAULT_ON_THE_RECORD",rules/00gjdgxs13kc3ei,JK 08-01-23 @ 11:58 -GWS.CHAT.4.1v0.3(a),External Chat messaging SHALL be restricted to allowlisted domains only.,Admin Log Event,Change Application Setting,RestrictChatProto restrictChatToOrganization,false,rules/00gjdgxs3vz76ij,JK 08-01-23 @ 13:17 -GWS.CHAT.4.1v0.3(b),External Chat messaging SHALL be restricted to allowlisted domains only.,Admin Log Event,Change Application Setting,RestrictChatProto externalChatRestriction,TRUSTED_DOMAINS,rules/00gjdgxs3exvv2u,JK 08-01-23 @ 13:27 -GWS.CHAT.5.1v0.3,"Chat content reporting SHALL be enabled for all conversation types.",Admin Log Event,Create Application Setting,ContentReportingProto group_chat_reporting,CONTENT_REPORTING_STATE_ENABLED,N/A, MD @ 10-15-24 @ 16:47 -GWS.CHAT.5.2v0.3,"All reporting message categories SHOULD be selected.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event +GWS.CHAT.4.1v0.4(a),External Chat messaging SHALL be restricted to allowlisted domains only.,Admin Log Event,Change Application Setting,RestrictChatProto restrictChatToOrganization,false,rules/00gjdgxs3vz76ij,JK 08-01-23 @ 13:17 +GWS.CHAT.4.1v0.4(b),External Chat messaging SHALL be restricted to allowlisted domains only.,Admin Log Event,Change Application Setting,RestrictChatProto externalChatRestriction,TRUSTED_DOMAINS,rules/00gjdgxs3exvv2u,JK 08-01-23 @ 13:27 +GWS.CHAT.5.1v0.4,Chat content reporting SHALL be enabled for all conversation types.,Admin Log Event,Create Application Setting,ContentReportingProto group_chat_reporting,CONTENT_REPORTING_STATE_ENABLED,N/A, MD @ 10-15-24 @ 16:47 +GWS.CHAT.5.2v0.4,All reporting message categories SHOULD be selected.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event diff --git a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv index 2209a040..ccac90bf 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv 
+++ b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv 
@@ -1,7 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.CLASSROOM.1.1v0.3,Who can join classes in your domain SHALL be set to Users in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto who_can_join_classes,1,rules/00gjdgxs1c0jzhh,JK 10-20-23 @ 13:18 -GWS.CLASSROOM.1.2v0.3,Which classes can users in your domain join SHALL be set to Classes in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto which_classes_can_users_join,1,rules/00gjdgxs0hj2dit,JK 10-20-23 @ 13:23 -GWS.CLASSROOM.2.1v0.3,Classroom API SHALL be disabled for users,Admin Log Events,Change Application Setting,ApiDataAccessSettingProto api_access_enabled,false,rules/00gjdgxs3aafl8p,JK 10-20-23 @ 13:31 -GWS.CLASSROOM.3.1v0.3,Roster import with Clever SHOULD be turned off,Admin Log Events,Change Application Setting,RosterImportSettingsProto sis_integrator,SIS_INTEGRATOR_NONE,rules/00gjdgxs25t0l8g,JK 10-20-23 @ 13:42 -GWS.CLASSROOM.4.1v0.3,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50 -GWS.CLASSROOM.5.1v0.3,Class creation SHALL be restricted to verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58, +GWS.CLASSROOM.1.1v0.4,Who can join classes in your domain SHALL be set to Users in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto who_can_join_classes,1,rules/00gjdgxs1c0jzhh,JK 10-20-23 @ 13:18 +GWS.CLASSROOM.1.2v0.4,Which classes can users in your domain join SHALL be set to Classes in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto 
which_classes_can_users_join,1,rules/00gjdgxs0hj2dit,JK 10-20-23 @ 13:23 +GWS.CLASSROOM.2.1v0.4,Classroom API SHALL be disabled for users,Admin Log Events,Change Application Setting,ApiDataAccessSettingProto api_access_enabled,false,rules/00gjdgxs3aafl8p,JK 10-20-23 @ 13:31 +GWS.CLASSROOM.3.1v0.4,Roster import with Clever SHOULD be turned off,Admin Log Events,Change Application Setting,RosterImportSettingsProto sis_integrator,SIS_INTEGRATOR_NONE,rules/00gjdgxs25t0l8g,JK 10-20-23 @ 13:42 +GWS.CLASSROOM.4.1v0.4,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50 +GWS.CLASSROOM.5.1v0.4,Class creation SHALL be restricted to verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58, diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv index 24571997..8c756681 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv 
@@ -1,45 +1,45 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.COMMONCONTROLS.1.1v0.3,Phishing-Resistant MFA SHALL be required for all users.,Admin Log Event,Enforce 2-Step Verification,No Setting Name,true,rules/00gjdgxs3twm54g,JK 08-02-23 @ 06:51 -GWS.COMMONCONTROLS.1.2v0.3,New user enrollment period SHALL be set to 1 week.,Admin Log Event,Change 2-Step Verification Enrollment Period Duration,No Setting Name,1 week,rules/00gjdgxs19shvvu,JK 08-02-23 @ 07:04 -GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Admin Log Event,Change 2-Step Verification Frequency,No Setting Name,ENABLE_USERS_TO_TRUST_DEVICE,rules/00gjdgxs15t2155,JK 08-02-23 @ 07:10 -GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53 -GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49 -GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.3.1v0.3,Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 -GWS.COMMONCONTROLS.3.2v0.3,Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.,Admin Log Event,Change Application Setting,SsoPolicyProto 
sso_profile_challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 -GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11 -GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21 -GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51 -GWS.COMMONCONTROLS.5.3v0.3,User password length SHOULD be at least 15 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,15,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51 -GWS.COMMONCONTROLS.5.4v0.3,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00 -GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05 -GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09 -GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users 
SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced -GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16 -GWS.COMMONCONTROLS.9.1v0.3,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20 -GWS.COMMONCONTROLS.9.2v0.3,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. 
Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21 -GWS.COMMONCONTROLS.10.1v0.3,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.10.2v0.3,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.10.3v0.3,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access +GWS.COMMONCONTROLS.1.1v0.4,Phishing-Resistant MFA SHALL be required for all users.,Admin Log Event,Enforce 2-Step Verification,No Setting Name,true,rules/00gjdgxs3twm54g,JK 08-02-23 @ 06:51 +GWS.COMMONCONTROLS.1.2v0.4,New user enrollment period SHALL be set to 1 week.,Admin Log Event,Change 2-Step Verification Enrollment Period Duration,No Setting Name,1 week,rules/00gjdgxs19shvvu,JK 08-02-23 @ 07:04 +GWS.COMMONCONTROLS.1.3v0.4,Allow users to trust the device SHALL be disabled.,Admin Log Event,Change 2-Step Verification Frequency,No Setting Name,ENABLE_USERS_TO_TRUST_DEVICE,rules/00gjdgxs15t2155,JK 08-02-23 @ 07:10 +GWS.COMMONCONTROLS.1.4v0.4,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53 +GWS.COMMONCONTROLS.2.1v0.4,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49 +GWS.COMMONCONTROLS.2.2v0.4,"Use of 
context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.3.1v0.4,Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 +GWS.COMMONCONTROLS.3.2v0.4,Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.,Admin Log Event,Change Application Setting,SsoPolicyProto sso_profile_challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 +GWS.COMMONCONTROLS.4.1v0.4,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11 +GWS.COMMONCONTROLS.5.1v0.4,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21 +GWS.COMMONCONTROLS.5.2v0.4,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51 +GWS.COMMONCONTROLS.5.3v0.4,User password length SHOULD be at least 15 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,15,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51 +GWS.COMMONCONTROLS.5.4v0.4,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00 +GWS.COMMONCONTROLS.5.5v0.4,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password 
Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05 +GWS.COMMONCONTROLS.5.6v0.4,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09 +GWS.COMMONCONTROLS.6.1v0.4,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.6.2v0.4,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.7.1v0.4,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced +GWS.COMMONCONTROLS.8.1v0.4,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16 +GWS.COMMONCONTROLS.9.1v0.4,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20 +GWS.COMMONCONTROLS.9.2v0.4,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. 
Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21 +GWS.COMMONCONTROLS.10.1v0.4,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.10.2v0.4,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.10.3v0.4,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access OR All third party API access unblocked",No Setting Name,No Value,rules/00gjdgxs0xcbmu1, -GWS.COMMONCONTROLS.10.4v0.3(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow) -GWS.COMMONCONTROLS.10.4v0.3(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow) -GWS.COMMONCONTROLS.10.5v0.3,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51 -GWS.COMMONCONTROLS.11.1v0.3(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33 
-GWS.COMMONCONTROLS.11.1v0.3(b),Only approved Google Workspace Marketplace applications SHALL be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37 -GWS.COMMONCONTROLS.12.1v0.3,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19 -GWS.COMMONCONTROLS.13.1v0.3,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status -GWS.COMMONCONTROLS.14.1v0.3,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40 -GWS.COMMONCONTROLS.15.1v0.3,"The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.",Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57 -GWS.COMMONCONTROLS.15.2v0.3,"Data SHALL be processed in the region selected for data at rest.",Admin Log Event,Create Application Setting,DataProcessingRequirementsProto limit_to_storage_location,true,N/A,MD 09-20-24 @ 15:57 -GWS.COMMONCONTROLS.15.3v0.3,"The supplemental data storage region SHALL NOT be set to 'Russian Federation'.",Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested -GWS.COMMONCONTROLS.16.1v0.3,"Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.",Admin Log Event,Toggle Service Enabled,DISABLE_UNLISTED_SERVICES, true, N/A, MD 09-12-2024 @ 11:12 -GWS.COMMONCONTROLS.16.2v0.3,"Early 
Access Apps Service Status SHOULD be set to OFF for everyone.", Admin Log Event,Toggle Service Enabled,Early Access Apps, false, N/A, MD 09-12-2024 @ 11:16 -GWS.COMMONCONTROLS.17.1v0.3,"Require multi party approval for sensitive admin actions SHALL be enabled.", Admin Log Event, Change Application Setting, Multi Party Approval (MPA) Control Multi Party Approval Control, enabled, N/A, MD 09-12-2024 @ 11:20 -GWS.COMMONCONTROLS.18.1v0.3,"A custom policy SHALL be configured for Google Drive to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event -GWS.COMMONCONTROLS.18.2v0.3,"A custom policy SHALL be configured for Google Chat to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event -GWS.COMMONCONTROLS.18.3v0.3,"A custom policy SHALL be configured for Gmail to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. 
Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event -GWS.COMMONCONTROLS.18.4v0.3,"The action for the custom DLP policy SHOULD be set to block external sharing.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event +GWS.COMMONCONTROLS.10.4v0.4(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow) +GWS.COMMONCONTROLS.10.4v0.4(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow) +GWS.COMMONCONTROLS.10.5v0.4,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51 +GWS.COMMONCONTROLS.11.1v0.4(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33 +GWS.COMMONCONTROLS.11.1v0.4(b),Only approved Google Workspace Marketplace applications SHALL be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37 +GWS.COMMONCONTROLS.12.1v0.4,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19 +GWS.COMMONCONTROLS.13.1v0.4,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. 
Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status +GWS.COMMONCONTROLS.14.1v0.4,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40 +GWS.COMMONCONTROLS.15.1v0.4,The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.,Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57 +GWS.COMMONCONTROLS.15.2v0.4,Data SHALL be processed in the region selected for data at rest.,Admin Log Event,Create Application Setting,DataProcessingRequirementsProto limit_to_storage_location,true,N/A,MD 09-20-24 @ 15:57 +GWS.COMMONCONTROLS.15.3v0.4,The supplemental data storage region SHALL NOT be set to 'Russian Federation'.,Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested +GWS.COMMONCONTROLS.16.1v0.4,Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.,Admin Log Event,Toggle Service Enabled,DISABLE_UNLISTED_SERVICES, true, N/A, MD 09-12-2024 @ 11:12 +GWS.COMMONCONTROLS.16.2v0.4,Early Access Apps Service Status SHOULD be set to OFF for everyone., Admin Log Event,Toggle Service Enabled,Early Access Apps, false, N/A, MD 09-12-2024 @ 11:16 +GWS.COMMONCONTROLS.17.1v0.4,Require multi party approval for sensitive admin actions SHALL be enabled., Admin Log Event, Change Application Setting, Multi Party Approval (MPA) Control Multi Party Approval Control, enabled, N/A, MD 09-12-2024 @ 11:20 +GWS.COMMONCONTROLS.18.1v0.4,"A custom policy SHALL be configured for Google Drive to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. 
Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event +GWS.COMMONCONTROLS.18.2v0.4,"A custom policy SHALL be configured for Google Chat to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event +GWS.COMMONCONTROLS.18.3v0.4,"A custom policy SHALL be configured for Gmail to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event +GWS.COMMONCONTROLS.18.4v0.4,The action for the custom DLP policy SHOULD be set to block external sharing.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no specfic log event diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index a528e5b5..b982086a 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
@@ -1,17 +1,17 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.DRIVEDOCS.1.1v0.3,Agencies SHOULD disable sharing outside of the organization’s domain.,Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_NOT_ALLOWED,rules/00gjdgxs10es4se,JK 08-02-23 @ 12:25 -GWS.DRIVEDOCS.1.2v0.3,"If disabling sharing outside of the organization's domain, then agencies SHALL also disable users' receiving files from outside of the organization's domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_NOT_ALLOWED,rules/00gjdgxs10es4se,JK 08-02-23 @ 12:26 -GWS.DRIVEDOCS.1.3v0.3,"If sharing outside of the organization, then agencies SHALL enable warnings for users when they are about to share something outside of their domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_ALLOWED_WITH_WARNING,rules/00gjdgxs0qwshr5, -GWS.DRIVEDOCS.1.4v0.3,"If sharing outside of the organization, then agencies SHALL disable sharing of files with individuals who are not using a Google account.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log evemt -GWS.DRIVEDOCS.1.5v0.3,Agencies SHALL disable making files and published web content visible to anyone with the link.,Admin Log Event,Change Drive Setting,PUBLISHING_TO_WEB,NOT_ALLOWED,rules/00gjdgxs2l9hukl,JK 08-02-23 @ 12:16 -GWS.DRIVEDOCS.1.6v0.3,Agencies SHOULD set access checking to recipients only.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59 -GWS.DRIVEDOCS.1.7v0.3,Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organizations.,Admin Log Event,Change Drive Setting,SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS,CROSS_DOMAIN_FROM_INTERNAL_ONLY,rules/00gjdgxs2bll5l2,JK 09-26-23 @ 09:24 -GWS.DRIVEDOCS.1.8v0.3,Agencies SHALL ensure that newly created items assume the default 
access level of Private to the Owner.,Admin Log Event,Change Drive Setting,DEFAULT_LINK_SHARING_FOR_NEW_DOCS,PRIVATE,rules/00gjdgxs1jfq3ds,JK 08-02-23 @ 13:28 -GWS.DRIVEDOCS.2.1v0.3,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44 -GWS.DRIVEDOCS.2.2v0.3,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12 -GWS.DRIVEDOCS.2.3v0.3,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23 -GWS.DRIVEDOCS.2.4v0.3,"Agencies SHALL NOT allow viewers and commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30 -GWS.DRIVEDOCS.3.1v0.3,Agencies SHALL enable the security update for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 -GWS.DRIVEDOCS.4.1v0.3,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 -GWS.DRIVEDOCS.5.1v0.3,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 -GWS.DRIVEDOCS.6.1v0.3,Google Drive for Desktop SHOULD be enabled only for authorized 
devices..,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 +GWS.DRIVEDOCS.1.1v0.4,Agencies SHOULD disable sharing outside of the organization’s domain.,Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_NOT_ALLOWED,rules/00gjdgxs10es4se,JK 08-02-23 @ 12:25 +GWS.DRIVEDOCS.1.2v0.4,"If disabling sharing outside of the organization's domain, then agencies SHALL also disable users' receiving files from outside of the organization's domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_NOT_ALLOWED,rules/00gjdgxs10es4se,JK 08-02-23 @ 12:26 +GWS.DRIVEDOCS.1.3v0.4,"If sharing outside of the organization, then agencies SHALL enable warnings for users when they are about to share something outside of their domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_ALLOWED_WITH_WARNING,rules/00gjdgxs0qwshr5, +GWS.DRIVEDOCS.1.4v0.4,"If sharing outside of the organization, then agencies SHALL disable sharing of files with individuals who are not using a Google account.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log evemt +GWS.DRIVEDOCS.1.5v0.4,Agencies SHALL disable making files and published web content visible to anyone with the link.,Admin Log Event,Change Drive Setting,PUBLISHING_TO_WEB,NOT_ALLOWED,rules/00gjdgxs2l9hukl,JK 08-02-23 @ 12:16 +GWS.DRIVEDOCS.1.6v0.4,Agencies SHOULD set access checking to recipients only.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59 +GWS.DRIVEDOCS.1.7v0.4,Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organizations.,Admin Log Event,Change Drive Setting,SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS,CROSS_DOMAIN_FROM_INTERNAL_ONLY,rules/00gjdgxs2bll5l2,JK 09-26-23 @ 09:24 +GWS.DRIVEDOCS.1.8v0.4,Agencies SHALL ensure that newly created 
items assume the default access level of Private to the Owner.,Admin Log Event,Change Drive Setting,DEFAULT_LINK_SHARING_FOR_NEW_DOCS,PRIVATE,rules/00gjdgxs1jfq3ds,JK 08-02-23 @ 13:28 +GWS.DRIVEDOCS.2.1v0.4,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44 +GWS.DRIVEDOCS.2.2v0.4,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12 +GWS.DRIVEDOCS.2.3v0.4,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23 +GWS.DRIVEDOCS.2.4v0.4,"Agencies SHALL NOT allow viewers and commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30 +GWS.DRIVEDOCS.3.1v0.4,Agencies SHALL enable the security update for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 +GWS.DRIVEDOCS.4.1v0.4,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 +GWS.DRIVEDOCS.5.1v0.4,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 +GWS.DRIVEDOCS.6.1v0.4,Google Drive for Desktop SHOULD be enabled 
only for authorized devices..,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 diff --git a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv index c6c95700..4a1bd7de 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv 
@@ -1,55 +1,55 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.GMAIL.1.1v0.3,Mail delegation SHALL be disabled for all users by default.,Admin Log Event,Change Email Setting,ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN,false,rules/00gjdgxs1dj2igu,JK 07-28-223 @ 13:40 -GWS.GMAIL.2.1v0.3,DKIM SHOULD be enabled for agencies’ mail enabled domain.,No Log,No Log,No Log,No Log,No Log,Cannot create rule due to no log event generated -GWS.GMAIL.3.1v0.3,Agencies SHALL determine which IP addresses are approved senders for their domain(s).,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.3.2v0.3,Agencies SHALL publish SPF policy(s) that designate these (and only these) addresses as approved senders for their domain(s).,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.4.1v0.3,Agencies SHALL publish a DMARC policy.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.4.2v0.3,"Agencies SHALL set their policy to message rejection (i.e., “p=reject”).",N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.4.3v0.3,Agencies SHALL include reports@dmarc.cyber.dhs.gov as a point of contact for aggregate reports.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.4.4v0.3,Agencies SHOULD include an agency point of contact for aggregate and/or failure reports in their policy.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.5.1v0.3,Protect against encrypted attachments from untrusted senders SHALL be enabled.,Admin Log Event,Change Application Setting,Attachment safety Enable: protect against encrypted attachments from untrusted senders,true,rules/00gjdgxs0qglwig,JK 07-31-23 @ 06:54 -GWS.GMAIL.5.2v0.3,Protect against attachments with scripts from untrusted senders SHALL be enabled.,Admin Log Event,Change Application Setting,Attachment safety Enable: protect against attachments with scripts from untrusted senders,true,rules/00gjdgxs3ag9f69,JK 07-31-23 @ 06:54 -GWS.GMAIL.5.3v0.3,Protect against anomalous attachment types in emails SHALL be enabled.,Admin Log Event,Change 
Application Setting,Attachment safety Enable: Protect against anomalous attachment types in emails,true,rules/00gjdgxs1rx81d3,JK 07-31-23 @ 07:05 -GWS.GMAIL.5.4v0.3,Google SHOULD be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Attachment safety Enable: automatically enables all future added settings,true,rules/00gjdgxs13a7n9n,JK 07-31-23 @ 07:15 -GWS.GMAIL.5.5v0.3(a),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Encrypted attachment protection setting action,Show warning,rules/00gjdgxs0hkfqd2,JK 07-31-23 @ 07:42 -GWS.GMAIL.5.5v0.3(b),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Attachment with scripts protection action,Show warning,rules/00gjdgxs0qfhyzm,JK 07-31-23 @ 07:42 -GWS.GMAIL.5.5v0.3(c),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Anomalous attachment protection setting action,Show warning,rules/00gjdgxs3hwhm6r,JK 07-31-23 @ 07:42 -GWS.GMAIL.5.6v0.3,Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.6.1v0.3,Identify links behind shortened URLs SHALL be Enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: identify links behind shortened URLs,true,rules/00gjdgxs3af5hnf,JK 07-31-23 @ 08:00 -GWS.GMAIL.6.2v0.3,Scan linked images SHALL be enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: scan linked images,true,rules/00gjdgxs44inn5a,JK 07-31-23 @ 08:08 -GWS.GMAIL.6.3v0.3,Show warning prompt for any click on links to 
untrusted domains SHALL be enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: show warning prompt for click on links to unstrusted domains,true,rules/00gjdgxs2jnxxd3,JK 07-31-23 @ 08:22 -GWS.GMAIL.6.4v0.3,Google SHALL be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Links and external images safety Enable: automatically enables all future added settings,true,rules/00gjdgxs4hxtj4b,JK 07-31-23 @ 08:33 -GWS.GMAIL.6.5v0.3,Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.7.1v0.3,Protect against domain spoofing based on similar domain names SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against domain spoofing using similar domain names,true,rules/00gjdgxs324jgpv,JK 07-31-23 @ 08:55 -GWS.GMAIL.7.2v0.3,Protect against spoofing of employee names SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against spoofing of employee names,true,rules/00gjdgxs3w81m7q,JK 07-31-23 @ 08:55 -GWS.GMAIL.7.3v0.3,Protect against inbound emails spoofing your domain SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against inbound emails spoofing your domain,true,rules/00gjdgxs226brg1,JK 07-31-23 @ 08:55 -GWS.GMAIL.7.4v0.3,Protect against any unauthenticated emails.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against any unauthenticated emails,true,rules/00gjdgxs3ai9pb5,JK 07-31-23 @ 08:55 -GWS.GMAIL.7.5v0.3,Protect your Groups from inbound emails spoofing your domain.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect your Groups from inbound emails spoofing your 
domain,true,rules/00gjdgxs2dw9t9x,JK 07-31-23 @ 08:55 -GWS.GMAIL.7.6v0.3(a),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against domain spoofing based on similar domain names action,Show warning,rules/00gjdgxs0sndbln,JK 07-31-23 @ 10:10 -GWS.GMAIL.7.6v0.3(b),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against spoofing of employee names action,Show warning,rules/00gjdgxs2flhnf2,JK 07-31-23 @ 10:10 -GWS.GMAIL.7.6v0.3(c),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against inbound emails spoofing your domain action,Show warning,rules/00gjdgxs0uqrxmv,JK 07-31-23 @ 10:10 -GWS.GMAIL.7.6v0.3(d),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against any unauthenticated emails action,Show warning,rules/00gjdgxs1jhp3jp,JK 07-31-23 @ 10:10 -GWS.GMAIL.7.6v0.3(e),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain - group type,All groups,rules/00gjdgxs3793brc,JK 07-31-23 @ 10:14 -GWS.GMAIL.7.6v0.3(f),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain action,Show 
warning,rules/00gjdgxs1jvvvfs,JK 07-31-23 @ 10:20 -GWS.GMAIL.7.7v0.3,Google SHALL be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: automatically enables all future added settings,true,rules/00gjdgxs2puldi0,JK 07-31-23 @ 10:26 -GWS.GMAIL.7.8v0.3,Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.8.1v0.3,User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment.,Admin Log Event,Change Email Setting,ENABLE_EMAIL_USER_IMPORT,false,rules/00gjdgxs1vu7fnv,JK 07-31-23 @ 10:52 -GWS.GMAIL.9.1v0.3(a),POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients.,Admin Log Event,Change Email Setting,IMAP_ACCESS,DISABLED,rules/00gjdgxs3ynriy0,JK 07-31-23 @ 11:07 -GWS.GMAIL.9.1v0.3(b),POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients.,Admin Log Event,Change Email Setting,ENABLE_POP_ACCESS,false,rules/00gjdgxs16dhzcn,JK 07-31-23 @ 11:07 -GWS.GMAIL.10.1v0.3,Google Workspace Sync SHOULD be disabled.,Admin Log Event,Change Email Setting,ENABLE_OUTLOOK_SYNC,false,rules/00gjdgxs2caikn5,JK 07-31-23 @ 11:39 -GWS.GMAIL.10.2v0.3,Google Workspace Sync MAY be enabled on a per-user basis as needed.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.11.1v0.3,"Automatic forwarding SHOULD be disabled, especially to external domains.",Admin Log Event,Change Email Setting,ENABLE_EMAIL_AUTOFORWARDING,false,rules/00gjdgxs3bfgdir,JK 07-31-23 @ 11:50 -GWS.GMAIL.12.1v0.3,Using a per-user outbound gateway that is a mail server other than the Google Workspace mail 
servers SHALL be disabled.,Admin Log Event,Change Email Setting,OUTBOUND_RELAY_ENABLED,false,rules/00gjdgxs0wkcpwf,JK 07-31-23 @ 11:38 -GWS.GMAIL.13.1v0.3,Unintended external reply warnings SHALL be enabled,Admin Log Event,Change Application Setting,OutOfDomainWarningProto disable_untrusted_recipient_warning,true,rules/00gjdgxs0o6v2pe,JK 07-31-23 @ 13:56 -GWS.GMAIL.14.1v0.3,An email allowlist SHOULD not be implemented.,Admin Log Event,Change Email Setting,EMAIL_SPAM_ALLOWLIST,[],rules/00gjdgxs17hggqa,JK 08-01-23 @ 11:36 -GWS.GMAIL.15.1v0.3,Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing.,Admin Log Event,Change Application Setting,DelayedDeliverySettingsProto disable_delayed_delivery_for_suspicious_email,true,rules/00gjdgxs0z436wh,JK 07-13-23 @ 15:18 -GWS.GMAIL.15.2v0.3,Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.16.1v0.3,Security sandbox SHOULD be enabled to provide additional protections for their email messages.,Admin Log Event,Change Application Setting,AttachmentDeepScanningSettingsProto deep_scanning_enabled,true,rules/00gjdgxs2e64nj2,JK 07-13-23 @ 15:42 -GWS.GMAIL.16.2v0.3,Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.17.1v0.3,Comprehensive mail storage SHOULD be enabled to ensure information can be tracked across applications.,Admin Log Event,Change Gmail Setting,COMPREHENSIVE_MAIL_STORAGE,No Value,rules/00gjdgxs388y21u, -GWS.GMAIL.18.1v0.3,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.18.2v0.3,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not 
Alertable -GWS.GMAIL.18.3v0.3,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.19.1v0.3,Domains SHALL NOT be added to lists that bypass spam filters.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 -GWS.GMAIL.19.2v0.3,Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 -GWS.GMAIL.19.3v0.3,Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 +GWS.GMAIL.1.1v0.4,Mail delegation SHALL be disabled for all users by default.,Admin Log Event,Change Email Setting,ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN,false,rules/00gjdgxs1dj2igu,JK 07-28-223 @ 13:40 +GWS.GMAIL.2.1v0.4,DKIM SHOULD be enabled for agencies’ mail enabled domain.,No Log,No Log,No Log,No Log,No Log,Cannot create rule due to no log event generated +GWS.GMAIL.3.1v0.4,Agencies SHALL determine which IP addresses are approved senders for their domain(s).,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.3.2v0.4,Agencies SHALL publish SPF policy(s) that designate these (and only these) addresses as approved senders for their domain(s).,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.4.1v0.4,Agencies SHALL publish a DMARC policy.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.4.2v0.4,"Agencies SHALL set their policy to message rejection (i.e., “p=reject”).",N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.4.3v0.4,Agencies SHALL include reports@dmarc.cyber.dhs.gov as a point of contact for aggregate reports.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.4.4v0.4,Agencies 
SHOULD include an agency point of contact for aggregate and/or failure reports in their policy.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.5.1v0.4,Protect against encrypted attachments from untrusted senders SHALL be enabled.,Admin Log Event,Change Application Setting,Attachment safety Enable: protect against encrypted attachments from untrusted senders,true,rules/00gjdgxs0qglwig,JK 07-31-23 @ 06:54 +GWS.GMAIL.5.2v0.4,Protect against attachments with scripts from untrusted senders SHALL be enabled.,Admin Log Event,Change Application Setting,Attachment safety Enable: protect against attachments with scripts from untrusted senders,true,rules/00gjdgxs3ag9f69,JK 07-31-23 @ 06:54 +GWS.GMAIL.5.3v0.4,Protect against anomalous attachment types in emails SHALL be enabled.,Admin Log Event,Change Application Setting,Attachment safety Enable: Protect against anomalous attachment types in emails,true,rules/00gjdgxs1rx81d3,JK 07-31-23 @ 07:05 +GWS.GMAIL.5.4v0.4,Google SHOULD be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Attachment safety Enable: automatically enables all future added settings,true,rules/00gjdgxs13a7n9n,JK 07-31-23 @ 07:15 +GWS.GMAIL.5.5v0.4(a),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Encrypted attachment protection setting action,Show warning,rules/00gjdgxs0hkfqd2,JK 07-31-23 @ 07:42 +GWS.GMAIL.5.5v0.4(b),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Attachment with scripts protection action,Show warning,rules/00gjdgxs0qfhyzm,JK 07-31-23 @ 07:42 +GWS.GMAIL.5.5v0.4(c),"At the least, email SHOULD be kept in the inbox and show warning labels for attachment protection controls.",Admin Log Event,Change Application Setting,Attachment safety Anomalous 
attachment protection setting action,Show warning,rules/00gjdgxs3hwhm6r,JK 07-31-23 @ 07:42 +GWS.GMAIL.5.6v0.4,Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.6.1v0.4,Identify links behind shortened URLs SHALL be Enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: identify links behind shortened URLs,true,rules/00gjdgxs3af5hnf,JK 07-31-23 @ 08:00 +GWS.GMAIL.6.2v0.4,Scan linked images SHALL be enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: scan linked images,true,rules/00gjdgxs44inn5a,JK 07-31-23 @ 08:08 +GWS.GMAIL.6.3v0.4,Show warning prompt for any click on links to untrusted domains SHALL be enabled.,Admin Log Event,Change Application Setting,Links and external images safety Enable: show warning prompt for click on links to unstrusted domains,true,rules/00gjdgxs2jnxxd3,JK 07-31-23 @ 08:22 +GWS.GMAIL.6.4v0.4,Google SHALL be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Links and external images safety Enable: automatically enables all future added settings,true,rules/00gjdgxs4hxtj4b,JK 07-31-23 @ 08:33 +GWS.GMAIL.6.5v0.4,Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.7.1v0.4,Protect against domain spoofing based on similar domain names SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against domain spoofing using similar domain names,true,rules/00gjdgxs324jgpv,JK 07-31-23 @ 08:55 +GWS.GMAIL.7.2v0.4,Protect against spoofing of employee names SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against spoofing 
of employee names,true,rules/00gjdgxs3w81m7q,JK 07-31-23 @ 08:55 +GWS.GMAIL.7.3v0.4,Protect against inbound emails spoofing your domain SHALL be enabled.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against inbound emails spoofing your domain,true,rules/00gjdgxs226brg1,JK 07-31-23 @ 08:55 +GWS.GMAIL.7.4v0.4,Protect against any unauthenticated emails.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect against any unauthenticated emails,true,rules/00gjdgxs3ai9pb5,JK 07-31-23 @ 08:55 +GWS.GMAIL.7.5v0.4,Protect your Groups from inbound emails spoofing your domain.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: protect your Groups from inbound emails spoofing your domain,true,rules/00gjdgxs2dw9t9x,JK 07-31-23 @ 08:55 +GWS.GMAIL.7.6v0.4(a),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against domain spoofing based on similar domain names action,Show warning,rules/00gjdgxs0sndbln,JK 07-31-23 @ 10:10 +GWS.GMAIL.7.6v0.4(b),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against spoofing of employee names action,Show warning,rules/00gjdgxs2flhnf2,JK 07-31-23 @ 10:10 +GWS.GMAIL.7.6v0.4(c),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect against inbound emails spoofing your domain action,Show warning,rules/00gjdgxs0uqrxmv,JK 07-31-23 @ 10:10 +GWS.GMAIL.7.6v0.4(d),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log 
Event,Change Application Setting,Spoofing and authentication safety Protect against any unauthenticated emails action,Show warning,rules/00gjdgxs1jhp3jp,JK 07-31-23 @ 10:10 +GWS.GMAIL.7.6v0.4(e),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain - group type,All groups,rules/00gjdgxs3793brc,JK 07-31-23 @ 10:14 +GWS.GMAIL.7.6v0.4(f),"At the least, email SHOULD be kept in the inbox and show warning labels for spoofing and authentication controls.",Admin Log Event,Change Application Setting,Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain action,Show warning,rules/00gjdgxs1jvvvfs,JK 07-31-23 @ 10:20 +GWS.GMAIL.7.7v0.4,Google SHALL be allowed to automatically apply future recommended settings.,Admin Log Event,Change Application Setting,Spoofing and authentication safety Enable: automatically enables all future added settings,true,rules/00gjdgxs2puldi0,JK 07-31-23 @ 10:26 +GWS.GMAIL.7.8v0.4,Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.8.1v0.4,User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment.,Admin Log Event,Change Email Setting,ENABLE_EMAIL_USER_IMPORT,false,rules/00gjdgxs1vu7fnv,JK 07-31-23 @ 10:52 +GWS.GMAIL.9.1v0.4(a),POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients.,Admin Log Event,Change Email Setting,IMAP_ACCESS,DISABLED,rules/00gjdgxs3ynriy0,JK 07-31-23 @ 11:07 +GWS.GMAIL.9.1v0.4(b),POP and IMAP access SHALL be disabled to protect sensitive agency or organization 
emails from being accessed through legacy applications or other third-party mail clients.,Admin Log Event,Change Email Setting,ENABLE_POP_ACCESS,false,rules/00gjdgxs16dhzcn,JK 07-31-23 @ 11:07 +GWS.GMAIL.10.1v0.4,Google Workspace Sync SHOULD be disabled.,Admin Log Event,Change Email Setting,ENABLE_OUTLOOK_SYNC,false,rules/00gjdgxs2caikn5,JK 07-31-23 @ 11:39 +GWS.GMAIL.10.2v0.4,Google Workspace Sync MAY be enabled on a per-user basis as needed.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.11.1v0.4,"Automatic forwarding SHOULD be disabled, especially to external domains.",Admin Log Event,Change Email Setting,ENABLE_EMAIL_AUTOFORWARDING,false,rules/00gjdgxs3bfgdir,JK 07-31-23 @ 11:50 +GWS.GMAIL.12.1v0.4,Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled.,Admin Log Event,Change Email Setting,OUTBOUND_RELAY_ENABLED,false,rules/00gjdgxs0wkcpwf,JK 07-31-23 @ 11:38 +GWS.GMAIL.13.1v0.4,Unintended external reply warnings SHALL be enabled,Admin Log Event,Change Application Setting,OutOfDomainWarningProto disable_untrusted_recipient_warning,true,rules/00gjdgxs0o6v2pe,JK 07-31-23 @ 13:56 +GWS.GMAIL.14.1v0.4,An email allowlist SHOULD not be implemented.,Admin Log Event,Change Email Setting,EMAIL_SPAM_ALLOWLIST,[],rules/00gjdgxs17hggqa,JK 08-01-23 @ 11:36 +GWS.GMAIL.15.1v0.4,Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing.,Admin Log Event,Change Application Setting,DelayedDeliverySettingsProto disable_delayed_delivery_for_suspicious_email,true,rules/00gjdgxs0z436wh,JK 07-13-23 @ 15:18 +GWS.GMAIL.15.2v0.4,Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.16.1v0.4,Security sandbox SHOULD be enabled to provide additional protections for their email messages.,Admin Log Event,Change Application 
Setting,AttachmentDeepScanningSettingsProto deep_scanning_enabled,true,rules/00gjdgxs2e64nj2,JK 07-13-23 @ 15:42 +GWS.GMAIL.16.2v0.4,Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.17.1v0.4,Comprehensive mail storage SHOULD be enabled to ensure information can be tracked across applications.,Admin Log Event,Change Gmail Setting,COMPREHENSIVE_MAIL_STORAGE,No Value,rules/00gjdgxs388y21u, +GWS.GMAIL.18.1v0.4,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.18.2v0.4,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.18.3v0.4,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.19.1v0.4,Domains SHALL NOT be added to lists that bypass spam filters.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 +GWS.GMAIL.19.2v0.4,Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 +GWS.GMAIL.19.3v0.4,Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.,Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 diff --git a/drift-rules/GWS Drift Monitoring Rules - Groups.csv b/drift-rules/GWS Drift Monitoring Rules - Groups.csv index e7bcdf17..085fa577 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Groups.csv 
+++ b/drift-rules/GWS Drift Monitoring Rules - Groups.csv 
@@ -1,7 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.GROUPS.1.1v0.3,Group access from outside the organization SHALL be disabled unless explicitly granted by the group owner.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto collaboration_policy,CLOSED,rules/00gjdgxs2kgaq5a,JK 08-01-23 @ 14:13 -GWS.GROUPS.2.1v0.3,Group owners’ ability to add external members to groups SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto owners_can_allow_external_members,false,rules/00gjdgxs4b8984a,JK 08-01-23 @ 14:41 -GWS.GROUPS.3.1v0.3,"Group owners’ ability to allow posting to a group by an external, non-group member SHOULD be disabled unless necessary for agency mission fulfillment.",Admin Log Event,Change Application Setting,GroupsSharingSettingsProto owners_can_allow_incoming_mail_from_public,false,rules/00gjdgxs0lw54bd,JK 08-01-23 @ 14:52 -GWS.GROUPS.4.1v0.3,Group creation SHOULD be restricted to admins within the organization unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto who_can_create_groups,ADMIN_ONLY,rules/00gjdgxs35vsmz6,JK 08-01-23 @ 15:06 -GWS.GROUPS.5.1v0.3,The default permission to view conversations SHALL be set to All Group Members.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto default_view_topics_access_level,MEMBERS,rules/00gjdgxs24dq6r2,JK 08-01-23 @ 15:14 -GWS.GROUPS.6.1v0.3,Group owners’ ability to hide groups from the directory SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto allow_unlisted_groups,false,rules/00gjdgxs0zbb0ae,JK 08-01-23 @ 15:22 +GWS.GROUPS.1.1v0.4,Group access from outside the organization SHALL be disabled unless explicitly granted by the group owner.,Admin Log Event,Change Application 
Setting,GroupsSharingSettingsProto collaboration_policy,CLOSED,rules/00gjdgxs2kgaq5a,JK 08-01-23 @ 14:13 +GWS.GROUPS.2.1v0.4,Group owners’ ability to add external members to groups SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto owners_can_allow_external_members,false,rules/00gjdgxs4b8984a,JK 08-01-23 @ 14:41 +GWS.GROUPS.3.1v0.4,"Group owners’ ability to allow posting to a group by an external, non-group member SHOULD be disabled unless necessary for agency mission fulfillment.",Admin Log Event,Change Application Setting,GroupsSharingSettingsProto owners_can_allow_incoming_mail_from_public,false,rules/00gjdgxs0lw54bd,JK 08-01-23 @ 14:52 +GWS.GROUPS.4.1v0.4,Group creation SHOULD be restricted to admins within the organization unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto who_can_create_groups,ADMIN_ONLY,rules/00gjdgxs35vsmz6,JK 08-01-23 @ 15:06 +GWS.GROUPS.5.1v0.4,The default permission to view conversations SHALL be set to All Group Members.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto default_view_topics_access_level,MEMBERS,rules/00gjdgxs24dq6r2,JK 08-01-23 @ 15:14 +GWS.GROUPS.6.1v0.4,Group owners’ ability to hide groups from the directory SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto allow_unlisted_groups,false,rules/00gjdgxs0zbb0ae,JK 08-01-23 @ 15:22 diff --git a/drift-rules/GWS Drift Monitoring Rules - Meet.csv b/drift-rules/GWS Drift Monitoring Rules - Meet.csv index 9e7630fd..b2ab7ffc 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Meet.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Meet.csv 
@@ -1,6 +1,6 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.MEET.1.1v0.3,Meeting access SHALL be restricted to users signed in with a Google Account or Dialing in using a phone.,Admin Log Event,Change Application Setting,SafetyDomainLockProto users_allowed_to_join,LOGGED_IN,rules/00gjdgxs1wv8d7g,JK 08-02-23 @ 15:58 -GWS.MEET.2.1v0.3,Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization.,Admin Log Event,Change Application Setting,SafetyAccessLockProto meetings_allowed_to_join,WORKSPACE_DOMAINS,rules/00gjdgxs0rw9s95,JK 08-02-23 @ 16:02 -GWS.MEET.3.1v0.3,Host Management meeting features SHALL be enabled so that they are available by default when a host starts their meeting.,Admin Log Event,Change Application Setting,SafetyModerationLockProto host_management_enabled,true,rules/00gjdgxs3bvxawy,JK 08-02-23 @ 16:05 -GWS.MEET.4.1v0.3,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32 -GWS.MEET.5.1v0.3,Users receive calls only from contacts and other users in the organization SHALL be selected.,Admin Log Event,Change Application Setting,Incoming call restrictions Allowed caller type,CONTACTS_AND_SAME_DOMAIN,rules/00gjdgxs188dve6,MD 06-11-24 @ 12:30 +GWS.MEET.1.1v0.4,Meeting access SHALL be restricted to users signed in with a Google Account or Dialing in using a phone.,Admin Log Event,Change Application Setting,SafetyDomainLockProto users_allowed_to_join,LOGGED_IN,rules/00gjdgxs1wv8d7g,JK 08-02-23 @ 15:58 +GWS.MEET.2.1v0.4,Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization.,Admin Log Event,Change Application Setting,SafetyAccessLockProto 
meetings_allowed_to_join,WORKSPACE_DOMAINS,rules/00gjdgxs0rw9s95,JK 08-02-23 @ 16:02 +GWS.MEET.3.1v0.4,Host Management meeting features SHALL be enabled so that they are available by default when a host starts their meeting.,Admin Log Event,Change Application Setting,SafetyModerationLockProto host_management_enabled,true,rules/00gjdgxs3bvxawy,JK 08-02-23 @ 16:05 +GWS.MEET.4.1v0.4,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32 +GWS.MEET.5.1v0.4,Users receive calls only from contacts and other users in the organization SHALL be selected.,Admin Log Event,Change Application Setting,Incoming call restrictions Allowed caller type,CONTACTS_AND_SAME_DOMAIN,rules/00gjdgxs188dve6,MD 06-11-24 @ 12:30 diff --git a/drift-rules/GWS Drift Monitoring Rules - Sites.csv b/drift-rules/GWS Drift Monitoring Rules - Sites.csv index f3375a46..0192c6a6 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Sites.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Sites.csv @@ -1,2 +1,2 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test -GWS.SITES.1.1v0.3,Sites Service SHOULD be disabled for all users.,Admin Log Event,Toggle Service Enabled,No Setting Name,FALSE,rules/00gjdgxs3gdgxe3,JK 07-28-23 @ 11:12 +GWS.SITES.1.1v0.4,Sites Service SHOULD be disabled for all users.,Admin Log Event,Toggle Service Enabled,No Setting Name,FALSE,rules/00gjdgxs3gdgxe3,JK 07-28-23 @ 11:12 diff --git a/scubagoggles/__init__.py b/scubagoggles/__init__.py index 9d6f6c0c..8c8d3f87 100644 --- a/scubagoggles/__init__.py +++ b/scubagoggles/__init__.py @@ -4,4 +4,4 @@ All other references to the version number are derived from this value. """ -__version__ = '0.3.0' +__version__ = '0.4.0' 
diff --git a/scubagoggles/baselines/calendar.md b/scubagoggles/baselines/calendar.md index 6e28290f..e9bd73aa 100644 --- a/scubagoggles/baselines/calendar.md +++ b/scubagoggles/baselines/calendar.md @@ -35,7 +35,7 @@ This section determines what information is shared from calendars with external ### Policies -#### GWS.CALENDAR.1.1v0.3 +#### GWS.CALENDAR.1.1v0.4 External Sharing Options for Primary Calendars SHALL be configured to "Only free/busy information (hide event details)." - _Rationale:_ Calendars can contain private or otherwise sensitive information. Restricting calendar details to only free/busy information helps prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. @@ -44,7 +44,7 @@ External Sharing Options for Primary Calendars SHALL be configured to "Only free - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.CALENDAR.1.2v0.3 +#### GWS.CALENDAR.1.2v0.4 External sharing options for secondary calendars SHALL be configured to "Only free/busy information (hide event details)." - _Rationale:_ Calendars can contain private or otherwise sensitive information. Restricting calendar details to only free/busy information helps prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. 
@@ -66,14 +66,14 @@ External sharing options for secondary calendars SHALL be configured to "Only fr To configure the settings for External Sharing in Primary Calendar: -#### GWS.CALENDAR.1.1v0.3 Instructions +#### GWS.CALENDAR.1.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Calendar**. 3. Select **Sharing settings** -\> **External sharing options for primary calendars**. 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. -#### GWS.CALENDAR.1.2v0.3 Instructions +#### GWS.CALENDAR.1.2v0.4 Instructions To configure the settings for External Sharing in secondary calendars: @@ -89,7 +89,7 @@ This section determines whether users are warned when inviting one or more guest ### Policies -#### GWS.CALENDAR.2.1v0.3 +#### GWS.CALENDAR.2.1v0.4 External invitations warnings SHALL be enabled to prompt users before sending invitations. - _Rationale:_ Users may inadvertently include external guests in calendar event invitations, potentially resulting in data leakage. Warning users when external participants are included can help reduce this risk. @@ -113,7 +113,7 @@ External invitations warnings SHALL be enabled to prompt users before sending in ### Implementation -#### GWS.CALENDAR.2.1v0.3 Instructions +#### GWS.CALENDAR.2.1v0.4 Instructions To configure the settings for Confidential Mode: @@ -131,7 +131,7 @@ Due to the added complexity and attack surface associated with configuring Calen ### Policies -#### GWS.CALENDAR.3.1v0.3 +#### GWS.CALENDAR.3.1v0.4 Calendar Interop SHOULD be disabled. - _Rationale:_ Enabling Calendar interop adds a layer of complexity to Calendar management, possibly increasing the attack surface. Disabling this feature unless required by the organization conforms to the principle of least functionality. 
@@ -143,7 +143,7 @@ Calendar Interop SHOULD be disabled. - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) -#### GWS.CALENDAR.3.2v0.3 +#### GWS.CALENDAR.3.2v0.4 OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment. - _Rationale:_ Basic authentication is a deprecated and risk-prone authentication method. Using OAuth 2.0 helps reduce the risk of credential compromise. @@ -163,7 +163,7 @@ OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivit ### Implementation -#### GWS.CALENDAR.3.1v0.3 Instructions +#### GWS.CALENDAR.3.1v0.4 Instructions To configure the settings for Calendar Interop: @@ -173,7 +173,7 @@ To configure the settings for Calendar Interop: 4. Uncheck the **Enable Interoperability for Calendar** checkbox. 5. Select **Save**. -#### GWS.CALENDAR.3.2v0.3 Instructions +#### GWS.CALENDAR.3.2v0.4 Instructions To configure the settings for Calendar Interop: @@ -189,7 +189,7 @@ This section covers whether or not the paid appointment booking feature is enabl ### Policies -#### GWS.CALENDAR.4.1v0.3 +#### GWS.CALENDAR.4.1v0.4 Appointment Schedule with Payments SHALL be disabled. - _Rationale:_ Enabling paid appointments adds a layer of complexity to Calendar management, possibly increasing the attack surface. Disabling this feature conforms to the principle of least functionality. @@ -209,7 +209,7 @@ Appointment Schedule with Payments SHALL be disabled. ### Implementation -#### GWS.CALENDAR.4.1v0.3 Instructions +#### GWS.CALENDAR.4.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Calendar**. diff --git a/scubagoggles/baselines/chat.md b/scubagoggles/baselines/chat.md index 60f81729..9f42f3ef 100644 
--- a/scubagoggles/baselines/chat.md +++ b/scubagoggles/baselines/chat.md @@ -36,7 +36,7 @@ This section covers chat history retention for users within the organization and ### Policies -#### GWS.CHAT.1.1v0.3 +#### GWS.CHAT.1.1v0.4 Chat history SHALL be enabled for information traceability. - _Rationale:_ Users engaged in Google Chat may inadvertently share sensitive or private information during conversations and details discussed in chats may be crucial for future reference or dispute resolution. Enabling chat history for Google Chat may mitigate these risks by providing a traceable record of all conversations, enhancing information accountability and security. @@ -46,7 +46,7 @@ Chat history SHALL be enabled for information traceability. - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - [T1562:001: Impair Defenses: Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/) -#### GWS.CHAT.1.2v0.3 +#### GWS.CHAT.1.2v0.4 Users SHALL NOT be allowed to change their history setting. - _Rationale:_ Altering the history settings in Google Chat can potentially allow users to obfuscate the sharing of sensitive information via Chat. This policy ensures that all chat histories are preserved, enhancing data security and promoting accountability among users. @@ -68,14 +68,14 @@ Users SHALL NOT be allowed to change their history setting. To configure the settings for History for chats: -#### GWS.CHAT.1.1v0.3 Instructions +#### GWS.CHAT.1.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Chat**. 3. Select **History for chats**. 4. Select **History is ON**. 5. Select **Save** -#### GWS.CHAT.1.2v0.3 Instructions +#### GWS.CHAT.1.2v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Chat**. 3. Uncheck the **Allow users to change their history setting** checkbox. 
@@ -87,7 +87,7 @@ This section covers what types of files users are allowed to share external to t ### Policies -#### GWS.CHAT.2.1v0.3 +#### GWS.CHAT.2.1v0.4 External file sharing SHALL be disabled to protect sensitive information from unauthorized or accidental sharing. - _Rationale:_ Enabling external file sharing in Google Chat opens an additional avenue for data loss, one that may not be as rigorously monitored or protected as traditional collaboration channels, such as email. This policy limits the potential for unauthorized or accidental sharing. @@ -109,7 +109,7 @@ External file sharing SHALL be disabled to protect sensitive information from un To configure the settings for External filesharing: -#### GWS.CHAT.2.1v0.3 Instructions +#### GWS.CHAT.2.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Chat**. 3. Select **Chat File Sharing**. @@ -122,7 +122,7 @@ This section covers whether chat history is retained by default for users within ### Policies -#### GWS.CHAT.3.1v0.3 +#### GWS.CHAT.3.1v0.4 Space history SHOULD be enabled for traceability of information. - _Rationale:_ Users engaged in Google Chat may inadvertently share sensitive or private information during conversations. Details discussed in chats may be crucial for future reference or dispute resolution. Enabling chat history for Google Chat may mitigate these risks by providing a traceable record of all conversations, enhancing information accountability and security. @@ -144,7 +144,7 @@ Space history SHOULD be enabled for traceability of information. To configure the settings for History for spaces: -#### GWS.CHAT.3.1v0.3 Instructions +#### GWS.CHAT.3.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Chat**. 3. Select **History for spaces**. 
@@ -157,7 +157,7 @@ This section permits users to send Chat messages outside of their organization, ### Policies -#### GWS.CHAT.4.1v0.3 +#### GWS.CHAT.4.1v0.4 External Chat messaging SHALL be restricted to allowlisted domains only. - _Rationale:_ Allowing external chat messaging in Google Chat to unrestricted domains opens additional avenues for data exfiltration, increasing the risk of data leakage. By restricting external chat messaging to allowlisted domains only, the risk of sensitive information being distributed outside the organization without explicit consent and approval is minimized. @@ -180,7 +180,7 @@ External Chat messaging SHALL be restricted to allowlisted domains only. To configure the settings for External Chat: -#### GWS.CHAT.4.1v0.3 Instructions +#### GWS.CHAT.4.1v0.4 Instructions To enable external chat for allowlisted domains only: 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Chat**. @@ -204,7 +204,7 @@ This section covers the content reporting functionality, a feature that allows u ### Policies -#### GWS.CHAT.5.1v0.3 +#### GWS.CHAT.5.1v0.4 Chat content reporting SHALL be enabled for all conversation types. - _Rationale:_ Chat messages could potentially be used as an avenue for phishing, malware distribution, or other security risks. Enabling this feature allows users to report any suspicious messages to workspace admins, increasing threat awareness and facilitating threat mitigation. By selecting all conversation types, agencies help ensure that their users are able to report risky messages regardless of the conversation type. 
@@ -213,7 +213,7 @@ Chat content reporting SHALL be enabled for all conversation types. - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.CHAT.5.2v0.3 +#### GWS.CHAT.5.2v0.4 All reporting message categories SHOULD be selected. - _Rationale:_ Users may be uncertain what kind of messages should be reported. Enabling all message categories can help users infer which types of messages should be reported. @@ -230,7 +230,7 @@ All reporting message categories SHOULD be selected. ### Implementation -#### GWS.CHAT.5.1v0.3 Instructions +#### GWS.CHAT.5.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Menu** -> **Apps** -> **Google Workspace** -> **Google Chat**. 3. Click **Content Reporting**. @@ -238,7 +238,7 @@ All reporting message categories SHOULD be selected. 5. Ensure all conversation type checkboxes are selected. 6. Click **Save**. -#### GWS.CHAT.5.2v0.3 Instructions +#### GWS.CHAT.5.2v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Menu** -> **Apps** -> **Google Workspace** -> **Google Chat**. 3. Click **Content Reporting**. diff --git a/scubagoggles/baselines/classroom.md b/scubagoggles/baselines/classroom.md index 15776303..6a7633bb 100644 --- a/scubagoggles/baselines/classroom.md +++ b/scubagoggles/baselines/classroom.md @@ -38,7 +38,7 @@ This section covers who has the ability to join classes and what classes the use ### Policies -#### GWS.CLASSROOM.1.1v0.3 +#### GWS.CLASSROOM.1.1v0.4 Who can join classes in your domain SHALL be set to Users in your domain only. - _Rationale:_ Classes can contain private or otherwise sensitive information. Restricting classes to users in your domain helps prevent data leakage resulting from unauthorized classroom access. 
@@ -48,7 +48,7 @@ Who can join classes in your domain SHALL be set to Users in your domain only. - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.CLASSROOM.1.2v0.3 +#### GWS.CLASSROOM.1.2v0.4 Which classes users in your domain can join SHALL be set to Classes in your domain only. - _Rationale:_ Allowing users to join a class from outside your domain could allow for data to be exfiltrated to entities outside the control of the organization creating a significant security risk. @@ -74,11 +74,11 @@ To configure the settings for Class Membership: 3. Select **Class Settings**. 4. Select **About Class Membership**. -#### GWS.CLASSROOM.1.1v0.3 Instructions +#### GWS.CLASSROOM.1.1v0.4 Instructions 1. For **Who can join classes in your domain**, select **Users in your domain only**. 2. Select **Save**. -#### GWS.CLASSROOM.1.2v0.3 Instructions +#### GWS.CLASSROOM.1.2v0.4 Instructions 1. For **Which classes can users in your domain join**, select **Classes in your domain only**. 2. Select **Save**. @@ -88,7 +88,7 @@ This section covers policies related to the Google Classroom API. ### Policies -#### GWS.CLASSROOM.2.1v0.3 +#### GWS.CLASSROOM.2.1v0.4 Users SHALL NOT be able to authorize apps to access their Google Classroom data. - _Rationale:_ Allowing ordinary users to authorize apps to have access to classroom data opens a possibility for data loss. Allowing only admins to authorize apps reduces this risk. @@ -110,7 +110,7 @@ Users SHALL NOT be able to authorize apps to access their Google Classroom data. ### Implementation To configure the settings for Classroom API: -#### GWS.CLASSROOM.2.1v0.3 Instructions +#### GWS.CLASSROOM.2.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **Data Access**. 
@@ -123,7 +123,7 @@ This section covers policies related to importing rosters from Clever. ### Policies -#### GWS.CLASSROOM.3.1v0.3 +#### GWS.CLASSROOM.3.1v0.4 Roster import with Clever SHOULD be turned off. - _Rationale:_ If your organization does not use Clever, allowing roster imports could create a way for unauthorized data to be inputted into your organization's environment. If your organization does use Clever, then roster imports may be enabled. @@ -143,7 +143,7 @@ Roster import with Clever SHOULD be turned off. ### Implementation To configure the settings for Roster Import: -#### GWS.CLASSROOM.3.1v0.3 Instructions +#### GWS.CLASSROOM.3.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **Roster Import**. @@ -156,7 +156,7 @@ This section covers policies related to unenrolling a student from a class. ### Policies -#### GWS.CLASSROOM.4.1v0.3 +#### GWS.CLASSROOM.4.1v0.4 Only teachers SHALL be allowed to unenroll students from classes. - _Rationale:_ Allowing students to unenroll themselves creates the opportunity for data loss or other inconsistencies, especially for K-12 classrooms. Restricting this ability to teachers mitigates this risk. @@ -176,7 +176,7 @@ Only teachers SHALL be allowed to unenroll students from classes. ### Implementation To configure the settings for Student Unenrollment: -#### GWS.CLASSROOM.4.1v0.3 Instructions +#### GWS.CLASSROOM.4.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **Student unenrollment**. 
@@ -189,7 +189,7 @@ The first time users sign in to Classroom, they self-identify as either a studen ### Policies -#### GWS.CLASSROOM.5.1v0.3 +#### GWS.CLASSROOM.5.1v0.4 Class creation SHALL be restricted to verified teachers only. - _Rationale:_ Allowing pending teachers to create classes potentially allows students to impersonate teachers and exploit the trusted relationship between teacher and student, e.g., to phish sensitive information from the students. Restricting class creation to verified teachers reduces this risk. @@ -214,7 +214,7 @@ Class creation SHALL be restricted to verified teachers only. ### Implementation To configure the settings for Class Creation: -#### GWS.CLASSROOM.5.1v0.3 Instructions +#### GWS.CLASSROOM.5.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **General Settings**. diff --git a/scubagoggles/baselines/commoncontrols.md b/scubagoggles/baselines/commoncontrols.md index 1ba842e9..a7da327b 100644 --- a/scubagoggles/baselines/commoncontrols.md +++ b/scubagoggles/baselines/commoncontrols.md 
@@ -49,7 +49,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S ## 1. Phishing-Resistant Multi-Factor Authentication -Multi-factor authentication (MFA), particularly phishing-resistant MFA, is a critical security control against attacks such as password spraying, password theft, and phishing. Adopting phishing-resistant MFA may take time, especially on mobile devices. Organizations must upgrade to a phishing-resistant MFA method as soon as possible to be compliant with OMB M-22-09 and this policy to address the critical security threat posed by modern phishing attacks. In the intermediate period before phishing-resistant MFA is fully adopted, organizations should adopt an MFA method from the list in GWS.COMMONCONTROLS.1.4v0.3 below. +Multi-factor authentication (MFA), particularly phishing-resistant MFA, is a critical security control against attacks such as password spraying, password theft, and phishing. Adopting phishing-resistant MFA may take time, especially on mobile devices. Organizations must upgrade to a phishing-resistant MFA method as soon as possible to be compliant with OMB M-22-09 and this policy to address the critical security threat posed by modern phishing attacks. In the intermediate period before phishing-resistant MFA is fully adopted, organizations should adopt an MFA method from the list in GWS.COMMONCONTROLS.1.4v0.4 below. This control recognizes federation as a viable option for phishing-resistant MFA and includes architectural considerations around on-premises and cloud-native identity federation in established Federal Civilian Executive Branch (FCEB) environments. Federation for GWS can be implemented via a cloud-native identity provider (IdP). 
Google's documentation acknowledges that on-premises Active Directory implementations may be predominant in environments that adopt GWS and provides guidance on the use of Google Cloud Directory Sync (GCDS) to synchronize Google Account data with an established Microsoft Active Directory or LDAP server. @@ -61,7 +61,7 @@ Please note there is a distinction between Google 2 Step Verification (2SV) and ### Policies -#### GWS.COMMONCONTROLS.1.1v0.3 +#### GWS.COMMONCONTROLS.1.1v0.4 Phishing-Resistant MFA SHALL be required for all users. @@ -92,7 +92,7 @@ Phishing-Resistant MFA SHALL be required for all users. - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) -#### GWS.COMMONCONTROLS.1.2v0.3 +#### GWS.COMMONCONTROLS.1.2v0.4 Google 2SV new user enrollment period SHALL be set to 1 week. - _Rationale:_ Enrollment must be enforced within a reasonable timeframe. 1 week balances the need for allowing new personnel time to set up their authentication methods and reducing the risks inherent to not enforcing MFA immediately. @@ -111,7 +111,7 @@ Google 2SV new user enrollment period SHALL be set to 1 week. - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) -#### GWS.COMMONCONTROLS.1.3v0.3 +#### GWS.COMMONCONTROLS.1.3v0.4 Allow users to trust the device SHALL be disabled. - _Rationale:_ Trusting the device allows users to bypass 2-Step Verification for future logins on that device. Disabling device trusting makes it possible for future logins on the same device to be protected by MFA. 
@@ -130,7 +130,7 @@ Allow users to trust the device SHALL be disabled. - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) -#### GWS.COMMONCONTROLS.1.4v0.3 +#### GWS.COMMONCONTROLS.1.4v0.4 If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim. > Google prompt @@ -185,22 +185,22 @@ To enforce Phishing-Resistant 2-Step Verification (MFA) for all users, use the G 2. Select **Security** -\> **Authentication.** 3. Select **2-Step Verification.** -#### GWS.COMMONCONTROLS.1.1v0.3 Instructions +#### GWS.COMMONCONTROLS.1.1v0.4 Instructions 1. Under **Authentication**, ensure that **Allow users to turn on 2-Step Verification** is checked. 2. Set **Enforcement** to **On.** 3. Under **Methods** select **Only security key.** 4. Under **Security codes** select **Don't allow users to select security codes.** 5. Select **Save** -#### GWS.COMMONCONTROLS.1.2v0.3 Instructions +#### GWS.COMMONCONTROLS.1.2v0.4 Instructions 1. Set **New user enrollment** period to **1 Week**. 2. Select **Save** -#### GWS.COMMONCONTROLS.1.3v0.3 Instructions +#### GWS.COMMONCONTROLS.1.3v0.4 Instructions 1. Under Frequency, deselect the **Allow user to trust device** checkbox. 2. Select **Save** -#### GWS.COMMONCONTROLS.1.4v0.3 Instructions +#### GWS.COMMONCONTROLS.1.4v0.4 Instructions If using security keys: 1. Under **Methods**, select **Only security Key**. Next, select **Don't allow users to select security codes**. 
@@ -237,7 +237,7 @@ To enforce a device policy that requires company-owned devices, Google needs a l ### Policies -#### GWS.COMMONCONTROLS.2.1v0.3 +#### GWS.COMMONCONTROLS.2.1v0.4 Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented. - _Rationale:_ Granular device access control afforded by context-aware access is in alignment with Federal zero trust strategy and principles. Context-aware access can help to increase the security of your GWS data by allowing you to restrict access to certain applications or services based on user/device attributes. @@ -284,7 +284,7 @@ Policies restricting access to GWS based on signals about enterprise devices SHO ### Implementation -#### GWS.COMMONCONTROLS.2.1v0.3 Instructions +#### GWS.COMMONCONTROLS.2.1v0.4 Instructions To turn on Context-Aware Access: 1. Access the [Google Admin console](https://admin.google.com/). @@ -310,7 +310,7 @@ Google Workspace handles post-SSO verification for profiles assigned org-wide as ### Policies -#### GWS.COMMONCONTROLS.3.1v0.3 +#### GWS.COMMONCONTROLS.3.1v0.4 Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization. - _Rationale:_ Without enabling post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling post-SSO verification will apply 2SV verification policies. 
@@ -322,7 +322,7 @@ Post-SSO verification SHOULD be enabled for users signing in using the SSO profi - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.3.2v0.3 +#### GWS.COMMONCONTROLS.3.2v0.4 Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles. - _Rationale:_ Without enabling post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling post-SSO verification will apply 2SV verification policies. @@ -351,11 +351,11 @@ Post-SSO verification SHOULD be enabled for users signing in using other SSO pro 3. Under **Organizational units**, ensure that the name for the entire organization is selected. 4. Click **Post-SSO verification**. -#### GWS.COMMONCONTROLS.3.1v0.3 Instructions +#### GWS.COMMONCONTROLS.3.1v0.4 Instructions 1. For **Settings for users signing in using the SSO profile for your organization**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. 2. Click **SAVE**. -#### GWS.COMMONCONTROLS.3.2v0.3 Instructions +#### GWS.COMMONCONTROLS.3.2v0.4 Instructions 1. For **Settings for users signing in using other SSO profiles**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. 2. Click **SAVE**. 
@@ -367,7 +367,7 @@ Note: If using a third-party IdP, and agency-set web session lengths for its use ### Policies -#### GWS.COMMONCONTROLS.4.1v0.3 +#### GWS.COMMONCONTROLS.4.1v0.4 Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired. - _Rationale:_ Allowing sessions to persist indefinitely allows users to bypass 2-Step Verification for future activity on that device. Limiting sessions to 12 hours may reduce the impact of session hijacking attacks and prevent users from inadvertently remaining logged in on unattended devices. @@ -389,7 +389,7 @@ Users SHALL be forced to re-authenticate after an established 12-hour GWS login ### Implementation -#### GWS.COMMONCONTROLS.4.1v0.3 Instructions +#### GWS.COMMONCONTROLS.4.1v0.4 Instructions To configure Google session control: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. @@ -404,7 +404,7 @@ Per NIST 800-63 and OMB M-22-09, ensure that user passwords do not expire and th ### Policies -#### GWS.COMMONCONTROLS.5.1v0.3 +#### GWS.COMMONCONTROLS.5.1v0.4 User password strength SHALL be enforced. - _Rationale:_ Weak passwords increase the risk of account compromise. Enforcing password strength adds an additional layer of defense, reducing the risk of account compromise. @@ -417,7 +417,7 @@ User password strength SHALL be enforced. - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.5.2v0.3 +#### GWS.COMMONCONTROLS.5.2v0.4 User password length SHALL be at least 12 characters. - _Rationale:_ The National Institute of Standards and Technology (NIST) has published guidance indicating that password length is a primary factor in characterizing password strength (NIST SP 800-63B). Longer passwords tend to be more resistant to brute force and dictionary-based attacks. 
@@ -429,7 +429,7 @@ User password length SHALL be at least 12 characters. - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.5.3v0.3 +#### GWS.COMMONCONTROLS.5.3v0.4 User password length SHOULD be at least 15 characters. - _Rationale:_ The National Institute of Standards and Technology (NIST) has published guidance indicating that password length is a primary factor in characterizing password strength (NIST SP 800-63B). Longer passwords tend to be more resistant to brute force and dictionary-based attacks. @@ -441,7 +441,7 @@ User password length SHOULD be at least 15 characters. - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.5.4v0.3 +#### GWS.COMMONCONTROLS.5.4v0.4 Password policy SHALL be enforced at next sign-in. - _Rationale:_ Unless the password policy is enforced at next login, a user could potentially operate indefinitely using a weak password. Enforcing the policy at next login helps ensure that all active user passwords meet current requirements. @@ -453,7 +453,7 @@ Password policy SHALL be enforced at next sign-in. - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.5.5v0.3 +#### GWS.COMMONCONTROLS.5.5v0.4 User passwords SHALL NOT be reused. - _Rationale:_ Password reuse represents a significant security risk. Preventing password reuse when possible limits the scope of a compromised password. 
@@ -465,7 +465,7 @@ User passwords SHALL NOT be reused. - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) -#### GWS.COMMONCONTROLS.5.6v0.3 +#### GWS.COMMONCONTROLS.5.6v0.4 User passwords SHALL NOT expire. - _Rationale:_ The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB M-22-09 states, "Password policies must not require use of special characters or regular rotation." @@ -498,22 +498,22 @@ To configure a strong password policy is configured, use the Google Workspace Ad 4. Follow implementation for each individual policy. 5. Select **Save**. -#### GWS.COMMONCONTROLS.5.1v0.3 Instructions +#### GWS.COMMONCONTROLS.5.1v0.4 Instructions 1. Under **Strength**, select the **Enforce strong password** checkbox. -#### GWS.COMMONCONTROLS.5.2v0.3 Instructions +#### GWS.COMMONCONTROLS.5.2v0.4 Instructions 1. Under **Length**, set **Minimum Length** to 12+. -#### GWS.COMMONCONTROLS.5.3v0.3 Instructions +#### GWS.COMMONCONTROLS.5.3v0.4 Instructions 1. Under **Length**, set **Minimum Length** to 15+. -#### GWS.COMMONCONTROLS.5.4v0.3 Instructions +#### GWS.COMMONCONTROLS.5.4v0.4 Instructions 1. Under **Strength and Length enforcement**, select the **Enforce password policy at next sign-in** checkbox. -#### GWS.COMMONCONTROLS.5.5v0.3 Instructions +#### GWS.COMMONCONTROLS.5.5v0.4 Instructions 1. Under **Reuse**, deselect the **Allow password reuse** checkbox. -#### GWS.COMMONCONTROLS.5.6v0.3 Instructions +#### GWS.COMMONCONTROLS.5.6v0.4 Instructions 1. Under **Expiration**, select **Never Expires.** ## 6. Highly Privileged Accounts 
@@ -530,7 +530,7 @@ Pre-Built GWS Admin Roles considered highly privileged: ### Policies -#### GWS.COMMONCONTROLS.6.1v0.3 +#### GWS.COMMONCONTROLS.6.1v0.4 All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system. - _Rationale:_ Leveraging Google Account authentication with phishing resistant MFA for highly privileged accounts reduces the risks associated with a compromise of on-premises federation infrastructure. This makes it more challenging for an adversary to pivot from a compromised on-premises environment to the cloud with privileged access. @@ -544,7 +544,7 @@ All highly privileged accounts SHALL leverage Google Account authentication with - [T1556: Modifying Authentication Process](https://attack.mitre.org/techniques/T1556/) - [T1556:006: Modifying Authentication Process: Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006/) -#### GWS.COMMONCONTROLS.6.2v0.3 +#### GWS.COMMONCONTROLS.6.2v0.4 A minimum of **two** and maximum of **eight** separate and distinct super admin users SHALL be configured. - _Rationale:_ The super admin role provides unfettered access to the workspace. Properly managing the number of users with this level of access makes workspace compromise more challenging. However, having too few accounts can be problematic as it increases the risk of losing admin access entirely (e.g., if a super admin forgets their password); having between 2 and 4 balances these two concerns. 
@@ -572,11 +572,11 @@ A minimum of **two** and maximum of **eight** separate and distinct super admin ### Implementation -#### GWS.COMMONCONTROLS.6.1v0.3 Instructions +#### GWS.COMMONCONTROLS.6.1v0.4 Instructions 1. Determine how to track highly privileged accounts. For example, create an OU or group containing all highly privileged accounts. 2. Follow the instructions on [Set up SSO for your organization](https://support.google.com/a/answer/12032922?hl=en), under "Decide which users should use SSO." For all OUs or groups with highly privileged users, set the **SSO profile assignment** to **None**. -#### GWS.COMMONCONTROLS.6.2v0.3 Instructions +#### GWS.COMMONCONTROLS.6.2v0.4 Instructions To obtain a list of all GWS Super Admins: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. @@ -603,7 +603,7 @@ By changing the email address, the user resolves the conflict by ensuring that t ### Policies -#### GWS.COMMONCONTROLS.7.1v0.3 +#### GWS.COMMONCONTROLS.7.1v0.4 Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones. - _Rationale:_ Unmanaged user accounts cannot be controlled or monitored by workspace admins. By resolving conflicting accounts, you ensure all users in your workspace are using managed accounts. @@ -630,7 +630,7 @@ Account conflict management SHALL be configured to replace conflicting unmanaged - Super Admin privileges ### Implementation -#### GWS.COMMONCONTROLS.7.1v0.3 Instructions +#### GWS.COMMONCONTROLS.7.1v0.4 Instructions To configure account conflict management per the policy: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 
@@ -645,7 +645,7 @@ This section covers the admin self-recovery setting that is in Google Admin cons ### Policies -#### GWS.COMMONCONTROLS.8.1v0.3 +#### GWS.COMMONCONTROLS.8.1v0.4 Account self-recovery for Super Admins SHALL be disabled - _Rationale:_ If enabled, an adversary could attempt to gain access to a super admin account through the account recovery method. Disabling this feature forces super admins to contact another super admin to recover their account, making it more difficult for a potential adversary to compromise their account. @@ -666,7 +666,7 @@ Account self-recovery for Super Admins SHALL be disabled ### Implementation -#### GWS.COMMONCONTROLS.8.1v0.3 Instructions +#### GWS.COMMONCONTROLS.8.1v0.4 Instructions To disable Super Admin account self-recovery: 1. Sign in to https://admin.google.com as an administrator. @@ -691,7 +691,7 @@ This control enforces more secure protection of highly privileged, senior execut ### Policies -#### GWS.COMMONCONTROLS.9.1v0.3 +#### GWS.COMMONCONTROLS.9.1v0.4 Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program. - _Rationale:_ Sophisticated phishing tactics can trick even the most savvy users into giving their sign-in credentials to attackers. Advanced Protection requires you to use a security key, which is a hardware device or special software on your phone used to verify your identity, to sign in to your Google Account. Unauthorized users won't be able to sign in without your security key, even if they have your username and password. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current. 
@@ -705,7 +705,7 @@ Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Prog - [T1556: Modifying Authentication Process](https://attack.mitre.org/techniques/T1556/) - [T1556:006: Modifying Authentication Process: Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006/) -#### GWS.COMMONCONTROLS.9.2v0.3 +#### GWS.COMMONCONTROLS.9.2v0.4 All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. - _Rationale:_ Sophisticated phishing tactics can trick even the most savvy users into giving their sign-in credentials to attackers. Advanced Protection requires you to use a security key, which is a hardware device or special software on your phone used to verify your identity, to sign in to your Google Account. Unauthorized users won't be able to sign in without your security key, even if they have your username and password. The Advanced Protection Program includes a curated group of high-security policies that are applied to enrolled accounts. Additional policies may be added to the Advanced Protection Program to ensure the protections are current. @@ -748,7 +748,7 @@ Agencies need to have a process in place to manage and control application acces ### Policies -#### GWS.COMMONCONTROLS.10.1v0.3 +#### GWS.COMMONCONTROLS.10.1v0.4 Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps. - _Rationale:_ Third-party apps may include malicious content. Restricting app access to only apps trusted by the agency reduces the risk of allowing malicious apps to connect to the workspace. 
@@ -762,7 +762,7 @@ Agencies SHALL use GWS application access control policies to restrict access to - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.2v0.3 +#### GWS.COMMONCONTROLS.10.2v0.4 Agencies SHALL NOT allow users to consent to access to low-risk scopes. - _Rationale:_ Allowing users to give access to OAuth scopes that aren't classified as high-risk could still allow for apps that are not trusted to be granted access by non-administrator personnel and without having to be allowlisted in accordance with policy 10.1. @@ -776,7 +776,7 @@ Agencies SHALL NOT allow users to consent to access to low-risk scopes. - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.3v0.3 +#### GWS.COMMONCONTROLS.10.3v0.4 Agencies SHALL NOT trust unconfigured internal apps. - _Rationale:_ Internal apps may contain vulnerabilities or even malicious content created by compromised user accounts. Restricting access to these apps reduces the risk of allowing unsafe apps to connect to the workspace. @@ -790,7 +790,7 @@ Agencies SHALL NOT trust unconfigured internal apps. - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.4v0.3 +#### GWS.COMMONCONTROLS.10.4v0.4 Agencies SHALL NOT allow users to access unconfigured third-party apps. - _Rationale:_ External apps may contain vulnerabilities and malicious content. Restricting access to these apps reduces the risk of allowing unsafe apps to connect to the workspace. 
@@ -804,7 +804,7 @@ Agencies SHALL NOT allow users to access unconfigured third-party apps. - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.5v0.3 +#### GWS.COMMONCONTROLS.10.5v0.4 Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented. - _Rationale:_ Antiquated authentication methods introduce additional risk into the workspace environment. Only allowing apps that use modern authentication standards helps reduce the risk of credential compromise. 
@@ -837,31 +837,31 @@ Access to Google Workspace applications by less secure apps that do not meet sec 1. Sign in to [Google Admin console](https://admin.google.com). 2. Go to **Security** -\> **Access and Data Control** -\> **API controls.** -#### GWS.COMMONCONTROLS.10.1v0.3 instructions: +#### GWS.COMMONCONTROLS.10.1v0.4 instructions: 1. Select **Manage Google Services.** 2. Select the **Services box** to check all services boxes. 3. Once this box is selected, then the **Change access** link at the top of console will be available; select it. 4. Select **Restricted: Only trusted apps can access a service.** 5. Select **Change** then **confirm** if prompted. -#### GWS.COMMONCONTROLS.10.2v0.3 instructions: +#### GWS.COMMONCONTROLS.10.2v0.4 instructions: 1. Select **Manage Google Services.** 2. Select the **Services box** to check all services boxes. 3. Once this box is selected, then the **Change access** link at the top of console will be available; select it. 4. Ensure to uncheck the check box next to **For apps that are not trusted, allow users to give access to OAuth scopes that aren't classified as high-risk.** 5. Select **Change** then **confirm** if prompted. -#### GWS.COMMONCONTROLS.10.3v0.3 Instructions +#### GWS.COMMONCONTROLS.10.3v0.4 Instructions 1. Select **Settings.** 2. Select **Internal apps** and uncheck the box next to **Trust internal apps.** 3. Select **SAVE.** -#### GWS.COMMONCONTROLS.10.4v0.3 Instructions +#### GWS.COMMONCONTROLS.10.4v0.4 Instructions 1. Select **Settings.** 2. Select **Unconfigured third-party apps** and select **Don't allow users to access any third-party apps** 3. Select **SAVE.** -#### GWS.COMMONCONTROLS.10.5v0.3 Instructions +#### GWS.COMMONCONTROLS.10.5v0.4 Instructions 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Select **Security** -\> **Overview**. 3. Select **Less Secure Apps**. 
@@ -881,7 +881,7 @@ Some older versions of common software may break when this control is implemente ### Policies -#### GWS.COMMONCONTROLS.11.1v0.3 +#### GWS.COMMONCONTROLS.11.1v0.4 Only approved Google Workspace Marketplace applications SHALL be allowed for installation. - _Rationale:_ Marketplace apps may include malicious content. Restricting app access to only apps trusted by the agency reduces the risk of allowing malicious apps to connect to the workspace. @@ -902,7 +902,7 @@ Only approved Google Workspace Marketplace applications SHALL be allowed for ins ### Implementation -#### GWS.COMMONCONTROLS.11.1v0.3 Instructions +#### GWS.COMMONCONTROLS.11.1v0.4 Instructions 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Select **Apps** -\> **Google Workspace Marketplace apps** -\> **Settings.** 3. Select **Allow users to install and run allowlisted apps from the Marketplace.** @@ -923,7 +923,7 @@ This section prevents users from downloading a copy of the Google Takeout servic ### Policies -#### GWS.COMMONCONTROLS.12.1v0.3 +#### GWS.COMMONCONTROLS.12.1v0.4 Google Takeout services SHALL be disabled. - _Rationale:_ Google Takeout is a service that allows you to download a copy of your data stored within 40+ Google products and services, including data from Gmail, Drive, Photos, and Calendar. While there may be a valid use case for individuals to back up their data in non-enterprise settings, this feature represents considerable attack surface as a mass data exfiltration mechanism, particularly in enterprise settings where other backup mechanisms are likely in use. @@ -943,7 +943,7 @@ Google Takeout services SHALL be disabled. ### Implementation -#### GWS.COMMONCONTROLS.12.1v0.3 Instructions +#### GWS.COMMONCONTROLS.12.1v0.4 Instructions 1. Sign in to https://admin.google.com as an administrator. 2. Select **Data** -\> **Data import & export** -\> **Google Takeout**. 3. Select **User access to Takeout for Google services**. 
@@ -992,7 +992,7 @@ GWS includes system-defined alerting rules that provide situational awareness in ### Policies -#### GWS.COMMONCONTROLS.13.1v0.3 +#### GWS.COMMONCONTROLS.13.1v0.4 Required system-defined alerting rules, as listed in the Policy group description, SHALL be enabled with alerts. - _Rationale:_ Potentially malicious or service-impacting events may go undetected. Setting up a mechanism to alert administrators to the list of events linked above draws attention to them to minimize any impact to users and the agency. @@ -1014,7 +1014,7 @@ Required system-defined alerting rules, as listed in the Policy group descriptio ### Implementation -#### GWS.COMMONCONTROLS.13.1v0.3 Instructions +#### GWS.COMMONCONTROLS.13.1v0.4 Instructions 1. Sign in to [Google Admin console](https://admin.google.com). 2. Click **Rules**. 3. From the Rules page, click **Add a filter**. @@ -1034,7 +1034,7 @@ Configure GWS to send critical logs to the agency's centralized Security Informa ### Policies -#### GWS.COMMONCONTROLS.14.1v0.3 +#### GWS.COMMONCONTROLS.14.1v0.4 The following critical logs SHALL be sent to the agency's centralized SIEM. > Admin Audit logs @@ -1056,7 +1056,7 @@ The following critical logs SHALL be sent to the agency's centralized SIEM. - [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/) - [T1562:008: Impair Defenses: Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008/) -#### GWS.COMMONCONTROLS.14.2v0.3 +#### GWS.COMMONCONTROLS.14.2v0.4 Audit logs SHALL be maintained for at least 6 months in active storage and an additional 18 months in cold storage, as dictated by OMB M-21-31. - _Rationale:_ Audit logs may be unavailable when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago. 
@@ -1083,12 +1083,12 @@ Audit logs SHALL be maintained for at least 6 months in active storage and an ad ### Implementation -#### GWS.COMMONCONTROLS.14.1v0.3 Instructions +#### GWS.COMMONCONTROLS.14.1v0.4 Instructions Follow the configuration instructions unique to the products and integration patterns at your organization to send the security logs to the security operations center for monitoring. Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at [cyberliason@cisa.dhs.gov] -#### GWS.COMMONCONTROLS.14.2v0.3 Instructions +#### GWS.COMMONCONTROLS.14.2v0.4 Instructions 1. There is no implementation for this policy. ## 15. Data Regions and Storage @@ -1099,7 +1099,7 @@ At the time of writing, data region policies cannot be applied to data types not ### Policies -#### GWS.COMMONCONTROLS.15.1v0.3 +#### GWS.COMMONCONTROLS.15.1v0.4 The data storage region SHALL be set to be the United States for all users in the agency's GWS environment. - _Rationale_: Without this policy, data could be stored in various regions, potentially exposing it to unauthorized entities. Implementing this policy keeps most data in the U.S., making it harder for potential foreign adversaries to compromise the data. @@ -1111,7 +1111,7 @@ The data storage region SHALL be set to be the United States for all users in th - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.COMMONCONTROLS.15.2v0.3 +#### GWS.COMMONCONTROLS.15.2v0.4 Data SHALL be processed in the region selected for data at rest. - _Rationale:_ Without this policy, data could be processed in a region other than the United States, potentially exposing it unauthorized entities. Implementing this policy allows for data sovereignty over organizational data. 
@@ -1125,7 +1125,7 @@ Data SHALL be processed in the region selected for data at rest. - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1567:002: Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/) -#### GWS.COMMONCONTROLS.15.3v0.3 +#### GWS.COMMONCONTROLS.15.3v0.4 The supplemental data storage region SHALL NOT be set to 'Russian Federation'. - _Rationale:_ This policy is aligned with the concept of sovereignty, taking into account geopolitical and USG national security concerns. Keeping data out of Russia helps prevent official data from being subject to Russian law. @@ -1144,7 +1144,7 @@ The supplemental data storage region SHALL NOT be set to 'Russian Federation'. ### Implementation -#### GWS.COMMONCONTROLS.15.1v0.3 Instructions +#### GWS.COMMONCONTROLS.15.1v0.4 Instructions To configure Data Regions per the policy: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Navigate to **Data** -\> **Compliance** -\> **Data Regions**. @@ -1153,7 +1153,7 @@ To configure Data Regions per the policy: 5. Select the radio button option: "**United States**". 6. Click **Save**. -#### GWS.COMMONCONTROLS.15.2v0.3 Instructions +#### GWS.COMMONCONTROLS.15.2v0.4 Instructions 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Navigate to **Data** -\> **Compliance** -\> **Data Regions**. 3. Click the **Region** card. @@ -1161,7 +1161,7 @@ To configure Data Regions per the policy: 5. Select the radio button option: "**Process data in the region selected for data at rest**". 6. Click **Save**. -#### GWS.COMMONCONTROLS.15.3v0.3 Instructions +#### GWS.COMMONCONTROLS.15.3v0.4 Instructions To configure Supplemental Data Storage per the policy: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Navigate to **Account** -> **Account settings**. 
@@ -1176,7 +1176,7 @@ Google Workspace considers some of its services "core services," including Gmail ### Policies -#### GWS.COMMONCONTROLS.16.1v0.3 +#### GWS.COMMONCONTROLS.16.1v0.4 Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone. - _Rationale_: Allowing access to additional google services without a need may create unnecessary vulnerabilities within the Google Workspace environment. By turning these services off, it mitigates the risk by not allowing access. @@ -1190,7 +1190,7 @@ Service status for Google services that do not have an individual control SHOULD - [T1204:002: Trusted Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - [T1204:003: Trusted Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) -#### GWS.COMMONCONTROLS.16.2v0.3 +#### GWS.COMMONCONTROLS.16.2v0.4 User access to Early Access Apps SHOULD be disabled. - _Rationale_: Allowing early access to apps may expose users to apps that have not yet been fully vetted and may still need to undergo robust testing to ensure the latest security standards are met. @@ -1217,12 +1217,12 @@ User access to Early Access Apps SHOULD be disabled. 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Navigate to **Apps** -> **Additional Google services**. -#### GWS.COMMONCONTROLS.16.1v0.3 Instructions +#### GWS.COMMONCONTROLS.16.1v0.4 Instructions 1. Click **CHANGE** at the top where it says if **Access to additional services without individual control for all organizational units is On/Off**. 2. Select the option: "**OFF for everyone**" 3. Click **Save**. -#### GWS.COMMONCONTROLS.16.2v0.3 Instructions +#### GWS.COMMONCONTROLS.16.2v0.4 Instructions 1. In the list of all services, scroll to and click on the **Early Access Apps** service. 2. Click on **Service status**. 3. Ensure **OFF for everyone** is checked. 
@@ -1233,7 +1233,7 @@ This section covers whether multiple super admins need to approve changes to spe ### Policies -#### GWS.COMMONCONTROLS.17.1v0.3 +#### GWS.COMMONCONTROLS.17.1v0.4 Require multi party approval for sensitive admin actions SHALL be enabled. - _Rationale_: Changes to sensitive admin settings, such as disabling 2-step verification, could introduce serious vulnerabilities in the GWS environment. Requiring multiple super admins to approve changes to those settings mitigates the risk changing these settings pose. @@ -1251,7 +1251,7 @@ Require multi party approval for sensitive admin actions SHALL be enabled. ### Implementation -#### GWS.COMMONCONTROLS.17.1v0.3 Instructions +#### GWS.COMMONCONTROLS.17.1v0.4 Instructions To configure additional services per the policy: 1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. 2. Navigate to **Security** -> **Authentication** -> **Multi-party approval settings**. @@ -1269,7 +1269,7 @@ There are several commercial DLP solutions available that document support for G Though use of Google's DLP solution is not strictly required, guidance for configuring Google's DLP solution can be found in the instructions of this policy section. ### Policies -#### GWS.COMMONCONTROLS.18.1v0.3 +#### GWS.COMMONCONTROLS.18.1v0.4 A custom policy SHALL be configured for Google Drive to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. 
@@ -1282,7 +1282,7 @@ A custom policy SHALL be configured for Google Drive to protect PII and sensitiv - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) -#### GWS.COMMONCONTROLS.18.2v0.3 +#### GWS.COMMONCONTROLS.18.2v0.4 A custom policy SHALL be configured for Google Chat to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. @@ -1294,7 +1294,7 @@ A custom policy SHALL be configured for Google Chat to protect PII and sensitive - [T1048:002: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1048/002/) - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) -#### GWS.COMMONCONTROLS.18.3v0.3 +#### GWS.COMMONCONTROLS.18.3v0.4 A custom policy SHALL be configured for Gmail to protect PII and sensitive information as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN). - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. 
@@ -1308,7 +1308,7 @@ A custom policy SHALL be configured for Gmail to protect PII and sensitive infor [//]: # (Keep the version suffix out of the anchor.) -#### GWS.COMMONCONTROLS.18.4v0.3 +#### GWS.COMMONCONTROLS.18.4v0.4 The action for the above DLP policies SHOULD be set to block external sharing. - _Rationale:_ Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures. @@ -1340,7 +1340,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 3. Under **Data protection rules and detectors** click **Manage Rules**. 4. Click **Add rule** -\> **New rule**. -#### GWS.COMMONCONTROLS.18.1v0.3 Instructions +#### GWS.COMMONCONTROLS.18.1v0.4 Instructions 1. In the **Name** section, add the name and description of the rule. 2. In the **Scope** section, apply this rule to the entire domain and click **Continue**. 3. In the **Apps** section, under **Google Drive**, choose the trigger for **Drive files**, then click **Continue**. @@ -1353,7 +1353,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** -#### GWS.COMMONCONTROLS.18.2v0.3 Instructions +#### GWS.COMMONCONTROLS.18.2v0.4 Instructions 1. In the **Name** section, add the name and description of the rule. 2. In the **Scope** section, apply this rule to the entire domain and click **Continue**. 3. In the **Apps** section, choose the trigger for **Google Chat, Message sent, File uploaded** then click **Continue**. 
@@ -1366,7 +1366,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** -#### GWS.COMMONCONTROLS.18.3v0.3 Instructions +#### GWS.COMMONCONTROLS.18.3v0.4 Instructions 1. In the **Name** section, add the name and description of the rule. 2. In the **Scope** section, apply this rule to the entire domain and click **Continue**. 3. In the **Apps** section, choose the trigger for **Gmail, Message sent** then click **Continue**. @@ -1379,7 +1379,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** -#### GWS.COMMONCONTROLS.18.4v0.3 Instructions +#### GWS.COMMONCONTROLS.18.4v0.4 Instructions 1. For each rule in the **Actions** section follow steps depending on application: 1. For Google Drive policies select **Block external sharing**. 2. For Chat policies rules select **Block message** and select **External Conversations** and **Spaces**, **Group chats**, and **1:1 chats**. diff --git a/scubagoggles/baselines/drive.md b/scubagoggles/baselines/drive.md index 44ff5532..0184d485 100644 --- a/scubagoggles/baselines/drive.md +++ b/scubagoggles/baselines/drive.md @@ -37,7 +37,7 @@ This section covers whether users can share files outside of the organization, w ### Policies -#### GWS.DRIVEDOCS.1.1v0.3 +#### GWS.DRIVEDOCS.1.1v0.4 Agencies SHOULD disable sharing outside of the organization's domain. - _Rationale:_ Documents may contain sensitive or private information. Disabling external sharing reduces the risk of inadvertent of data leakage. 
@@ -53,7 +53,7 @@ Agencies SHOULD disable sharing outside of the organization's domain. - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.2v0.3 +#### GWS.DRIVEDOCS.1.2v0.4 Agencies SHOULD disable users' receiving files from outside of the organization's domain. - _Rationale:_ Users given access to external files may inadvertently input sensitive or private content. Additionally, files created externally may contain malicious content. Disallowing external files from being shared to your users may reduce the risk of data loss or falling victim to external threats. @@ -64,7 +64,7 @@ Agencies SHOULD disable users' receiving files from outside of the organization' - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.3v0.3 +#### GWS.DRIVEDOCS.1.3v0.4 Warnings SHALL be enabled when a user is attempting to share something outside the domain. - _Rationale:_ Users may not always be aware a given user is external to their organization. Warning them before sharing increases user awareness and accountability. 
@@ -75,7 +75,7 @@ Warnings SHALL be enabled when a user is attempting to share something outside t - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.4v0.3 +#### GWS.DRIVEDOCS.1.4v0.4 If sharing outside of the organization, then agencies SHALL disable sharing of files with individuals who are not using a Google account. - _Rationale:_ Allowing users not signed-in to a Google account to view shared files diminishes oversight and accountability and increases the chance of potential data breach. This policy reduces that risk by requiring all people to be signed in when viewing shared Doc/Drive materials. @@ -86,7 +86,7 @@ If sharing outside of the organization, then agencies SHALL disable sharing of f - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.5v0.3 +#### GWS.DRIVEDOCS.1.5v0.4 Agencies SHALL disable making files and published web content visible to anyone with the link. - _Rationale:_ Allowing users not signed-in to a Google account to view shared files diminishes oversight and accountability and increases the chance of a potential data breach. This policy reduces that risk by requiring all people to be signed in when viewing shared Doc/Drive materials. 
@@ -96,7 +96,7 @@ Agencies SHALL disable making files and published web content visible to anyone - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.6v0.3 +#### GWS.DRIVEDOCS.1.6v0.4 Agencies SHALL set access checking to recipients only. - _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients. @@ -106,7 +106,7 @@ Agencies SHALL set access checking to recipients only. - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.7v0.3 +#### GWS.DRIVEDOCS.1.7v0.4 Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organization. - _Rationale:_ Once a document is moved outside the organization's drives, the organization no longer has control over the dissemination of the document. By not allowing users to distribute content to external shared drives, the organization maintains more control over the document. @@ -116,7 +116,7 @@ Agencies SHALL NOT allow any users to distribute content from an organization-ow - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) -#### GWS.DRIVEDOCS.1.8v0.3 +#### GWS.DRIVEDOCS.1.8v0.4 Agencies SHALL set newly created items to have Private to the Owner as the default level of access. - _Rationale:_ By implementing least privilege and setting the default to be private, the organization is able to prevent overly broad accidental sharing of information. 
@@ -146,35 +146,35 @@ To configure the settings for Sharing options: 4. Follow implementation for each individual policy 5. Select **Save** -#### GWS.DRIVEDOCS.1.1v0.3 Instructions +#### GWS.DRIVEDOCS.1.1v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Select **Sharing outside of your domain** -\> **OFF – Files owned by users in your domain cannot be shared outside of your domain** -#### GWS.DRIVEDOCS.1.2v0.3 Instructions +#### GWS.DRIVEDOCS.1.2v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Deselect **Allow users to receive files from users or shared drives outside of the organization** -#### GWS.DRIVEDOCS.1.3v0.3 Instructions +#### GWS.DRIVEDOCS.1.3v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Select **Warn when files owned by users or shared drives in your organization are shared outside of your organization.** -#### GWS.DRIVEDOCS.1.4v0.3 Instructions +#### GWS.DRIVEDOCS.1.4v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Deselect **Allow users or shared drives in your organization to share items with people outside of your organization who aren't using a Google account.** -#### GWS.DRIVEDOCS.1.5v0.3 Instructions +#### GWS.DRIVEDOCS.1.5v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Deselect **When sharing outside of your organization is allowed, users in your organization can make files and published web content visible to anyone with the link.** -#### GWS.DRIVEDOCS.1.6v0.3 Instructions +#### GWS.DRIVEDOCS.1.6v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. Select **Access Checker** -\> **Recipients only.** -#### GWS.DRIVEDOCS.1.7v0.3 Instructions +#### GWS.DRIVEDOCS.1.7v0.4 Instructions 1. Select **Sharing settings** -\> **Sharing options**. 2. 
Select **Distributing content outside of your domain** -\> **No one** -#### GWS.DRIVEDOCS.1.8v0.3 Instructions +#### GWS.DRIVEDOCS.1.8v0.4 Instructions 1. Select **Sharing settings -\> General access default.** 2. Select **When users in your organization create items, the default access will be -\> Private to the owner.** @@ -184,7 +184,7 @@ This section covers whether users can create new shared drives to share with oth ### Policies -#### GWS.DRIVEDOCS.2.1v0.3 +#### GWS.DRIVEDOCS.2.1v0.4 Agencies SHOULD NOT allow members with manager access to override shared drive creation settings. - _Rationale:_ Allowing users who are not the drive owner to override settings violates the principle of least privilege. This policy reduces the risk of drive settings being modified by unauthorized individuals. @@ -193,7 +193,7 @@ Agencies SHOULD NOT allow members with manager access to override shared drive c - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.2v0.3 +#### GWS.DRIVEDOCS.2.2v0.4 Agencies SHOULD NOT allow users outside of their organization to access files in shared drives. - _Rationale:_ To regulate document access within the organization, it is recommended that agencies restrict external users from accessing files on shared drives. This policy is aimed at safeguarding internal documents from being distributed outside the organization without explicit consent and approval. 
@@ -202,7 +202,7 @@ Agencies SHOULD NOT allow users outside of their organization to access files in - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.3v0.3 +#### GWS.DRIVEDOCS.2.3v0.4 Agencies SHALL allow users who are not shared drive members to be added to files. - _Rationale:_ Prohibiting non-members from being added to a file necessitates their addition as drive members, potentially exposing all drive files and increasing the risk of sensitive content exposure. By disallowing the sharing of these individual files, the risk of internal documents from being distributed outside the organization without explicit consent and approval is decreased. @@ -211,7 +211,7 @@ Agencies SHALL allow users who are not shared drive members to be added to files - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.4v0.3 +#### GWS.DRIVEDOCS.2.4v0.4 Agencies SHALL NOT allow viewers and commenters to download, print, and copy files. - _Rationale:_ Downloading and removing a file from the GWS tenant bypasses all access control settings, increasing the risk of data leakage. By preventing the sharing of these externally downloaded files, the risk of internal documents from being distributed outside the organization without explicit consent and approval is decreased. 
@@ -240,16 +240,16 @@ To configure the settings for Shared drive creation: 4. Follow the implementation for each individual policy. 5. Select **Save** -#### GWS.DRIVEDOCS.2.1v0.3 Instructions +#### GWS.DRIVEDOCS.2.1v0.4 Instructions 1. Uncheck the **Allow members with manager access to override the settings below** checkbox. -#### GWS.DRIVEDOCS.2.2v0.3 Instructions +#### GWS.DRIVEDOCS.2.2v0.4 Instructions 1. Uncheck the **Allow users outside organization to access files in shared drives** checkbox. -#### GWS.DRIVEDOCS.2.3v0.3 Instructions +#### GWS.DRIVEDOCS.2.3v0.4 Instructions 1. Check the **Allow people who aren't shared drive members to be added to files** checkbox. -#### GWS.DRIVEDOCS.2.4v0.3 Instructions +#### GWS.DRIVEDOCS.2.4v0.4 Instructions 1. Check the **Allow viewers and commenters to download, print, and copy files** checkbox. ## 3. Security Updates for Files @@ -258,7 +258,7 @@ This section covers whether a security update issued by Google will be applied t ### Policies -#### GWS.DRIVEDOCS.3.1v0.3 +#### GWS.DRIVEDOCS.3.1v0.4 Agencies SHALL enable the security update for Drive files. - _Rationale:_ By not enabling the update to the resource key security update a user could potentially gain unauthorized access to files. Enabling this security update decreases risk of unauthorized access and data spillage by controlling access to files in Google Drive. @@ -279,7 +279,7 @@ Agencies SHALL enable the security update for Drive files. To configure the settings for Security update for files: -##### GWS.DRIVEDOCS.3.1v0.3 Instructions +##### GWS.DRIVEDOCS.3.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Drive and Docs.** 3. Select **Sharing settings -\> Security update for files.** 
@@ -293,7 +293,7 @@ This section covers whether users have access to Google Drive with the Drive SDK ### Policies -#### GWS.DRIVEDOCS.4.1v0.3 +#### GWS.DRIVEDOCS.4.1v0.4 Agencies SHOULD disable Drive SDK access. - _Rationale:_ The Drive SDK allows third-party applications to access Drive data, potentially leading to unintentional information sharing and data leakage. By disabling the Drive SDK you can decrease the risk of internal documents from being distributed outside the organization without explicit consent and approval. @@ -316,7 +316,7 @@ Agencies SHOULD disable Drive SDK access. To configure the settings for Drive SDK: -#### GWS.DRIVEDOCS.4.1v0.3 Instructions +#### GWS.DRIVEDOCS.4.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Drive and Docs.** 3. Select **Features and Applications -\> Drive SDK.** @@ -329,7 +329,7 @@ This section covers whether users can use add-ons in file editors within Google ### Policies -#### GWS.DRIVEDOCS.5.1v0.3 +#### GWS.DRIVEDOCS.5.1v0.4 Agencies SHALL disable Add-Ons. - _Rationale:_ Google Docs Add-Ons, depending on their permissions, can present a security risk, including potential exposure of sensitive content. By disabling unapproved add-ons and preventing their sharing, the risk of data leakage can be significantly reduced. @@ -352,7 +352,7 @@ Agencies SHALL disable Add-Ons. To configure the settings for add-ons: -#### GWS.DRIVEDOCS.5.1v0.3 Instructions +#### GWS.DRIVEDOCS.5.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Drive and Docs.** 3. Select **Features and Applications -\> Add-Ons.** 
@@ -365,7 +365,7 @@ This section addresses Drive for Desktop, a feature that enables users to intera ### Policies -#### GWS.DRIVEDOCS.6.1v0.3 +#### GWS.DRIVEDOCS.6.1v0.4 Google Drive for Desktop SHOULD be enabled only for authorized devices. - _Rationale:_ Some users may attempt to use Drive for Desktop to connect unapproved devices (e.g., a personal computer), to the agency's Google Drive. Even if done without malicious intent, this represents a security risk as the agency has no ability audit or protect such computers. @@ -385,7 +385,7 @@ Google Drive for Desktop SHOULD be enabled only for authorized devices. ### Implementation -#### GWS.DRIVEDOCS.6.1v0.3 Instructions +#### GWS.DRIVEDOCS.6.1v0.4 Instructions To Disable Google Drive for Desktop: 1. Sign in to the [Google Admin Console](https://admin.google.com). diff --git a/scubagoggles/baselines/gmail.md b/scubagoggles/baselines/gmail.md index 0cbbfb08..8443c376 100644 --- a/scubagoggles/baselines/gmail.md +++ b/scubagoggles/baselines/gmail.md @@ -51,7 +51,7 @@ This section determines whether users can delegate access to their mailbox to ot ### Policies -#### GWS.GMAIL.1.1v0.3 +#### GWS.GMAIL.1.1v0.4 Mail Delegation SHOULD be disabled. - _Rationale:_ Granting mail delegation can inadvertently lead to disclosure of sensitive information, impersonation of delegated accounts, or malicious alteration or deletion of emails. By controlling mail delegation, these risks can be significantly reduced, improving the security and integrity of email communications. @@ -74,7 +74,7 @@ Mail Delegation SHOULD be disabled. ### Implementation -#### GWS.GMAIL.1.1v0.3 Instructions +#### GWS.GMAIL.1.1v0.4 Instructions To configure the settings for Mail Delegation: 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 
@@ -89,7 +89,7 @@ This section enables DomainKeys Identified Mail (DKIM) to help prevent spoofing ### Policies -#### GWS.GMAIL.2.1v0.3 +#### GWS.GMAIL.2.1v0.4 DKIM SHOULD be enabled for all domains. - _Rationale:_ Enabling DKIM for all domains can help prevent email spoofing and phishing attacks. Without DKIM, adversaries could manipulate email headers to appear as if they're from a legitimate source, potentially leading to the disclosure of sensitive information. By enabling DKIM, the authenticity of emails can be verified, reducing this risk. @@ -114,7 +114,7 @@ DKIM SHOULD be enabled for all domains. ### Implementation -#### GWS.GMAIL.2.1v0.3 Instructions +#### GWS.GMAIL.2.1v0.4 Instructions To configure the settings for DKIM: 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. @@ -134,7 +134,7 @@ The Sender Policy Framework (SPF) is a mechanism that allows administrators to s ### Policies -#### GWS.GMAIL.3.1v0.3 +#### GWS.GMAIL.3.1v0.4 An SPF policy SHALL be published for each domain that fails all non-approved senders. - _Rationale:_ Adversaries could potentially manipulate the 'FROM' field in an email to appear as a legitimate sender, increasing the risk of phishing attacks. By publishing an SPF policy for each domain that fails all non-approved senders, this risk can be reduced as it provides a means to detect and block such deceptive emails. Additionally, SPF is required for federal, executive branch, departments and agencies by Binding Operational Directive 18-01, "Enhance Email and Web Security." 
@@ -160,7 +160,7 @@ An SPF policy SHALL be published for each domain that fails all non-approved sen ### Implementation -#### GWS.GMAIL.3.1v0.3 Instructions +#### GWS.GMAIL.3.1v0.4 Instructions First, identify any approved senders specific to your agency (see [Identify all email senders for your organization](https://support.google.com/a/answer/10686639#senders) for tips). SPF allows you to indicate approved senders by IP address or CIDR range. However, note that SPF allows you to [include](https://www.rfc-editor.org/rfc/rfc7208#section-5.2) the IP addresses indicated by a separate SPF policy, refered to by domain name. See [Define your SPF record—Basic setup](https://support.google.com/a/answer/10685031) for inclusions required for Google to send email on behalf of your domain. SPF is not configured through the Google Workspace admin center, but rather via DNS records hosted by the agency's domain. Thus, the exact steps needed to set up SPF varies from agency to agency. See [Add your SPF record at your domain provider](https://support.google.com/a/answer/10684623) for more details. @@ -180,7 +180,7 @@ Domain-based Message Authentication, Reporting, and Conformance (DMARC) works wi ### Policies -#### GWS.GMAIL.4.1v0.3 +#### GWS.GMAIL.4.1v0.4 A DMARC policy SHALL be published for every second-level domain. - _Rationale:_ Without proper authentication and a DMARC policy available for each domain, recipients may improperly handle SPF and DKIM failures, possibly enabling adversaries to send deceptive emails that appear to be from your domain. Publishing a DMARC policy for every second-level domain further reduces the risk posed by authentication failures. 
@@ -189,7 +189,7 @@ A DMARC policy SHALL be published for every second-level domain. - MITRE ATT&CK TTP Mapping - None -#### GWS.GMAIL.4.2v0.3 +#### GWS.GMAIL.4.2v0.4 The DMARC message rejection option SHALL be p=reject. - _Rationale:_ Without stringent email authentication, adversaries could potentially send deceptive emails that appear to be from your domain, increasing the risk of phishing attacks. This policy reduces risk as it automatically rejects emails that fail SPF or DKIM checks, preventing potentially harmful emails from reaching recipients. Additionally, "reject" is the level of protection required by BOD 18-01, "Enhance Email and Web Security," for federal, executive branch, departments and agencies. @@ -203,7 +203,7 @@ The DMARC message rejection option SHALL be p=reject. - [T1586:002: Compromise Accounts](https://attack.mitre.org/techniques/T1586/) - [T1586:002: Compromise Accounts: Email Accounts](https://attack.mitre.org/techniques/T1586/002/) -#### GWS.GMAIL.4.3v0.3 +#### GWS.GMAIL.4.3v0.4 The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`. - _Rationale:_ Without a centralized point of contact for DMARC aggregate reports, potential email security issues may go unnoticed, increasing the risk of phishing attacks. As required by BOD 18-01 for federal, executive branch, departments and agencies, set reports@dmarc.cyber.dhs.gov as the DMARC aggregate report recipient, which allows CISA to monitor and address email authentication issues. 
@@ -213,7 +213,7 @@ The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cy - MITRE ATT&CK TTP Mapping - None -#### GWS.GMAIL.4.4v0.3 +#### GWS.GMAIL.4.4v0.4 An agency point of contact SHOULD be included for aggregate and failure reports. - _Rationale:_ Without a designated agency point of contact for DMARC aggregate and failure reports, potential email security issues may not be promptly addressed, increasing the risk of phishing attacks. By including an agency point of contact, this risk can be reduced as it facilitates a timely response to email authentication issues, enhancing overall email security. @@ -238,7 +238,7 @@ An agency point of contact SHOULD be included for aggregate and failure reports. [//]: # (Keep the version suffix out of the anchor.) [//]: # (https://stackoverflow.com/questions/5319754/cross-reference-named-anchor-in-markdown) -#### GWS.GMAIL.4.1v0.3 Instructions +#### GWS.GMAIL.4.1v0.4 Instructions DMARC is not configured through the Google Admin Console, but rather via DNS records hosted by the agency's domain(s). As such, implementation varies depending on how an agency manages its DNS records. See [Add your DMARC record](https://support.google.com/a/answer/2466563) for Google guidance. Note, a DMARC record published at the second-level domain will protect all subdomains. In other words, a DMARC record published for `example.com` will protect both `a.example.com` and `b.example.com`, but a separate record would need to be published for `c.example.gov`. 
@@ -251,13 +251,13 @@ dig _dmarc.example.com txt If DMARC is configured, a response resembling `v=DMARC1; p=reject; pct=100; rua=mailto:reports@dmarc.cyber.dhs.gov, mailto:reports@example.com; ruf=mailto:reports@example.com` will be returned, though by necessity, the contents of the record will vary by agency. In this example, the policy indicates all emails failing the SPF/DKIM checks are to be rejected and aggregate reports sent to reports@dmarc.cyber.dhs.gov and reports@example.com. Failure reports will be sent to reports@example.com. -#### GWS.GMAIL.4.2v0.3 Instructions +#### GWS.GMAIL.4.2v0.4 Instructions See [GWS.GMAIL.4.1 instructions](#gmail41-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes `p=reject`. -#### GWS.GMAIL.4.3v0.3 Instructions +#### GWS.GMAIL.4.3v0.4 Instructions See [GWS.GMAIL.4.1 instructions](#gmail41-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes reports@dmarc.cyber.dhs.gov as one of the emails for the `rua` field. -#### GWS.GMAIL.4.4v0.3 Instructions +#### GWS.GMAIL.4.4v0.4 Instructions See [GWS.GMAIL.4.1 instructions](#gmail41-instructions) for an overview of how to publish and check a DMARC record. Ensure the record published includes a point of contact specific to your agency, in addition to reports@dmarc.cyber.dhs.gov, as one of the emails for the `rua` field and one or more agency-defined points of contact for the `ruf` field. ## 5. Attachment Protections 
@@ -268,7 +268,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.5.1v0.3 +#### GWS.GMAIL.5.1v0.4 Protect against encrypted attachments from untrusted senders SHALL be enabled. - _Rationale:_ Attachments from untrusted senders, especially encrypted ones, may contain malicious content that poses a security risk. By enabling protection against encrypted attachments from untrusted senders, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -284,7 +284,7 @@ Protect against encrypted attachments from untrusted senders SHALL be enabled. - [T1204:002: User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - [T1204:003: User Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) -#### GWS.GMAIL.5.2v0.3 +#### GWS.GMAIL.5.2v0.4 Protect against attachments with scripts from untrusted senders SHALL be enabled. - _Rationale:_ Attachments with scripts from untrusted senders may contain malicious content that poses a security risk. By enabling protection against such attachments, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -300,7 +300,7 @@ Protect against attachments with scripts from untrusted senders SHALL be enabled - [T1204:002: User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - [T1204:003: User Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) -#### GWS.GMAIL.5.3v0.3 +#### GWS.GMAIL.5.3v0.4 Protect against anomalous attachment types in emails SHALL be enabled. - _Rationale:_ Anomalous attachment types in emails may contain malicious content that poses a security risk. By enabling protection against such attachments, this risk can be reduced, enhancing the safety and integrity of the user data and systems. 
@@ -316,7 +316,7 @@ Protect against anomalous attachment types in emails SHALL be enabled. - [T1204:002: User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) - [T1204:003: User Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) -#### GWS.GMAIL.5.4v0.3 +#### GWS.GMAIL.5.4v0.4 Google SHOULD be allowed to automatically apply future recommended settings for attachments. - _Rationale:_ By enabling this feature, the system can automatically stay updated with the latest security measures recommended by Google, reducing the risk of security breaches. @@ -325,7 +325,7 @@ Google SHOULD be allowed to automatically apply future recommended settings for - MITRE ATT&CK TTP Mapping - None -#### GWS.GMAIL.5.5v0.3 +#### GWS.GMAIL.5.5v0.4 Emails flagged by the above attachment protection controls SHALL NOT be kept in inbox. - _Rationale:_ Keeping emails flagged by attachment protection controls in the inbox could potentially expose users to malicious content. Removing these emails from the inbox enhances the safety and integrity of user data and systems. @@ -343,7 +343,7 @@ Emails flagged by the above attachment protection controls SHALL NOT be kept in - [T1204:003: User Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) -#### GWS.GMAIL.5.6v0.3 +#### GWS.GMAIL.5.6v0.4 Any third-party or outside application selected for attachment protection SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for attachment protection that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems. 
@@ -372,24 +372,24 @@ To configure the settings for Attachment Protections: 4. Follow implementation for each individual policy 5. Select **Save**. -#### GWS.GMAIL.5.1v0.3 Instructions +#### GWS.GMAIL.5.1v0.4 Instructions 1. Check the **Protect against encrypted attachments from untrusted senders** checkbox. -#### GWS.GMAIL.5.2v0.3 Instructions +#### GWS.GMAIL.5.2v0.4 Instructions 1. Check the **Protect against attachments with scripts from untrusted senders** checkbox. -#### GWS.GMAIL.5.3v0.3 Instructions +#### GWS.GMAIL.5.3v0.4 Instructions 1. Check the **Protect against anomalous attachment types in emails** checkbox. -#### GWS.GMAIL.5.4v0.3 Instructions +#### GWS.GMAIL.5.4v0.4 Instructions 1. Check the **Apply future recommended settings automatically** checkbox. -#### GWS.GMAIL.5.5v0.3 Instructions +#### GWS.GMAIL.5.5v0.4 Instructions 1. Under the setting for Policy 5.1 through Policy 5.3, ensure either "Move email to spam" or "Quarantine" is selected. -#### GWS.GMAIL.5.6v0.3 Instructions +#### GWS.GMAIL.5.6v0.4 Instructions 1. No implementation steps for this policy @@ -401,7 +401,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.6.1v0.3 +#### GWS.GMAIL.6.1v0.4 Identify links behind shortened URLs SHALL be enabled. - _Rationale:_ Shortened URLs can potentially hide malicious links, posing a security risk. By enabling the identification of links behind shortened URLs, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -414,7 +414,7 @@ Identify links behind shortened URLs SHALL be enabled. - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - [T1204:001: User Execution: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) -#### GWS.GMAIL.6.2v0.3 +#### GWS.GMAIL.6.2v0.4 Scan linked images SHALL be enabled. - _Rationale:_ Linked images in emails can potentially contain malicious content, posing a security risk. By enabling the scanning of linked images, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -427,7 +427,7 @@ Scan linked images SHALL be enabled. - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - [T1204:002: User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) -#### GWS.GMAIL.6.3v0.3 +#### GWS.GMAIL.6.3v0.4 Show warning prompt for any click on links to untrusted domains SHALL be enabled. - _Rationale:_ Clicking on links to unfamiliar domains can potentially expose users to malicious content, posing a security risk. By enabling a warning prompt for any click on such links, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -440,7 +440,7 @@ Show warning prompt for any click on links to untrusted domains SHALL be enabled - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) - [T1204:001: User Execution: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) -#### GWS.GMAIL.6.4v0.3 +#### GWS.GMAIL.6.4v0.4 Google SHALL be allowed to automatically apply future recommended settings for links and external images. - _Rationale:_ By enabling this feature, the system can automatically stay updated with the latest recommended security measures from Google, reducing the risk of security breaches and enhancing the safety and integrity of user data and systems. 
@@ -449,7 +449,7 @@ Google SHALL be allowed to automatically apply future recommended settings for l - MITRE ATT&CK TTP Mapping - None -#### GWS.GMAIL.6.5v0.3 +#### GWS.GMAIL.6.5v0.4 Any third-party or outside application selected for links and external images protection SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for links and external images protection that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services enhances the safety and integrity of user data and systems. @@ -481,19 +481,19 @@ To configure the settings for Links and External Images Protection: 4. Follow implementation for each individual policy. 5. Select **Save** -#### GWS.GMAIL.6.1v0.3 Instructions +#### GWS.GMAIL.6.1v0.4 Instructions 1. Check the **Identify links behind shortened URLs** checkbox. -#### GWS.GMAIL.6.2v0.3 Instructions +#### GWS.GMAIL.6.2v0.4 Instructions 1. Check the **Scan linked images** checkbox. -#### GWS.GMAIL.6.3v0.3 Instructions +#### GWS.GMAIL.6.3v0.4 Instructions 1. Check the **Show warning prompt for any click on links to untrusted domains** checkbox. -#### GWS.GMAIL.6.4v0.3 Instructions +#### GWS.GMAIL.6.4v0.4 Instructions 1. Check the **Apply future recommended settings automatically** checkbox. -#### GWS.GMAIL.6.5v0.3 Instructions +#### GWS.GMAIL.6.5v0.4 Instructions 1. No implementation steps for this policy 
@@ -505,7 +505,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.7.1v0.3 +#### GWS.GMAIL.7.1v0.4 Protect against domain spoofing based on similar domain names SHALL be enabled. - _Rationale:_ Emails sent from domains that look similar to your domain can potentially deceive users into interacting with malicious content, posing a security risk. Enabling protection against such spoofing can reduce this risk, enhancing the safety and integrity of user data and systems. @@ -517,7 +517,7 @@ Protect against domain spoofing based on similar domain names SHALL be enabled. - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.2v0.3 +#### GWS.GMAIL.7.2v0.4 Protect against spoofing of employee names SHALL be enabled. - _Rationale:_ Spoofing of employee identities (e.g., CEO and IT staff) can potentially deceive users into interacting with malicious content, posing a security risk. Enabling protection against such spoofing can reduce this risk, enhancing the safety and integrity of user data and systems. @@ -529,7 +529,7 @@ Protect against spoofing of employee names SHALL be enabled. - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.3v0.3 +#### GWS.GMAIL.7.3v0.4 Protect against inbound emails spoofing your domain SHALL be enabled. - _Rationale:_ Inbound emails appearing to come from your domain can potentially deceive users into interacting with malicious content, posing a security risk. By enabling protection against such spoofing, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -541,7 +541,7 @@ Protect against inbound emails spoofing your domain SHALL be enabled. - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.4v0.3 +#### GWS.GMAIL.7.4v0.4 Protect against any unauthenticated emails SHALL be enabled. - _Rationale:_ Unauthenticated emails can potentially contain malicious content, posing a security risk. By enabling protection against such emails, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -553,7 +553,7 @@ Protect against any unauthenticated emails SHALL be enabled. - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.5v0.3 +#### GWS.GMAIL.7.5v0.4 Protect your Groups from inbound emails spoofing your domain SHALL be enabled. - _Rationale:_ Inbound emails spoofing your domain can potentially deceive users into interacting with malicious content, posing a security risk. By enabling protection against such spoofing, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -565,7 +565,7 @@ Protect your Groups from inbound emails spoofing your domain SHALL be enabled. - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.6v0.3 +#### GWS.GMAIL.7.6v0.4 Emails flagged by the above spoofing and authentication controls SHALL NOT be kept in inbox. - _Rationale:_ Keeping emails flagged by spoofing and authentication controls in the inbox could potentially expose users to malicious content. Moving emails out of the inbox can reduce this risk, enhancing the safety and integrity of the user's data and systems. 
@@ -579,7 +579,7 @@ Emails flagged by the above spoofing and authentication controls SHALL NOT be ke - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.7v0.3 +#### GWS.GMAIL.7.7v0.4 Google SHALL be allowed to automatically apply future recommended settings for spoofing and authentication. - _Rationale:_ By enabling this feature, the system can automatically stay updated with the latest recommended security measures from Google, reducing the risk of security breaches and enhancing the safety and integrity of user data and systems. @@ -591,7 +591,7 @@ Google SHALL be allowed to automatically apply future recommended settings for s - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) -#### GWS.GMAIL.7.8v0.3 +#### GWS.GMAIL.7.8v0.4 Any third-party or outside application selected for spoofing and authentication protection SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for spoofing and authentication protection that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems. 
@@ -622,29 +622,29 @@ To configure the settings for Spoofing and Authentication Protection: 4. Follow steps for individual policies below. 5. Select **Save** -#### GWS.GMAIL.7.1v0.3 Instructions +#### GWS.GMAIL.7.1v0.4 Instructions 1. Check the **Protect against domain spoofing based on similar domain names** checkbox. -#### GWS.GMAIL.7.2v0.3 Instructions +#### GWS.GMAIL.7.2v0.4 Instructions 1. Check the **Protect against spoofing of employee names** checkbox. -#### GWS.GMAIL.7.3v0.3 Instructions +#### GWS.GMAIL.7.3v0.4 Instructions 1. Check the **Protect against inbound emails spoofing your domain** checkbox. -#### GWS.GMAIL.7.4v0.3 Instructions +#### GWS.GMAIL.7.4v0.4 Instructions 1. Check the **Protect against any unauthenticated emails** checkbox. -#### GWS.GMAIL.7.5v0.3 Instructions +#### GWS.GMAIL.7.5v0.4 Instructions 1. Check the **Protect your groups from inbound emails spoofing your domain** checkbox. -#### GWS.GMAIL.7.6v0.3 Instructions +#### GWS.GMAIL.7.6v0.4 Instructions 1. Under each setting from Policy 7.1 through Policy 7.5, make sure either "Move email to spam" or "Quarantine" is selected. -#### GWS.GMAIL.7.7v0.3 Instructions +#### GWS.GMAIL.7.7v0.4 Instructions 1. Check the **Apply future recommended settings automatically** checkbox. -#### GWS.GMAIL.7.8v0.3 Instructions +#### GWS.GMAIL.7.8v0.4 Instructions 1. There is no implementation for this policy. @@ -654,7 +654,7 @@ This section addresses a feature that enables users to import their email and co ### Policies -#### GWS.GMAIL.8.1v0.3 +#### GWS.GMAIL.8.1v0.4 User email uploads SHALL be disabled to protect against unauthorized files being introduced into the secured environment. - _Rationale:_ Allowing user email uploads could potentially introduce unauthorized or malicious files into the secured environment, posing a security risk. By disabling user email uploads, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -680,7 +680,7 @@ User email uploads SHALL be disabled to protect against unauthorized files being To configure the settings for User Email Uploads: -#### GWS.GMAIL.8.1v0.3 Instructions +#### GWS.GMAIL.8.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Setup -\> User email uploads**. @@ -694,7 +694,7 @@ This section determines whether users have POP3 and IMAP access. Doing so allows ### Policies -#### GWS.GMAIL.9.1v0.3 +#### GWS.GMAIL.9.1v0.4 POP and IMAP access SHALL be disabled to protect sensitive agency or organization emails from being accessed through legacy applications or other third-party mail clients. - _Rationale:_ Enabling POP and IMAP access could potentially expose sensitive agency or organization emails to unauthorized access through legacy applications or third-party mail clients, posing a security risk. By disabling POP and IMAP access, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -718,7 +718,7 @@ POP and IMAP access SHALL be disabled to protect sensitive agency or organizatio To configure the settings for POP and IMAP access: -#### GWS.GMAIL.9.1v0.3 Instructions +#### GWS.GMAIL.9.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **End User Access -\> POP and IMAP access**. @@ -733,7 +733,7 @@ This section determines whether Google Workspace Sync allows data synchronizatio ### Policies -#### GWS.GMAIL.10.1v0.3 +#### GWS.GMAIL.10.1v0.4 Google Workspace Sync SHOULD be disabled. - _Rationale:_ Enabling Google Workspace Sync could potentially expose sensitive agency or organization data to unauthorized access or loss, posing a security risk. By disabling Google Workspace Sync, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -747,7 +747,7 @@ Google Workspace Sync SHOULD be disabled. - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) -#### GWS.GMAIL.10.2v0.3 +#### GWS.GMAIL.10.2v0.4 Google Workspace Sync MAY be enabled on a per-user basis as needed. - _Rationale:_ Enabling Google Workspace Sync indiscriminately could potentially expose sensitive agency or organization data to unauthorized access or loss, posing a security risk. By only allowing Google Workspace Sync on a per-user basis as needed, this risk can be reduced, ensuring the safety and integrity of user data and systems. @@ -778,11 +778,11 @@ To configure the settings for Google Workspace Sync: 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **End User Access -\> Google Workspace Sync**. -#### GWS.GMAIL.10.1v0.3 Instructions +#### GWS.GMAIL.10.1v0.4 Instructions 1. Uncheck the **Enable Google Workspace Sync for Microsoft Outlook for my users** checkbox. 2. Select **Save**. -#### GWS.GMAIL.10.2v0.3 Instructions +#### GWS.GMAIL.10.2v0.4 Instructions 1. There is no implementation steps for this policy. 2. Select **Save**. @@ -793,7 +793,7 @@ This section determines whether emails can be automatically forwarded from a use ### Policies -#### GWS.GMAIL.11.1v0.3 +#### GWS.GMAIL.11.1v0.4 Automatic forwarding SHOULD be disabled, especially to external domains. - _Rationale:_ By enabling automatic forwarding, especially to external domains, adversaries could gain persistent access to a victim's email, potentially exposing sensitive agency or organization emails to unauthorized access or loss. By disabling automatic forwarding, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -814,7 +814,7 @@ Automatic forwarding SHOULD be disabled, especially to external domains. To configure the settings for Automatic Forwarding: -#### GWS.GMAIL.11.1v0.3 Instructions +#### GWS.GMAIL.11.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **End User Access -\> Automatic forwarding**. @@ -827,7 +827,7 @@ This section determines whether outgoing mail is delivered only through the Goog ### Policies -#### GWS.GMAIL.12.1v0.3 +#### GWS.GMAIL.12.1v0.4 Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers SHALL be disabled. - _Rationale:_ Using a per-user outbound gateway that is a mail server other than the Google Workspace mail servers could potentially expose sensitive agency or organization emails to unauthorized access or loss, posing a security risk. By disabling this feature, this risk can be reduced, enhancing the safety and integrity of user data and systems. @@ -852,7 +852,7 @@ Using a per-user outbound gateway that is a mail server other than the Google Wo To configure the settings for Per-user Outbound Gateways: -#### GWS.GMAIL.12.1v0.3 Instructions +#### GWS.GMAIL.12.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **End User Access -\> Allow per-user outbound gateways**. @@ -866,7 +866,7 @@ This section determines whether users are prompted with a warning for messages t ### Policies -#### GWS.GMAIL.13.1v0.3 +#### GWS.GMAIL.13.1v0.4 Unintended external reply warnings SHALL be enabled. - _Rationale:_ Unintended external reply warnings can help reduce the risk of exposing sensitive information in replies to external messages. Enabling these warnings reminds users to treat external messages with caution, reducing this risk and enhancing the safety and integrity of user data and systems. 
@@ -892,7 +892,7 @@ Unintended external reply warnings SHALL be enabled. To configure the settings to warn users of external recipients: -#### GWS.GMAIL.13.1v0.3 Instructions +#### GWS.GMAIL.13.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **End User Access -\> Warn for external recipients**. @@ -906,7 +906,7 @@ This section determines whether an email allowlist allows for messages from cert ### Policies -#### GWS.GMAIL.14.1v0.3 +#### GWS.GMAIL.14.1v0.4 An email allowlist SHOULD not be implemented. - _Rationale:_ Implementing an email allowlist could potentially expose users to security risks as allowlisted senders bypass important security mechanisms, including spam filtering and sender authentication checks. By not implementing an allowlist, this risk can be reduced, enhancing the safety and integrity of the user data and systems. @@ -932,7 +932,7 @@ An email allowlist SHOULD not be implemented. To configure the settings for Email Allowlists: -#### GWS.GMAIL.14.1v0.3 Instructions +#### GWS.GMAIL.14.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Spam, phishing, and malware -\> Email allowlist**. @@ -948,7 +948,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.15.1v0.3 +#### GWS.GMAIL.15.1v0.4 Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. - _Rationale:_ Without enhanced pre-delivery message scanning, users may be exposed to phishing attempts, posing a security risk. By enabling this feature, potential phishing emails can be identified and blocked before reaching the user, reducing this risk and enhancing the safety and integrity of user data and systems. 
@@ -960,7 +960,7 @@ Enhanced pre-delivery message scanning SHALL be enabled to prevent phishing. - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - [T1566:003: Phishing: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/) -#### GWS.GMAIL.15.2v0.3 +#### GWS.GMAIL.15.2v0.4 Any third-party or outside application selected for enhanced pre-delivery message scanning SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for enhanced pre-delivery message scanning that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems. @@ -981,14 +981,14 @@ Any third-party or outside application selected for enhanced pre-delivery messag To configure the settings for Enhanced Pre-Delivery Message Scanning: -#### GWS.GMAIL.15.1v0.3 Instructions +#### GWS.GMAIL.15.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Spam, phishing, and malware -\> Enhanced pre-delivery message scanning**. 4. Check the **Enables improved detection of suspicious content prior to delivery** checkbox. 5. Select **Save**. -#### GWS.GMAIL.15.2v0.3 Instructions +#### GWS.GMAIL.15.2v0.4 Instructions 1. There is no implementation steps for this policy 
@@ -1000,7 +1000,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.16.1v0.3 +#### GWS.GMAIL.16.1v0.4 Security sandbox SHOULD be enabled to provide additional protections for their email messages. - _Rationale:_ Without a security sandbox, emails with malicious content could potentially interact directly with the users' systems, posing a risk. By enabling the security sandbox, additional protections are provided for email messages, reducing this risk and enhancing the safety and integrity of user data and systems. @@ -1010,7 +1010,7 @@ Security sandbox SHOULD be enabled to provide additional protections for their e - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/) - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) -#### GWS.GMAIL.16.2v0.3 +#### GWS.GMAIL.16.2v0.4 Any third-party or outside application selected for security sandbox SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for security sandbox that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services reduces this risk, enhancing the safety and integrity of user data and systems. @@ -1031,7 +1031,7 @@ Any third-party or outside application selected for security sandbox SHOULD offe To configure the settings for Security sandbox or Security sandbox rules: -#### GWS.GMAIL.16.1v0.3 Instructions +#### GWS.GMAIL.16.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Spam, phishing, and malware -\> Security sandbox**. 
@@ -1044,7 +1044,7 @@ To configure the settings for Security sandbox or Security sandbox rules: 4. Action to take if expressions match. 7. Select **Save**. -#### GWS.GMAIL.16.2v0.3 Instructions +#### GWS.GMAIL.16.2v0.4 Instructions 1. There is no implementation steps for this policy. ## 17. Comprehensive Mail Storage @@ -1053,7 +1053,7 @@ This section allows for email messages sent through other Google Workspace appli ### Policies -#### GWS.GMAIL.17.1v0.3 +#### GWS.GMAIL.17.1v0.4 Comprehensive mail storage SHOULD be enabled to allow tracking of information across applications. - _Rationale:_ Without comprehensive mail storage, tracking of information across applications could be compromised, posing a potential security risk. Enabling comprehensive mail storage can reduce this risk, enhancing the safety and integrity of user data and systems. @@ -1074,7 +1074,7 @@ Comprehensive mail storage SHOULD be enabled to allow tracking of information ac To configure the settings for Comprehensive Mail Storage: -#### GWS.GMAIL.17.1v0.3 Instructions +#### GWS.GMAIL.17.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Compliance -\> Comprehensive mail storage**. @@ -1090,7 +1090,7 @@ A Google Workspace solution is not strictly required to satisfy this baseline co ### Policies -#### GWS.GMAIL.18.1v0.3 +#### GWS.GMAIL.18.1v0.4 Content filtering SHOULD be enabled within Gmail messages. - _Rationale:_ Without content filtering, Gmail messages could potentially contain sensitive or private content, posing a security risk. By enabling content filtering, this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -1100,7 +1100,7 @@ Content filtering SHOULD be enabled within Gmail messages. - [T1114: Email Collection](https://attack.mitre.org/techniques/T1114/) - [T1114:002: Email Collection: Remote Email Collection](https://attack.mitre.org/techniques/T1114/002/) -#### GWS.GMAIL.18.2v0.3 +#### GWS.GMAIL.18.2v0.4 Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace. - _Rationale:_ Using third-party or outside applications for advanced email content filtering that do not offer services comparable to those offered by Google Workspace could potentially expose users to security risks. Using applications that offer comparable services can reduce this risk, enhancing the safety and integrity of user data and systems. @@ -1109,7 +1109,7 @@ Any third-party or outside application selected for advanced email content filte - MITRE ATT&CK TTP Mapping - None -#### GWS.GMAIL.18.3v0.3 +#### GWS.GMAIL.18.3v0.4 Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked. - _Rationale:_ Without proper configuration, Gmail or third-party applications could potentially expose PII and sensitive information, posing a security risk. By configuring these applications to block at least credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN), this risk can be reduced, enhancing the safety and integrity of user data and systems. 
@@ -1137,7 +1137,7 @@ Gmail or third-party applications SHALL be configured to protect PII and sensiti To configure the settings for Objectionable content: -#### GWS.GMAIL.18.1v0.3 Instructions +#### GWS.GMAIL.18.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Compliance -\> Content Compliance**. @@ -1148,10 +1148,10 @@ To configure the settings for Objectionable content: 4. Compliance action options. 5. Select **Save**. -#### GWS.GMAIL.18.2v0.3 Instructions +#### GWS.GMAIL.18.2v0.4 Instructions 1. There is no implementation steps for this policy. -#### GWS.GMAIL.18.3v0.3 Instructions +#### GWS.GMAIL.18.3v0.4 Instructions 1. There is no implementation steps for this policy. @@ -1161,7 +1161,7 @@ This section covers the settings relating to bypassing spam filters. ### Policies -#### GWS.GMAIL.19.1v0.3 +#### GWS.GMAIL.19.1v0.4 Domains SHALL NOT be added to lists that bypass spam filters. - _Rationale:_ Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections. 
@@ -1174,7 +1174,7 @@ Domains SHALL NOT be added to lists that bypass spam filters. - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - [T1534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/) -#### GWS.GMAIL.19.2v0.3 +#### GWS.GMAIL.19.2v0.4 Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. - _Rationale:_ Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections. @@ -1186,7 +1186,7 @@ Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/) - [T1534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/) -#### GWS.GMAIL.19.3v0.3 +#### GWS.GMAIL.19.3v0.4 Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. - _Rationale:_ Bypassing spam filters and hiding warning for all messages from internal and external senders creates a security risk because all messages are allowed to bypass filters. Disabling this feature mitigates the risk. 
@@ -1215,21 +1215,21 @@ To configure the settings for spam filtering: 2. Select **Apps -\> Google Workspace -\> Gmail**. 3. Select **Spam, Phishing, and Malware**. -#### GWS.GMAIL.19.1v0.3 Instructions +#### GWS.GMAIL.19.1v0.4 Instructions For each rule listed under **Spam**: 1. Ensure that either: * **Bypass spam filters for messages from senders or domains in selected lists** is not selected, or * None of the lists shown under **Bypass spam filters for messages from senders or domains in selected lists** contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be. 2. Modify the rule or lists associated with the rule as needed, then select **Save.** -#### GWS.GMAIL.19.2v0.3 Instructions +#### GWS.GMAIL.19.2v0.4 Instructions For each rule listed under **Spam**: 1. Ensure that either: * **Bypass spam filters and hide warnings for messages from senders or domains in selected lists** is not selected, or * None of the lists shown under **Bypass spam filters and hide warnings for messages from senders or domains in selected lists** contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be. 2. Modify the rule or lists associated with the rule as needed, then select **Save.** -#### GWS.GMAIL.19.3v0.3 Instructions +#### GWS.GMAIL.19.3v0.4 Instructions For each rule listed under **Spam**: 1. Ensure that **Bypass spam filters and hide warnings for all messages from internal and external sender* is not selected. 2. Select **Save.** diff --git a/scubagoggles/baselines/groups.md b/scubagoggles/baselines/groups.md index 4af5e0d5..6863ec6d 100644 --- a/scubagoggles/baselines/groups.md +++ b/scubagoggles/baselines/groups.md 
@@ -40,7 +40,7 @@ Note: Even with this setting configured, group owners can still explicitly add e ### Policies -#### GWS.GROUPS.1.1v0.3 +#### GWS.GROUPS.1.1v0.4 Group access from outside the organization SHALL be disabled unless explicitly granted by the group owner. - _Rationale:_ Groups may contain private or sensitive information. Restricting group access reduces the risk of data loss. @@ -60,7 +60,7 @@ Group access from outside the organization SHALL be disabled unless explicitly g ### Implementation -#### GWS.GROUPS.1.1v0.3 Instructions +#### GWS.GROUPS.1.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). @@ -75,7 +75,7 @@ This section covers whether or not the owner of the group has the ability to add ### Policies -#### GWS.GROUPS.2.1v0.3 +#### GWS.GROUPS.2.1v0.4 Group owners' ability to add external members to groups SHOULD be disabled unless necessary for agency mission fulfillment. - _Rationale:_ Groups may contain private or sensitive information. Restricting group access reduces the risk of data loss. @@ -97,7 +97,7 @@ Group owners' ability to add external members to groups SHOULD be disabled unles ### Implementation -#### GWS.GROUPS.2.1v0.3 Instructions +#### GWS.GROUPS.2.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). @@ -112,7 +112,7 @@ This section covers whether or not an owner of a group has the ability to allow ### Policies -#### GWS.GROUPS.3.1v0.3 +#### GWS.GROUPS.3.1v0.4 Group owners' ability to allow posting to a group by an external, non-group member SHOULD be disabled unless necessary for agency mission fulfillment. - _Rationale:_ Allowing external users to post opens the door for phishing or other malicious activity to be shared via Groups. Restricting posting by non-group members reduces this risk. 
@@ -137,7 +137,7 @@ Group owners' ability to allow posting to a group by an external, non-group memb ### Implementation -#### GWS.GROUPS.3.1v0.3 Instructions +#### GWS.GROUPS.3.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). @@ -152,7 +152,7 @@ This section covers who has the ability to create a new group within the organiz ### Policies -#### GWS.GROUPS.4.1v0.3 +#### GWS.GROUPS.4.1v0.4 Group creation SHOULD be restricted to admins within the organization unless necessary for agency mission fulfillment. - _Rationale:_ Many settings for Google Workspace products can be set at the Group level. Allowing unrestricted group creation complicates setting management and opens channels of unmanaged communication. @@ -174,7 +174,7 @@ Group creation SHOULD be restricted to admins within the organization unless nec ### Implementation -#### GWS.GROUPS.4.1v0.3 Instructions +#### GWS.GROUPS.4.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). @@ -189,7 +189,7 @@ This section covers the default permissions assigned to the viewing of conversat ### Policies -#### GWS.GROUPS.5.1v0.3 +#### GWS.GROUPS.5.1v0.4 The default permission to view conversations SHOULD be set to All Group Members. - _Rationale:_ Groups may contain private or sensitive information not appropriate for the entire Google Workspace organization. Restricting access to group members reduces the risk of data loss. @@ -213,7 +213,7 @@ The default permission to view conversations SHOULD be set to All Group Members. ### Implementation -#### GWS.GROUPS.5.1v0.3 Instructions +#### GWS.GROUPS.5.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). 
@@ -228,7 +228,7 @@ This section covers whether or not the owner of a group can hide the group from ### Policies -#### GWS.GROUPS.6.1v0.3 +#### GWS.GROUPS.6.1v0.4 The Ability for Groups to be Hidden from the Directory SHALL be disabled. - _Rationale:_ Hidden groups are not visible, even to admins, in the list of groups found at groups.google.com, though they are still visible on the directory page on admin.google.com. As such, allowing for hidden groups increases the risk of groups being created without admin oversight. @@ -250,7 +250,7 @@ The Ability for Groups to be Hidden from the Directory SHALL be disabled. ### Implementation -#### GWS.GROUPS.6.1v0.3 Instructions +#### GWS.GROUPS.6.1v0.4 Instructions To configure the settings for Sharing options: 1. Sign in to the [Google Admin Console](https://admin.google.com). @@ -258,4 +258,4 @@ To configure the settings for Sharing options: 3. Select **Sharing settings** -\> **Sharing options**. 4. **Uncheck** the **Group owners can hide groups from the directory** checkbox. 5. **Ensure** that the **hide newly created groups from the directory** checkbox is not selected. -6. Select **Save**. \ No newline at end of file +6. Select **Save**. diff --git a/scubagoggles/baselines/meet.md b/scubagoggles/baselines/meet.md index cf1fa3c3..d157c178 100644 --- a/scubagoggles/baselines/meet.md +++ b/scubagoggles/baselines/meet.md @@ -36,7 +36,7 @@ This control limits safe meeting access to users with a Google Account or Dialin ### Policies -#### GWS.MEET.1.1v0.3 +#### GWS.MEET.1.1v0.4 Meeting access SHOULD be restricted to users signed in with a Google Account or Dialing in using a phone. - _Rationale:_ Allowing users not signed-in to join meetings diminishes host control of meeting participation, reduces user accountability, and invites potential data breach. This policy reduces that risk by requiring all users to sign-in. 
@@ -62,7 +62,7 @@ Meeting access SHOULD be restricted to users signed in with a Google Account or To configure the settings for Domain Meet safety settings: -#### GWS.MEET.1.1v0.3 Instructions +#### GWS.MEET.1.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Meet**. 3. Select **Meet safety settings** -\> **Domain**. @@ -76,7 +76,7 @@ This control determines which meetings users within the agency's organization ca ### Policies -#### GWS.MEET.2.1v0.3 +#### GWS.MEET.2.1v0.4 Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization. - _Rationale:_ Contact with unmanaged users can pose the risk of data leakage and other security threats. This policy reduces such contact by not allowing agency users to join meetings created by users' personal accounts. @@ -101,7 +101,7 @@ Meeting access SHALL be disabled for meetings created by users who are not membe To configure the settings for Access within Meet safety settings: -#### GWS.MEET.2.1v0.3 Instructions +#### GWS.MEET.2.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Meet**. 3. Select **Meet safety settings** -\> **Access**. @@ -116,7 +116,7 @@ Note: When this feature is not enabled, any attendee that is a member of the hos ### Policies -#### GWS.MEET.3.1v0.3 +#### GWS.MEET.3.1v0.4 Host Management meeting features SHALL be enabled. - _Rationale:_ With host management disabled, any internal participant is able to take control of meetings, performing actions such as recording the meeting, disabling or enabling the chat, and ending the meeting. When enabled, these options are only available to meeting hosts. 
@@ -143,7 +143,7 @@ Host Management meeting features SHALL be enabled. To enable Host Management meeting features: -#### GWS.MEET.3.1v0.3 Instructions +#### GWS.MEET.3.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Meet**. 3. Select **Meet safety settings** -\> **Host management**. @@ -156,7 +156,7 @@ This control provides a warning label for any participating a meeting who is not ### Policies -#### GWS.MEET.4.1v0.3 +#### GWS.MEET.4.1v0.4 Warn for external participants SHALL be enabled. - _Rationale:_ Users may inadvertently include external users or not be aware that external users are present. When enabled, external or unidentified participants in a meeting are given a label. This increases situational awareness amongst meeting participants and can help prevent inadvertent data leakage. @@ -184,7 +184,7 @@ Warn for external participants SHALL be enabled. To enable Host Management meeting features: -#### GWS.MEET.4.1v0.3 Instructions +#### GWS.MEET.4.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Google Meet**. 3. Select **Meet safety settings** -\> **Warn for external participants**. @@ -197,7 +197,7 @@ This section covers who domain users are allowed to receive a 1:1 call from. ### Policies -#### GWS.MEET.5.1v0.3 +#### GWS.MEET.5.1v0.4 Incoming calls SHALL be restricted to contacts and other users in the organization. - _Rationale:_ Calls could potentially be used to pass sensitive information. By selecting this setting, it potentially mitigates unauthorized data leakage. 
@@ -221,7 +221,7 @@ Incoming calls SHALL be restricted to contacts and other users in the organizati ### Implementation -#### GWS.MEET.5.1v0.3 Instructions +#### GWS.MEET.5.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Menu** -> **Apps** -> **Google Workspace** -> **Google Meet**. 3. Click **Meet safety settings**. diff --git a/scubagoggles/baselines/sites.md b/scubagoggles/baselines/sites.md index 84c0b7d5..68099c17 100644 --- a/scubagoggles/baselines/sites.md +++ b/scubagoggles/baselines/sites.md @@ -34,7 +34,7 @@ This section covers whether users are able to access Google Sites. ### Policies -#### GWS.SITES.1.1v0.3 +#### GWS.SITES.1.1v0.4 Sites Service SHOULD be disabled for all users. - _Rationale:_ Google Sites can increase the attack surface of Google Workspace. Disabling this feature unless it is needed conforms to the principle of least functionality. @@ -57,7 +57,7 @@ Sites Service SHOULD be disabled for all users. To configure the settings for Site creation and editing: -#### GWS.SITES.1.1v0.3 Instructions +#### GWS.SITES.1.1v0.4 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Google Workspace** -\> **Sites**. 3. Select **Service Status**
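Review bot: In the `@@ -137,7 +137,7 @@` hunk of groups.md (and every other hunk in this patch) the only change is the identifier suffix `v0.3` to `v0.4` in the `####` headings; nothing else in the baseline text moves. Anything that matches on the literal policy ID string (test fixtures, rule-to-policy mappings, report output) will stop matching the moment these headings change, so confirm those consumers are bumped in the same change set rather than in a follow-up, and call the version bump out in the commit message or changelog since the policy wording itself is unchanged.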
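Review bot: In the `@@ -228,7 +228,7 @@` hunk of groups.md, the GWS.GROUPS.6.1 rationale undercuts itself: the first sentence says hidden groups "are still visible on the directory page on admin.google.com", so the second sentence's conclusion that hidden groups are "created without admin oversight" does not follow from it. Tighten the rationale to the risk that actually remains, for example "Hidden groups are not discoverable at groups.google.com, so admins and users who rely on that listing may be unaware they exist", or drop the admin-oversight claim.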
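Review bot: In the `@@ -62,7 +62,7 @@` hunk of meet.md the lead-in "To configure the settings for Domain Meet safety settings:" sits above the `#### GWS.MEET.1.1v0.4 Instructions` heading, whereas groups.md puts the heading first and the "To configure the settings for ..." sentence under it. Since this patch already touches every Instructions heading, it is the natural place to pick one order (heading, then lead-in) and apply it across meet.md and sites.md so the rendered Implementation sections read the same in every baseline.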
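Review bot: In the `@@ -156,7 +156,7 @@` hunk of meet.md the section intro in the context line reads "This control provides a warning label for any participating a meeting who is not"; it should read "for any participant in a meeting who is not". The hunk leaves this wording in place while renaming the heading directly beneath it.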
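Review bot: In the `@@ -184,7 +184,7 @@` hunk of meet.md the lead-in above `#### GWS.MEET.4.1v0.4 Instructions` still says "To enable Host Management meeting features:", which is copied from the 3.1 Instructions block; this block configures **Warn for external participants** (step 3 selects exactly that setting). Change the lead-in to "To enable warnings for external participants:" so the instructions match the control they belong to.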
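Review bot: In the `@@ -197,7 +197,7 @@` hunk of meet.md the GWS.MEET.5.1 rationale ends with "By selecting this setting, it potentially mitigates unauthorized data leakage.", where "it" has no referent. Suggest "Restricting incoming calls to contacts and users in the organization reduces the risk of sensitive information being passed to unknown external parties."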
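Review bot: In the `@@ -221,7 +221,7 @@` hunk of meet.md step 2 writes the navigation path with a bare `->` ("**Menu** -> **Apps** -> **Google Workspace** -> **Google Meet**") while every other Instructions block in this patch escapes it as `-\>` and omits **Menu**. Use the same `-\>` form and the same starting element here, and add the "To configure ..." lead-in sentence that the other Implementation sections carry, so the five Meet Instructions blocks are uniform.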