An automated security audit tool for Google Workspace environments, designed to assess compliance with multiple regulatory frameworks. Built using the Model Context Protocol (MCP) for AI-powered analysis with interactive Q&A workflows.
Version: 2.0.0
Supports: Claude Desktop, ChatGPT Desktop
| Framework | Description |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification (Level 2) |
| NIST 800-171 | Protecting Controlled Unclassified Information |
| NIST CSF | Cybersecurity Framework |
| ISO 27001 | Information Security Management Systems |
| HIPAA | Health Insurance Portability and Accountability Act |
| FTC Safeguards | FTC Safeguards Rule for financial institutions |
Select one or more frameworks when starting an audit to get tailored compliance mappings and recommendations.
This tool uses AI (via Claude Desktop or ChatGPT Desktop) to analyze your Google Workspace configuration. Before using this tool:
- Get leadership approval for using AI in your compliance assessment workflow
- Understand that configuration data from your Google Workspace will be processed by your chosen AI
- Review your organization's AI usage policies to ensure this aligns with your guidelines
This tool operates in read-only mode. It will:
- ✅ READ user lists, groups, security settings, and audit logs
- ✅ ANALYZE configurations against selected compliance frameworks
- ❌ NEVER modify, delete, or change any settings in your Google Workspace
The Google API scopes requested are all read-only (*.readonly). This tool cannot make changes to your environment.
Supported Platforms:
- ✅ macOS - Fully tested and supported
- ⚠️ Linux - Should work with minor path adjustments
- ❌ Windows - Not supported (use WSL - Windows Subsystem for Linux)
Required Software:
- Node.js v18 or higher - Download from nodejs.org
  - Check your version: `node --version` - Must show v18.0.0 or higher
- Google Workspace domain with admin access
- Google Cloud Platform account (free tier is sufficient)
- AI Desktop Client (one or both):
- Claude Desktop - Download from claude.ai
- ChatGPT Desktop - Download from openai.com (requires Plus/Pro/Enterprise)
Before You Start:

```bash
# Verify Node.js is installed and version is correct
node --version
# Should output: v18.x.x or higher
# If not installed or too old:
# Download LTS version from https://nodejs.org
```

This tool is for internal security assessment and compliance gap identification only.
- ❌ NOT an official compliance certification for any framework
- ❌ NOT a substitute for professional auditors or assessors
- ❌ NOT a guarantee of compliance with any regulatory framework
✅ What this tool IS:
- A self-assessment tool to identify potential compliance gaps
- A starting point for compliance preparation
- A way to understand your current security posture across multiple frameworks
For official certification, work with appropriate professionals:
- CMMC: Certified C3PAO or Registered Practitioner (RP)
- HIPAA: Healthcare compliance specialists
- ISO 27001: Accredited certification bodies
- FTC Safeguards: Qualified Information Security Officer (QISO)
This tool provides automated assessment capabilities but does not replace professional compliance assessment and certification.
- Open your AI client (Claude Desktop or ChatGPT Desktop)
- Type: `Start a Google Workspace audit for yourdomain.com`
- Select frameworks when prompted (CMMC, HIPAA, NIST 800-171, etc.)
- Answer the business context questions
- AI will run 26 checks across 5 phases with Q&A after each
- Provide screenshots when asked for manual verification items
- Get your comprehensive report with compliance scores per framework
Important: Say "Start" not "Run" - this triggers the guided workflow!
Run this one command in your Mac terminal:

```bash
curl -sSL https://raw.githubusercontent.com/sean-m-sweeney/GoogleWorkspaceAudit/main/install.sh | bash
```

The installer will:
- Ask which AI client(s) you want to configure (Claude, ChatGPT, or both)
- Walk you through Google Cloud setup and credentials
- Configure your selected AI client(s)
- Test everything
Note for ChatGPT users: After installation, enable MCP in ChatGPT: Settings → Connectors → Advanced → Developer Mode
This tool provides 26 automated checks across 5 control areas with comprehensive reporting mapped to multiple compliance frameworks:
- Access Control - 9 checks
- Identification and Authentication - 3 checks
- Audit and Accountability - 2 checks
- System and Communications Protection - 8 checks
- MSP Operations - 4 checks for cost optimization
- 26 comprehensive audit checks (automated + manual verification guides)
- Google Cloud Identity Policy API integration for automated policy retrieval
- Multi-framework compliance mapping (CMMC, NIST 800-171, NIST CSF, ISO 27001, HIPAA, FTC Safeguards)
- Interactive Q&A workflow for gathering organizational context
- Comprehensive report generation with per-framework scoring
- MSP value identification (cost savings, license optimization)
- Licensing impact assessment (identifies when compliance requires Enterprise editions)
- Conversational interface via Claude Desktop
- Read-only access (audit only, no modifications)
- Data source transparency - each check indicates whether data came from Policy API, Admin SDK, or requires manual verification
Each check maps to controls in all supported frameworks. Example control mappings shown for reference.
Checks include a `data_source` field indicating where data was retrieved from:

- `policy_api` - Retrieved automatically from Google Cloud Identity Policy API
- `admin_sdk` - Retrieved automatically from Google Admin SDK
- `manual_verification` - Requires manual verification in Google Admin Console
1. 2FA/MFA Status (e.g., CMMC IA.L2-3.5.3, HIPAA 164.312(d))
   - Checks enforcement across all users
   - Identifies admin accounts without 2FA
   - Data source: Admin SDK
   - Licensing: Included in all editions
2. 2FA Enforcement Method (CMMC IA.L2-3.5.3) NEW in v2.0
   - Checks allowed second factor types (security key, phone, etc.)
   - Data source: Policy API
   - Licensing: Included in all editions
3. Admin Role Audit (CMMC AC.L2-3.1.5)
   - Lists all super admins and delegated admins
   - Validates 2FA enrollment for privileged accounts
   - Data source: Admin SDK
   - Licensing: Included in all editions
4. Super Admin Recovery Settings (CMMC AC.L2-3.1.5) NEW in v2.0
   - Checks if self-service recovery is disabled for super admins
   - Data source: Policy API
   - Licensing: Included in all editions
5. Session Control Settings (CMMC AC.L2-3.1.11)
   - Automated via Policy API or manual verification fallback
   - Data source: Policy API (with manual fallback)
   - Licensing: Requires Enterprise editions (~$18-23/user/month)
6. External Sharing Settings (CMMC AC.L2-3.1.20)
   - Automated via Policy API or manual verification fallback
   - Data source: Policy API (with manual fallback)
   - Licensing: Basic controls included; DLP requires Enterprise
7. API Access Control (CMMC AC.L2-3.1.2)
   - Manual verification guide for third-party app access
   - Data source: Manual verification
   - Licensing: Context-aware access requires Enterprise
8. Groups with External Members (CMMC AC.L2-3.1.20)
   - Automatically identifies groups with external collaborators
   - Data source: Admin SDK
   - Licensing: Included in all editions
9. Less Secure Apps (CMMC IA.L2-3.5.3) NEW in v2.0
   - Checks if less secure app access is blocked
   - Data source: Policy API
   - Licensing: Included in all editions
10. Password Policy (CMMC IA.L2-3.5.7)
    - Automated via Policy API or manual verification fallback
    - Data source: Policy API (with manual fallback)
    - Licensing: Basic policies included in all editions
11. Inactive Accounts (CMMC AC.L2-3.1.1)
    - Identifies users not logged in for 90+ days
    - Calculates cost savings from license removal
    - Data source: Admin SDK
    - Licensing: N/A (cost optimization)
12. Advanced Protection Program (CMMC IA.L2-3.5.3) NEW in v2.0
    - Checks APP enrollment settings for high-risk users
    - Data source: Policy API
    - Licensing: Included in all editions
13. Audit Log Settings (CMMC AU.L2-3.3.1)
    - Explains log retention policies
    - Data source: Manual verification
    - Licensing: Vault for extended retention requires Business Plus+
14. Suspicious Activity (CMMC AU.L2-3.3.4)
    - Queries login failures and suspicious events (last 7 days)
    - Data source: Admin SDK
    - Licensing: Included in all editions
15. Mobile Device Management (CMMC SC.L2-3.13.11)
    - Lists devices and encryption status
    - Identifies unapproved/unencrypted devices
    - Data source: Admin SDK
    - Licensing: Included in all editions
16. Email Authentication (CMMC SC.L2-3.13.8)
    - Automated via Policy API or manual verification fallback
    - Data source: Policy API (with manual fallback)
    - Licensing: Included in all editions
17. Email Forwarding Rules (CMMC AC.L2-3.1.20)
    - Manual verification guide
    - Data source: Manual verification
    - Licensing: DLP to block forwarding requires Enterprise
18. Calendar Sharing (CMMC AC.L2-3.1.20)
    - Manual verification guide for external calendar sharing
    - Data source: Manual verification
    - Licensing: Included in all editions
19. Calendar External Sharing Policy (CMMC AC.L2-3.1.3) NEW in v2.0
    - Organization-wide calendar sharing policy via Policy API
    - Data source: Policy API
    - Licensing: Included in all editions
20. Chat External Restrictions (CMMC AC.L2-3.1.3) NEW in v2.0
    - Checks Google Chat external messaging restrictions
    - Data source: Policy API
    - Licensing: Included in all editions
21. Meet Safety Settings (CMMC AC.L2-3.1.1) NEW in v2.0
    - Checks host controls and external participant restrictions
    - Data source: Policy API
    - Licensing: Included in all editions
22. Data Regions (CMMC SC.L2-3.13.16)
    - Automated via Policy API or manual verification fallback
    - Data source: Policy API (with manual fallback)
    - Licensing: Enterprise Plus required (~$23/user/month)
23. Shared Drives with External Access (CMMC AC.L2-3.1.20)
    - Identifies shared drives with external users
    - Data source: Admin SDK
    - Licensing: Shared drives require Business Standard+
24. License Utilization
    - Calculates active/inactive/suspended users
    - Estimates monthly costs and potential savings
    - Data source: Admin SDK
    - Licensing: N/A (cost optimization)
25. Storage Usage
    - Reports per-user storage consumption
    - Identifies top storage consumers
    - Data source: Admin SDK
    - Licensing: N/A (capacity planning)
26. BAA Status (HIPAA only)
    - Checks HIPAA Business Associate Agreement status
    - Data source: Manual verification
    - Licensing: Enterprise editions required
Comprehensive Report Generator
- Aggregates all findings by control area
- Calculates compliance score per framework
- Prioritizes recommendations by risk level
- Includes MSP value summary
- Incorporates Q&A context from interactive sessions
- MCP Server (`server.js`): Node.js application that interfaces with Google Workspace Admin SDK
- Google Service Account: Read-only authentication with domain-wide delegation
- Claude Desktop: Provides conversational interface to the audit tools
- Service account uses read-only OAuth scopes only
- Domain-wide delegation restricted to specific Admin SDK APIs
- Credentials stored locally with restrictive file permissions (600)
- No modification capabilities - audit only
Run this single command:

```bash
curl -sSL https://raw.githubusercontent.com/sean-m-sweeney/GoogleWorkspaceAudit/main/install.sh | bash
```

The installer will:
- ✓ Check prerequisites (macOS, Node.js 18+, Claude Desktop)
- ✓ Set up project directory at `~/workspace-compliance-audit`
- ✓ Install dependencies automatically
- ✓ Guide you through Google Cloud setup step-by-step
- ✓ Configure credentials
- ✓ Set up Claude Desktop integration
- ✓ Test everything
- ✓ Show you exactly what to do next
After installation completes:
- Restart Claude Desktop (Cmd+Q, then reopen)
- Type: `Start a Google Workspace audit for yourdomain.com`
If you prefer complete control over each step:

```bash
# Check if you have Node.js
node --version
# If not installed, download from: https://nodejs.org
# Install the LTS version (20.x or later)
git clone https://github.com/sean-m-sweeney/GoogleWorkspaceAudit.git
cd GoogleWorkspaceAudit
npm install
```

This will install the required dependencies:

- `@modelcontextprotocol/sdk` - For MCP integration with Claude
- `googleapis` - For Google Workspace Admin SDK access
IMPORTANT: This tool uses Service Account authentication, NOT user OAuth.
- ✅ No login prompts - The tool authenticates using a service account key file
- ✅ No 2FA/MFA prompts - Service accounts don't require interactive authentication
- ✅ No browser pop-ups - All authentication happens silently in the background
- ❌ If you see login prompts or 2FA requests - Your service account is misconfigured
- You create a service account in Google Cloud (a special non-human account)
- You download a credentials file (JSON key) for that service account
- You grant the service account permission to access your Google Workspace data (domain-wide delegation)
- The tool uses this key file to authenticate automatically - no user interaction needed
- Security: The service account has read-only access limited to specific Admin SDK APIs
- Automation: The tool can run unattended without requiring you to log in
- Audit Trail: All API calls are logged under the service account name in Google Workspace audit logs
If you're seeing authentication prompts, skip to the Troubleshooting section.
PREREQUISITE: Check GCP Organization Policy
Before creating a service account, you may need to disable an organization policy that blocks service account key creation:
- Go to https://console.cloud.google.com
- Navigate to: IAM & Admin → Organization Policies
- Search for: `iam.disableServiceAccountKeyCreation`
- You may see either the "Managed" or "Legacy" version of this policy
- If this policy exists and is enforced, click on it
- Click Edit Policy or Manage Policy
- Set the policy to Inactive or Not Enforced
- Click Save
Important Notes:
- This requires Organization Policy Administrator permissions at the GCP organization level
- This is separate from Google Workspace Super Admin permissions
- This policy is part of Google's "Secure by Default" enforcement
- Some organizations may require approval to disable this policy for compliance testing
- If you don't have these permissions, contact your GCP organization administrator
If you don't see this policy or it's already inactive, you can skip this step and proceed to create the service account.
A. Create Service Account:
- Go to https://console.cloud.google.com
- Create a new project (name it "Workspace Audit" or similar)
- Click the hamburger menu (☰) → APIs & Services → Enable APIs and Services
- Search for "Admin SDK API" → Click it → Click Enable
- Search for "Cloud Identity API" → Click it → Click Enable (NEW in v2.0)
- Go back to hamburger menu → APIs & Services → Credentials
- Click Create Credentials → Service Account
- Name: `workspace-audit` (click Create and Continue)
- Skip the optional steps (click Continue, then Done)
B. Download Credentials File:
- Click on the service account you just created
- Go to the Keys tab
- Click Add Key → Create New Key → JSON → Create
- A file downloads - rename it to `credentials.json`
- Move it to your project folder:

```bash
mv ~/Downloads/your-project-12345-abc.json ~/workspace-compliance-audit/credentials.json
chmod 600 ~/workspace-compliance-audit/credentials.json
```

C. Setup Domain-Wide Delegation:
- Copy the Client ID from your service account page (long number)
- Go to https://admin.google.com
- Go to: Security → Access and data control → API controls
- Click Manage Domain Wide Delegation
- Click Add new
- Paste the Client ID
- Add these OAuth scopes (copy-paste all at once):

  ```text
  https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/cloud-identity.policies.readonly
  ```

- Click Authorize
Note for v2.0 upgrade: If upgrading from v1.x, you must add the new cloud-identity.policies.readonly scope to your existing domain-wide delegation configuration.
Download server.js from this repository and put it in ~/workspace-compliance-audit/

IMPORTANT: Create a .env file in the project directory with your admin email:

```bash
echo "[email protected]" > ~/workspace-compliance-audit/.env
chmod 600 ~/workspace-compliance-audit/.env
```

Replace [email protected] with your actual Google Workspace admin email address.
A. Find your username:

```bash
whoami
```

Remember this - you'll need it.
B. Edit Claude Desktop config:

```bash
# Create the config if it doesn't exist
mkdir -p ~/Library/Application\ Support/Claude
nano ~/Library/Application\ Support/Claude/claude_desktop_config.json
```

C. Paste this config (replace YOUR_USERNAME with your actual username from step A):

```json
{
  "mcpServers": {
    "workspace-audit": {
      "command": "/usr/local/bin/node",
      "args": ["/Users/YOUR_USERNAME/workspace-compliance-audit/server.js"],
      "cwd": "/Users/YOUR_USERNAME/workspace-compliance-audit"
    }
  }
}
```

Note: The cwd field is required so the server can find the .env and credentials.json files.
D. Save and exit: Press Ctrl+X, then Y, then Enter
```bash
cd ~/workspace-compliance-audit
node server.js
```

You should see: `Workspace Compliance Audit MCP server running on stdio`
Press Ctrl+C to stop.
- Quit Claude Desktop completely: Cmd+Q
- Open Claude Desktop again
- Start a new conversation
In Claude Desktop, type:
Start a Google Workspace audit for yourdomain.com
Claude will ask which frameworks you want to assess against, then ask about your business context, and run the full audit!
Keep for Recurring Use
- The service account and credentials should be kept long-term if you plan to run audits regularly
- Store credentials.json securely with 600 permissions (owner read/write only)
- Never commit credentials.json to version control
- Back up the credentials file in a secure, encrypted location
Key Rotation
- Rotate service account keys every 90 days as a security best practice
- To rotate: Create a new key in Google Cloud Console, test it, then delete the old key
- Document key creation dates in your security procedures
Only delete the service account when:
- You are permanently decommissioning this tool
- The Google Workspace domain is being shut down
- You are migrating to a different audit solution
Do NOT delete if:
- You're just taking a break from audits (keep the service account)
- You're troubleshooting issues (fix the configuration instead)
- You're upgrading or reinstalling the tool (reuse the same service account)
Understanding the Limited Scope:
- The service account has read-only access ONLY - it cannot modify any Google Workspace settings
- Access is limited to specific Admin SDK APIs (users, groups, devices, audit logs)
- Cannot create, update, or delete users, groups, or any workspace data
- Cannot change security settings or administrative configurations
- All API calls are logged in Google Workspace audit logs for accountability
OAuth Scopes Explained:

- `https://www.googleapis.com/auth/admin.directory.user.readonly` - Read user data
- `https://www.googleapis.com/auth/admin.directory.group.readonly` - Read group data
- `https://www.googleapis.com/auth/admin.directory.device.mobile.readonly` - Read mobile device data
- `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` - Read admin roles
- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - Read audit logs
- `https://www.googleapis.com/auth/drive.readonly` - Read Drive metadata
- `https://www.googleapis.com/auth/cloud-identity.policies.readonly` - Read Cloud Identity policies (NEW in v2.0)
Notice the .readonly suffix - this guarantees no modification capabilities.
New in v2.0: The Cloud Identity Policy API scope enables automated retrieval of security policies that previously required manual verification.
Run the uninstall script:

```bash
cd ~/workspace-compliance-audit # or wherever you installed it
chmod +x uninstall.sh
./uninstall.sh
```

The script will:
- Remove the MCP server configuration from Claude Desktop
- Provide instructions for deleting the service account in Google Cloud (optional)
- Ask if you want to delete project files
If you prefer to uninstall manually:
Step 1: Remove Claude Desktop Configuration
```bash
# Edit the config file
nano ~/Library/Application\ Support/Claude/claude_desktop_config.json
# Remove the "workspace-audit" entry from mcpServers
# Save and exit (Ctrl+X, Y, Enter)
# Restart Claude Desktop
```

Step 2: Delete Service Account (Optional)
Only do this if you're permanently decommissioning the tool:
- Go to https://console.cloud.google.com
- Select your project
- Go to IAM & Admin → Service Accounts
- Find the `workspace-audit` service account
- Click the three dots → Delete
- Go to Google Workspace Admin Console → Security → API Controls → Domain-wide Delegation
- Find and remove the delegation for this service account
Step 3: Remove Project Files (Optional)
```bash
# This deletes everything including credentials
rm -rf ~/workspace-compliance-audit
# Or if you want to keep credentials for later
# (options go before the path: macOS rm does not accept them after it):
rm -rf ~/workspace-compliance-audit/node_modules
rm ~/workspace-compliance-audit/server.js
# Keep credentials.json for reinstallation later
```

Symptom: Browser opens asking you to log in, or you see 2FA/MFA prompts
Cause: Service account authentication is not configured correctly
Fixes:
- Verify credentials.json exists in your project directory:

  ```bash
  ls -la ~/workspace-compliance-audit/credentials.json # Should show a file with 600 permissions
  ```

- Check domain-wide delegation is configured:
  - Go to https://admin.google.com
  - Navigate to Security → API Controls → Domain-wide Delegation
  - Verify your service account Client ID is listed with all required scopes
- Verify the admin email in .env file:
  - Check `~/workspace-compliance-audit/.env` exists
  - Must contain: `[email protected]`
  - Must be a valid Google Workspace admin email address
- Check the credentials file format:

  ```bash
  grep '"type"' ~/workspace-compliance-audit/credentials.json # Should show: "type": "service_account"
  ```
Symptom: node: command not found or version check fails
Fix:
- Install Node.js from https://nodejs.org/en/download/
- Download the LTS version (v20 or higher recommended)
- After installation, close and reopen your terminal
- Verify: `node --version` (should show v18.0.0 or higher)
Symptom: Error when trying to create service account keys: "Service account key creation is disabled by an organization policy"
Cause: GCP organization has the iam.disableServiceAccountKeyCreation policy enforced
Fix:
- Go to https://console.cloud.google.com
- Navigate to IAM & Admin → Organization Policies
- Search for: `iam.disableServiceAccountKeyCreation`
- Click on the policy
- Click Edit Policy or Manage Policy
- Set to Inactive or Not Enforced
- Click Save
Important:
- Requires Organization Policy Administrator permissions (GCP org-level, not Workspace admin)
- This is separate from Google Workspace Super Admin permissions
- If you don't have these permissions, contact your GCP organization administrator
- Some organizations require approval to disable this policy due to security policies
- Alternative: Use Workload Identity Federation instead of service account keys (advanced)
Cause: Claude Desktop cannot connect to the MCP server
Fixes:
- Check that your username in the config file is correct
- Make sure the path `/Users/YOUR_USERNAME/workspace-compliance-audit/server.js` exists
- Try using the full path to node: run `which node` to find it
- Verify server.js is executable: `ls -la ~/workspace-compliance-audit/server.js`
Cause: Service account cannot authenticate with Google Workspace
Fixes:
- Make sure `.env` file contains `[email protected]`
- Verify domain-wide delegation is set up correctly (see "Login Prompts" section above)
- Check that all OAuth scopes were added exactly as specified
- Verify the Admin SDK API and Cloud Identity API are enabled in Google Cloud Console
Cause: Required Google Cloud APIs are not enabled
Fix:
- Go to https://console.cloud.google.com
- Select your project
- Navigate to APIs & Services → Library
- Search for and enable these APIs:
- "Admin SDK API" (required)
- "Google Drive API" (required for shared drive checks)
- "Cloud Identity API" (required for v2.0 Policy API features)
The recommended way to use this tool is through the interactive audit workflow:
User: "Start a Google Workspace audit for valleytechpartners.com"
Claude will:
- Ask which compliance frameworks you want to assess against
- Run all 26 audit checks organized into 5 phases
- Present findings after each phase with framework-specific control mappings
- Ask clarifying questions to gather organizational context
- Generate a comprehensive report with per-framework scoring
See WORKFLOW.md for detailed guidance on the interactive audit process.
You can also run individual checks conversationally:
Check the 2FA status for yourdomain.com
Check the admin roles for yourdomain.com
Check inactive accounts for yourdomain.com
Check license utilization for yourdomain.com
User: "Start a Google Workspace audit for valleytechpartners.com"
Claude:
"I'll conduct a comprehensive compliance audit of valleytechpartners.com.
Which frameworks would you like to assess against? (CMMC, HIPAA, NIST 800-171, etc.)"
User: "CMMC and HIPAA"
Claude:
"Great, I'll assess against CMMC and HIPAA.
PHASE 0: BUSINESS CONTEXT
Before we begin, I need some context:
1. Can you describe in a couple of sentences what your business does?
2. How many employees does your organization have?"
User: "We're an IT managed service provider focused on defense contractors. We have 15 employees."
Claude:
"Perfect! That context will help me tailor the findings.
Let's begin. I'll run this in 5 phases with Q&A after each section...
PHASE 1: ACCESS CONTROL CHECKS
Running 9 checks...
Results:
- 2FA Status: 3 users without 2FA
- 2FA Enforcement Method: Security keys allowed
- Admin Roles: 2 super admins, 1 delegated admin
- Super Admin Recovery: Disabled (good)
- Groups: 1 group with external members
- Session Settings: Retrieved from Policy API - 8hr max
- External Sharing: Retrieved from Policy API - Internal only
- API Access: Manual verification required
- Less Secure Apps: Blocked (good)
Questions:
1. Are any of the 3 users without 2FA service accounts or other exceptions?
2. The 'Marketing' group has [email protected]. Is this authorized access?"
User: "The contractor is authorized until Q4 2024. One user without 2FA is a service account."
Claude: [Records context, moves to Phases 2-5...]
[After Phase 5]
Claude:
"Before I generate the final report, I need to verify several settings that require manual
checks in the Google Admin Console. I'll walk you through each one.
Let's verify your session control settings:
1. Go to: Google Admin Console > Security > Session control
2. Take a screenshot showing session length and idle timeout settings
3. Share the screenshot with me
This helps verify compliance with CMMC's 15-minute idle timeout requirement."
User: [Provides screenshot]
Claude: "Thank you! I can see:
- Web session: 8 hours ✓
- Idle timeout: 15 minutes ✓
- COMPLIANT with CMMC AC.L2-3.1.11
Let's check the next item - external sharing settings..."
[After all screenshots collected]
Claude:
"Thank you for providing those screenshots. I've verified all manual configuration items.
Let me generate your comprehensive report...
EXECUTIVE SUMMARY:
Organization: IT MSP for defense contractors (15 employees)
Domain: valleytechpartners.com
Compliance Score: 85%
Critical Issues: 1
- 2FA not enforced (2 users without 2FA - excluding service account)
High Priority: 2
- 12 inactive accounts identified
- 1 group with external member (authorized contractor)
Medium Priority: 0
Strengths:
- Session controls properly configured (8hr max, 15min idle timeout)
- Password policy compliant (12 char minimum, 24 password history)
- Email authentication configured (SPF, DKIM, DMARC=quarantine)
Cost Optimization:
- Potential savings: $144/month from removing 12 inactive licenses
Would you like me to:
1. Export this report to JSON or Markdown?
2. Provide detailed remediation steps for the 2FA critical finding?
3. Generate a licensing upgrade recommendation?"
```json
{
  "domain": "example.com",
  "total_users": 25,
  "mfa_enforced": false,
  "users_without_mfa": 8,
  "admin_accounts_without_mfa": 0,
  "cmmc_control": "IA.L2-3.5.3",
  "recommendation": "Enable 2FA enforcement for all users...",
  "licensing_note": "2FA is included in all Google Workspace editions."
}
```

```text
workspace-compliance-audit/
├── server.js          # MCP server implementation (26 checks + report generator)
├── credentials.json   # Google service account credentials (gitignored)
├── .env               # Environment variables including admin email (gitignored)
├── README.md          # This file (setup and usage)
├── package.json       # Node.js dependencies
├── uninstall.sh       # Uninstaller script
└── .gitignore         # Prevents credential exposure
```
- Credentials file has 600 permissions (owner read/write only)
- Never commit `credentials.json` to version control
- Service account has read-only scopes only
- Consider key rotation every 90 days for production use
- All API calls are logged in Google Workspace audit logs
- Service account activity is visible to super admins
- No ability to modify configurations (read-only by design)
- Some organizations may restrict service account key creation
- May require org policy exemption for development projects
- Production deployments should use Workload Identity Federation instead of service account keys
- 2FA/MFA enforcement
- Admin role management
- Basic password policies (length, complexity, reuse prevention)
- Session control policies (idle timeout, max session length)
- Required for CMMC AC.L2-3.1.11
- Enterprise Standard: ~$18/user/month
- Enterprise Plus: ~$23/user/month
- Advanced context-aware access policies
- 18 comprehensive CMMC audit checks
- Interactive Q&A workflow for context gathering
- Comprehensive report generation with risk scoring
- MSP value identification (cost optimization)
- Mobile device management checks
- External sharing detection (groups, shared drives)
- Audit log guidance and suspicious activity monitoring
- License utilization and storage analysis
- 26 total compliance checks (7 new checks added)
- Google Cloud Identity Policy API integration for automated policy retrieval
- Data source transparency - each check indicates its data source (policy_api, admin_sdk, manual_verification)
- New checks: Less Secure Apps, 2FA Enforcement Method, Super Admin Recovery, Advanced Protection Program, Calendar External Sharing Policy, Chat External Restrictions, Meet Safety Settings
- Migrated 5 existing checks from manual verification to automated Policy API queries
- Graceful fallback to manual verification when Policy API is unavailable
- Automated report export to PDF/HTML/Markdown
- Scheduled audit runs with change detection
- Historical compliance tracking (trend analysis)
- Integration with CISA ScubaGear assessments
- Automated remediation scripts (optional)
- Microsoft 365 support (parallel audit capability)
- Multi-tenant reporting dashboard for MSPs
- Webhook notifications for compliance drift
- Integration with ticketing systems (Jira, ServiceNow)
- Continuous monitoring mode (real-time alerts)
Access Control (AC)
- AC.L2-3.1.1: Authorized Access Control (inactive accounts, Meet safety)
- AC.L2-3.1.2: Transaction & Function Control (API access)
- AC.L2-3.1.3: CUI Flow Control (calendar external sharing, chat restrictions)
- AC.L2-3.1.5: Principle of Least Privilege (admin roles, super admin recovery)
- AC.L2-3.1.11: Session Lock/Termination (session settings)
- AC.L2-3.1.20: External Connections (sharing, groups, drives, email, calendar)
Identification and Authentication (IA)
- IA.L2-3.5.3: Multi-factor Authentication (2FA status, enforcement method, less secure apps, advanced protection)
- IA.L2-3.5.7: Password Complexity & Management
Audit and Accountability (AU)
- AU.L2-3.3.1: System Auditing (audit log settings)
- AU.L2-3.3.4: Alert Generation (suspicious activity)
System and Communications Protection (SC)
- SC.L2-3.13.8: Transmission Confidentiality (email authentication)
- SC.L2-3.13.11: Cryptographic Protection (mobile device encryption)
- SC.L2-3.13.16: Data at Rest Protection (data regions/ITAR)
- Check MCP server logs: `tail -f ~/Library/Logs/Claude/mcp-server-workspace-audit.log`
- Verify credentials.json path is absolute, not relative
- Ensure service account has domain-wide delegation configured
- Verify domain-wide delegation scopes are correct
- Check that `.env` file contains a valid admin email
- Confirm service account's Unique ID matches Client ID in delegation
- Run `npm install` in project directory
- Verify Node.js version: `node --version` (should be v18+)
This is an open learning project. Feedback and contributions welcome.
```bash
# Test authentication separately
node test-auth.js
# Check for syntax errors
node --check server.js
# Monitor server logs
tail -f ~/Library/Logs/Claude/mcp*.log
```

MIT License - See LICENSE file for details
- Built with Anthropic's Model Context Protocol (MCP)
- Uses Google Workspace Admin SDK
- CMMC control mappings based on CMMC Model v2.0
Sean Sweeney
Valley Technology Partners
valleytechpartners.com
This tool provides automated assessment capabilities but does not guarantee CMMC compliance. Professional compliance assessment and C3PAO certification are required for official CMMC compliance validation. This tool is intended to support internal security assessments and identify potential compliance gaps.