cisagov · adhilto · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego b/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego
@@ -31,7 +31,7 @@ BadClassroomApi01 := {
         "topOU": {
             "classroom_class_membership": {
                 "whoCanJoinClasses": "ANYONE_IN_DOMAIN",
-                "whichClassesCanUsersJoin": "CLASSES_IN_ALLOWLISTED_DOMAINS"
+                "whichClassesCanUsersJoin": "ANY_GOOGLE_WORKSPACE_CLASS"
             },
             "classroom_service_status": {"serviceState": "ENABLED"}
         },
@@ -40,7 +40,7 @@ BadClassroomApi01 := {
         "thirdOU": {
             "classroom_class_membership": {
                 "whoCanJoinClasses": "ANY_GOOGLE_WORKSPACE_USER",
-                "whichClassesCanUsersJoin": "CLASSES_IN_ALLOWLISTED_DOMAINS"
+                "whichClassesCanUsersJoin": "ANY_GOOGLE_WORKSPACE_CLASS"
             },
         },
         "fourthOU": {
@@ -81,7 +81,7 @@ test_ClassroomAPI_JoinClasses_Incorrect_1 if {
     PolicyId := ClassroomId1_2
     Output := tests with input as BadClassroomApi01
 
-    whichClasses := "Classes in allowlisted domains"
+    whichClasses := "Any Google Workspace class"
     failedOU := [{"Name": "thirdOU",
                  "Value": NonComplianceMessage1_2(whichClasses)},
                  {"Name": "topOU",

diff --git a/scubagoggles/baselines/classroom.md b/scubagoggles/baselines/classroom.md
@@ -39,20 +39,20 @@ This section covers who has the ability to join classes and what classes the use
 ### Policies
 
 #### GWS.CLASSROOM.1.1v0.6
-Who can join classes in your domain SHALL be set to Users in your domain only.
+Who can join classes in your domain SHALL be restricted to users in your domain or allowlisted domains.
 
-- _Rationale:_ Classes can contain private or otherwise sensitive information. Restricting classes to users in your domain helps prevent data leakage resulting from unauthorized classroom access.
-- _Last modified:_ September 2023
+- _Rationale:_ Classes can contain private or otherwise sensitive information. Restricting access to your classes helps prevent data leakage resulting from unauthorized classroom access.
+- _Last modified:_ October 2025
 - _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ AC-3
 - MITRE ATT&CK TTP Mapping
   - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
   - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/)
 
 #### GWS.CLASSROOM.1.2v0.6
-Which classes users in your domain can join SHALL be set to Classes in your domain only.
+Which classes users in your domain can join SHALL be restricted to classes in your domain or allowlisted domains.
 
-- _Rationale:_ Allowing users to join a class from outside your domain could allow for data to be exfiltrated to entities outside the control of the organization creating a significant security risk.
-- _Last modified:_ January 2025
+- _Rationale:_ Allowing users to join classes in arbitrary domains could allow for data to be exfiltrated to entities outside the control of the organization.
+- _Last modified:_ October 2025
 - _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ SC-7(10)
 - MITRE ATT&CK TTP Mapping
   - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)

diff --git a/scubagoggles/rego/Classroom.rego b/scubagoggles/rego/Classroom.rego
@@ -35,6 +35,7 @@ NonCompliantOUs1_1 contains {
     ClassroomEnabled(OU)
     whoCanJoin := settings.classroom_class_membership.whoCanJoinClasses
     whoCanJoin != "ANYONE_IN_DOMAIN"
+    whoCanJoin != "ANYONE_IN_ALLOWLISTED_DOMAINS"
 }
 
 tests contains {
@@ -80,6 +81,7 @@ NonCompliantOUs1_2 contains {
     ClassroomEnabled(OU)
     whichClasses := settings.classroom_class_membership.whichClassesCanUsersJoin
     whichClasses != "CLASSES_IN_DOMAIN"
+    whichClasses != "CLASSES_IN_ALLOWLISTED_DOMAINS"
 }
 
 tests contains {