Complete your CASA

tier 2 customize
start sign

Before you begin

Follow the emailed instructions to create an account (if this is your first CASA) and login.

What you will need to submit your CASA:

  • CASA Tier 2 Notification email

  • Industry certifications (If Any)

  • AST configuration file(s), this can be an export of the scanning policy, screenshots of the CWEs scanned, or any evidence showing what you scanned against. 

  • AST scan result(s) in plain text (.txt) format.

If you used custom tools:

start sign

CASA Portal Getting Started

For first-time portal users, a Tier 2 CASA will be automatically generated. New assessments can be created anytime from the portal home page.

Opening a case leads to a Getting Started page requesting the following: 

  • Project Contact Name (first and last) 

  • Project Contact Email 

  • Project Contact Phone

  • Legal Entity Name 

  • Website 

  • Assessment Type ("New" or "Reassessment") 

  • Application Scope

  • Google Project ID

This information is used to identify which CASA requirements are in scope for your application and collect the necessary app metadata to issue a Letter of Verification.

NOTE: a CASA must be submitted for verification review within 30 days of initiation. Requests for deadline extension are evaluated on a case by case basis.

start sign

CASA Portal Tier 2 Uploads

Upload all evidence collected in Step 1 and Step 2. This includes:

  • Existing CASA-accepted security frameworks 

  • AST configuration file(s)

  • AST scan result(s) in xlsx, csv, xml, or pdf format

  • OWASP benchmark results (*only for custom or alternative AST scans)

NOTE: Security frameworks are optional to accelerate your CASA and not required for verification. Revisit Step 1 for more detail.

Need help? Use the integrated "Messages" feature within the portal to communicate directly with a CASA specialist. Email notifications for responses are sent to the email address used to log into the portal. 

REMINDER: Code scanning is required for Tier 2 verification. No application code, scan results, or vulnerability findings are shared or disclosed to Google as part of verification.

start sign

CASA Portal Self-attestation Survey

The portal will validate the inputs provided and provide set of remaining requirements for self-attestation, organized by CASA chapters. For users accelerating CASA with a large number of security frameworks, self-attestation may not be required. In these cases, the self-attestation survey portion of the portal will not appear.

In most cases, there will be small number of requirements that require self-attestation. For these requirements, the responding 3P developer will need to self-attest to a series of "Yes, No, N/A" questions tied to CASA requirements. 

A comment field is available for the developer to justify each response with how the application satisfies or does not satisfy a given requirement. CASA acceptance criteria provide a non-exhaustive set of examples as reference.

NOTE: Do not modify questions automatically populated as being "Fulfilled by prerequisite". These choices are automatically selected by the CASA portal based on responses in the Tier 2 Uploads section.


To qualify for Tier 2 verification, you must:

  • Remediate any failed CWEs that are mapped to CASA requirements

  • Self attest for non scannable CASA requirements

Once all assessment prerequisites have been completed sufficiently, the CASA Portal will prompt a developer to submit for verification.

Finalize