Complete your CASA

Before you begin

Follow the emailed instructions to create an account (if this is your first CASA) and login. 

What you will need to submit your CASA:

• CASA Tier 2 Notification email

• Prior CASA assessment results (*only applicable to applications that have previously received a CASA Tier 2 Letter of Verification)

• Industry certifications (*only for 3P devs accelerating CASA)

• AST configuration file(s)

• AST scan result(s) in plain text (.txt) format.”

Additional upload for custom or alternative AST scan:

• OWASP benchmark results (more info)

CASA Portal Getting Started

For first-time portal users, a Tier 2 CASA will be automatically generated. New assessments can be created anytime from the portal home page.

Opening a case leads to a Getting Started page requesting the following: 

• Project Contact Name (first and last) 

• Project Contact Email 

• Project Contact Phone

• Legal Entity Name 

• Website 

• Assessment Type ("New" or "Reassessment") 

• Application Scope

• Google Project ID

This information is used to identify which CASA requirements are in scope for your application and collect the necessary app metadata to issue a Letter of Verification.

NOTE: a CASA must be submitted for verification review within 30 days of initiation. Requests for deadline extension are evaluated on a case by case basis.

CASA Portal Tier 2 Uploads

Upload all evidence collected in Step 1 and Step 2. This includes:

• Existing CASA-accepted security frameworks 

• AST configuration file(s)

• AST scan result(s) in xlsx, csv, xml, or pdf format

• OWASP benchmark results (*only for custom or alternative AST scans)

NOTE: Security frameworks are optional to accelerate your CASA and not required for verification. Revisit Step 1 for more detail.

Need help? Use the integrated "Messages" feature within the portal to communicate directly with a CASA specialist. Email notifications for responses are sent to the email address used to log into the portal. 

REMINDER: Code scanning is required for Tier 2 verification. No application code, scan results, or vulnerability findings are shared or disclosed to Google as part of verification.

CASA Portal Self-attestation Survey

The portal will validate the inputs provided and provide set of remaining requirements for self-attestation, organized by CASA chapters. For users accelerating CASA with a large number of security frameworks, self-attestation may not be required. In these cases, the self-attestation survey portion of the portal will not appear.

In most cases, there will be small number of requirements that require self-attestation. For these requirements, the responding 3P developer will need to self-attest to a series of "Yes, No, N/A" questions tied to CASA requirements. 

A comment field is available for the developer to justify each response with how the application satisfies or does not satisfy a given requirement. CASA acceptance criteria provide a non-exhaustive set of examples as reference.

NOTE: Do not modify questions automatically populated as being "Fulfilled by prerequisite". These choices are automatically selected by the CASA portal based on responses in the Tier 2 Uploads section.

Warning messages will appear when responding "No" to requirements linked to CWEs with high and medium likelihood of exploit. To qualify for Tier 2 verification, you must:

• Satisfy requirements linked to common weakness enumerations (CWEs) with high likelihood of exploit

• Satisfy requirements linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)

• Requirements linked to CWEs with low likelihood of exploit are provided for educational purposes only and not required to receive a letter of verification

Once all assessment prerequisites have been completed sufficiently, the CASA Portal will prompt a developer to submit for verification.