

Before you begin
Follow the emailed instructions to create an account (if this is your first CASA) and login.
What you will need to submit your CASA:
-
CASA Tier 2 Notification email
-
Prior CASA assessment results (*only applicable to applications that have previously received a CASA Tier 2 Letter of Verification)
-
Industry certifications (*only for 3P devs accelerating CASA)
-
AST configuration file(s)
-
AST scan result(s) in plain text (.txt) format.”
Additional upload for custom or alternative AST scan:
-
OWASP benchmark results (more info)

CASA Portal Getting Started
For first-time portal users, a Tier 2 CASA will be automatically generated. New assessments can be created anytime from the portal home page.
Opening a case leads to a Getting Started page requesting the following:
-
Project Contact Name (first and last)
-
Project Contact Email
-
Project Contact Phone
-
Legal Entity Name
-
Website
-
Assessment Type ("New" or "Reassessment")
-
Application Scope
-
Google Project ID
This information is used to identify which CASA requirements are in scope for your application and collect the necessary app metadata to issue a Letter of Verification.
NOTE: a CASA must be submitted for verification review within 30 days of initiation. Requests for deadline extension are evaluated on a case by case basis.

CASA Portal Tier 2 Uploads
Upload all evidence collected in Step 1 and Step 2. This includes:
-
Existing CASA-accepted security frameworks
-
AST configuration file(s)
-
AST scan result(s) in xlsx, csv, xml, or pdf format
-
OWASP benchmark results (*only for custom or alternative AST scans)
NOTE: Security frameworks are optional to accelerate your CASA and not required for verification. Revisit Step 1 for more detail.
Need help? Use the integrated "Messages" feature within the portal to communicate directly with a CASA specialist. Email notifications for responses are sent to the email address used to log into the portal.
REMINDER: Code scanning is required for Tier 2 verification. No application code, scan results, or vulnerability findings are shared or disclosed to Google as part of verification.

CASA Portal Self-attestation Survey
The portal will validate the inputs provided and provide set of remaining requirements for self-attestation, organized by CASA chapters. For users accelerating CASA with a large number of security frameworks, self-attestation may not be required. In these cases, the self-attestation survey portion of the portal will not appear.
In most cases, there will be small number of requirements that require self-attestation. For these requirements, the responding 3P developer will need to self-attest to a series of "Yes, No, N/A" questions tied to CASA requirements.
A comment field is available for the developer to justify each response with how the application satisfies or does not satisfy a given requirement. CASA acceptance criteria provide a non-exhaustive set of examples as reference.
NOTE: Do not modify questions automatically populated as being "Fulfilled by prerequisite". These choices are automatically selected by the CASA portal based on responses in the Tier 2 Uploads section.
Warning messages will appear when responding "No" to requirements linked to CWEs with high and medium likelihood of exploit. To qualify for Tier 2 verification, you must:
-
Satisfy requirements linked to common weakness enumerations (CWEs) with high likelihood of exploit
-
Satisfy requirements linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
-
Requirements linked to CWEs with low likelihood of exploit are provided for educational purposes only and not required to receive a letter of verification
Once all assessment prerequisites have been completed sufficiently, the CASA Portal will prompt a developer to submit for verification.
Finalize