The CMMC Space CommsLink Google Workspace add-on is a lightweight Google Apps Script add-on that provides users with the capability to label and track emails that contain CUI for auditing purposes, as well as notify an external email address whenever there is a new, unread email in their secure CMMC Space email address.
This guide will walk you through the basics of how to use CommsLink, as well as address potential questions regarding data integrity and security.
How to Use CommsLink
Look for this icon on the right-hand sidebar of your browser after navigating to Gmail. Interacting with this icon will open an iFrame in your browser window.
Classifying Emails with CommsLink
The Classify Email button inside the iFrame does not classify anything itself; selecting it only shows instructions on how to use this feature in CommsLink. To classify an email, select the Compose button on the top left-hand side of the Gmail window, then look for the More Options icon (identified by three vertical dots, see below).
Then select Classification. A window will appear with three classification options: Unclassified, Controlled Unclassified Information, and Confidential. Please note that, by default, Controlled Unclassified Information is the only option that is monitored. Contact support@atxdefense.com if you would like the additional options logged.
Selecting Controlled Unclassified Information will insert a purple banner into the top of the draft email's body. The banner may look smaller than it should be. However, when the email is sent, the banner will stretch across the top of the email body. This is a limitation of the add-on and is expected behavior.
This banner contains an alphanumeric string that your Admin console is monitoring for. Emails containing this string are logged in the Admin console's logs. The contents of this email are not logged, only the record that it was sent. Please note, this function is entirely optional. You are not required to use this, and unless the banner is inserted, Google will not log any email traffic beyond the native Admin Console logging functionality.
Email Notifications with CommsLink
The most useful feature of CommsLink is the ability to receive external email notifications when you have unread emails in CMMC Space. By selecting Notification Settings, you can begin to set up your external email settings.
Select Notification Settings, and then Edit Settings on the next page. Once the next page loads, you will see a consent checkbox, a text field labeled Notification Email and a dropdown box labeled Notification Status. In order to receive email notifications, you must explicitly consent to receive the external emails.
Enter the email address at which you would like to receive notifications into the Notification Email text field, select Enabled in the Notification Status dropdown menu, and then select Save Settings.
The notifications sent are hardcoded into the add-on. All notification emails sent have the subject line, "New Email Alert," and the body will always read, "You have received an email in your secure inbox." These emails will be sent by your CMMC Space email address.
Be sure this email address is whitelisted so that notifications are not redirected to your spam folder.
Data Integrity and Security
The CommsLink add-on has undergone a Cloud Application Security Assessment by TAC Security, and received an ESOF Cyber Score of 9.7 out of 10.
CommsLink is built on the principles of least functionality and least privilege. To that end, only API scopes that are absolutely required for the add-on to perform its intended functions are enabled. All API scopes that CommsLink uses are within the Google Services FedRAMP boundary and ATO.
CommsLink does not and cannot read the contents of any emails inside of your CMMC Space email. CommsLink only reads the metadata of the email and looks for the timestamp and read/unread status of the most recent email in your inbox. This is how the add-on knows whether or not to send you a notification.
By selecting "I consent," you allow CommsLink to create a time-based trigger on your behalf. This trigger runs every hour and checks for a new, unread email. If you ever disable or deselect the consent box, the trigger will be deleted. Additionally, your notification email address is stored only locally in the add-on; it is not stored outside of your Gmail.
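The hourly check described above can be sketched as follows. This is an added example, not CommsLink's own code: all function and field names are hypothetical, the mailbox data is constructed, and the use of the timestamp to avoid repeat alerts for the same message is an assumption.

```javascript
// Added illustration, not CommsLink source. Every name here is hypothetical.
const SUBJECT = "New Email Alert";
const BODY = "You have received an email in your secure inbox.";

// Decide from metadata alone. `latest` mirrors a Gmail API message fetched with
// format=metadata: it carries labelIds and internalDate but no body content.
function shouldNotify(settings, latest, lastNotifiedMs) {
  if (!settings.consent || settings.status !== "Enabled" || !settings.email) return false;
  if (!latest || !Array.isArray(latest.labelIds)) return false;
  if (!latest.labelIds.includes("UNREAD")) return false;
  // Assumed use of the timestamp: alert once per message, not once per hour.
  return Number(latest.internalDate) > lastNotifiedMs;
}

// One hourly run. `io` injects the side effects so the logic runs offline; in
// Apps Script they would be a Gmail metadata lookup and a send-mail call.
function hourlyCheck(settings, state, io) {
  const latest = io.latestInboxMetadata();
  if (!shouldNotify(settings, latest, state.lastNotifiedMs)) return false;
  io.send(settings.email, SUBJECT, BODY);
  state.lastNotifiedMs = Number(latest.internalDate);
  return true;
}

// The trigger exists only while consent is given; withdrawing consent deletes it.
function syncTrigger(settings, triggers) {
  const wanted = settings.consent === true;
  if (wanted && !triggers.exists()) triggers.createHourly();
  if (!wanted && triggers.exists()) triggers.remove();
  return wanted;
}

// Constructed sample run: one unread message seen by two consecutive hourly runs.
function demo() {
  const sent = [];
  const inbox = { labelIds: ["INBOX", "UNREAD"], internalDate: "1700000000000" };
  const io = { latestInboxMetadata: () => inbox, send: (to, s, b) => sent.push({ to, s, b }) };
  const settings = { consent: true, status: "Enabled", email: "user@example.com" };
  const state = { lastNotifiedMs: 0 };
  const runs = [hourlyCheck(settings, state, io), hourlyCheck(settings, state, io)];
  let active = false;
  const triggers = { exists: () => active, createHourly: () => { active = true; }, remove: () => { active = false; } };
  syncTrigger(settings, triggers);
  const whileConsented = active;
  syncTrigger({ ...settings, consent: false }, triggers);
  return { runs, sent, whileConsented, afterWithdrawal: active };
}
```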
You can read the entire TAC Security Report here.