diff --git a/config/org.go b/config/org.go
index 052e24c4..0f553fe9 100644
--- a/config/org.go
+++ b/config/org.go
@@ -37,6 +37,7 @@ type OrgConfig struct {
 ServiceAccess map[string][]string `yaml:"service-access,omitempty"`
 NamedQuota string `yaml:"named_quota"`
 Metadata *Metadata `yaml:"metadata"`
+ NamedSpaceSecurityGroups []string `yaml:"named-space-security-groups"`
 }
 func (o *OrgConfig) GetQuota() OrgQuota {
diff --git a/configcommands/org.go b/configcommands/org.go
index f67793ce..f4bb5b95 100644
--- a/configcommands/org.go
+++ b/configcommands/org.go
@@ -30,6 +30,8 @@ type OrgConfigurationCommand struct {
 Auditor UserRole `group:"auditor" namespace:"auditor"`
 ServiceAccess ServiceAccess `group:"service-access"`
 Metadata Metadata `group:"metadata"`
+ ASGs []string `long:"named-asg" description:"Named asg(s) to assign to space, specify multiple times"`
+ ASGsToRemove []string `long:"named-asg-to-remove" description:"Named asg(s) to remove, specify multiple times"`
 }
 // Execute - updates org configuration`
@@ -154,6 +156,12 @@ func (c *OrgConfigurationCommand) Execute(args []string) error {
 delete(orgConfig.Metadata.Annotations, annotation)
 }
 }
+ asgConfigs, err := c.ConfigManager.GetASGConfigs()
+ if err != nil {
+ return err
+ }
+ orgConfig.NamedSpaceSecurityGroups = removeFromSlice(addToSlice(orgConfig.NamedSpaceSecurityGroups, c.ASGs, &errorString), c.ASGsToRemove)
+ validateASGsExist(asgConfigs, orgConfig.NamedSpaceSecurityGroups, &errorString)
 if errorString != "" {
 return errors.New(errorString)
diff --git a/docs/config/README.md b/docs/config/README.md
index fce53a7f..37e86d8a 100644
--- a/docs/config/README.md
+++ b/docs/config/README.md
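Review bot: The new exported field NamedSpaceSecurityGroups has no doc comment, and its semantics are not obvious from the name: per the securitygroup.go hunk in this commit it is consulted only for spaces whose own named ASG list is empty. A comment stating that would save the next reader from assuming the groups are always applied org-wide; for example `// NamedSpaceSecurityGroups lists the named ASGs assigned to a space in this org when that space declares no named ASGs of its own (see securitygroup.CreateApplicationSecurityGroups).` The tag follows the hyphenated `service-access` style rather than `named_quota`, which is fine as long as the README example uses the same spelling, as it does in this commit.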
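Review bot: The description on the new ASGs flag, `Named asg(s) to assign to space`, is misleading on the org command: what it sets is an org-level default that spaces without their own named ASGs inherit, not an assignment to a single space. Suggest `description:"Named asg(s) applied to every space in the org that sets no named asgs of its own, specify multiple times"` and the parallel wording on ASGsToRemove; the help text in the docs/config/org/README.md hunk echoes the same sentence and should change with it.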
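Review bot: GetASGConfigs is now read and validateASGsExist run on every invocation of Execute, even when neither --named-asg nor --named-asg-to-remove was given, so an org update that only touches, say, metadata will start failing if the org already references an ASG whose config has since been removed. If that stricter behaviour is intended it deserves a comment; otherwise guard the block with `if len(c.ASGs) > 0 || len(c.ASGsToRemove) > 0 {`. The bare `return err` also drops the context the surrounding code attaches to its failures; if this file's errors package supports wrapping, `return errors.Wrap(err, "reading asg configs")` (or the fmt.Errorf %w equivalent) would say which step failed. Execute begins and ends outside this hunk.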
@@ -1,31 +1,31 @@ # DEPRECATED Commands -* [add-org](add-org/README.md), use [org](org/README.md) -* [add-space](add-space/README.md), use [space](space/README.md) -* [add-asg](add-asg/README.md), use [asg](asg/README.md) -* [update-org](update-org/README.md), use [org](org/README.md) -* [update-space](update-space/README.md), use [space](space/README.md) +- [add-org](add-org/README.md), use [org](org/README.md) +- [add-space](add-space/README.md), use [space](space/README.md) +- [add-asg](add-asg/README.md), use [asg](asg/README.md) +- [update-org](update-org/README.md), use [org](org/README.md) +- [update-space](update-space/README.md), use [space](space/README.md) # Configuration Commands -* [init](init/README.md) -* [global](global/README.md) -* [asg](asg/README.md) -* [org](org/README.md) -* [space](space/README.md) -* [delete-org](delete-org/README.md) -* [delete-space](delete-space/README.md) -* [generate-concourse-pipeline](generate-concourse-pipeline/README.md) -* [update-orgs](update-orgs/README.md) -* [rename-org](rename-org/README.md) -* [rename-space](rename-space/README.md) -* [named-org-quota](named-org-quota/README.md) -* [named-space-quota](named-space-quota/README.md) -* [version](version/README.md) +- [init](init/README.md) +- [global](global/README.md) +- [asg](asg/README.md) +- [org](org/README.md) +- [space](space/README.md) +- [delete-org](delete-org/README.md) +- [delete-space](delete-space/README.md) +- [generate-concourse-pipeline](generate-concourse-pipeline/README.md) +- [update-orgs](update-orgs/README.md) +- [rename-org](rename-org/README.md) +- [rename-space](rename-space/README.md) +- [named-org-quota](named-org-quota/README.md) +- [named-space-quota](named-space-quota/README.md) +- [version](version/README.md) ## Global Config -There is global configuration that is managed in `cf-mgmt.yml`. The following options exist in that configuration. +There is global configuration that is managed in `cf-mgmt.yml`. 
The following options exist in that configuration. ```yml enable-delete-isolation-segments: false #true/false @@ -84,22 +84,22 @@ protected-users: ### Org Configuration -There is a orgs.yml that contains list of orgs that will be created. This should have a corresponding folder with name of the orgs cf-mgmt is managing. orgs.yml also can be configured with a list of protected orgs which would never be deleted when using the the `delete-orgs` command. An example of how orgs.yml could be configured is seen below. +There is a orgs.yml that contains list of orgs that will be created. This should have a corresponding folder with name of the orgs cf-mgmt is managing. orgs.yml also can be configured with a list of protected orgs which would never be deleted when using the the `delete-orgs` command. An example of how orgs.yml could be configured is seen below. ```yml orgs: -- foo-org -- bar-org + - foo-org + - bar-org # added in 0.0.63+ which will remove orgs not configured in cf-mgmt enable-delete-orgs: true # added in 0.0.63+ which allows configuration of orgs to 'ignore'. Uses re2 syntax: https://github.com/google/re2/wiki/Syntax protected_orgs: -- ^system$ # will match only system -- system # will match system at any place within the org name. For example: my-system-org will be protected. -- ^p- # matches any org beginning with "p-" and any characters following + - ^system$ # will match only system + - system # will match system at any place within the org name. For example: my-system-org will be protected. + - ^p- # matches any org beginning with "p-" and any characters following ``` -This will contain a orgConfig.yml and folder for each space. Each orgConfig.yml consists of the following. +This will contain a orgConfig.yml and folder for each space. Each orgConfig.yml consists of the following. ```yml # org name 
@@ -119,7 +119,6 @@ org-billingmanager: - cwashburn@testdomain.com - cwashburn2@testdomain.com - # ldap group that contains users that will be added to cf and given billing manager role ldap_group: test_billing_managers @@ -202,18 +201,21 @@ metadata: foo: bar annotations: hello: world + +# added in 1.0.84+ allows setting security groups for all spaces in a given org +named-space-security-groups: [] ``` ### Space Configuration -There will be a spaces.yml that will list all the spaces for each org. There will also be a folder for each space with the same name. Each folder will contain a spaceConfig.yml and security-group.json file with an empty json file. +There will be a spaces.yml that will list all the spaces for each org. There will also be a folder for each space with the same name. Each folder will contain a spaceConfig.yml and security-group.json file with an empty json file. Each spaceConfig.yml will have the following configuration options: -* allow ssh at space level -* map ldap group names to SpaceDeveloper, SpaceManager, SpaceAuditor role -* setup quotas at a space level (if enabled) -* apply application security group config at space level (if enabled) +- allow ssh at space level +- map ldap group names to SpaceDeveloper, SpaceManager, SpaceAuditor role +- setup quotas at a space level (if enabled) +- apply application security group config at space level (if enabled) ```yml # org that is space belongs to 
@@ -340,7 +342,7 @@ Note that this is actually processed at runtime, not when spaces are added to th ### LDAP Configuration -LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. By default, LDAP is disabled and you can enable it by setting ```enabled: true```. Once this is enabled, all other LDAP configuration properties are required. +LDAP configuration file `ldap.yml` is located under the `config` folder. By default, LDAP is disabled and you can enable it by setting `enabled: true`. Once this is enabled, all other LDAP configuration properties are required. ```yml enabled: true @@ -374,11 +376,11 @@ minTLSVersion: 1.0 maxTLSVersion: 1.3 ``` ->When using LDAP with Active Directory, the `uid` for `userNameAttribute` should be a `sAMAccountName` +> When using LDAP with Active Directory, the `uid` for `userNameAttribute` should be a `sAMAccountName` ### SAML Configuration with ldap group lookups -LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. To have cf-mgmt create SAML users in UAA need to enable ldap to lookup the user information from an LDAP source to properly create the SAML users. In orgConfig.yml and spaceConfig.yml leverage either/or `ldap_users` or `ldap_group(s)` +LDAP configuration file `ldap.yml` is located under the `config` folder. To have cf-mgmt create SAML users in UAA need to enable ldap to lookup the user information from an LDAP source to properly create the SAML users. In orgConfig.yml and spaceConfig.yml leverage either/or `ldap_users` or `ldap_group(s)` ```yml enabled: true 
@@ -413,7 +415,7 @@ maxTLSVersion: 1.3 ### SAML Configuration -LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. To have cf-mgmt create SAML users you can disable ldap integration for looking up users in ldap groups with v0.0.66+ as orgConfig.yml and spaceConfig.yml now includes a saml_users array attribute which can contain a list of email addresses. +LDAP configuration file `ldap.yml` is located under the `config` folder. To have cf-mgmt create SAML users you can disable ldap integration for looking up users in ldap groups with v0.0.66+ as orgConfig.yml and spaceConfig.yml now includes a saml_users array attribute which can contain a list of email addresses. ```yml enabled: false @@ -430,7 +432,7 @@ groupAttribute: ### Enable Temporary Application SSH Access -With 1.0.13+ there is ability to grant applicaiton ssh access for a specific duration. Durations supported are in number of Days (D), Hours (H) or Minutes (M). Use the cf-mgmt-config cli to update a given space with one of these metrics. This will generate the timestamp in the correct format for you. You must also use the latest generated concourse pipeline as this places update-space command on a timer to run every 15m (by default) to check to see if time has elapsed to re-disable application ssh access +With 1.0.13+ there is ability to grant applicaiton ssh access for a specific duration. Durations supported are in number of Days (D), Hours (H) or Minutes (M). Use the cf-mgmt-config cli to update a given space with one of these metrics. This will generate the timestamp in the correct format for you. You must also use the latest generated concourse pipeline as this places update-space command on a timer to run every 15m (by default) to check to see if time has elapsed to re-disable application ssh access The following will enable for 2 days: diff --git a/docs/config/org/README.md b/docs/config/org/README.md index 3114be9b..fa2e6c5c 100644 --- a/docs/config/org/README.md 
+++ b/docs/config/org/README.md
@@ -32,6 +32,8 @@ Help Options:
 --enable-remove-users=[true|false] Enable removing users from the org
 --named-quota= Named quota to assign to org
 --clear-named-quota Sets the named quota to blank
+ --named-asg= Named asg(s) to assign to space, specify multiple times
+ --named-asg-to-remove= Named asg(s) to remove, specify multiple times
 quota:
 --enable-org-quota=[true|false] Enable the Org Quota in the config
diff --git a/securitygroup/securitygroup.go b/securitygroup/securitygroup.go
index 2c2ce7c3..92a1f11b 100644
--- a/securitygroup/securitygroup.go
+++ b/securitygroup/securitygroup.go
@@ -57,6 +57,10 @@ func (m *DefaultManager) CreateApplicationSecurityGroups() error {
 }
 for _, input := range spaceConfigs {
+ orgConfig, err := m.Cfg.GetOrgConfig(input.Org)
+ if err != nil {
+ return errors.Wrapf(err, "can't find org configuration %s", input.Org)
+ }
 space, err := m.SpaceManager.FindSpace(input.Org, input.Space)
 if err != nil {
 return errors.Wrapf(err, "Finding org/space %s/%s", input.Org, input.Space)
@@ -68,7 +72,12 @@ func (m *DefaultManager) CreateApplicationSecurityGroups() error {
 lo.G.Debugf("Existing space security groups %+v", existingSpaceSecurityGroups)
 // iterate through and assign named security groups to the space - ensuring that they are up to date is
 // done elsewhere.
- for _, securityGroupName := range input.ASGs {
+ namedASGs := input.ASGs
+ if len(namedASGs) == 0 {
+ lo.G.Debugf("using named asgs from org as space array is blank")
+ namedASGs = orgConfig.NamedSpaceSecurityGroups
+ }
+ for _, securityGroupName := range namedASGs {
 if sgInfo, ok := sgs[securityGroupName]; ok {
 if _, ok := existingSpaceSecurityGroups[securityGroupName]; !ok {
 err := m.AssignSecurityGroupToSpace(space, sgInfo)
diff --git a/securitygroup/securitygroup_test.go b/securitygroup/securitygroup_test.go
index 4fc05698..ec90f7f1 100644
--- a/securitygroup/securitygroup_test.go
+++ b/securitygroup/securitygroup_test.go
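Review bot: GetOrgConfig is called once per space config, so an org with many spaces has its org configuration re-read (and presumably re-parsed) for every space in the loop; resolving each org once into a map keyed by input.Org before the loop, or memoising inside it, would avoid that. The wrap text `can't find org configuration %s` also assumes the only failure is not-found, whereas a parse error from GetOrgConfig would be reported under the same message; matching the neighbouring style with `errors.Wrapf(err, "Getting org configuration for %s", input.Org)` keeps it accurate for both. CreateApplicationSecurityGroups starts before this hunk.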
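Review bot: The fallback at `if len(namedASGs) == 0` means the org-level groups are applied only to spaces that name no ASGs at all, so a space that names even one ASG silently opts out of the whole org-wide set; the docs/config/README.md hunk in this commit describes the field as "setting security groups for all spaces in a given org", which reads as always-on. If org-wide enforcement is the intent, the two lists should be merged (deduplicated) rather than one replacing the other; if override is the intent, say so next to the check, e.g. `// a space that declares its own named ASGs overrides the org-level list entirely`, and align the README wording. Note too that a name absent from sgs is still skipped without any log on the `if sgInfo, ok := sgs[securityGroupName]; ok` line, and org-sourced names now take that same silent path; a warning there would make a mistyped org-level ASG visible. The function continues past the hunk.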
@@ -68,6 +68,7 @@ var _ = Describe("given Security Group Manager", func() {
 SpaceManager: fakeSpaceMgr,
 Peek: false,
 }
+ fakeReader.GetOrgConfigReturns(&config.OrgConfig{}, nil)
 })
 Context("ListNonDefaultSecurityGroups", func() {
 It("returns 2 security groups", func() {
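Review bot: The only test change stubs GetOrgConfig to return an empty OrgConfig for every org, which keeps the existing specs passing but never exercises the new fallback branch in CreateApplicationSecurityGroups; as far as this diff shows, a regression that dropped the org-level list would go unnoticed. A spec in the CreateApplicationSecurityGroups context that returns `&config.OrgConfig{NamedSpaceSecurityGroups: []string{"<asg name used by the fixture>"}}` for a space config with an empty ASGs list, and asserts AssignSecurityGroupToSpace was called for that group (plus one showing a space-level list takes precedence), would cover it. The Describe body continues outside this hunk, so other specs may exist that I cannot see.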