Google releases FISMA-compliant Apps for Government

Cloud-based suite meets federal regs; Microsoft looking to catch up

After a year of working on security steps to comply with federal government regulations, Google today launched Google Apps for Government.

Google Apps for Government is the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government, said David Mihalchik, Google’s federal business development executive. The Google Apps platform consists of Google Docs, Gmail, spreadsheets, a video tool and Google Sites.

The General Services Administration has reviewed the documentation of the company’s security controls and last Thursday issued an authorization to operate, Mihalchik said.

The move will almost certainly intensify the competition between Google and Microsoft to provide cloud-based e-mail service and productivity applications to the federal community, industry observers said.

“The federal government is the golden nugget everyone is chasing,” said David Linthicum, chief technology officer and founder of Blue Mountain Labs.

“FISMA is always being brought up as a hindrance to the government moving to the cloud,” Linthicum said. Google is basically saying that Google Apps is ready to go, he said.




“FISMA was a top priority for us,” Mihalchik said. The certification was a very detailed process that involved Google meeting 200 National Institute of Standards and Technology security controls, testing by an independent organization and a GSA review, he said. The review makes it easier for federal agencies to compare Google security features to those of their existing systems, Mihalchik said.

Microsoft says it is close to obtaining the same certification for a Web-based version of Exchange, a widely used program for managing e-mail that most organizations run on their own server systems, according to a Wall Street Journal article. Google and Microsoft are competing to provide e-mail to GSA.

The government defines cloud computing as an on-demand model for network access, allowing users to tap into a shared pool of configurable computing resources, such as applications, networks, servers, storage and services, that can be rapidly provisioned and released with minimal management effort or service-provider interaction.

Google Apps for Government is hosted in a multi-tenant cloud that conforms to NIST's definition of a community cloud, Mihalchik said.

Google will store Gmail and Calendar data in a segregated system located in the continental United States, exclusively for government customers. Other applications will follow in the near future, Mihalchik said.

The Energy Department’s Lawrence Berkeley Laboratory started deploying Google Apps for its 5,000 users early this year. Berkeley Labs is using Gmail, Docs, Sites and Calendar, with full deployment scheduled by the end of the year.

The Berkeley lab did its own security accreditation of Google Apps and reviewed Google’s documentation before the company had completed its FISMA compliance, Mihalchik noted. The lab is expected to save $1.5 million to $2 million over five years by using Google Apps for Government, he said.

Google also announced that InRelief.org, a humanitarian relief organization funded by the U.S. Navy, is using Google Apps for Government to provide users with more real-time collaboration capabilities during disasters.

Government movement to the cloud will continue to be an evolutionary process – agency by agency, division by division, Linthicum said. The offering of e-mail services, which falls into the software-as-a-service cloud delivery model, is a logical place for many agencies to start, industry experts have observed.

FISMA compliance for infrastructure-as-a-service and platform-as-a-service will be the next step for cloud providers, Linthicum said. FISMA compliance for these cloud delivery models will be more complex, Linthicum noted.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.

Reader Comments

Thu, Jul 29, 2010 Chuck Finley

What exactly is a "FISMA Certification"? And what specifically does a FISMA Certification mean? FISMA requires government agencies to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—"(i) information collected or maintained by or on behalf of the agency; and "(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. (http://csrc.nist.gov/drivers/documents/FISMA-final.pdf). The combined government-wide results appear in an annual OMB report to Congress (http://www.whitehouse.gov/omb/assets/egov_docs/FY09_FISMA.pdf). Until 2008, FISMA results were publicly shared via an annual Computer Security Report Card (http://gcn.com/articles/2007/04/23/fisma-grades-what-do-they-mean.aspx). *One* of the (IG) reporting requirements of FISMA is C&A. (http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf). But that should not be construed as a FISMA Certification. Anyone?

Wed, Jul 28, 2010

If you read the official blog and articles, the FISMA C&A applies to Google Apps used by ALL users including commercial. A quick search shows that Google's data centers have for years extensive information assurance background to support such audits as Statement of Auditing Standards 70 (SAS-70) Type II Certification and Accreditation resulting in positive determinations. This is one of the same auditing standards used by DISA DECC's. In addition, Google also announced a US Government Community Cloud based only in the US running several Google Apps suite capabilities. These data centers are physically segmented with enhanced security to meet certain government requirements for having a separate community enclave. For government system integrators, they can now create contextual gadgets which intelligently display relevant information from other systems directly in Gmail for better decision support so government users can be more efficient without leaving their inbox. Users can even preview attached documents, spreadsheets, and presentations right from their inbox without having to download and open separately. http://googleenterprise.blogspot.com/2010/05/putting-email-in-context-with-gmail.html

Tue, Jul 27, 2010 Jeffrey Frisco Texas

I fully agree with Dave K's comments. Additionally, NIST's new standards are weak and FISMA's are as well. Still, I have to wonder why Google long ago now had not at least met the known industry and FISMA standards and done so from the beginning?

Tue, Jul 27, 2010 DR

Of course, this raises the question of what security vulnerabilities the users of non-FISMA compliant Google apps are subject to. If Google had to work extensively with NIST to enhance the apps to federal standards, what were the weaknesses that still remain in the "commercial" versions? If the FISMA-compliant Gmail and Calendar apps are hosted in CONUS, where are the commercial versions stored? India? Unintentionally, this raises more questions about Google apps than perhaps intended.

Tue, Jul 27, 2010 Dave K

This COULD represent a sea-change in government computing... if the managers currently earning their keep on big-budget IT programs can be convinced to go this route. The Google site has a cost comparison estimator, but it doesn't take into account such issues as power consumption and real estate that are always of concern. As a taxpayer, I'd LOVE to see this happen!
