Did Google lie about Apps for Government's FISMA certification?
Microsoft cites Justice Department brief; Google says system more secure than certified version
Microsoft has accused Google of misleading customers about Google Apps for Government being certified for government use — and in the process, perhaps raised questions about whether certifications of one product can apply to similar, or enhanced versions of, products.
At issue is whether Google Apps for Government, released in July 2010, is certified under the Federal Information Security Management Act, as Google has claimed.
Microsoft says no, citing a Justice Department brief in a Google suit against the department, in which a footnote states, “it appears that Google’s Google Apps for Government does not have FISMA certification.”
FISMA is a 2002 law that requires agencies to certify information security processes for their IT systems, including those managed by other agencies or contractors.
Google Apps for gov a boon for teleworkers
GSA takes the plunge, as first to move e-mail to the cloud agencywide
Google did receive FISMA certification for Google Apps Premier, the brief states, but Apps for Government is a “more restrictive” version that Google is preparing to submit for FISMA certification.
In a blog post April 11, David Howard, Microsoft corporate vice president and deputy general counsel, called attention to the department's brief, which had been unsealed the week before.
“Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government,” Howard wrote. “If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?”
In a response statement, David Mihalchik, business development executive for Google Federal, said that Apps for Government "is the same system with enhanced security controls that go beyond FISMA requirements" and said Google "did not mislead the court or our customers," according to a report in the Los Angeles Times.
The dispute grows out of a suit Google filed against Justice in October 2010, protesting the department’s decision to limit its search when choosing Microsoft’s Business Productivity Online Suite for departmentwide e-mail. BPOS, like Google Apps a cloud-based product, doesn’t have FISMA certification.
A judge granted Google a preliminary injunction in January.
The Justice brief cites an e-mail from December in which a General Services Administration security officer says that Google Apps for Government doesn’t have FISMA accreditation, according to the L.A. Times. GSA issues FISMA certifications.
Coincidentally, GSA in December became the first federal agency to begin moving its agencywide e-mail to the cloud, choosing Google Apps for Government.