No lie: GSA backs Google on FISMA certification
Agency says Apps for Government's certification 'remains intact' during review
The General Services Administration has backed up Google in its contention that its Apps for Government online office suite is, in fact, certified under the Federal Information Security Management Act.
“GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010," the agency said in a statement reported by Business Insider. "Google Apps for Government uses the Google Apps Premier infrastructure but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification.”
The statement came in response to claims by Microsoft and the Justice Department that its Apps for Government suite isn’t certified under FISMA and that Google has misled customers about its FISMA status.
Earlier, Google’s security chief also responded to the claims. “These allegations are false,” writes Eran Feigenbaum, the company’s director of security, in a post on Google’s official blog that were also submitted to the comments section of GCN’s story on the claim.
“We take the federal government’s security requirements seriously and have delivered on our promise to meet them,” Feigenbaum writes. “What’s more, we’ve been open and transparent with the government, and it’s irresponsible for Microsoft to suggest otherwise.”
Did Google lie about Apps for Government’s FISMA certification?
The dispute started with a Justice Department brief in a lawsuit that Google had filed against the Interior Department, in which Google claims Interior had not considered Google Apps when choosing Microsoft’s Business Productivity Online Suite, a Google Apps competitor for cloud-based services, as an agencywide e-mail system. (BPOS does not have FISMA certification.)
In the brief, which was unsealed April 8, Justice lawyers write that, contrary to Google’s claims, “it appears that Google’s Google Apps for Government does not have FISMA certification.” The upshot from the brief: Google Apps Premier received FISMA certification in July 2010. Apps for Government is based on that product, but with added security controls, and has been submitted for certification.
Microsoft drew on the brief in an April 11 blog post by David Howard, Microsoft corporate vice president and deputy general counsel, essentially accusing Google of lying about the certification for Apps for Government, since it is different from the certified version.
In his response April 13, Feigenbaum that Apps for Government’s certification was being reviewed, but was covered under that of Premier..
“Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system,” he writes. “It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.”
In congressional testimony April 13, GSA Associate Administrator David McClure described the process for Apps for Government as a recertification.
At a hearing held by Sen. Tom Carper (D-Del.), McClure described the issue, reported Business Insider.
“In July 2010, GSA did a FISMA security accreditation for ‘Google Apps Premier,’ " McClure said. "That's what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product. If we do one accreditation, it's leveraged across many agencies. Since that time, Google has introduced what they're calling ‘Google Apps for Government.’ It's a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes: You have to recertify it. So that's what we're doing right now, we're actually going through a recertification based on those changes that Google has announced with the ‘Apps for Government' ” product offering.
In his post, Feigenbaum said GSA and FISMA, a 2002 law that requires agencies to certify information security processes for IT systems, recognize that products evolve and that recertification is part of the process.
“We regularly inform GSA of changes to our system and update our security documentation accordingly,” he writes. “The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.”