Did Google lie about Apps for Government's FISMA certification?

Microsoft cites Justice Department brief; Google says system more secure than certified version

Microsoft has accused Google of misleading customers about Google Apps for Government being certified for government use — and in the process, perhaps raised questions about whether certifications of one product can apply to similar, or enhanced versions of, products.

At issue is whether Google Apps for Government, released in July 2010, is certified under the Federal Information Security Management Act, as Google has claimed.

Microsoft says no, citing a Justice Department brief in a Google suit against the department, in which a footnote states, “it appears that Google’s Google Apps for Government does not have FISMA certification.”

FISMA is a 2002 law that requires agencies to certify information security processes for their IT systems, including those managed by other agencies or contractors.

Related coverage:

Google Apps for gov a boon for teleworkers

GSA takes the plunge, as first to move e-mail to the cloud agencywide

Google did receive FISMA certification for Google Apps Premier, the brief states, but Apps for Government is a “more restrictive” version that Google is preparing to submit for FISMA certification.

In a blog post April 11, David Howard, Microsoft corporate vice president and deputy general counsel, called attention to the department's brief, which had been unsealed the week before.

“Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government,” Howard wrote. “If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?”

In a response statement, David Mihalchik, business development executive for Google Federal, said that Apps for Government "is the same system with enhanced security controls that go beyond FISMA requirements" and said Google "did not mislead the court or our customers," according to a report in the Los Angeles Times.

The dispute grows out of a suit Google filed against Justice in October 2010, protesting the department’s decision to limit its search when choosing Microsoft’s Business Productivity Online Suite for departmentwide e-mail. BPOS, like Google Apps a cloud-based product, doesn’t have FISMA certification.

A judge granted Google a preliminary injunction in January.

The Justice brief cites an e-mail from December in which a General Services Administration security officer says that Google Apps for Government doesn’t have FISMA accreditation, according to the L.A. Times. GSA issues FISMA certifications.

Coincidentally, GSA in December became the first federal agency to begin moving its agencywide e-mail to the cloud, choosing Google Apps for Government.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Mon, Apr 18, 2011

Eran Feigenbaum, you and Google could have avoided much of this controversy if you were correctly referencing the authorization status of the various Google Application suites. If the vendors that your company hired to take you through the FedRAMP Authorization process (i.e. C&A) aren't advising you on how to message around federal ceritification, you might want to re-engage them or hire a new set of vendors. As I posted in a comment on this article last week, there is no such thing as a FISMA certification. GSA's FedRAMP doesn't refer to it that way. Your apps are being subjected to certification testing under FedRAMP to receive a cloud Authorization. That is being done using NIST 800-53, 800-53A, and 800-37 at a moderate or low impact level as ategorized under FIPS 199. The other area of confusion is that a new or even slightly modified version of an application or system isn't certified or authorized until you get the final authorization letter. So the modified version of Google Apps for Federal is not authorized for use by Federal agencies until your re-certification is complete. Until then, you can't claim that the modified version is "certified". And you can never claim that any Google App is "FISMA Certified" because that certification doesn't exist.

Wed, Apr 13, 2011

The truth about Google Apps and FISMA Wednesday, April 13, 2011 at 2:32 PM In a breathless blog post, Microsoft recently suggested we intentionally misled the U.S. government over our compliance with the Federal Information Security Management Act (FISMA). Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false. We take the federal government’s security requirements seriously and have delivered on our promise to meet them. What’s more, we’ve been open and transparent with the government, and it’s irresponsible for Microsoft to suggest otherwise. Let’s look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application. This was reflected in yesterday’s Congressional testimony from the GSA: “...we're actually going through a re-certification based on those changes that Google has announced with the ‘Apps for Government’ product offering.” FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements. We’ve been very transparent about our FISMA authorization. Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers’ data secure. We’ll continue to update our documentation to reflect new capabilities in Google Apps. This continuous innovation is an important reason government customers select our service. We’re confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization. We look forward to continuing to work with governments around the world to bring them the many benefits of cloud computing. Posted by Eran Feigenbaum, Director of Security, Google Enterprise

Wed, Apr 13, 2011

"Microsoft has accused Google" what a surprise.

Wed, Apr 13, 2011

By the way, GCN/Google/Microsoft... There is NO SUCH THING as a "FISMA Certification". The terms Certification and Accreditation appear no where in the FISMA legislation. Nor does FISMA require use of accredited applications. None of the activities dicussed in this article are specified in FISMA, other than the fact that FISMA authorizes NIST to set minimum standards and publish guidelines for security federal information systems. FISMA is mis-associated with C&A because the OMB under the Bush Administration chose C&A status as a measure of federal agencies' security posture. They used that information in the reports to congressional oversight committees that were mandated by FISMA.

Wed, Apr 13, 2011

:-) It is funny to see that this person at Microsoft doesn't know the different between Google Apps Premier and Google Apps Premier for Gov. "Google did receive FISMA certification for Google Apps Premier, the brief states, but Apps for Government is a “more restrictive” version that Google is preparing to submit for FISMA certification." It is very difficult to get Google Apps Premier FISMA certified and Google did get that done. "Apps Premier for Government" is much easier to certified; since it is the exact Google Apps Premier but deployed in data center dedicated for US Government only.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group