Did Google lie about Apps for Government's FISMA certification?

Microsoft cites Justice Department brief; Google says system more secure than certified version

Microsoft has accused Google of misleading customers about Google Apps for Government being certified for government use — and in the process, perhaps raised questions about whether certifications of one product can apply to similar, or enhanced versions of, products.

At issue is whether Google Apps for Government, released in July 2010, is certified under the Federal Information Security Management Act, as Google has claimed.

Microsoft says no, citing a Justice Department brief in a Google suit against the department, in which a footnote states, “it appears that Google’s Google Apps for Government does not have FISMA certification.”

FISMA is a 2002 law that requires agencies to certify information security processes for their IT systems, including those managed by other agencies or contractors.

Related coverage:

Google Apps for gov a boon for teleworkers

GSA takes the plunge, as first to move e-mail to the cloud agencywide

Google did receive FISMA certification for Google Apps Premier, the brief states, but Apps for Government is a “more restrictive” version that Google is preparing to submit for FISMA certification.

In a blog post April 11, David Howard, Microsoft corporate vice president and deputy general counsel, called attention to the department's brief, which had been unsealed the week before.

“Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government,” Howard wrote. “If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?”

In a response statement, David Mihalchik, business development executive for Google Federal, said that Apps for Government "is the same system with enhanced security controls that go beyond FISMA requirements" and said Google "did not mislead the court or our customers," according to a report in the Los Angeles Times.

The dispute grows out of a suit Google filed against Justice in October 2010, protesting the department’s decision to limit its search when choosing Microsoft’s Business Productivity Online Suite for departmentwide e-mail. BPOS, like Google Apps a cloud-based product, doesn’t have FISMA certification.

A judge granted Google a preliminary injunction in January.

The Justice brief cites an e-mail from December in which a General Services Administration security officer says that Google Apps for Government doesn’t have FISMA accreditation, according to the L.A. Times. GSA issues FISMA certifications.

Coincidentally, GSA in December became the first federal agency to begin moving its agencywide e-mail to the cloud, choosing Google Apps for Government.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected