Is Google Apps for Government certified under the Federal Information Security Management Act (FISMA)?
The question has suddenly become the newest battleground for Google and Microsoft in their race to provide cloud-based services to government customers. Google announced last summer that its cloud-based suite for government users had met FISMA’s security standards. But on Monday, April 11, a Microsoft executive claimed that court records show Google Apps for Government hasn’t actually been certified.
According to a blog authored by David Howard, a Microsoft vice president and deputy general counsel, unsealed court documents from the U.S. Department of Justice state that while the U.S. General Services Administration has FISMA-certified Google’s Apps Premier product, “Google does not have FISMA certification for Google Apps for Government.”
The brief is part of a lawsuit filed by Google last year alleging the U.S. Department of the Interior (DOI) didn’t seriously consider Google Apps for Government when the department selected Microsoft’s Business Productivity Online Suite (BPOS) to upgrade some of its messaging and e-mail systems.
Government Technology asked a Google spokesperson if state and local government users of Apps for Government had signed contracts to use the suite on the condition that the program was FISMA certified. Google responded that the company believes Apps for Government is FISMA certified.
Google directed media to a prepared statement on the issue: “This case is about the Department of Interior [DOI] limiting its proposal to one product that isn’t even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers,” said David Mihalchik of Google Enterprise, in a statement.
“Even so, we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system [as Apps Premier] with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements.”
But Howard claims a different truth. In his blog post on the Microsoft on the Issues website, Howard said Google couldn’t have been under the impression that Google Apps Premier’s FISMA certification also covered Google Apps for Government, particularly since it filed a separate FISMA application for the latter.
“[It doesn’t] seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people,” Howard said. “Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government. Instead, Google has continued to state that Google Apps for Government has FISMA certification itself.”
This isn’t the first time Google and Microsoft have squabbled about each other’s cloud-based offerings. Last year, both companies claimed they were the provider of choice to the State University of New York (SUNY) system for e-mail and productivity tools. A university spokesperson later clarified the issue, explaining that the university system had given student, faculty, staff and alumni the choice of using either Google Apps for Education or Microsoft Live@edu.