Google Rebuts Microsoft's Accusations with Confirmation of FISMA Status
- By Kevin McCaney
- April 14, 2011
In response to claims from Microsoft and the Department of Justice (DoJ) that Google's Apps for Government suite is not certified under the Federal Information Security Management Act (FISMA) -- and that Google had misled users about its certification status -- the General Services Administration (GSA) has issued a statement verifying that Apps for Government is, in fact, FISMA-certified.
According to a Business Insider report on Wednesday, the GSA issued the following statement verifying Google's certification status:
"GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification."
Google's director of security, Eran Feigenbaum, also countered Microsoft's accusations on Wednesday in a post on Google's official blog.
"These allegations are false," Feigenbaum wrote. "We take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise."
The dispute stemmed from a DoJ brief in a lawsuit that Google had filed against the Department of Interior (DoI) in October. In that lawsuit, Google had claimed the DoI did not give fair consideration to Google Apps when it was accepting bids for an agencywide e-mail system, instead favoring Microsoft's Business Productivity Online Suite (BPOS). BPOS, a Google Apps competitor for cloud-based services, is still under consideration to get FISMA certification for some applications, though Microsoft's cloud infrastructure has received FISMA approval.
In the DoJ brief, which was unsealed April 8, DoJ lawyers wrote that contrary to Google's claims, "it appears that Google's Google Apps for Government does not have FISMA certification." The upshot from the brief is that Google Apps Premier received FISMA certification in July 2010. Apps for Government is based on that product, but with added security controls, and has been submitted for certification.
Microsoft cited the brief in a blog post on Monday by David Howard, Microsoft corporate vice president and deputy general counsel, that essentially accused Google of lying about the certification for Apps for Government, since it is different from the certified version.
In his response on Wednesday, Google's Feigenbaum wrote that Apps for Government's certification was being reviewed, but was covered under that of Premier.
"Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system," Feigenbaum wrote. "It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application."
According to Business Insider, GSA Associate Administrator David McClure described the process for Apps for Government as a recertification in congressional testimony on Wednesday:
"In July 2010, GSA did a FISMA security accreditation for 'Google Apps Premier.' That's what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product. If we do one accreditation, it's leveraged across many agencies. Since that time, Google has introduced what they're calling 'Google Apps for Government.' It's a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes: You have to recertify it. So that's what we're doing right now, we're actually going through a recertification based on those changes that Google has announced with the 'Apps for Government' product offering."
In his blog post, Feigenbaum said the GSA and FISMA, a 2002 law that requires agencies to certify information security processes for IT systems, recognize that products evolve and that recertification is part of the process.
"We regularly inform GSA of changes to our system and update our security documentation accordingly," Feigenbaum wrote. "The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements."
Kevin McCaney is the managing editor of Government Computer News.