Microsoft has accused Google of making "misleading security claims" to the US government, as the two companies continue to spar over the use of their respective online application suites among government agencies.
With a recent lawsuit, various public statements, and posts to its website, Google has said that its Google Apps for Government suite is certified under the requirements of FISMA (the Federal Information Security Management Act). But as Microsoft pointed out with a blog post entitled "Google’s misleading security claims to the government raise serious questions", recently unsealed court documents show that the suite has not actually received FISMA certification.
According to the documents, Google has received certification for a sister suite, Google Apps Premier, but not for Google Apps for Government, the version designed specifically for government agencies. Google Apps for Government is a superset of Google Apps Premier, so although the core of the suite has been certified by the US General Services Administration, other pieces have not.
"I’ll be the first to grant that FISMA certification amounts to something. The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA-certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need," reads the post from Microsoft corporate vice president and deputy general counsel David Howard .
"Open competition should involve accurate competition. It’s time for Google to stop telling governments something that is not true."
Google denies that it has mislead "the court or our customers", saying that Google Apps for Government offers security above and beyond that of Google Apps Premier. "Google Apps received a FISMA security authorization from the General Services Administration in July 2010," Google enterprise man David Mihalchik says in a statement sent to The Register. "Google Enterprise Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned, we're working with GSA to continuously update our documentation with these and other additional enhancements."
When Google Apps Premier received FISMA certification in July, Google Apps for Government did not exist.
Last fall, Google sued the US Department of the Interior (DOI), claiming it did not give Google a fair chance to win a contract to provide email and collaboration services for its roughly 88,000 employees. The contract was awarded to, yes, Microsoft, but following Google's suit a federal judge issued a temporary court order preventing the DOI from continuing with its Microsoft rollout.
When the DOI sent out an RFQ (request for quotation) for a hosted email services last year, according to Google's suit, the agency said it would consider only proposals involving the Microsoft Business Productivity Online Suite. Google claimed this was "unduly restrictive of competition", and the suit specifically raised the issue of FISMA certification. According to the suit, the DOI expressed concern over Google's ability to meet FISMA requirements and provide an email service whose "underlying infrastructure" is dedicated to the DOI.
Google does not provide a dedicated underlying infrastructure to any business or government agency. But it has repeatedly claimed that Google Apps for Government has FISMA certification. It does so in the suit itself, and its website makes the claim as of Monday morning. "Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA), which sets security standards for software applications in use by the United States federal government," reads Google's help pages.
But in a brief released by the court, the Department of Justice refuted Google's claims that Google Apps for Governments has received FISMA certification from the General Services Administration (GSA). "On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the [General Accounting Office], and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.” But the DoJ does point out that Google has received certification for Google App Premier.
"Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government," the DoJ says. “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government."
Microsoft was quick to pounce. "My first reaction was that perhaps something positive could come out of Google’s lawsuit," Microsoft counsel Howard says in his blog post. "For months a number of people have been asking for details about Google’s FISMA certification. To put it charitably, because of Google’s unwillingness to provide answers, the facts have remained opaque. As a result of the lawsuit, it looks like we finally are beginning to get some answers."
Earlier in the post, he indicated that Google has merely slowed the process by filing its suit. "As a result, the work of engineers and IT professionals was replaced, at least temporarily, by filings by lawyers. This meant significant delay for the Department of the Interior, which was trying to save millions of dollars and upgrade the email services for its 88,000 employees."
In his statement, Google's David Mihalchik points out that Microsoft's BPOS Federal service – which the Department of the Interior contracted with Redmond to provide email and collaboration for its roughly 88,000 employees – isn't FISMA-certified either. "This case is about the Department of Interior limiting its proposal to one product that isn’t even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers," he says.
But Microsoft's Davis Howard believes that precision is vitally important. "When it comes to security, the facts matter," he says. "As the Justice Department pointed out in its brief, Google’s initial FISMA certification for Google Apps Premier applied only to the infrastructure set-up and security needs of the General Services Administration. As the DOJ pointed out in its brief ... the Department of Interior concluded that it 'had only a low tolerance for risk' given 'its responsibility to manage sensitive information such as Indian trust data and law enforcement data.' Google may not like the Interior Department’s approach, but it certainly seems reasonable."
Microsoft has called on Google to update its website to remove claims that Google Apps for Government is FISMA certified. But Google has not yet done so. And it doesn't appear that it will. ®