FISMA Flap: Microsoft Cries Foul Over Google Federal Cloud Certification

Microsoft is calling out Google, its key cloud computing competitor, claiming that Google Apps for Government isn't up to snuff and doesn't have Federal Information Security Management Act (FISMA) certification, despite Google's claims to the contrary.

The FISMA fight is just another match in the long-standing cloud computing kerfuffle between Microsoft and Google as the two duke it out for cloud dominance.

According to Microsoft, recently unsealed court documents show that the U.S. Department of Justice rejected Google's claim that Google Apps for Government, Google's cloud suite of applications for federal and government customers, has been FISMA certified. FISMA certification shows that products adhere to security regulations as they pertain to the handling and protection of information for the federal government and national security. Microsoft said Google has been misleading federal customers into believing that Google Apps for Government has indeed been certified – via promotional materials and various mentions on Web sites and blog posts – but instead it is the Google Apps Premier play that has achieved the FISMA stamp of security approval.

"Indeed, for several months and as recently as this morning, Google's Web site states, 'Google Apps for Government -- now with FISMA certification.' And as if that's not sufficient, Google goes farther on another Web page and states 'Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA),'" wrote David Howard, Microsoft corporate vice president and deputy general counsel in a Microsoft blog post outing Google's FISMA cloud folly.

According to Microsoft, the foul-up came to light as a direct result of Microsoft's and Google's continuing legal battle over the cloud-based e-mail system for the Department of the Interior. The DOI selected Microsoft's Business Productivity Online Suite (BPOS) as its cloud provider for its 88,000 employees, but in October Google filed a lawsuit claiming it was unfairly passed over for the federal cloud e-mail deal and that procurement documents heavily favored Microsoft. In the suit, Google touted its Google Apps for Government suite and claimed it had all of the necessary functionality and security, plus the appropriate certifications, including FISMA, to fulfill the DOI's cloud computing needs. A judge granted Google an injunction that prevents the DOI project from moving forward with Microsoft's cloud until corrective actions are taken.

"So imagine my surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part," Howard wrote. "There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ's brief says 'On December 16, 2010, counsel for the Government learned that, notwithstanding Google's representations to the public at large, its counsel, the GAO and this Court, it appears that Google's Google Apps for Government does not have FISMA certification.'"

NEXT: Google: We're FISMA Certified In The Cloud

The Justice Department notes, however, that the General Services Administration (GSA) had certified a different Google cloud play, Google Apps Premier, under FISMA in 2010. Yet, the DOJ contends that Google claiming Google Apps for Government carries the certification is a fallacy.

"As the DOJ's brief explains, 'However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government'," Howard wrote. "Lest there be any doubt about the situation, the brief adds, 'To be clear, in the view of the GSA, the agency that certified Google's Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.' Backing all this up are five attachments to the brief devoted to this issue, two of which unfortunately remain redacted at this stage of the proceeding."

Howard called on Google to remove any instances from its Web sites and literature where it claims Google Apps for Government is FISMA certified. Further, Howard and Microsoft questioned the motivation behind Google's FISMA claims.

"Google can't be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government," Howard wrote. "If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?"

In a statement e-mailed to CRN, Google said it is not fudging the FISMA facts, noting that Google Apps is FISMA certified and is the same system, with some additional security controls, as Google Apps for Government.

"This case is about the Department of Interior limiting its proposal to one product that isn't even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers," Google Enterprise's David Mihalchik wrote in the statement.

"Even so, we did not mislead the court or our customers," Mihalchik continued. "Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements."

According to Microsoft's Howard, that's not enough.

"Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government," he wrote."Instead, Google has continued to state that Google Apps for Government has FISMA certification itself."

Howard concluded: "Open competition should involve accurate competition. It's time for Google to stop telling governments something that is not true."