Microsoft Not FISMA-Certified In The Cloud?


Microsoft threw the first stone in its Federal Information Security Management Act (FISMA) flap with Google, but the feud may have turned into a folly.

In a true "people in glass houses…" turn around, details have emerged indicating that Microsoft's government cloud offerings themselves aren't FISMA-certified, the same accusation the software giant levied against cloud rival Google.

"[H]ere's the funny part -- it turns out it's Microsoft whose cloud services for government aren't FISMA certified," wrote legal news site Groklaw in an examination of the Microsoft versus Google FISMA fight.

The Groklaw piece points to several court documents that show Microsoft's cloud e-mail offering for the Department of the Interior, the deal that sparked the federal firefight between the two tech titans, was not FISMA certified when the DOI made the selection. And according to other court documents cited by Groklaw, Google Apps is the only FISMA certified cloud offering in the running for the DOI contract, and Microsoft, at that time was not FISMA certified.

"In short, the bottom line is that it's actually Microsoft that is not FISMA certified. And yet, the Department of the Interior chose them over an offering that is?" Gorklaw wrote.

Microsoft did not respond by press time to a request for comment pertaining to its FISMA certification.

Earlier this week, Microsoft called Google a liar in a lengthy blog post that said unsealed Department of Justice documents show Google's Google Apps for Government cloud computing suite for federal customers hasn't obtained FISMA certification, despite Google claiming that it has. FISMA is a stamp of approval of sorts to show a solution is up to snuff with federal information security requirements. Microsoft's post, written by David Howard, Microsoft corporate vice president and deputy general counsel, said Google is misleading customers.

Google battled back against Microsoft's FISMA accusations, calling the claims "irresponsible" and "false."

Google said that Microsoft's indictment is bogus and in an blog post said that Google Apps is covered under FISMA certification and, in turn, Google Apps for Government is also FISMA authorized.

"Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system," Google Enterprise Director of Security Eran Feigenbaum wrote in the blog entry. "It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application."

In a statement to Business Insider the GSA said Google's FISMA certification is upheld and it will review changes to Google Apps for Government for certification.

The question over FISMA came to light as part of a recent lawsuit in which Google accused the DOI of not opening the bidding processes for its cloud e-mail to competition and wording its proposal to heavily favor Microsoft. A judge has placed an injunction on Microsoft's DOI cloud deployment until the matter is sorted out further.

The FISMA back and forth is the next chapter Microsoft's and Google's continuing cloud computing competition as the two powerhouses battle to control the cloud and fight for cloud contracts, including federal customers.

See the latest cloud technologies, learn best practices, and interact with your peers at the channel’s first all-inclusive cloud event: NexGen Cloud Conference & Expo, December 4-5, 2014 at the San Diego Convention Center. Register now at  www.NexGenCloudCon.com