Google: Microsoft's FISMA Certification Finger-Pointing 'Irresponsible'

Google battled back against Microsoft's accusation that Google lied about its Google Apps for Government cloud suite obtaining Federal Information Security Management Act (FISMA) certification calling Microsoft's gotcha diatribe a "breathless blog post" and saying Microsoft's charges are "irresponsible."

Earlier this week, Microsoft posted a lengthy blog entry noting that recently unsealed U.S. Department of Justice documents revealed that Google Apps for Government is not FISMA certified, despite Google's claims to the contrary. FISMA certification guarantees that products meet the necessary security guidelines to be appropriate for use in federal and government environments. In the blog post, David Howard, Microsoft corporate vice president and deputy general counsel, Howard calls Google's FISMA claims misleading and points out that Google's Google Apps Premier offering is FISMA certified, but not Google Apps for Government.

Google has already dismissed Microsoft's claims and in an e-mail to CRN, Google Enterprise's David Mihalchik said Google Apps received FISMA security authorization from the General Services Administration (GSA), and since Google Apps for Government is a similar system with tighter security controls, it is also FISMA certified by default.

Google expanded on its response to the FISMA flap in a post on Google's enterprise blog late Wednesday called "The Truth about Google Apps and FISMA." In the post, Google asserts that Microsoft's indictment of Google's FISMA certification is bogus.

Sponsored post

"In a breathless blog post, Microsoft recently suggested we intentionally misled the U.S. government over our compliance with the Federal Information Security Management Act (FISMA). Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false," Google Enterprise Director of Security Eran Feigenbaum wrote in the blog entry.

According to Feigenbaum, Google is serious about federal government security requirements and has delivered on its promise to meet them, while being open and transparent. Feigenbaum added that "it's irresponsible for Microsoft to suggest otherwise."

Feigenbaum said Google Apps received FISMA authorization from the GSA in July 2010, certification that can carry over to various editions of Google Apps, including Google Apps premier and Google Apps for Government.

"Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system," Feigenbaum wrote. "It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application."

NEXT: Google: We've Been Very Transparent

Feigenbaum added that in recent Congressional testimony from the GSA, the government body backed Google's declaration when it said "…we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."

Google said FISMA requires re-certification and anticipates changes in systems and technologies and that Google frequently informs the GSA of changes to its Google Apps cloud applications suite. Feigenbaum wrote that Google earlier this year submitted updates to the GSA with several changes to Google Apps, including a description of the Google Apps for Government enhancements.

"We've been very transparent about our FISMA authorization," Google wrote. "Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers' data secure."

Google will continue to update its documentation as Google Apps evolves, Feigenbaum wrote, adding that Google expects Microsoft will do the same.

"We're confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization," Feigenbaum said.

This latest blow in the continuing cloud computing kerfuffle between Google and Microsoft came to light as a direct result of Microsoft's and Google's ongoing legal battle over the cloud-based e-mail system for the U.S. Department of the Interior and the perpetual tit-for-tat between the two tech powerhouses as Google and Microsoft battle for cloud computing customer wins, government or otherwise.

In the case of the DOI, the agency selected Microsoft's Business Productivity Online Suite (BPOS) as its cloud e-mail platform for its 88,000 employees, but in October Google filed a lawsuit claiming it was unfairly passed over for the federal cloud e-mail deal and that procurement documents heavily favored Microsoft. In the suit, Google touted its Google Apps for Government suite and claimed it had all of the necessary functionality and security, plus the appropriate certifications, including FISMA, to fulfill the DOI's cloud computing needs. A judge granted Google an injunction that prevents the DOI project from moving forward with Microsoft's cloud until corrective actions are taken.