Google’s claims of FISMA certification questioned

By Jason Miller
Executive Editor
Federal News Radio

Google is having a hard time clearing up the confusion over whether its claim that its Google Apps for Government cloud offering has been approved to meet federal cybersecurity standards.

The search engine giant issued a release last summer saying it met the requirements to be certified at the moderate level of the Federal Information Security Management Act (FISMA) for its cloud offering.

David Mihalchik, Google’s business development executive, said last July during a press conference that Google Apps for Government has received FISMA certification from the General Services Administration.


But recently released court documents show Google’s Apps for Government is not FISMA certified. The court found that Google Apps Premier, its public cloud, received approval to operate from GSA, but not the Google Apps for Government suite of software. The court stated Google Apps for Government still is going through the certification process.

Microsoft, which is in a heated battle with Google to provide the Interior Department with cloud email and collaboration services, released the documents and pointed out the discrepancies in a blog Monday.

Microsoft quickly went on the offensive against one of its biggest competitors for federal cloud services

“Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government,” writes Microsoft’s David Howard, corporate vice president and deputy general counsel in the blog post. “If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government? Nor does it seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people. After all, if the facts are so good, why persist in telling a fiction? Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government. Instead, Google has continued to state that Google Apps for Government has FISMA certification itself.”

Microsoft recently received certification for its cloud-offerings from the Agriculture Department.

Google denies it misled the government about its certification.

“Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements,” Mihalchik said in an email statement. “As planned we’re working with GSA to continuously update our documentation with these and other additional enhancements.”

A Google spokesman added that the enhanced security features of Google Apps for Government including segregated data storage from other customers and information is kept in data centers in the U.S.

Mihalchik said the Interior case isn’t about FISMA, but the agency’s alleged decision to limit competition to one product.

But Microsoft’s Howard said, “Open competition should involve accurate competition. It’s time for Google to stop telling governments something that is not true.”

The court documents come as GSA is set to release the final requirements for the FedRAMP cloud security certification requirements Tuesday. Both Microsoft and Google, and many others, will have to go through the FedRAMP process to offer their services governmentwide after receiving approval from GSA, and the departments of Defense and Homeland Security.

(Copyright 2011 by All Rights Reserved.)