"Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified," said Google Enterprise security director Eran Feigenbaum in a blog post. "These allegations are false."
David Howard, corporate VP and deputy general counsel at Microsoft, made the allegations in a blog post on Monday.
Or as a Microsoft spokesperson asserted, the U.S. government made the claim--"it appears that Google's Google Apps for Government does not have FISMA certification"--and Microsoft merely repeated it.
Though that assertion did come from a U.S. government court filing, Howard used the government's claim to declare unequivocally that Google had presented false information. "It's time for Google to stop telling governments something that is not true," Howard wrote.
The context here is important. The government attorneys who made that claim are defending the Department of the Interior's right to proceed with a $59 million IT services contract for hosted email and collaboration software that involves Microsoft. Google claims the contract was unlawfully awarded as a no-bid contract and has succeeded in blocking the contract while its case is litigated. So the government and Microsoft are on the same side in this instance.
The use of the word "appears" by the government in its filing also is important. It's less than certain, in other words. And while it may be arguable that the FISMA status of Google Apps for Government isn't quite as clear as might be ideal, that argument looks a lot like splitting hairs when examined closely.
As Feigenbaum explained, Google received FISMA certification for Google Apps Premier Edition (later renamed Google Apps for Business) from the General Services Administration last July. That same month, the company introduced Google Apps for Government. The two versions of Google Apps are the same system, except that Google Apps for Government stores data in a location suitable to federal rules and segregates it from other data for the same reason.
The GSA, according to Feigenbaum, told Google that the name change and additional features could be covered under the company's existing FISMA certification. And because FISMA rules anticipate systems will change over time, re-authorization efforts don't void previous certifications.
So Google Apps for Government is awaiting a FISMA certification update, but that doesn't mean it is not certified, assuming Google's representations about its discussions with the GSA are accurate.
Feigenbaum concluded by pointing out an obvious irony, that Microsoft's BPOS system is not FISMA certified. "We're confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization," he quipped.
And to put this tempest in a teapot in its proper context, it's also worth noting that compliance with security rules isn't a guarantee of security. At best, it's blame insulation.