Google Calls Microsoft's FISMA Allegations False
The fight is mainly over the question of whether Google Apps for Business, which does have FISMA certification, is basically the same as Google Apps for Government.
"Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified," said Google Enterprise security director Eran Feigenbaum in a blog post. "These allegations are false."
David Howard, corporate VP and deputy general counsel at Microsoft, made the allegations in a blog post on Monday.
Or as a Microsoft spokesperson asserted, the U.S. government made the claim--"it appears that Google's Google Apps for Government does not have FISMA certification"--and Microsoft merely repeated it.
Though that assertion did come from a U.S. government court filing, Howard used the government's claim to declare unequivocally that Google had presented false information. "It's time for Google to stop telling governments something that is not true," Howard wrote.
The context here is important. The government attorneys who made that claim are defending the Department of the Interior's right to proceed with a $59 million IT services contract for hosted email and collaboration software that involves Microsoft. Google claims the contract was unlawfully awarded as a no-bid contract and has succeeded in blocking the contract while its case is litigated. So the government and Microsoft are on the same side in this instance.
The use of the word "appears" by the government in its filing also is important. It's less than certain, in other words. And while it may be arguable that the FISMA status of Google Apps for Government isn't quite as clear as might be ideal, that argument looks a lot like splitting hairs when examined closely.
As Feigenbaum explained, Google received FISMA certification for Google Apps Premier Edition (later renamed Google Apps for Business) from the General Services Administration last July. That same month, the company introduced Google Apps for Government. The two versions of Google Apps are the same system, except that Google Apps for Government stores data in a location suitable to federal rules and segregates it from other data for the same reason.
The GSA, according to Feigenbaum, told Google that the name change and additional features could be covered under the company's existing FISMA certification. And because FISMA rules anticipate systems will change over time, re-authorization efforts don't void previous certifications.
So Google Apps for Government is awaiting a FISMA certification update, but that doesn't mean it is not certified, assuming Google's representations about its discussions with the GSA are accurate.
Feigenbaum concluded by pointing out an obvious irony, that Microsoft's BPOS system is not FISMA certified. "We're confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization," he quipped.
And to put this tempest in a teapot in its proper context, it's also worth noting that compliance with security rules isn't a guarantee of security. At best, it's blame insulation.