Google Calls Microsoft's FISMA Allegations False - InformationWeek

Google Calls Microsoft's FISMA Allegations False

The fight is mainly over the question of whether Google Apps for Business, which does have FISMA certification, is basically the same as Google Apps for Government.

Google on Wednesday dismissed Microsoft's "breathless" claim that the search company misrepresented the compliance of its software with the Federal Information Security Management Act (FISMA), a security certification used by government agencies.

"Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified," said Google Enterprise security director Eran Feigenbaum in a blog post. "These allegations are false."

David Howard, corporate VP and deputy general counsel at Microsoft, made the allegations in a blog post on Monday.

Or as a Microsoft spokesperson asserted, the U.S. government made the claim--"it appears that Google's Google Apps for Government does not have FISMA certification"--and Microsoft merely repeated it.

Though that assertion did come from a U.S. government court filing, Howard used the government's claim to declare unequivocally that Google had presented false information. "It's time for Google to stop telling governments something that is not true," Howard wrote.

The context here is important. The government attorneys who made that claim are defending the Department of the Interior's right to proceed with a $59 million IT services contract for hosted email and collaboration software that involves Microsoft. Google claims the contract was unlawfully awarded as a no-bid contract and has succeeded in blocking the contract while its case is litigated. So the government and Microsoft are on the same side in this instance.

The use of the word "appears" by the government in its filing also is important. It's less than certain, in other words. And while it may be arguable that the FISMA status of Google Apps for Government isn't quite as clear as might be ideal, that argument looks a lot like splitting hairs when examined closely.

As Feigenbaum explained, Google received FISMA certification for Google Apps Premier Edition (later renamed Google Apps for Business) from the General Services Administration last July. That same month, the company introduced Google Apps for Government. The two versions of Google Apps are the same system, except that Google Apps for Government stores data in a location suitable to federal rules and segregates it from other data for the same reason.

The GSA, according to Feigenbaum, told Google that the name change and additional features could be covered under the company's existing FISMA certification. And because FISMA rules anticipate systems will change over time, re-authorization efforts don't void previous certifications.

So Google Apps for Government is awaiting a FISMA certification update, but that doesn't mean it is not certified, assuming Google's representations about its discussions with the GSA are accurate.

Feigenbaum concluded by pointing out an obvious irony, that Microsoft's BPOS system is not FISMA certified. "We're confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization," he quipped.

And to put this tempest in a teapot in its proper context, it's also worth noting that compliance with security rules isn't a guarantee of security. At best, it's blame insulation.
