Google Apps for Government Not Yet FISMA Certified: GSA

By Clint Boulton  |  Posted 2011-04-14

Google Plays Fast and Loose with FISMA

McClure's use of the word "recertification" can be misconstrued as a separate certification. This is not the case, as a GSA spokesperson explained to eWEEK via e-mail April 13:

"GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification."

The key phrase is "update the existing July 2010 FISMA certification." The fact is that when a change is made to a FISMA-certified package, GSA considers three factors:

  1. The change is so minor that it does not trigger a review.

  2. The change is noteworthy enough to be reviewed, but is not significant enough to require a new FISMA certification. The review focuses on the change itself and (if applicable) how the change interacts with the package as a whole. The certification remains for the original product, but is modified to include the change.

  3. The change is significant enough to warrant an entirely new certification.

The GSA believes Google Apps for Government falls into the second category. The existing Google Apps Premier certification will remain valid and the GSA is working with Google to evaluate the additional controls to determine if they can be rolled into the July 2010 certification.  

What Google is doing, then, is being a bit forward-thinking (and perhaps a little hopeful) in its claims that Google Apps for Government is FISMA certified. After all, Google believes it's the same product as Google Apps for Business, only with better security.

Google's attitude was best reflected in its blog post April 13, when it said the DOJ was "looking at a small technicality."

"In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification," wrote Eran Feigenbaum, director of security for Google Enterprise. "In other words, Google Apps for Government would not require a separate application."

What is a technicality for Google appeared as a lie to the DOJ, Microsoft, and likely many others following the issue.

Google is rolling the dice here. The GSA could decide Google's enhanced security requires additional certification, which would force Google to change phrasing on its Website that Google Apps for Government is FISMA certified when, technically, it isn't.

A little risk and a lot of bad public relations, for the reward of achieving a credit that Microsoft does not yet have, may be worth it for Google in the long run as it continues to press for hefty government contracts in collaboration software.

Or it could get the antitrust allegations percolating even hotter on Capitol Hill. Indeed, Senator Carper said, "Given the potentially serious nature of this, I've asked my staff to follow up with your offices today on this issue so that we can get to the bottom of it."

Stay tuned.


