Google Apps for Government Not Yet FISMA Certified: GSA

By Clint Boulton  |  Posted 2011-04-14


The confusion about whether Google Apps for Government really holds Federal Information Security Management Act (FISMA) certification boiled over when a General Services Administration staff member said the product was not FISMA-certified.

Google Apps for Government is not FISMA certified as of this writing, but Google Apps Premier edition, now known as Google Apps for Business, has been FISMA certified since July 2010.  

Google, which argues that Google Apps for Government is the same product as Google Apps for Business, contends that the product does not require a separate certification.

Rather, Google believes it only needs recertification to reflect the fact that Google Apps for Government includes data location and government data segregation on separate servers from regular Google Apps users.

The GSA appears to be leaning toward agreeing with Google on this score, and told eWEEK it is working with Google to update the original FISMA documentation for Google Apps to incorporate Google Apps for Government.

While Google views the certification of Google Apps for Government as a foregone conclusion, anything can happen over the course of a recertification.

There are no guarantees in government contracts, as we learned when Microsoft's bid to provide its own Business Productivity Online Suite for the Department of Interior's 88,000 employees was halted by an injunction requested by Google. The search engine argued the DOI didn't lawfully consider Google Apps in the spirit of open competition.

It comes as no small irony, then, that Microsoft ignited the Google Apps hullabaloo April 11 when it cited statements in a court filing that it claims prove Google has been lying to the Justice Department about achieving FISMA for Google Apps for Government.

Google denied the allegation and claimed that Microsoft is trying to create a smokescreen for the fact that it doesn't have the Federal Information Security Management Act (FISMA) certification for its own rival BPOS software.

With claims of Google behaving in an anticompetitive manner flying about on Capitol Hill, the matter caught the eye of U.S. Senator Tom Carper (D-Del.), who convened April 12, as detailed by Business Insider.

GSA spokesman David McClure told Carper that while the GSA certified Google Apps Premier Edition with FISMA because it met the necessary security provisions required by government IT protocols, the GSA was working with Google to get Google Apps for Government the FISMA credit.

"It's a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes, you have to re-certify it. So that's what we're doing right now, we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."


Google Plays Fast and Loose with FISMA

McClure's use of the word "recertification" can be misconstrued as a separate certification. This is not the case, as a GSA spokesperson explained to eWEEK via e-mail April 13:

"GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification."

The key phrase is "update the existing July 2010 FISMA certification." The fact is that when a change is made to a FISMA-certified package, GSA considers three factors:

  1. The change is so minor that it does not trigger a review.

  2. The change is noteworthy enough to be reviewed, but is not significant enough to require a new FISMA certification. The review focuses on the change itself and (if applicable) how the change interacts with the package as a whole. The certification remains for the original product, but is modified to include the change.

  3. The change is significant enough to warrant an entirely new certification.

The GSA believes Google Apps for Government falls into the second category. The existing Google Apps Premier certification will remain valid and the GSA is working with Google to evaluate the additional controls to determine if they can be rolled into the July 2010 certification.  

What Google is doing, then, is being a bit forward-thinking (and perhaps a little hopeful) in its claims that Google Apps for Government is FISMA certified. After all, Google believes it's the same product as Google Apps for Business, only with better security.

Google's attitude was best reflected in its blog post April 13, when it said the DOJ was "looking at a small technicality."

"In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification," wrote Eran Feigenbaum, director of security for Google Enterprise. "In other words, Google Apps for Government would not require a separate application."

What is a technicality for Google appeared as a lie to the DOJ, Microsoft, and likely many others following the issue.

Google is rolling the dice here. The GSA could decide Google's enhanced security requires additional certification, which would force Google to change phrasing on its Website that Google Apps for Government is FISMA certified when, technically, it isn't.

A little risk and a lot of bad public relations, for the reward of achieving a credit that Microsoft does not yet have, may be worth it for Google in the long run as it continues to press for hefty government contracts in collaboration software.

Or it could get the antitrust allegations percolating even hotter on Capitol Hill. Indeed, Senator Carper said "Given the potentially serious nature of this, I've asked my staff to follow up with your offices today on this issue so that we can get to the bottom of it."

Stay tuned.

