Google Denies Microsoft Claim It Lied About FISMA Credit

By Clint Boulton  |  Posted 2011-04-12

Google Denies Microsoft Claim It Lied About FISMA Credit

Microsoft has uncovered details in a court filing that it claims proves Google has been lying to the Justice Department about achieving a government certification for its Google Apps collaboration software.

Google denied the allegation and claimed that Microsoft is trying to create a smokescreen for the fact that it doesn't have the Federal Information Security Management Act (FISMA) certification for its own rival Business Productivity Online Suite-Federal software.

FISMA accreditation means a product has passed a government agency's security requirements. Google achieved this credit for Google Apps last July, putting it in a favorable light for securing contracts with any of the dozens of government agencies.

The road to this latest skirmish is long and winding, steeped in semantics and imbued with what-have-yous and ins and outs. Last year, the Department of the Interior picked Microsoft BPOS, which would have let the software maker provide Web-based email for 88,000 government workers.

Google sued the DOI over the $59 million deal in October, claiming that it failed to look at Google Apps or any other suites in the market in the spirit of open competition.

Moreover, it pointed out that Microsoft's software was not FISMA certified, meaning it was unfit for use by the agency.

Google filed a motion for a preliminary injunction and secured the injunction. In at least three sections it claims that its Google Apps for Government product, which is tailored for government specs, is certified under FISMA.

But David Howard, Microsoft corporate vice president and deputy general counsel, discovered after some of the court papers were unsealed that the DOJ said that despite Google's claims, Google Apps for Government does not have FISMA certification.

Turns out Google's FISMA certification is for Google Apps Business edition (formerly known as Google Apps Premier edition), for which it charges $50 per user, per year. Google confirmed this for eWEEK, but said it did not mislead the court.

"Google Apps received a FISMA security authorization from the General Services Administration in July 2010," said David Mihalchik, a business development executive for Google's Enterprise group.

Here's where it gets tricky. Every government agency has different sets of requirements to fit its FISMA certification, so what works for the GSA may not work for the DOI, or even the DOJ. Google could achieve FISMA for Google Apps from one agency, but be told it needs to be more secure for another.

Google Denies It Lied to the Government

The DOJ's point is that Google Apps for Government, which is not FISMA certified, is a different product than Google Apps for Business, which is FISMA certified. The implication is that Google must go through a separate certification process for its government edition of collaboration software.  

Google believes Google Apps for Government is the same product as Google Apps for Business and that FISMA certification also applies to the newer suite, as Mihalchik said:

"Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements."

Google believes its disagreement with the DOJ is a difference of opinion, not evidence that it is lying to the court. Google said the reason it did not get specific FISMA certification clearance for Google Apps for Government is that it began its FISMA certification process for Google Apps for Business (then called Premier Edition) before it even launched Google Apps for Government.

Google has no plans to undertake a separate certification process with the GSA for the government edition because it believes that updating its documentation with the GSA to reflect the additional security enhancements should be enough to satisfy Google Apps for Government as FISMA certified.

If one hews to Microsoft's semantics, it appears Google played fast and loose with the definition of what is FISMA certified and what isn't.

For its part, Google clearly sees having FISMA certification, which again, Microsoft lacks, as a competitive differentiator as it vies for more government contracts such as the DOI bid. Google sees Microsoft's latest allegation that it lied to the government as a sideshow to the fact that the company has not attained FISMA.

"This case is about the Department of Interior limiting its proposal to one product that isn't even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers," Mihalchik said.

What the latest salvo underscores is the red-hot competition between Google and Microsoft for government contracts related to cloud collaboration software.

Unlike in search, Google is the pesky upstart here, poaching customers such as the GSA. Microsoft, with the benefit of its 25-plus years as an enterprise software maker, is trying to land bigger deals such as the DOI.

For Google, which relied on its search ad business to earn $29 billion last year, those deals are more about boosting its Google Apps profile than they are about making money.


Rocket Fuel