Update: Google responds. Please see the bottom of the post.
If Microsoft is correct, then Google has been consciously claiming to have certain safety certifications that, again according to the documents and how Microsoft interprets them, they do not have.
At the heart of this discussion is the Federal Information Security Management Act (FISMA) certification, a high water mark for application safety. Google currently claims that its Google Apps for Government product has FISMA certification. As proof, this is a screenshot of the Google Apps for Government page taken at the time of this post’s writing:
Let’s put Microsoft’s reading of the documents aside for now, and look at the text as written by the US government concerning the certification. The relevent sections:
On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO, and this Court, it appears that Google‟s Google Apps for Government does not have FISMA certification. […] We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court‟s attention. According to the GSA, Google‟s Google Apps Premier received FISMA certification on July 21, 2010. However, Google intends to offer Google Apps for Government as a more restrictive version of its product and, Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government. […] To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government. [Emphasis TNW]
To be frank, the text seems plain: Google does not have FISMA certification, and to claim otherwise is misleading. Microsoft demands answers:
As I thought about this further, my second reaction was to wonder what Google is thinking as it continues to claim that Google Apps for Government has FISMA certification. I don’t pretend to have all the answers and I acknowledge that there are frequently two sides to a story. But what is the other side of the story in this instance?
Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?
This entire dustup began when Google sued over a contract that was awarded to Microsoft, citing the need for ‘open competition.’ Google cited its FISMA certification status as one of the chief reasons as to why its products deserved to be considered alongside with what Microsoft was offering.
This could merely be a mistake by Google, a miscommunication. However, that would be an uncharacteristic stumble by the company.
We expect Google to speak out on the issue shortly, and will update this post when that occurs.
UPDATE: From Google:
“This case is about the Department of Interior limiting its proposal to one product that isn’t even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers.
Even so, we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we’re working with GSA to continuously update our documentation with these and other additional enhancements.”