The Google-Microsoft FISMA War entered its fourth day, with the two companies trading shots about which one really was authorized to sell to the U.S. federal government, and which one was lying about the other.
The U.S. federal government is a lucrative market for IT vendors, with a total IT budget of some US$78.5 billion this year alone. Consequently, it's not surprising that vendors get a little testy when going for a piece of it.
At the same time, it means the federal government has to be careful when selecting vendors, which is why it passed, in 2002, a 72-page bill creating the Federal Information Security Management Act (FISMA), delineating how agencies were supposed to procure IT hardware and software.
Google Started It
Last fall, Google filed suit over a particular bid process in the Department of the Interior, claiming it was unfair because it required any bidder to be compliant with Microsoft's Business Productivity Online Suite -- needless to say, a provision with which only Microsoft products could comply. As part of its complaint, it claimed that its product, Google Apps for Government, was FISMA-certified, and Microsoft's was not.
That's where the fun started.
It wasn't the first time Google had said that Google Apps for Government was FISMA-compliant. "We’re also pleased to announce that Google Apps is the first suite of cloud computing messaging and collaboration applications to receive Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. General Services Administration," Google said in July 2010 when it announced the application.
Remember the part about the government being picky? One of the things that it's picky about is whether something is entitled to being called "certified." And when the government responded to Google's lawsuit, it included this little footnote:
"On December 16, 2010, counsel for the Government learned that, notwithstanding Google's representations to the public at large, its counsel, the GAO, and this Court, it appears that Google's Google Apps for Government does not have FISMA certification. See Attachments 1-5 to this motion. We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court's attention. According to the GSA, Google's Google Apps Premier received FISMA certification on July 21, 2010. However, Google intends to offer Google Apps for Government as a more restrictive version of its product and, Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government. See Attachment 3. To be clear, in the view of GSA, the agency that certified Google's Google Apps Premier, Google does not have FISMA certification for Google Apps for Government."
Microsoft Hit Back First
Microsoft got a copy of this document last week (it had been sealed by court order), and on Monday, David Howard, Microsoft's Corporate Vice President and Deputy General Counsel, blasted Google in a blog post for "misleading" the federal government about its FISMA certification.
The funny part is that Google Apps for Government is actually more secure than the certified Google Apps Premier, because governments tend to like secure things.
Google Strikes Back
Google, for its part, blasted back yesterday, in a blog post from Eran Feigenbaum, Director of Security, Google Enterprise.
"FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements."
Regardless of whether the base application is certified, and of the fact that Google Apps for Government is working its way through the certification process, the footnote does seem awfully definitive -- Google Apps for Government is not at the moment FISMA-certified.
However, Google may yet win the war; the company was granted an injunction in January on the contract.
Ironically, FISMA certification might not even have been necessary, as the requirement can be waived. This same week, it came out that the U.S. Agency for International Development was using Apple iPads even though the tablet device isn't FISMA-certified, because it had waived the requirement.