Justice Department questions Google's FISMA certification claims

The court documents were disclosed by Microsoft, which has an axe to grind with Google over a lawsuit Google filed against the awarding of a Department of Interior (DoI) contract for cloud-based email services to Microsoft. Despite the source of the documents, it seems clear that the DoJ’s counsel reached the conclusion about Google’s FISMA certification claim independently.

“On December 16, 2010, counsel for the government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO [Government Accountability Office], and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification”, the court documents read.

The disclosure came as a result of the DoI’s investigation into Google Apps for Government in response to Google’s lawsuit alleging that the DoI’s request for proposal for the cloud-based email service unfairly favored Microsoft.

In disclosing the court documents, David Howard, deputy general counsel at Microsoft, said: “I learned that a batch of court documents had been unsealed and had revealed one particularly striking development: the United States Department of Justice had rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for government customers, has been certified under the Federal Information Security Management Act (FISMA). Given the number of times that Google has touted this claim, this was no small development… It’s time for Google to stop telling governments something that is not true.”

Google responded by denying it had misled the court, customers, or the government about FISMA certification. “Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements”, said David Mihalchik of Google Enterprise.

At issue is whether the FISMA certification issued by GSA for Google Apps includes the Google Apps for Government suite. Google believes it does, while Microsoft and the DoJ believe it does not.

At least one analyst believes that the evidence favors Microsoft and the DoJ in this case. Donald Retallack, an analyst at Directions on Microsoft, a research firm that focuses on Microsoft, told Computerworld that FISMA certification is specific to each system. “Just because you’re certified with one system doesn’t mean you’re certified with others”, he stressed. “That would be like saying that because an electrician had met code on one house, he was certified for all the houses he built. Based on my experience with the government, each system certification is an individual process”, he added.
