Google Gets Government Agency Backing for FISMA Claim -- Redmondmag.com

Google Gets Government Agency Backing for FISMA Claim

By Kevin McCaney
04/14/2011

The U.S. General Services Administration (GSA) issued a statement suggesting that Google Apps for Government is FISMA certified, but that it was reviewing some "additional controls."

The GSA's statement appears to contradict claims made by Microsoft earlier this week. An attorney for Microsoft, citing a brief filed by the U.S. Department of Justice (DoJ), had said that the Google Apps for Government suite is not certified under the Federal Information Security Management Act (FISMA). FISMA is a 2002 law that requires agencies to certify information security processes for IT systems. The attorney suggested that Google was misleading users about the suite's status.

According to a Business Insider report published on Wednesday, the GSA issued the following statement verifying Google Apps for Government's certification status:

"GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification."

Google's Director of Security, Eran Feigenbaum, also countered Microsoft's accusations on Wednesday in a Google blog post.

"These allegations are false," Feigenbaum wrote. "We take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise."

The dispute goes back to a lawsuit Google had filed against the U.S. Department of Interior (DoI) in October. In that lawsuit, Google had claimed that the DoI did not give fair consideration to Google Apps when it was accepting bids for an agencywide e-mail system, instead favoring Microsoft's Business Productivity Online Suite (BPOS). BPOS, a Google Apps competitor for cloud-based services, is still under consideration to get FISMA certification for some applications, although Microsoft's cloud infrastructure has received FISMA approval.

In the DoJ brief unsealed on April 8, DoJ lawyers wrote that contrary to Google's claims, "it appears that Google's Google Apps for Government does not have FISMA certification." The upshot from the brief is that Google Apps Premier received FISMA certification in July 2010. Google Apps for Government is based on that product, but it has added security controls, and has been submitted for certification.

Microsoft cited that brief in a blog post on Monday by David Howard, Microsoft corporate vice president and deputy general counsel, that essentially accused Google of lying about the FISMA certification for Apps for Government, since that suite is different from the one certified.

In his response on Wednesday, Google's Feigenbaum wrote that Apps for Government's certification was being reviewed, but was covered under that of Premier.

"Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system," Feigenbaum wrote. "It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application."

GSA Associate Administrator David McClure described the process for Apps for Government as a recertification in Congressional testimony on Wednesday, according to the Business Insider's account:

"In July 2010, GSA did a FISMA security accreditation for 'Google Apps Premier.' That's what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product. If we do one accreditation, it's leveraged across many agencies. Since that time, Google has introduced what they're calling 'Google Apps for Government.' It's a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes: You have to recertify it. So that's what we're doing right now, we're actually going through a recertification based on those changes that Google has announced with the 'Apps for Government' product offering."

In his blog post, Feigenbaum said the GSA and FISMA recognize that products evolve and that recertification is part of the process.

"We regularly inform GSA of changes to our system and update our security documentation accordingly," Feigenbaum wrote. "The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements."

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.