Two days after Microsoft called Google out for “misleading” the U.S. government about a security certification for a Google product, the search giant responded with a blog post of its own — describing the allegations as false and saying it was “irresponsible” for Microsoft to make them.
“We take the federal government’s security requirements seriously and have delivered on our promise to meet them,” Google says.
In case you’re just tuning in to this soap opera, here’s the recap: Google is challenging the U.S. Department of Interior’s decision to only accept bids involving Microsoft technologies for a contract to upgrade the email system for the department’s 88,000 employees. As part of that challenge, Google said its Google Apps for Government had received certification under the Federal Information Security Management Act, in contrast with Microsoft’s competing product, which is still seeking certification.
In its blog post earlier this week, Microsoft pointed to newly unsealed court documents in which lawyers for the government said a different product, Google Apps Premier, had received the FISMA certification, but in the view of the GSA, the agency that granted that certification, “it appears that Google’s Google Apps for Government does not have FISMA certification.”
But in its post today, Google said the two are essentially different forms of the same product …
Let’s look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.
Here’s what a GSA official told a U.S. Senate committee about the issue, as quoted by Business Insider.
(Google Apps for Government is) a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes, you have to re-certify it. So that’s what we’re doing right now, we’re actually going through a re-certification based on those changes that Google has announced with the “Apps for Government” product offering.
That has led many to conclude that Google Apps for Government doesn’t currently have FISMA certification. But Google insists that isn’t the case. From its post today …
FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.
But that seems to go against the statements of the government lawyers in the court documents cited by Microsoft earlier this week. See page 13 of this PDF:
On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO, and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification. … To be clear, in the view of GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.
In other words, taking Google’s statements at face value, there appears to be confusion even inside the government about what’s going on. (Imagine that!) Stay tuned, if you dare.