Why Is Google Touting 'FISMA-certified' Apps for Government?

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Google and Microsoft have been fighting pretty hard of late to win government cloud computing contracts. A few times they've even resorted to litigation to make their points. So far, Microsoft has won some and Google has won others. But this week, Microsoft may have snared the upper hand.


The company uncovered a Department of Justice brief indicating that Google's cloud-based offering, Google Apps for Government, has not been certified compliant with the Federal Information Security Management Act. In a blog post, Microsoft's VP and general counsel, David Howard, called for Google to stop misleading both the government and the public regarding the FISMA certification. He wrote:

While we wait for Google to provide its side of the story, perhaps it's time to ask another question: at the very least, isn't it past time for Google to issue a correction on its website? The Department of Justice has concluded squarely that Google Apps for Government does not have FISMA certification.

FierceGovernment points out that Google Apps Premier, of which Google Apps for Government is a subset, did receive FISMA certification in July 2010. But as the General Services Administration's David McClure explained:

As soon as we found out about [Google Apps for Government], as with all the other agencies, we have -- what you would normally do when a product changes -- you have to re-certify it. So that's what we're doing right now.

According to The Associated Press, Google denies misleading the government or the public. In response to Microsoft's accusations, Google points to the Google Apps Premier certification and merely says:

"Google Apps for Government" is the same system with enhanced security controls that go beyond FISMA requirements.

But as Microsoft's McClure notes, Google did file a separate application for FISMA certification specifically for Google Apps for Government. Why would the company do that if it wasn't aware, on some level, that additional certification would be required?


Even if Google Apps for Government is likely to receive its own certification, I'm sure we haven't heard the last of this.