Groklaw: Microsoft Cloud Services Aren't FISMA Certified

doperative writes with this excerpt from Groklaw: "If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in [actuality] its offering actually is. It calls Microsoft's FUD 'irresponsible.'"

Re:filter

[blair1q]

Yes. It's really simple. When those words enter your brain through your eyes, set your brain not to send a signal to your hand to click "Reply".

HTH.

Re:Crowd pleasing article

[freakingme]

Groklaw is actually wrong on the basic fact of certification. Google Apps for Government is not FISMA certified and google itself has stated it hopes to get the certification "updated soon"

Groklaw is right on this. Google Apps has been FISMA certified, and as such Google Apps for governments is too since it's the same platform. What they want to have updated is the explicit mention of 'google apps for govs' which is currently not in the certs.

Re:Big F*cking Surprise

[cbhacking]

Actually, I don't recall a single place where MS said their offering was FISMA certified. They weren't saying "Our offering is and Google's isn't, so choose us!" they were saying "Google is saying their oiffering is certified but it's not; they're lying to you." So far as I've seen, this is true. Microsoft never tried to hide that their offering wasn't certified yet, they're just a vendor calling out their competitor for lying to the client (the government).

Re:Big F*cking Surprise

[Anonymous Coward]

The GSA themselves have declared that Google's product is indeed FISMA certified ( http://gcn.com/articles/2011/04/14/google-fires-back-on-fisma-certification.aspx [gcn.com] and http://www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4 [businessinsider.com]) so Google's original argument that the Department of the Interior did not give Google fair consideration when selecting their vendor as Microsoft did not have FISMA certification is still valid. From what I understand, all this does is put more egg on Microsoft's face (along with the officials involved in vendor selection at the Department of the Interior).

Re:Did Microsoft ever claim it was?

[xactoguy]

The GSA has declared that Google's product does have FISMA certification [businessinsider.com] so (at least on this point) they are not lying.

Re:Uh, Where is the news here?

[turbidostato]

"I mean no offense, but as a student of history, aren't FUD and Microsoft synonymous?"

As a student of history you should know that FUD was an IBM invention, Microsoft is just an advanced student.

Re:Voice from the Other Side?

[517714]

Not if this is the trend. Where are the links to the original sources - DOI RFQ, Google's complaint, the DOJ brief, and the amicus briefs? This was the worst bit of reporting I have seen from Groklaw, and I believe Google's suit is valid.

If you read the RFQ you can see that the DOI did not issue a competitive request as they should have, but that FISMA certification was to be achieved after the contract was issued so it is a non-issue.

Google's complaint is whiny and overlong and full of irrrelevant facts that only weaken their position.

The DOJ brief said the Government is presumed to act fairly so Google's suit should be dismissed. The DOJ has our best and brightest?

But instead of dealing with the real issues it is about distractions. What is this, Reality TV?

Re:Big F*cking Surprise

[Anonymous Coward]

What Google said was completely true. Microsoft had a mole inside the government who claimed Google was lying but it was the mole and Microsoft who were lying, not Google. The GSA, who is responsible for FISMA certification said Google's offering was certified. FTFA:

We [Google] take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise.

Let's look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.

This was reflected in yesterday's Congressional testimony from the GSA: "...we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."

FISMA anticipates that systems will change over time and provides for regular reauthorization -- or re-certification -- of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.

Re:Did Microsoft ever claim it was?

[man_of_mr_e]

You do, huh? Then explain why PJ is making a big fuss over something that never happened.

Microsoft wasn't saying that Google should not be chosen because they weren't FISMA certified, they said that the Department of Justice, in court documents, stated that Google Apps for Goverment was not certified, and that the DOJ claimed that the GSA did not view them as certified. This is not an implication that their (MS's) product was certified, just that Google's wasn't as Google claimed. Somehow PJ inferred a claim that wasn't there, and then proceeded to make a big stink about said non-existent claim. Yeah, that's good research.

Googles response seems a bit odd. They claim that their Google Apps Premier certification carried over to the Google Apps for Government product, even though they admit that GAfG has several significant differences from GAP that requires it to be recertified, and that recertification was not yet complete. It's a bit like driving on a temporary drivers license, technically you have a valid license, but it's under review.

Claiming that GAfG was FISMA certified in their bid, and failing to mention that it needed to complete recertification was certainly misleading (the term Microsoft used). What if GAfG was chosen (specifically because Google had claimed it was certified) and then it failed recertification? What if the changes Google made proved to be insecure?

I think it's certainly understandable that Microsoft interpreted the need for recertification as admission that GAfG wasn't certified. That would seem the logical conclusion. If GAfG was still certified through the GAP certification, then that would be an incorrect (but logical) assumption.. especially given that the DOJ documents made the claim of lacking certification.

People in the blogosphere seem to be quick to throw the word "lied" around. Even Microsoft didn't say google Lied. In fact, Microsoft merely stated the fact that the Department of Justice made the claim that GAfG wasn't certified. The DOJ also made the claim that the GSA didn't view GAfG as certified. So it was apparently the DOJ that was wrong about the GSA's views.