Did Google Mislead Government About Its Security Certification for Google Apps for Government? (Updated)

Last year, the Department of the Interior decided to replace the 13 aging email systems it provides to its 88,000 employees with Microsoft’s cloud-based offering. Google, which was also in the competition for this contract (which is worth an estimated $59 million over five years), filed a lawsuit shortly after the contract went to Microsoft, claiming that the process was not fair and open. In its filing for a preliminary injunction (PDF), Google claimed on multiple occasions that its offering was certified under the Federal Information Security Management Act (FISMA). Among other things, FISMA sets out to establish minimum security requirements for information systems used by the U.S. government. According to a brief by the Department of Justice, however, which was unsealed last week, “notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”

Note: See the bottom of this post for a response from Google.

In its filing, Google claims (see page 18) that “Microsoft’s Certification and Accreditation package for BPOS (Business Productivity Online Suite) was submitted to GSA (U.S. General Services Administration) earlier this year has not yet been approved, whereas Google apps for Government received FISMA certification from GSA in July 2010.”

As Microsoft’s deputy general counsel David Howard notes in a blog post discussing the unsealed documents this morning, however, Google never received this certification for Google Apps for Government. What Google did receive its FISMA certification for in July 2010 was Google Apps Premier. Indeed, Google makes the fact that it has supposedly received this certification one of the main selling points of Google Apps for Government on its website (“Google Apps for Government, now with FISMA certification”), though the FISMA documentation is only available for review upon request.

As Howard notes, “Google can’t be under the misimpression that FISMA certification for Google Apps Premier also covers Google Apps for Government. If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government? Nor does it seem likely that Google believes that the two offerings are so similar that the differences simply won’t matter to people.”

Microsoft has, of course, its own motivations for pushing this story. After looking at the documents, however, it definitely looks as if Google was willfully misleading the public and the U.S. government by making these claims.

It’s worth noting that Microsoft’s own FISMA application for its BPOS product has not been finalized yet and that it is still going through the certification process.

You can read Microsoft’s detailed statement here and Google’s court filings here (PDF).

We have asked Google for a statement and will update this post once we hear back from them.

Google Responds:

Here is a statement from Google’s David Mihalchik (Strategy and Business Development Lead, Google Federal) regarding this issue:

“This case is about the Department of Interior limiting its proposal to one product that isn’t even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers.

“Even so, we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we’re working with GSA to continuously update our documentation with these and other additional enhancements.”

I contacted Microsoft to see if the company had any further comment now that Google had responded, but a Microsoft spokesperson told me that the company is “not commenting beyond what is provided in the David Howard blog post.”