In a blog post last week, Eran Feigenbaum, director of security with Google Enterprise, said that the GSA had certified Google Apps Premier Edition under FISMA in July 2010. He said that Google Apps for Government is the same system as Google Apps Premier Edition with the addition of two security enhancements for government customers: data location and segregation of government data.
“In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application,” Feigenbaum stressed.
This would contradict the DoJ’s finding in court documents released by Microsoft. In those documents, DoJ said: “On December 16, 2010, counsel for the government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO [Government Accountability Office], and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”
The disclosure came as a result of a government investigation into Google Apps for Government in response to Google’s lawsuit alleging that a Department of the Interior request for proposal for a cloud-based email service unfairly favored Microsoft.
In his blog post, Feigenbaum quoted GSA testimony last week before Congress: “we’re actually through a re-certification based on those changes that Google has announced with the ‘Apps for Government’ product offering.”
Feigenbaum explained the re-certification process: “FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.”
The GSA apparently is backing up Google on the issue. In a statement quoted by Business Insider but not provided on GSA’s website, the agency said: “GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification.”
The debate looks like the medieval controversy of how many angels can dance on the head of a pin. William Jackson with Government Computer News has an interesting discussion of what “FISMA certification” means and does not mean. What his discussion boils down to is that GSA has a blanket FISMA certification and accreditation process for cloud products, like Google Apps for Government, so they can operate through GSA’s apps.gov cloud storefront.