Groklaw: Microsoft Cloud Services Aren't FISMA Certified

doperative writes with this excerpt from Groklaw: "If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in [actuality] its offering actually is. It calls Microsoft's FUD 'irresponsible.'"

Voice from the Other Side?

[oldhack]

Maybe Groklaw should stick around?

Re:Voice from the Other Side?

[517714]

Not if this is the trend. Where are the links to the original sources - DOI RFQ, Google's complaint, the DOJ brief, and the amicus briefs? This was the worst bit of reporting I have seen from Groklaw, and I believe Google's suit is valid.

If you read the RFQ you can see that the DOI did not issue a competitive request as they should have, but that FISMA certification was to be achieved after the contract was issued so it is a non-issue.

Google's complaint is whiny and overlong and full of irrrelevant facts that only weaken their position.

The DOJ brief said the Government is presumed to act fairly so Google's suit should be dismissed. The DOJ has our best and brightest?

But instead of dealing with the real issues it is about distractions. What is this, Reality TV?

Re:Voice from the Other Side?

[Feltope]

But instead of dealing with the real issues it is about distractions. What is this, Reality TV?

Well since your talking about our government I am forced to ask one question. Is that a rhetorical question?

Re:filter

[blair1q]

Yes. It's really simple. When those words enter your brain through your eyes, set your brain not to send a signal to your hand to click "Reply".

HTH.

Getting worse by the minute

[Derekloffin]

When I first heard of this story, I thought it was just some government agency not dotting it's 'i's in the paper work. Now it's really starting to look like some serious BS was going on.

Re:Getting worse by the minute

[TubeSteak]

Now it's really starting to look like some serious BS was going on.

A lot of government procurement involves someone writing a list of requirements that can only be met by one company.
Sometimes it happens at the agency level, sometimes the requirements are attached to congressional appropriations.
Either way, it happens. A lot.

Re:Getting worse by the minute

[hawkinspeter]

In this case, it looks like the requirements were only met by one company, but they chose the other one anyway.

Re:Crowd pleasing article

[freakingme]

Groklaw is actually wrong on the basic fact of certification. Google Apps for Government is not FISMA certified and google itself has stated it hopes to get the certification "updated soon"

Groklaw is right on this. Google Apps has been FISMA certified, and as such Google Apps for governments is too since it's the same platform. What they want to have updated is the explicit mention of 'google apps for govs' which is currently not in the certs.

Dilbert on Certification

[v1]

NOT goatse

And she thought that groklaw was not worth doing

[WindBourne]

The fact is, that SCO was NEVER about SCO or Unix. It was MS and Sun behind this. Now, MS has moved on to many many more targets. She is needed more now than ever. If I were in Google, I might consider ways to help her out financially.

Re:filter

[hoytak]

Ok, done. Now what?

Re:ask me if I care?

[clang_jangle]

Google and Microsoft are in the same category nowadays....

Not quite. Google is actually pretty competent in a lot of their service offerings, and they don't try to hold all your data hostage to proprietary technologies. That alone is quite a sharp contrast.

It was tactful of Google to call microsoft's FUD "irresponsible" without condemning the government workers who chose to go with microsoft in violation of their own policies. It's probably likely that points to another very large difference between Google and microsoft -- Google isn't into bribing IT decision makers, they rely on the strength of their offerings.

Uh, Where is the news here?

[xkr]

I mean no offense, but as a student of history, aren't FUD and Microsoft synonymous?

Re:Uh, Where is the news here?

[turbidostato]

"I mean no offense, but as a student of history, aren't FUD and Microsoft synonymous?"

As a student of history you should know that FUD was an IBM invention, Microsoft is just an advanced student.

Did Microsoft ever claim it was?

[flimflammer]

Am I not mistaken that Microsofts original claim was that Google claimed to be but were not, essentially calling out their lie? Did Microsoft also claim they were and this proves them to be lying as well?

Re:Did Microsoft ever claim it was?

[Derekloffin]

I would say the claim was implied since they were producing the product that was competing. If the certification was irrelevant, than bringing it up (particularly falsely as they did) is highly suspect.

Re:Did Microsoft ever claim it was?

[cbhacking]

Microsoft never claimed that their offering was certified. Their claim was that Google was lying by claiming a certification that Google didn't have.

Apparently some people who have more hatred for MS than reading comprehension skill have twisted this into a claim that Google was pretending to have a certification that MS already has. That's not the case.

Re:Did Microsoft ever claim it was?

[xactoguy]

The GSA has declared that Google's product does have FISMA certification so (at least on this point) they are not lying.

Re:Did Microsoft ever claim it was?

[mystikkman]

Apparently some people who have more hatred for MS than reading comprehension skill have twisted this into a claim that Google was pretending to have a certification that MS already has. That's not the case.

No, apparently people with the ability to actually read and comprehend have to explain how Microsoft lied and had their non-security certified solution chosen over one that had a security certification. You see, I'll type slowly, Microsoft claimed Google's product wasn't certified. But the GSA, who does the certifying mind you, said that Google's product is and was certified. So clearly Microsoft lied. And I think people want it explained why a government agency that was looking for a solution to reduce security breaches chose a solution that was not certified (Microsoft's) over one that was certified (Google's).

That's what the summary says. That wasn't so difficult now, was it?

If you're gonna try to be snarky at about reading comprehension it'd be better if you actually tried reading with a little comprehension first.

Your post exemplifies how Groklaw FUDs gullible people into believing nonsense. First of all the headline, summary and Groklaw are flat out twisting the facts about 'it turns out MS is the one without certification' as if MS claimed it, which it never ever did, at any point. Groklaw is the one lying by implying that MS said it's offering was FISMA certified. If you're quoting the summary, then you're the one that's being misled.

You're the one that needs to read, and not read just Groklaw even if you think it's a good source, because it's not and it's blindly anti MS biased and will twist and hide facts to support anything anti-MS and will cheerlead the other side and hide all their faults regardless of merits.

If you do so, you will see that Google wanted to throw federal data along with other private customers' data in the same servers and infrastructure. So if there was a breach because of the private customer, federal data would be compromised and told the DOI to shove it when it was objected. MS agreed to have a dedicated infrastructure for the DoI (the reason it was more expensive) so the DoI notified that it was restricting bids to resellers of MS's offering. AFTER all this, Google announced Apps for Govt with a separate cloud for Federal, State and County government data(which the DoI may not be still happy with because of State data getting intermingled).

Re:Did Microsoft ever claim it was?

[man_of_mr_e]

You do, huh? Then explain why PJ is making a big fuss over something that never happened.

Microsoft wasn't saying that Google should not be chosen because they weren't FISMA certified, they said that the Department of Justice, in court documents, stated that Google Apps for Goverment was not certified, and that the DOJ claimed that the GSA did not view them as certified. This is not an implication that their (MS's) product was certified, just that Google's wasn't as Google claimed. Somehow PJ inferred a claim that wasn't there, and then proceeded to make a big stink about said non-existent claim. Yeah, that's good research.

Googles response seems a bit odd. They claim that their Google Apps Premier certification carried over to the Google Apps for Government product, even though they admit that GAfG has several significant differences from GAP that requires it to be recertified, and that recertification was not yet complete. It's a bit like driving on a temporary drivers license, technically you have a valid license, but it's under review.

Claiming that GAfG was FISMA certified in their bid, and failing to mention that it needed to complete recertification was certainly misleading (the term Microsoft used). What if GAfG was chosen (specifically because Google had claimed it was certified) and then it failed recertification? What if the changes Google made proved to be insecure?

I think it's certainly understandable that Microsoft interpreted the need for recertification as admission that GAfG wasn't certified. That would seem the logical conclusion. If GAfG was still certified through the GAP certification, then that would be an incorrect (but logical) assumption.. especially given that the DOJ documents made the claim of lacking certification.

People in the blogosphere seem to be quick to throw the word "lied" around. Even Microsoft didn't say google Lied. In fact, Microsoft merely stated the fact that the Department of Justice made the claim that GAfG wasn't certified. The DOJ also made the claim that the GSA didn't view GAfG as certified. So it was apparently the DOJ that was wrong about the GSA's views.

Re:Compared to?

[Locke2005]

Microsoft's FUD is better; all their employees are members of the FUD packer's union...

The Facts?

[wheresthefire]

Since when is a legal brief by one of the litigating parties an unbiased source of "facts"? Everything in this post and in the link is stated as fact, yet all of it comes from a single legal brief filed by Google. I thought /.'s standards for journalism were a little higher.

Re:The Facts?

[man_of_mr_e]

However, the Department of Justice rejected Googles claim that it was certified, and they claimed the GSA did not view it as certified. So, both sides seem to be at odds over what the GSA actually did or didn't do.

Re:Big F*cking Surprise

The reason MS falsely claimed that Google wasn't certified was to deflect attention away from their own lack. MS not having certification is just the motive for the lie.

Re:Big F*cking Surprise

The GSA themselves have declared that Google's product is indeed FISMA certified ( http://gcn.com/articles/2011/04/14/google-fires-back-on-fisma-certification.aspx and http://www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4) so Google's original argument that the Department of the Interior did not give Google fair consideration when selecting their vendor as Microsoft did not have FISMA certification is still valid. From what I understand, all this does is put more egg on Microsoft's face (along with the officials involved in vendor selection at the Department of the Interior).

Re:ask me if I care?

[RobbieThe1st]

Hey, if the government chose my competetors in clear violation of the rules, I sure as heck would sue too. It's one thing if the government had a fair choice between them, and chose microsoft. But as we are seeing here, this isn't happening. They arbitrarially decided on microsoft in violation of the policies, all while allowing Google to think it had a chance early on.

Re:ask me if I care?

[zooblethorpe]

Google isn't into bribing IT decision makers, they rely on the strength of their offerings.

These days, that practically *is* bribery right there -- oo, your software actually *does what it says on the tin*?? You mean I no longer have to guess which parts of your documentation are outright lies? Want!

'Course, the fact that I'm armpits-deep in trying to figure out MSO 2003 to 2007 formatting cruft issues might color my judgment somewhat. CSS makes a *lot* more sense than Microsoft's never-quite-baked styling. And don't get me started on the abomination that is Office "Open" XML, which I've recently had to become very familiar with in a file format conversion project here at work... >:-(

And then there's SDL's "wonderful" localization software, but that's niche enough I doubt anyone here would have much interest.

Cheers,

Re:ask me if I care?

[clang_jangle]

This is rich, as a description of the company suing the IT decision makers because they chose their competitor.

Only a microsoftie or fanboi could feel that way. Anyone rational would, as others have pointed out, be pleased that Google is suing. I don't want my tax dollars squandered on inferior technology and lost productivity due to incompetent implementations. You wouldn't either, if you had any sense.

Re:ask me if I care?

[clang_jangle]

Google isn't into bribing IT decision makers, they rely on the strength of their offerings.

These days, that practically *is* bribery right there

:) Microsoft has attempted to solicit favors from the feds by essentially claiming that Google has an unfair advantage because their technology is better, so ms can't compete. They clearly have no shame at all. Can anyone honestly say with a straight face that Balmer doesn't come off as a total dog-and-pony show operator? Not even an entertaining D & P operator -- at least Bill Gates and Steve Jobs were entertaining and have had some interesting things to say. Balmer? Dores anyone remember anythiing Balmer says, besides "developers, developers...?" Please... And now we know that bing's search results == last week's google search results, could microsoft's online services be more of a laughingstock? I think these deals where any business makes a small fortune at the taxpayers' expense need to be 100% open and transparent. No back room hookers and blow, just plain, honest business accountable to the taxpayers.

Re:Big F*cking Surprise

[Inzite]

Great! So can we kill the marketing departments now? Please?

I have it on good authority that these mindless jerks will be the first ones up against the wall when the Revolution comes.

Dept of Interior and IT

[AbrasiveCat]

Boy, talk about a agency with a bad record for IT issues. Isn't DOI the agency that was told by a court to disconnect from the Internet for their miss-dealing with the Indian Nations. Bozos. http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2352 Yea I can believe they made the choice before they let the RFQ.

Re:Big F*cking Surprise

What Google said was completely true. Microsoft had a mole inside the government who claimed Google was lying but it was the mole and Microsoft who were lying, not Google. The GSA, who is responsible for FISMA certification said Google's offering was certified. FTFA:

We [Google] take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise.

Let's look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.

This was reflected in yesterday's Congressional testimony from the GSA: "...we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."

FISMA anticipates that systems will change over time and provides for regular reauthorization -- or re-certification -- of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.

Re:ask me if I care?

[Nyder]

... Google isn't into bribing IT decision makers, they rely on the strength of their offerings.

That's not how free market works!!! You bride your way to the top.

Dang you Google!!!! Actually offering products that work and people might want!

Get with the program!

Re:Big F*cking Surprise

[BasilBrush]

What Google said was entirely true, as you'll find if you RTFA. Yes there's a lot of words there, but if you can't be bothered to read them, don't bother to comment.

Re:And she thought that groklaw was not worth doin

[BasilBrush]

As far as I recall, money isn't the issue. She just wants to move on and do something else with her life. Which is understandable.