Slashdot Mirror


Groklaw: Microsoft Cloud Services Aren't FISMA Certified

doperative writes with this excerpt from Groklaw: "If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part — it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in [actuality] its offering actually is. It calls Microsoft's FUD 'irresponsible.'"

17 of 152 comments

  1. Re:filter by blair1q · · Score: 3, Informative

    Yes. It's really simple. When those words enter your brain through your eyes, set your brain not to send a signal to your hand to click "Reply".

    HTH.

  2. Re:Crowd pleasing article by freakingme · · Score: 5, Informative

    Groklaw is actually wrong on the basic fact of certification. Google Apps for Government is not FISMA certified and Google itself has stated it hopes to get the certification "updated soon".

    Groklaw is right on this. Google Apps has been FISMA certified, and as such Google Apps for governments is too since it's the same platform. What they want to have updated is the explicit mention of 'google apps for govs' which is currently not in the certs.

  3. Dilbert on Certification by v1 · · Score: 3, Funny
    --
    I work for the Department of Redundancy Department.
  4. And she thought that groklaw was not worth doing by WindBourne · · Score: 4, Insightful

    The fact is, that SCO was NEVER about SCO or Unix. It was MS and Sun behind this. Now, MS has moved on to many many more targets. She is needed more now than ever. If I were in Google, I might consider ways to help her out financially.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  5. Re:ask me if I care? by clang_jangle · · Score: 4, Insightful

    Google and Microsoft are in the same category nowadays....

    Not quite. Google is actually pretty competent in a lot of their service offerings, and they don't try to hold all your data hostage to proprietary technologies. That alone is quite a sharp contrast.

    It was tactful of Google to call Microsoft's FUD "irresponsible" without condemning the government workers who chose to go with Microsoft in violation of their own policies. It's probably likely that points to another very large difference between Google and Microsoft -- Google isn't into bribing IT decision makers, they rely on the strength of their offerings.

    --
    Caveat Utilitor
  6. Uh, Where is the news here? by xkr · · Score: 3, Insightful

    I mean no offense, but as a student of history, aren't FUD and Microsoft synonymous?

    --
    I will create a sig when innovation restarts in the U.S.
    1. Re:Uh, Where is the news here? by turbidostato · · Score: 4, Informative

      "I mean no offense, but as a student of history, aren't FUD and Microsoft synonymous?"

      As a student of history you should know that FUD was an IBM invention, Microsoft is just an advanced student.

  7. Did Microsoft ever claim it was? by flimflammer · · Score: 4, Insightful

    Am I not mistaken that Microsoft's original claim was that Google claimed to be but were not, essentially calling out their lie? Did Microsoft also claim they were and this proves them to be lying as well?

    1. Re:Did Microsoft ever claim it was? by xactoguy · · Score: 4, Informative

      The GSA has declared that Google's product does have FISMA certification so (at least on this point) they are not lying.

      --
      And so we go, on with our lives
      We know the truth, but prefer lies
      Lies are simple, simple is bliss
    2. Re:Did Microsoft ever claim it was? by mystikkman · · Score: 3, Insightful

      Apparently some people who have more hatred for MS than reading comprehension skill have twisted this into a claim that Google was pretending to have a certification that MS already has. That's not the case.

      No, apparently people with the ability to actually read and comprehend have to explain how Microsoft lied and had their non-security certified solution chosen over one that had a security certification. You see, I'll type slowly, Microsoft claimed Google's product wasn't certified. But the GSA, who does the certifying mind you, said that Google's product is and was certified. So clearly Microsoft lied. And I think people want it explained why a government agency that was looking for a solution to reduce security breaches chose a solution that was not certified (Microsoft's) over one that was certified (Google's).

      That's what the summary says. That wasn't so difficult now, was it?

      If you're gonna try to be snarky about reading comprehension it'd be better if you actually tried reading with a little comprehension first.

      Your post exemplifies how Groklaw FUDs gullible people into believing nonsense. First of all the headline, summary and Groklaw are flat out twisting the facts about 'it turns out MS is the one without certification' as if MS claimed it, which it never ever did, at any point. Groklaw is the one lying by implying that MS said its offering was FISMA certified. If you're quoting the summary, then you're the one that's being misled.

      You're the one that needs to read, and not read just Groklaw even if you think it's a good source, because it's not and it's blindly anti MS biased and will twist and hide facts to support anything anti-MS and will cheerlead the other side and hide all their faults regardless of merits.

      If you do so, you will see that Google wanted to throw federal data along with other private customers' data in the same servers and infrastructure. So if there was a breach because of the private customer, federal data would be compromised and told the DOI to shove it when it was objected. MS agreed to have a dedicated infrastructure for the DoI (the reason it was more expensive) so the DoI notified that it was restricting bids to resellers of MS's offering. AFTER all this, Google announced Apps for Govt with a separate cloud for Federal, State and County government data (which the DoI may not be still happy with because of State data getting intermingled).

    3. Re:Did Microsoft ever claim it was? by man_of_mr_e · · Score: 3, Informative

      You do, huh? Then explain why PJ is making a big fuss over something that never happened.

      Microsoft wasn't saying that Google should not be chosen because they weren't FISMA certified, they said that the Department of Justice, in court documents, stated that Google Apps for Government was not certified, and that the DOJ claimed that the GSA did not view them as certified. This is not an implication that their (MS's) product was certified, just that Google's wasn't as Google claimed. Somehow PJ inferred a claim that wasn't there, and then proceeded to make a big stink about said non-existent claim. Yeah, that's good research.

      Google's response seems a bit odd. They claim that their Google Apps Premier certification carried over to the Google Apps for Government product, even though they admit that GAfG has several significant differences from GAP that requires it to be recertified, and that recertification was not yet complete. It's a bit like driving on a temporary driver's license, technically you have a valid license, but it's under review.

      Claiming that GAfG was FISMA certified in their bid, and failing to mention that it needed to complete recertification was certainly misleading (the term Microsoft used). What if GAfG was chosen (specifically because Google had claimed it was certified) and then it failed recertification? What if the changes Google made proved to be insecure?

      I think it's certainly understandable that Microsoft interpreted the need for recertification as admission that GAfG wasn't certified. That would seem the logical conclusion. If GAfG was still certified through the GAP certification, then that would be an incorrect (but logical) assumption... especially given that the DOJ documents made the claim of lacking certification.

      People in the blogosphere seem to be quick to throw the word "lied" around. Even Microsoft didn't say Google lied. In fact, Microsoft merely stated the fact that the Department of Justice made the claim that GAfG wasn't certified. The DOJ also made the claim that the GSA didn't view GAfG as certified. So it was apparently the DOJ that was wrong about the GSA's views.

  8. The Facts? by wheresthefire · · Score: 3

    Since when is a legal brief by one of the litigating parties an unbiased source of "facts"? Everything in this post and in the link is stated as fact, yet all of it comes from a single legal brief filed by Google. I thought /.'s standards for journalism were a little higher.

  9. Re:Big F*cking Surprise by Anonymous Coward · · Score: 4, Informative

    The GSA themselves have declared that Google's product is indeed FISMA certified (http://gcn.com/articles/2011/04/14/google-fires-back-on-fisma-certification.aspx and http://www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4) so Google's original argument that the Department of the Interior did not give Google fair consideration when selecting their vendor as Microsoft did not have FISMA certification is still valid. From what I understand, all this does is put more egg on Microsoft's face (along with the officials involved in vendor selection at the Department of the Interior).

  10. Re:ask me if I care? by RobbieThe1st · · Score: 4, Insightful

    Hey, if the government chose my competitors in clear violation of the rules, I sure as heck would sue too. It's one thing if the government had a fair choice between them, and chose Microsoft. But as we are seeing here, this isn't happening. They arbitrarily decided on Microsoft in violation of the policies, all while allowing Google to think it had a chance early on.

  11. Re:Getting worse by the minute by TubeSteak · · Score: 5, Insightful

    Now it's really starting to look like some serious BS was going on.

    A lot of government procurement involves someone writing a list of requirements that can only be met by one company.
    Sometimes it happens at the agency level, sometimes the requirements are attached to congressional appropriations.
    Either way, it happens. A lot.

    --
    [Fuck Beta]
    o0t!
  12. Re:Voice from the Other Side? by 517714 · · Score: 4, Informative

    Not if this is the trend. Where are the links to the original sources - DOI RFQ, Google's complaint, the DOJ brief, and the amicus briefs? This was the worst bit of reporting I have seen from Groklaw, and I believe Google's suit is valid.

    If you read the RFQ you can see that the DOI did not issue a competitive request as they should have, but that FISMA certification was to be achieved after the contract was issued so it is a non-issue.

    Google's complaint is whiny and overlong and full of irrelevant facts that only weaken their position.

    The DOJ brief said the Government is presumed to act fairly so Google's suit should be dismissed. The DOJ has our best and brightest?

    But instead of dealing with the real issues it is about distractions. What is this, Reality TV?

    --
    The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  13. Re:Big F*cking Surprise by Anonymous Coward · · Score: 3, Informative

    What Google said was completely true. Microsoft had a mole inside the government who claimed Google was lying but it was the mole and Microsoft who were lying, not Google. The GSA, who is responsible for FISMA certification, said Google's offering was certified. FTFA:

    We [Google] take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise.

    Let's look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.

    This was reflected in yesterday's Congressional testimony from the GSA: "...we're actually going through a re-certification based on those changes that Google has announced with the 'Apps for Government' product offering."

    FISMA anticipates that systems will change over time and provides for regular reauthorization -- or re-certification -- of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.