X

Microsoft, Google spar over security certification

Microsoft claims Google Apps for Government doesn't meet security certification that Google has touted. Google says Microsoft is wrong.

Jay Greene Former Staff Writer
Jay Greene, a CNET senior writer, works from Seattle and focuses on investigations and analysis. He's a former Seattle bureau chief for BusinessWeek and author of the book "Design Is How It Works: How the Smartest Companies Turn Products into Icons" (Penguin/Portfolio).
Jay Greene
3 min read

Microsoft today continued its cat fight with Google, calling out the company for apparently misleading customers about the security of its applications.

The software giant alleges that Google Apps for Government doesn't meet the level of security that Google claims. In a blog post, Microsoft's corporate vice president and deputy general counsel, David Howard, said that Google's Web-based productivity suite for government clients is not certified under the Federal Information Security Management Act.

Google Apps logo
Google

That's important because federal agencies, which are huge clients of both Microsoft and Google, buy technology based, in part, on whether it has FISMA certification. That certification demonstrates the technology is secure enough for federal business. In fact, the suit in which the FISMA revelations were unearthed was filed by Google over the Interior Department's decision to award Microsoft a contract to provide Web-based e-mail. That agency employs 88,000 workers.

The filing, unsealed on Friday, is a Justice Department brief in the case. "On December 16, 2010," the government says, "counsel for the government learned that, notwithstanding Google's representations to the public at large, its counsel, the GAO and this court, it appears that Google's Google Apps for Government does not have FISMA certification."

That would seem to run counter to Google's claims that its applications do have FISMA certification. On a site marketing its business software, the company writes "Google Apps for Government, now with FISMA certification." And the company goes on to explain the significance of the certification: "Obtaining Federal Information Security Management Act (FISMA) certification & accreditation for Google Apps is critical to our US federal government customers, who must comply with FISMA by law."

Google, though, says it's Microsoft that's off-base. It's received FISMA certification for Google Apps Premium. And Google Apps for Government is a version of that product with even better security, the company said.

"We did not mislead the court or our customers," David Mihalchik, an executive on Google's enterprise team, said in a statement. "Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements."

And Mihalchik notes that Microsoft's competing Business Productivity Online Suite, which won the Interior Department contract that triggered its suit, isn't FISMA certified.

Google may have a tough time convincing the court, though, according to Laura Taylor, the chief executive and founder of Relevant Technology, which specializes in security audits of financial institutions. She's the author of The FISMA Certification & Accreditation Handbook. Taylor says the General Services Administration, which issues so-called "authority to operate" letters under FISMA, are sticklers about even modest product changes. "They're pretty picky people," Taylor said.

When companies modify products, the GSA often wants them to seek new authorization, she said. Google, meanwhile, is merely trying to update its current FISMA certification to apply to Google Apps for Government. "My guess is that Google isn't going to win this," Taylor said.

The he said-she said claims are part of Microsoft's ongoing battles with Google, where it's challenged everything from Google's plans to buy travel data provider ITA software--a deal that regulators approved with conditions Friday--to the level of access to data it provides search rivals with in Europe, which led Microsoft to file a complaint with European regulators last month.

In this skirmish, Microsoft calls Google's integrity into question. "The Department of Justice has concluded squarely that Google Apps for Government does not have FISMA certification," Howard writes. "Open competition should involve accurate competition. It's time for Google to stop telling governments something that is not true."