The Public Eye with Eric Chabrow

Rare Confrontation Over Gov't IT Security

Not GOP Vs. Dems But Microsoft Vs. Google

Bickering over federal government IT security is rare, but one squabble caught the attention of Sen. Tom Carper during a congressional hearing he chaired on government IT efficiency Tuesday.

It wasn't verbal jousting between Republicans and Democrats but between Microsoft and Google over Microsoft's contention that Google falsely claims that Google's Apps for Government has been certified under provisions of the Federal Information Security Management Act. Microsoft Business Productivity Online Suite is a competing suite of cloud computing service.

Carper, D-Del., asked two witnesses before his subcommittee - Federal Chief Information Officer Vivek Kundra and David McClure, associate administrator of General Services Administration's Office of Citizen Services and Innovative Technologies - about Microsoft's claim, which he characterized as "potentially serious." McClure, whose agency certifies products under FISMA, responded first, saying that government had certified Google Apps Premier, a package of cloud computing services, and added:

Since that time, Google has introduced what they're calling Google Apps for Government, it's a subset for Google Apps Premier. As soon as we found about that, as with all the other agencies, what you would normally do when a product changes, you have to recertify it. So that's what we're doing right now. We're actually going through a recertification based upon those changes Google has announced with the apps for the government Premier offering."

McClure's point echoes one made by Microsoft Vice President and Deputy General Counsel David Howard in a blog that caught Carper's attention. Kundra, whose statutory title is administrator of IT and e-government in the Office of Management and Budget, didn't get into the fray between the two high-tech behemoths, explaining:

"From an OMB perspective, we don't actually get involved in individual procurement. We're more focused on the broader policy around the shift to cloud computing. "

Carper seemed satisfied with the two federal officials' responses, but said he asked his staff to follow up with McClure and Kundra "so we can try to get to the bottom of it."

In the blog, Howard wrote that court documents unsealed last week revealed the Justice Department had rejected Google's claim that Google Apps for Government was FISMA certified. Howard cited a Department of Justice brief that "notwithstanding Google's representations to the public at large, its counsel, the GAO (Government Accountability Office) and this court, it appears that Google's Google Apps for Government does not have FISMA certification." Howard observed:

"This revelation was apparently as striking to the lawyers at the Department of Justice as it was to me. The Justice Department brief states, 'We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the court's attention.'"

Google responded to this brouhaha in a statement from executive David Mihalchik:

"This case is about the Department of Interior limiting its proposal to one product that isn't even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers.
"Even so, we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned, we're working with GSA to continuously update our documentation with these and other additional enhancements.

In several blog postings touting Google Apps for Government over the past year (see Introducing Google Apps for Government and U.S. General Services Administration Is Going Google), Google chimed that Google Apps received FISMA certification, but it didn't explicitly state whether it was Google Apps Premier or Google Apps for Government (indeed, the word Premier didn't appear in these items).

I sent an e-mail to Google asking why, in these and other postings, it wasn't explicit that the certification did not for Google Apps for Government? If and when Google responds, I'll post its answer here.



About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.