In a breathless blog post, Microsoft recently suggested we intentionally misled the U.S. government over our compliance with the Federal Information Security Management Act (FISMA). Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false.
We take the federal government’s security requirements seriously and have delivered on our promise to meet them. What’s more, we’ve been open and transparent with the government, and it’s irresponsible for Microsoft to suggest otherwise.
Let’s look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consultation with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.
This was reflected in yesterday’s Congressional testimony from the GSA: “...we're actually going through a re-certification based on those changes that Google has announced with the ‘Apps for Government’ product offering.”
FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.
We’ve been very transparent about our FISMA authorization. Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers’ data secure.
We’ll continue to update our documentation to reflect new capabilities in Google Apps. This continuous innovation is an important reason government customers select our service. We’re confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization. We look forward to continuing to work with governments around the world to bring them the many benefits of cloud computing.