Google's FISMA certification: A technicality, misunderstanding or outright lie?


Summary: A question about Google's security certification for its Government Apps product - and the response from Google about it - is putting the company under an uncomfortable spotlight.


Google has suddenly found itself in hot water, exposed - by Microsoft, no less - for being a "liar, liar" when it comes to the security certification it has been touting for its Google Apps for Government offering.

After all, the revelation that Google's product, in fact, was not certified to be compliant under the Federal Information Security Management Act (FISMA) is pretty major. In part, that's because it's the Apps suite that was tailor-made for government agencies and security - extra security, actually - was one of its biggest selling points.

Now, before anyone gets into some panic over government data no longer being secure, there's little concern that Apps for Government isn't secure or that it won't eventually get its FISMA certification. Apps for Government, as Google explains it, is a more secure subset of Google Apps Premier, a product that obtained FISMA certification well before Government was announced last summer. With that rationale, it's no wonder that Google thought it was OK to go around and start touting Apps for Government as being FISMA-certified.

Unfortunately, the truth got in the way.

Google might have been naive about the way the government's FISMA certification process works and just assumed that since Premier was already certified, then Government must be certified, as well. But as we now know - thanks to Microsoft's discovery of a court document that tells otherwise - that's not how the certification process works.

Google says it has not applied for FISMA certification for Apps for Government, but instead is "updating the existing authorization." At a hearing in Washington earlier today, an official with the General Services Administration said that a product has to be re-certified if it changes - and, in essence, Government is an altered version of Premier. That official said Google's products are going through a re-certification based on the changes, according to a report on the Business Insider blog.

Google can spin this any way it wants but, at the end of the day, it has been deceptive in marketing Google Apps for Government as being FISMA-certified. Ignorance of the process is no excuse.

Simply said, Google - a company that has spent millions of dollars and countless hours developing this suite of applications specifically for government agencies - shouldn't be making assumptions about something as significant as FISMA-certification, especially when that's one of the biggest selling points over the competition. (Microsoft is currently awaiting FISMA-certification for its cloud apps offering, as well.) The only thing Google had to do was ask. Plain and simple.

Instead, Google has done itself a world of harm by making assumptions about government process. It's not only created a feeling of uncertainty around the security of its product but also created a perception of itself as a company that flirts with the truth for the sake of scoring a government contract. Does it really need to give its critics even more reason to argue that its motives are evil?

Sure, when all is said and done, Google will likely be granted FISMA certification for Apps for Government - but the damage will have already been done. Google says its product is FISMA-certified - but how do we really know? Google needs government agencies to take it at its word - but, for the moment, there's not much value behind that word.

Maybe we're splitting hairs here. Maybe this was just a technicality. Maybe it was all a misunderstanding. But as long as Google continues to stick by that lame argument about a certification for Premier also applying to Government, the company won't be able to shake the "Liar, Liar" image that it now has.

And the longer it waits to take its lumps, the harder it will be to shake that image.


Topics: Apps, Cloud, Google, Government, Government US


Talkback

48 comments
  • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

    If MS considers itself to be so damn ethical, how about it goes back and has another look at its "GetTheFacts" website . . . and then apologises to the world for its own lies. And wouldn't it be nice if MS also apologised for telling us all about the "specials and extras" that it would release for Vista Ultimate . . . you know, the ones that never arrived! If Google has lied, deliberately lied, then it should be dealt-with. But let us never forget that MS has a much longer history of lying than Google.
    Wakemewhentrollsgone
    • So since MS lied, it's fine for everyone else to lie

      @ptorning
      and just say "sorry" when they're caught? That is exactly what you're saying, isn't it?
      Will Farrell
      • It's a start

        @Will Farrell
        Microsoft, Google, and everyone else should at _least_ fess up and apologize. I have not seen this happen yet with either. I think ptorning's point is the irony of a prolific liar calling another, presumably less prolific, liar out. It's not lost on most of us.

        He also states:

        "If Google has lied, deliberately lied, then it should be dealt-with."

        Which would suggest that apologizing is not enough. So are you posting for posting's sake? If not, I missed the value-add of your post.
        Mr. Copro Encephalic to You
      • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

        @Mr Corpo

        Thank you! You are the only person who understood my use of irony and who seems to have read the very important words, "If Google has lied, deliberately lied, then it should be dealt-with." I thought that those words made my post moron-proof, but from the posts below, it seems that I was wrong.
        Wakemewhentrollsgone
    • What does Vista Ultimate have to do with FISMA?

      @ptorning Are you that lame?
      Mr. Dee
    • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

      @ptorning

      you fail to see that this has nothing to do with what microsoft did in their past. this has everything to do with what google is doing now. they falsely claim they're certified when they're not. that should be illegal.

      and you're trying to defend google? seriously? when clearly they're in the wrong here? there are some sick people in this world.
      blazing_smiley_face
      • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

        @blazing_smiley_face

        Do you understand basic English? If so, what do you think that these words mean, "If Google has lied, deliberately lied, then it should be dealt-with." They were in my original post, there for anyone to read. The words are simple and basic, but perhaps even simple and basic words are too much for people like you and Mr Dee and others. In no way have I supported Google; not one word. All I did was point-out the irony of MS calling a competitor a liar.
        Wakemewhentrollsgone
    • RE: Google's FISMA certification: A technicality, misunderstanding or outri

      @ptorning
      If my competitor is a compulsive liar or a thief, this does not give legitimacy to my lying or theft. So, bringing MS behavior related to the matter is irrelevant and uncalled for... That being said, however, the bloggers' tone, perception, and apparent intent about the "guilt" of Google is blown out of proportion. Yes, as much as I understand from the news, Google was technically at fault for assuming the FISMA certification of a product which was much more secure and well past the criteria of FISMA certification on the basis of their previous certification for the Premier Apps. It is foolish to speculate that this is remotely related to being insecure. It is premature thinking that they would do something like this deliberately despite putting so much effort and resources into this. Yes, it may be a mark on their credibility but I don't think that it is an irreparable damage, instead gives them an opportunity to improve on such fronts.
      ashwinipn
      • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

        @ashwinipn
        "If my competitor is a compulsive liar or a thief, this does not give legitimacy to my lying or theft."

        I agree. You might note that my original post includes the line, "If Google has lied, deliberately lied, then it should be dealt-with." I'm not sure how much clearer I can make it!
        Wakemewhentrollsgone
  • Message has been deleted.

    mwagner1
    • Nice to see the apologist up early today

      @mwagner1 (original)
      Sounds like Microsoft slander by Goofle.
      Will Farrell
    • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

      @mwagner1

      if the government who makes the purchasing of the apps will most likely know who is certified from who isn't, correct? therefore, since google apps for government is not certified that is why they were left out of the bidding process which is the process google is saying it was unlawfully left out of. Microsoft proved that was a lie and in fact the reason why google was left out is that google doesn't have proper certification.

      this whole article sounds like one from one of the BIGGEST google apologists i've seen in many months.
      blazing_smiley_face
      • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

        @blazing_smiley_face It's easy to imagine "the government" as a single sentient entity that knows what its right and left hands are doing, but that's not reality. I guarantee that if you were the average bureaucrat in the Department of Redundancy Department and you wanted to find out whether Google Maps meets FISMA, you would spend at least four hours trying to find the office where such knowledge resides, another two hours tracking down the individual who knows, only to discover that they don't really know. I am not making this up; this is what life is really like inside the Federal Government. It is so big, and has so many moving parts, that even if you know how something works today, it will have changed by tomorrow.

        You've probably seen the news stories about how if you call the IRS five times to ask a question, you will get five different answers, and sometimes all five will be wrong. Now imagine you work for Google and you call to find out whether your certification on one product applies to a new version. I'm just sayin'... It could happen.
        Robert Hahn
      • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

        @Robert Hahn
        that I understand, but if u read the OP's post, then you would see what I used that as my opening
        blazing_smiley_face
  • I will say it again. Google is immature in their engineering.

    The list goes on and on. Buzz. WiFi sniffing. FISMA. Google Books (who thought opt-out was a smart idea? Downright evil and stupid beyond belief).

    Google hires some of the smartest engineers out there but they often move too fast without thinking. When you are a small company, you can get away with lots of these things. When you are one of the largest companies on the planet, however, you really need to have oversight of your processes.

    What scares me about Page as CEO, he has stated he wants to remove even more oversight. As a shareholder, this really scares me.
    Bruizer
    • @Bruizer

      I completely agree. I really like Google as a company, but they can't, as Page put it, behave like a start up because they are no longer a start up. I understand he wants Google to have its innovation edge back but I really think a lot of their products are incomplete and not well thought out in some ways (including legal). They need to narrow their focus on key products.
      anono
  • Why does the Govt buy non certified apps?

    So why does the US govt dept buy software WITHOUT FISMA certification in no bid contracts?

    That's what they did, that department decided to standardize on Microsoft online office offering, knowing it had no FISMA certification, not any package of it.

    Now they're looking for i's not dotted and t's not crossed to cover themselves, and it's nice spin, but it's not the full story.
    guihombre
    • So that excuses "lying" about the certification?

      @guihombre

      Simple question. Or just not understanding how certification processes work in general.
      Bruizer
    • RE: Google's FISMA certification: A technicality, misunderstanding or outright lie?

      @guihombre ... They bought Microsoft online Federal which DOES have FISMA. FISMA is the minimum standard, DOI determined that with ISO 27001, SAS 70 Type II and a host of other processes and procedures, BPOS-F is vastly more secure than Google Apps. Please get your facts straight.
      rballard@...