The Google-Microsoft Fight About FISMA Certification - Updated 3Xs
Thursday, April 14 2011 @ 12:18 AM EDT

If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part -- it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in actuality its offering is. It calls Microsoft's FUD "irresponsible".

The case is being heard in the United States Court of Federal Claims. Google filed what is called a bid protest. The context is that the Department of the Interior wished to procure a cloud solution to unify and streamline its email and other messaging systems "while simultaneously reducing its risk of data security breaches".

That's the amazing part. If it wanted to reduce the risk of data security breaches, why would it choose Microsoft?

Google has accused Microsoft and the Department of the Interior of colluding to give Microsoft the contract, even though Google was walked through the paces of applying and strung along to believe it actually was being considered. The accusation is that it was all a pretense, that the decision to go with Microsoft was made long before anyone else made a bid and that the Department of the Interior folks carefully crafted its list of requirements so that no one but Microsoft *could* qualify.

What does that have to do with FISMA certification? Microsoft's offering was not FISMA certified when it was chosen, and still isn't, while Google says its competing email solution was, so Google claims the choice violates procurement policies. I'll show you the document where I found the detail that explains it all. I don't know for sure who is right in this dispute, by the way, although I think you'll be able to discern which direction the truth-o-meter seems to be pointing, so at this point I'm just explaining what I found, so you can at least know what it's all been about.

Here it is [PDF], the document, Google's Motion for Judgment On the Administrative Record, Reply to Defendant's and Defendant-Intervenor's Oppositions to Plaintiffs' Motion for Preliminary Injunction, and Response to Defendant-Intervenor's Motion to Dismiss. I know. It's quite a mouthful, and the case is complicated. We don't need to understand all the ins and outs to grasp the overview, and in fact, it would be hard to understand everything, in that the documents are highly redacted. The title just means that Google thought there was enough on the table that it should win the issue being argued and get the relief asked for, while it also responds to some filings from the other side. This was back in December. A preliminary injunction, in fact, issued in January, blocking the Microsoft deal while the matter is adjudicated in the courts.

But to understand the dispute, we have to go back to when the DOI began studying how to move its email system to the cloud. I'll let Google describe what happened, as it views events:

For the reasons described herein, the Court should grant Plaintiffs' Motion on the grounds that the Department of the Interior ("DOI") improperly selected the Microsoft product on a sole-source basis to satisfy DOI's requirement for a unified, agency-wide messaging system. The Def. Opp. selectively described the facts to make it appear that, after conducting exhaustive market research into various messaging products and computing cloud models, DOI reasonably determined that only the Microsoft Business Productivity Online Suite-Federal ("BPOS-Federal") could satisfy DOI's minimum needs. In reality, the Administrative Record ("AR") paints a very different picture. The AR shows that DOI chose a Microsoft solution - one that preceded Microsoft's launch of BPOS-Federal by many months - more than a year ago without a sole-source justification pursuant to Federal Acquisition Regulation ("FAR") Subpart 6.3 and solely because DOI had established the Microsoft Office suite as a departmental standard in a standardization memo issued in September 2002. DOI then developed its requirements or "minimum needs" collaboratively with Microsoft in the ensuing months, leading to the June 2010 "proof of concept" project to migrate the Bureau of Indian Affairs ("BIA") to the Microsoft solution and, ultimately, to DOI's Request for Quotations ("RFQ") issued on August 30, 2010 for the purpose of completing the migration to DOI's other offices and bureaus. DOI's so-called extensive market research was tailored after the fact in 2010 to support the 2009 sole-source selection of a Microsoft solution.

There is no dispute that DOI has had problems with its disjointed e-mail system, or that DOI needs a secure, unified messaging solution to replace the 13 systems currently owned and operated by the various DOI bureaus and offices. These problems and needs, however, do not trump the Competition in Contracting Act's ("CICA") mandate for full and open competition, and DOI's post hoc justifications for the selection of Microsoft's solution do not stand up under close scrutiny. Google's messaging solution, Google Apps for Government, was given no serious consideration by DOI, and DOI did nothing to assess the security of Google's cloud model even though Google Apps is the only computing cloud to have successfully undergone the rigorous certification and accreditation ("C&A") process for Federal Information Security Management Act ("FISMA") authorization.

There is more than one responsible source for a secure, unified messaging solution provided in a cloud computing environment and, thus, DOI has improperly circumvented CICA's requirements for a competitive procurement....

DOI and Microsoft have been collaborating closely and extensively for more than a year to implement DOI's improper sole-source procurement of a unified messaging solution, all the while as DOI was falsely assuring Google that a messaging solution had not been chosen and that a full and open competition would be conducted....

The fact that DOI standardized to the Microsoft Office suite in 2002, or to Microsoft Outlook in 2006, does not dictate a "once Microsoft, forever Microsoft" result. While Microsoft's products likely were the industry standard in 2002, technological advancements in the computing industry have exploded and new, capable competitors have entered the market since then. ...In sum, DOI's decision in September 2009 that only the Microsoft messaging solution would satisfy DOI's need for a unified secure e-mail system was clearly contrary to law. The Court could - and we believe should - end its inquiry here.

So that's what the fight is about, that DOI secretly chose Microsoft and then colluded with it "to create a paper trail to support the decision already made by DOI to procure the Microsoft solution", so as to make it look like there was an open process where all bidders were given equal and fair consideration when in fact the reality was that the decision was already made. Then, to justify the choice, Google claims, DOI studied the market and then made a list of requirements that no one but Microsoft could meet. And did you notice that Google claimed that it has the only "computing cloud to have successfully undergone the rigorous certification and accreditation ... process for Federal Information Security Management Act ("FISMA") authorization"? This would mean, if demonstrated, that DOI chose a competing offering from Microsoft, its BPOS-Federal, instead of one that had been demonstrated to be secure enough to gain FISMA certification.

Later, it is made explicit, when on page 34, at the very bottom of the page, Google states, "Microsoft's solution is not FISMA-certified" and while DOI justified its choice by claiming it needed its own "private cloud", Google claims that Microsoft's offering runs in part on public servers anyhow and that DOI has confused what kind of cloud it actually says it wanted with what it got:

If DOI had defined a need for an infrastructure that was solely dedicated to DOI, it would be requiring a "private cloud." Although the BPOS-Federal solution might be available for purchase in a "private cloud," DOI's requirement was not so limited. Since DOI allows the infrastructure (owned and managed by Microsoft) to be shared among any Federal government customers, it is procuring a "community cloud." By comparison, Google Apps for Government shares its infrastructure among Federal, state and local government customers of Google, a limited community with common security and privacy concerns. Thus, Google Apps for Government is also a "community cloud."

Defendant's and Defendant-Intervenor's attempts to mischaracterize the cloud model being procured by DOI and to then compare public and private clouds to support the pre-selection of the Microsoft product are misleading and irrelevant. The record shows that DOI never considered whether Google's community cloud product would satisfy DOI's essential needs.

So Google's position is that DOI's choice is irrational:

Thus, DOI's alleged "extensive" market research avoided any analysis of Google's government cloud, its features, or its FISMA-certified security controls. Consequently, DOI's market research failed to examine all relevant data and it failed to articulate "a satisfactory explanation for its action including a rational connection between the facts found and the choice made." Redland Genstar, Inc. v. United States, supra, 39 Fed.Cl. at 231 (holding that agency's restrictive specification was invalid because, inter alia, the reports and analyses relied upon by the agency did not support the choice made by the agency).

"On February 24, 2010, Microsoft publicly announced its plans to launch BPOS-Federal," Google writes, with the hint in the air that it was being strung along while Microsoft developed precisely what DOI wanted. The date is surprising in that Google claims that DOI made its decision to go with Microsoft in 2009, which would be before Microsoft even had a solution to offer. "Microsoft's press release stated that BPOS-Federal 'is launching today for U.S. federal government agencies, related government contractors and others that require the highest levels of security features and protocols.'"

But because DOI had not yet announced the winning bidder, what happened next kind of threw a monkey wrench into the plan. Google, on July 26, 2010, "publicly announced that its Google Apps had received FISMA certification and that Google Apps for Government had been launched."

As you know, then the DOJ filed a document saying that it "appears" that Google was not FISMA-certified after all. Microsoft then pounced on that, the very day the document was filed, I gather. Heh heh. And it essentially called Google out for misrepresentations.

Google now has responded with a blog post, The Truth about Google Apps and FISMA:

In a breathless blog post, Microsoft recently suggested we intentionally misled the U.S. government over our compliance with the Federal Information Security Management Act (FISMA). Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false.

We take the federal government’s security requirements seriously and have delivered on our promise to meet them. What’s more, we’ve been open and transparent with the government, and it’s irresponsible for Microsoft to suggest otherwise.

Let’s look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.

This was reflected in yesterday’s Congressional testimony from the GSA: “...we're actually going through a re-certification based on those changes that Google has announced with the ‘Apps for Government’ product offering.”

FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.

We’ve been very transparent about our FISMA authorization. Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers’ data secure.

We’ll continue to update our documentation to reflect new capabilities in Google Apps. This continuous innovation is an important reason government customers select our service. We’re confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization. We look forward to continuing to work with governments around the world to bring them the many benefits of cloud computing.

Posted by Eran Feigenbaum, Director of Security, Google Enterprise

In short, the bottom line is that it's actually Microsoft that is not FISMA certified. And yet, the Department of the Interior chose them over an offering that is? How would that be rational, if the goal is to reduce security breaches? And that, precisely, is Google's question.

Remembering what happened in Switzerland, where the appeals court recently ruled that the government can, in essence, choose Microsoft products without public bidding, I can't help but wonder if this Google claim is just the tip of the iceberg. Anyway, I thought you would like to understand what this fight is all about. Here's [PDF] Softchoice, a Microsoft reseller, telling why Google is all wet. Here are some more documents, so you can dig deeper if you'd like to:


Matt Rosoff at Business Insider has now written a strong piece, titled "Dear Microsoft: You Owe Google an Apology":

Microsoft called Google a liar. Turns out, Microsoft is wrong.

Google Apps for Government was, always has been, and still is certified under a government security spec called FISMA....Microsoft's competing product, BPOS-Federal, is not FISMA-certified.

Good for Business Insider. I commend them. So, here's my question. How did a US Senator immediately get inspired to arrange an investigation of Google? Instantly? And who inspired the DOJ? That's where everyone should be looking. And what about Google's allegations about Microsoft? Any US Senators planning on looking into that?

Here's what the GSA statement now says about Google and FISMA certification:

GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification.

So it was indeed Google who told the truth. How about Microsoft?

So, while I commend Business Insider for correcting the record, one hopes that Business Insider and every other media entity that ran with this anti-Google libel will now put an update on all those stories they wrote about Google lying blah blah.

And we need to be on our guard. Look at the power and influence used in this situation to make Google look bad. And it wasn't even true. When you get a whiff of a coordinated smear campaign, it is prudent to be on guard and look for such factors in the future.

Guys, don't you realize by now that Microsoft is Microsoft? You don't remember Get the Facts? All those "independent" studies that found Microsoft products to be the best thing since someone invented the wheel? Forewarned is forearmed.

Sometimes standard journalists criticize Groklaw, because we are a new kind of journalism. We're not the New York Times, true, or the Washington Post (not that we were trying to be), but we knew enough not to repeat this accusation but rather to wait and check and find out if it was true or not before writing about it. All things considered, might that be why so many readers trust Groklaw?

Update 2: Google Gets Government Agency Backing for FISMA Claim, on Redmond Magazine, also notes the GSA statement.

And I did some digging. Here are some earlier articles about FISMA certification, which might help us home in even more on who is telling the truth:

  • Google Launches Cloud Apps for Government, July 26, 2010, Kenneth Corbin:
    Google is taking what it sees as a major step forward in its efforts to drive cloud computing in the government, releasing on Monday a version of its hosted suite of applications that meets the primary federal IT security certification. Google (NASDAQ: GOOG) touts the new edition of Google Apps, nearly a year in the making, as the first portfolio of cloud applications to have received certification under the Federal Information Security Management Act (FISMA). "We see the FISMA certification in the federal government environment as really the green light for federal agencies to move forward with the adoption of cloud computing for Google Apps," Google Business Development Executive David Mihalchik said this morning in a meeting with reporters.

  • Microsoft offers BPOS with extra security for the feds, Feb 24, 2010, Seattle PI:
    BPOS, which competes with services such as LotusLive Notes and Google Apps, already is in compliance with a bunch of security standards defined by cryptic acronyms and numbers: ISO 27001, SAS 70 Type I and Type II, HIPAA, FERPA, 21 CFR Part 11, FIPS 140-2 and TIC. (I just felt like writing that stuff.) Within the next six months, Microsoft will add Federal Information Security Management Act (FISMA) compliance to BPOS Federal. That’s when federal government agencies might get serious about the service.

  • The federal cloud: Another Microsoft vs. Google battleground, July 2010, Mary Jo Foley:
    On July 26, Google announced the launch of a government-focused version of Google Apps — known as Google Apps for Government. Microsoft announced in February 2010 a government-focused version of its Business Productivity Online Suite (BPOS). That collection of Microsoft-hosted business apps, known as BPOS Federal (BPOS-F), runs on a “separate, dedicated infrastructure in secured facilities,” not in the existing datacenters where Microsoft currently hosts BPOS.

    By August 2010, BPOS-F is slated to meet a wide range of standards and certifications, including: International Organization for Standardization (ISO) 27001, Statement on Auditing Standards (SAS) 70 Type I and Type II, Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA) Title 21 CFR Part 11 of the Code of Federal Regulations, Federal Information Processing Standard (FIPS) 140-2, and Trusted Internet Connections (TIC) compliance certification.

    Missing from the BPOS-F check list, however, is FISMA, the Federal Information Security Management Act (FISMA). FISMA specifies a “comprehensive framework to protect government information, operations and assets against natural or manmade threats.” Google Apps for Government “is the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government,” according to a Google blog post yesterday.

    FISMA certification and accreditation is confirmed by the General Services Administration — which just so happens to be deciding upon a new e-mail system. The GSA has been evaluating both Microsoft’s and Google’s cloud-hosted options, according to a recent Wall Street Journal story. FISMA certification is required for that project, which covers 15,000 user e-mail accounts. Microsoft isn’t providing an exact date as to when it will offer FISMA certification for BPOS-F, but says it should be “very soon.”

    The full statement from a Microsoft spokesperson: “Our messaging and collaboration BPOS offering already meets the most rigorous standards of any cloud service in market today. We have been working closely with the GSA and expect to receive official FISMA authorization very soon. We take our responsibility seriously to deliver powerful and easy-to-use applications that meet the government’s rigorous security and privacy needs, and we are humbled by the fact that nearly every Federal agency and arm of DoD trusts Microsoft Office, Exchange and SharePoint today.”

  • Cloud Computing: Google Apps Leads Microsoft in Federal Cloud Race: 10 Reasons Why It Matters, Clint Boulton, Aug. 8, 2010:
    Google has scored something of a coup versus Microsoft in its quest for credibility for its Google Apps collaboration software suite, which the company delivers over the cloud to end users. The company July 26 launched Google Apps for Government, a flavor of Google Apps that recently gained FISMA (Federal Information Security Management Act) certification. Awarded to Google from the U.S. government's General Services Administration, FISMA calls for all information systems used by U.S. federal government agencies to have solid security. Microsoft does not have FISMA certification yet for its rival cloud computing suite, but it’s working to get it.

  • Google Calls Microsoft's FISMA Allegations False, Thomas Claburn, InformationWeek:
    As Feigenbaum explained, Google received FISMA certification for Google Apps Premiere Edition (later renamed Google Apps for Business) from the General Services Administration last July. That same month, the company introduced Google Apps for Government. The two versions of Google Apps are the same system, except that Google Apps for Government stores data in a location suitable to federal rules and segregates it from other data for the same reason.

    The GSA, according to Feigenbaum, told Google that the name change and additional features could be covered under the company's existing FISMA certification. And because FISMA rules anticipate systems will change over time, re-authorization efforts don't void previous certifications. So Google Apps for Government is awaiting a FISMA certification update, but that doesn't mean it is not certified, assuming Google's representations about its discussions with the GSA are accurate.

  • BPOS: Microsoft Business Productivity Online Standard Suite:
    Microsoft Online Services, including Business Productivity Online Standard Suite, uses multiple layers of security controls and multiple technologies for depth and breadth security. Currently Microsoft now meets a wide variety of industry standards and certifications, including but not limited to:

    • International Organization for Standardization (ISO) 27001
    • Statement on Auditing Standards (SAS) 70 Type I (BPOS-S) or Type II (BPOS-D and GFS)
    • Enable Health Insurance Portability and Accountability Act (HIPAA)
    • Enable Family Educational Rights and Privacy Act (FERPA)
    • Title 21 CFR Part 11 of the Code of Federal Regulations

    In addition, the Microsoft cloud infrastructure (GFS) has received Federal Information Security Management Act (FISMA) Authorization to Operate (ATO). The ATO covers Microsoft cloud infrastructure and certifies that it provides a trustworthy foundation for Microsoft cloud services. (Note that this is not at the application layer of the BPOS services.)

  • Microsoft Fights Google for Government Dollars:
    In a press release, Microsoft crowed that Portland Public Schools and University of Albany -- SUNY had chosen Microsoft over Google Apps. It also said that Winston-Salem, North Carolina, is migrating its 600 Google Apps business users and 2,150 Novell GroupWise users onto Microsoft's Business Process Online Suite.

    BPOS is Microsoft's hosted services offering that includes Exchange, Sharepoint and Office Live Meeting.

    Microsoft also said it was close to getting FISMA certification for its BPOS services. It has already achieved the certification for its data centers and expects to complete the process for the applications within a month or so, Kulcon said.

    The Federal Information Security Management Act (FISMA) is a stringent security standard that some federal agencies are required to comply with. Google Apps is already FISMA certified.

Also, I read Defendant's Opposition to Plaintiffs' Motion for a Preliminary Injunction, and they acknowledge that Google's offering was FISMA certified and Microsoft's was not, but they argue that DOI is allowed to choose a product and have it FISMA-certified later:

Plaintiffs accuse DOI of "excus[ing] or ignor[ing] the inadequacies of the Microsoft product" by permitting Microsoft and the awardee to "obtain[] a FISMA certification after contract award." Pl. Memo. 35. As noted above, plaintiffs' accusation reflects an obvious misunderstanding of BPOS-Federal.

Pursuant to FISMA, an agency may certify and accredit the security of an information system after testing its controls to ensure they work properly. In soliciting a private external cloud, DOI is requesting offerors to propose implementation of its pre-existing technology to meet DOI's specific needs. Accordingly, it follows that such a cloud cannot possibly obtain certification or accreditation because it has not yet been implemented to meet DOI's needs or actually tested. Thus, the lack of FISMA certification for DOI's personalized cloud is not a sign of lax security, as plaintiffs suggest; rather, it is a necessary step in acquiring a dedicated cloud.

Update 3, September 1, 2011: Judge Susan Braden has now stated: “There is a justifiable basis for me to find” violations of procurement laws. Bloomberg reports she said she had written a 41-page opinion and "will issue it next week after deciding whether to require the agency to hire an independent expert. That expert would evaluate whether Google’s products meet the agency’s security needs, she said. 'The public interest would be well-served by doing that,' she said."


The Google-Microsoft Fight About FISMA Certification - Updated 3Xs | 121 comments
"Reduc[ing] the risk of data security breaches"
Authored by: Anonymous on Thursday, April 14 2011 @ 12:55 AM EDT
That part about "reduc[ing] the risk of data security breaches" sounds especially funny considering that yesterday was an especially large Patch Tuesday for Microsoft, wherein they had to fix more than a dozen serious exploits, some of which are being actively exploited.


Off-Topic - On Topic Post Will be Punished!
Authored by: The Mad Hatter r on Thursday, April 14 2011 @ 01:01 AM EDT

Don't Forget to use HTML for Clickies

If you don't know how, ask, and someone will walk you through the process. We all had to learn at one point!



Newspicks Discussions
Authored by: The Mad Hatter r on Thursday, April 14 2011 @ 01:03 AM EDT

Please Include the link to the Newspick you are discussing in case it has scrolled off the front page.



Corrections Thread
Authored by: The Mad Hatter r on Thursday, April 14 2011 @ 01:04 AM EDT

Put all of the corrections if any here so that PJ can find them.



This does happen
Authored by: The Mad Hatter r on Thursday, April 14 2011 @ 01:17 AM EDT

Purchasing by specification. The salesman attempts to get the customer to specify his company's product. It isn't 'Kosher' but it's one way to guarantee a

This is what the Swiss litigation we heard about a while ago was about. The Swiss government specified 'Windows' so the only competition could be from different Microsoft Distributors, cutting out the Free Software companies. Same thing happened in Quebec as well.

When Microsoft talks about how things should be technology neutral, this is what they mean.



US DOI - Full of corruption
Authored by: SpaceLifeForm on Thursday, April 14 2011 @ 01:59 AM EDT
Cocaine and prostitutes

BP Oil

Deepwater Horizon

Get the picture.


You are being MICROattacked, from various angles, in a SOFT manner.


[COMES] Comes v. MS transcripts
Authored by: Aladdin Sane on Thursday, April 14 2011 @ 02:34 AM EDT
We're still doing this thread, right?

There is nothing unknowable—only that which is yet to be known. —The Fourth Doctor (Tom Baker)


Hey! You! Get off of My Cloud!
Authored by: DaveJakeman on Thursday, April 14 2011 @ 03:31 AM EDT
"Private cloud" indeed. Heh. What kind of cloud is that? An


Microsoft's Certification
Authored by: Anonymous on Thursday, April 14 2011 @ 04:15 AM EDT
Remember Ed Curry

In 1994, Microsoft received its first, and as of this date (08-23-2000), only United States governmentally approved security rating for Windows NT: an Orange Book C2 rating for Windows NT 3.5 with service pack 3 running on three very specific machines with no floppy drive and no network interface. The man behind this was a Mr. Ed Curry, NSA-certified and NCSC trusted security technician. He was contracted, through his company Lone Star Evaluation Laboratories (LSEL) by Microsoft to get NT its necessary certification for governmental use. He took the job. That was his mistake.

As part of this, LSEL needed to construct several diagnostics systems, and under the verbal promise by Microsoft that LSEL would sell "millions of copies" of this software (presumably it would be bundled with NT on any government purchase). In fact, within the written contracts, Microsoft agreed to help market and sell the product. No company would be foolish enough to turn down this kind of offer.

LSEL underwent necessary expansion to undertake such a massive contract, a contract awarded based on LSEL's "unique technical qualities required to work with Microsoft and computer hardware manufacturers in defending our products to the NCSC." (Ken Moss, Microsoft Government Evaluations Manager)

When NT 3.51 came out, Ed Curry was in a position to keep the certification current (he could get a system through the tests in under 45 days, a feat demonstrating how highly NCSC thought of him). But Microsoft was not willing to wait. At the NSA/NIST conference in 1995, Microsoft displayed a banner showing 3.51 as being C2 certified. NSA officials reportedly asked Microsoft to remove the banner. Things continued to go downhill, with Microsoft freely mixing literature describing NT 3.51 and NT 3.5 SP3. Deliberate or not, this mixing led many to believe NT 3.51 was C2 certified. And Ed called them on that.

Almost overnight, Microsoft's support of LSEL vanished. They ceased assisting LSEL with continuing certification and dropped all mention of LSEL's diagnostics software. It was not long before LSEL went bankrupt. Throughout this time, Microsoft continued implying versions of NT (now up to 4.0) were C2 certified. No one cared to look at the facts and the U.S. government has purchased unknown numbers of NT boxes for use in secure locations under the premise that NT was C2 certified and even worse, Red Book certified.

Later, with support from people at the then-existent Infoworld Electric forums, and direct support from Nick Petreley, Mr. Curry began trying to get the word out. He was not out to stomp all over Microsoft. He did not have a vendetta against them. He just was concerned about the way the government was doing its business, and how Microsoft was facilitating that. In his words, "I still believe in MS products, but am increasingly concerned over how they are running the business side of things."

Things began looking up, but they were incredibly stressful times for Ed, with his family on the verge of financial disaster, and until the story broke, he was nearly totally unable to get sufficient employment despite his enormous credentials. Unfortunately, just as things began to get better, Ed fell victim to a stroke and died on March 24, 1999. It was as if "one of the stars in an otherwise black corporate sky has gone out." (cslawson, Infoworld Forums)

A standard ploy from the Microsoft playbook
Authored by: jbb on Thursday, April 14 2011 @ 05:13 AM EDT
This is a classic use of dirty trick #3 and dirty trick #4 that I had mentioned before:
dirty trick #3
Attack your opponent's strength.
dirty trick #4
Accuse your opponent of doing the bad things you yourself are actually doing.
In this case, Google's strength was its FISMA certification and Microsoft's lack thereof. So Microsoft makes up an almost plausible story about Google lying about its FISMA certification and then makes a big stink about it. In addition, Microsoft had to lie to create this stink so part of their lie is the false accusation that Google had lied.

It is hard for me to imagine a company whose general policy seems to be to lie, cheat and steal in order to sabotage good products (made by others) and force people to use their inferior products. This is almost like poisoning the technology well. They provide a disservice to our society for the sole purpose of enriching themselves. It is sociopathic behavior. When this type of behavior becomes prevalent it destroys the society. Plato gave an example of this in his description of the downfall of Atlantis:

... when the divine portion began to fade away, and became diluted too often with the mortal admixture, and the human nature got the upper hand, they then, being unable to bear their fortune, behaved unseemly, and to him who had an eye to see, grew visibly debased, for they were losing their precious gifts; but to those who had no eye to see the true happiness, they appeared glorious and blessed at the very time when they were full of avarice and unrighteous power.
It is extremely important that we don't sit idly by as this happens because we are all ultimately responsible for the survival of our society. As Edmund Burke probably didn't say:
All that is necessary for evil to triumph is that good men do nothing.

[ ] Obey DRM Restrictions
[X] Ignore DRM Restrictions

What we are up against.
Authored by: Anonymous on Thursday, April 14 2011 @ 07:02 AM EDT
Last night I was watching the UK TV program "Newsnight", and the topic
under discussion was the UK budget deficit. It transpired that MS had pledged to
the UK government, in a meeting at Downing Street in January, that MS would
create 4000 jobs to help the UK economy. A representative from Microsoft went on
to say that these would not only be jobs at Microsoft but would represent 4000
jobs at both small and large IT companies that MS work with.

So 4000 MS partners working nationwide to *help* the UK government. How much
FLOSS software will they be recommending I wonder. Ugh!

The link to the program on the BBC Iplayer is

for those able to view it. It starts 40.14 minutes into the programme.

Not new but old journalism
Authored by: Anonymous on Thursday, April 14 2011 @ 05:41 PM EDT
This is not a new way to do journalism but the old proper way.

The need to get the facts first and make sure they are right.

Uh, All of this from Google's Position Paper
Authored by: Anonymous on Thursday, April 14 2011 @ 06:19 PM EDT
Remember that at some level this is Google's position paper we are reading. Not

I am not taking a position one way or another on whether either side should have
said what they did.

However, I think this is another article where you may not have enough
information to really take some of the positions you have, PJ. You have what
amounts to party-based position papers from both sides.

-Clocks, not logged in.

The Google-Microsoft Fight About FISMA Certification - Updated
Authored by: Anonymous on Thursday, April 14 2011 @ 08:27 PM EDT
I think Microsoft said that the DOJ said that Google Apps for
Govt wasn't FISMA certified, which was accurate. And they (DOJ) got that from
GSA, who still states that Google Apps for Govt is still undergoing

The existing software maintains its rating, but the revised software is not.
Google is twisting words here.

The Google-Microsoft Fight About FISMA Certification - Updated
Authored by: Anonymous on Thursday, April 14 2011 @ 08:44 PM EDT
Just out of interest, why is it that every single cited document is provided by
Google? There is not a single representation of the government or the Microsoft
point of view here.

Also a clear lack of understanding on the technical aspects since you accept the
Google assertion that it IS certified even when the GSA has stated in writing as
a clarification that it emphatically is NOT.

I expected better from you to be honest. I thought legal proceedings usually
heard both sides of a story?

Truth in journalism
Authored by: Anonymous on Friday, April 15 2011 @ 03:09 AM EDT
Sometimes standard journalists criticize Groklaw, because we are a new kind of journalism. We're not the New York Times, true, or the Washington Post (not that we were trying to be), but we knew enough not to repeat this accusation but rather to wait and check and find out if it was true or not before writing about it. All things considered, might that be why so many readers trust Groklaw?
My word, but isn't this just the reason Groklaw needs to live?

The Google-Microsoft Fight About FISMA Certification - Updated 2Xs
Authored by: Anonymous on Friday, April 15 2011 @ 08:39 AM EDT
Microsoft's lawyer merely repeated what the DOJ said in its court filing -- that
Google had inaccurately represented Google Apps for Government as FISMA
certified. If the DOJ was wrong, then it's the DOJ that deserves condemnation
for its inaccuracy, not Microsoft. Your belittling of other journalists for
accepting Microsoft's claims without investigation is inane, because those other
journalists were proceeding based not on what Microsoft said, but rather based
on what the DOJ said in its court filing.

The Google-Microsoft Fight About FISMA Certification - Updated 2Xs
Authored by: Anonymous on Friday, April 15 2011 @ 08:48 AM EDT
While I can’t say who wins or who loses, I can say that every major government
contract is protested in some fashion. I also know that while one product has
FISMA certification, it does not always follow that adding a few capabilities
and a new name will allow that same certification to be used. As is so deftly
pointed out, GSA, in Congressional testimony says it is going through

Therefore, one could presume that the solution is not certified, although the
base solution is.

Having been through a number of certification processes, and the length of time
they can take, it is easy for me to take the rhetoric in stride between two
highly competitive companies. I have been on the losing and winning end of
major requests for proposals and know the pain and elation that many of your
readers do not.

Anyone can put up smoke screens to take attention away from the truth, or full
truth as it is being presented. For most of us, the decision by the courts does
not play into our daily lives, nor does it affect us. Of course, one could
respond that one is cheaper than the other and then there could be an effect;
and I would agree.

If those who reply to this post were actually from Google Federal and Microsoft
Federal then some of the replies might carry some credence.

PJ Updates to Go even further out of her league
Authored by: Anonymous on Friday, April 15 2011 @ 11:07 AM EDT
OK, look, I tried to help explain this via email.

Quoting PJ...
So, my tax dollars at work. If it's Microsoft, and it has no
FISMA certification, it can get it later. If it's Google,
and it has FISMA certification and then makes the product
even *more* secure with new features, and has applied for
the new features to be FISMA certified too but haven't
gotten them rubber stamped yet but which are inevitably
going to be approved in that they are more secure than what
already got certification -- that's worth a Senate

PJ, did you read your own linked filing?
I suggest you re-read

Page 25. DOI explains how Google Apps is a set solution and
the government offering is not organizationally isolated.
DOI's data would be on the same network as LAPD or City of
Denver, or anyone else who wanted to go into the
environment. That's a problem.

Page 34. Despite Google's FISMA announcement, DOI remained
concerned because, even though the servers are in the United
States, they still host both Federal and non-Federal users
with widely divergent security standards.

Later on the same page... A close reading of the two-
sentence passage reveals that Google was not offering to
satisfy Googls requirements. The plain language of Google's
letter supports this: "[t]he service for DOI can be
isolated to a single domain run on a logically separate
network. Further Google can run service
for DOI in a dedicated cloud run for U.S. Government
customers only."

REMEMBER that FISMA has a solution level component where the
individual security needs of the data being stored or
managed on a system are used to determine which security
controls are necessary. What DOI is saying here is that
Google said they will put us in this joint data center with
the same services provided to other agencies. Our
standards are different than other agencies and our FISMA
requirements therefore have to be different and what Google
is saying is we can be in a shared data center with other
agencies where we still are not being met on our agency
level needs.

DOI says as much on the following page, page 35...
The second sentence also attempts to redefine DOI's needs
because it indicates that Google will provide email
messaging service on a cloud dedicated to U.S. Government
customers, i.e., Federal, State, and local governments in
the United States.

Page 37 we learn why an environment which does not yet have
FISMA certification is ok... BECAUSE it doesn't exist yet!
Each BPOS-Federal environment is a dedicated environment
which is implemented for each customer using processes and
procedures which are standardized and then have conditional
common security criteria applied to them within the
environment to apply additional controls.

Quoting DOI..
Pursuant to FISMA, an agency may certify and accredit the
security of an information
system after testing its controls to ensure they work

So they say "of course it doesn't have FISMA, we can't certify
what is not yet built for us. We have assessed that the
capability is there but we can't say it's FISMA compliant
until it's in place and we test it".

"Ita erat quando hic adveni."

The things I read!
Authored by: Ian Al on Friday, April 15 2011 @ 11:41 AM EDT
PJ wrote
I'll show you the document where I found that detail that explains it all. I don't know who is right, by the way, for sure in this dispute, although I think you'll be able to discern which direction the truth-o-meter seems to be pointing to, so at this point I'm just explaining what I found, so you can at least know what it's all been about.
As she has always done she brings us links and updates and tells us to make up our minds, but don't presume to know what the court will eventually decide.

As she has always done, she quotes from the linked material and tells us what it seems to say to her.

I am concerned that folk here are accusing her of selective reporting. Please remember that she does not do that. If you think that what she has found is misleading, find your own material and supply your own reading of what it demonstrates.

Please leave the rest of us to come to our own conclusions.

Ian Al
Now, this is not the end. It is not even the beginning to the end. But it is, perhaps, the end of the beginning. - Winston Churchill

It's the Same-Old Same-Old at DOI
Authored by: Anonymous on Friday, April 15 2011 @ 07:35 PM EDT

The Department of the Interior has been performing this sort of shenanigans since (at least) the 1970's. Back then, it was a mainframe procurement that was wired to go to some particular vendor, significantly independent of the ability of that vendor to satisfy the requirements of the RFP. When the dust settled, after several years of fighting in the courts, DOI was barred from acquiring any computer systems for some number of years, causing massive headaches at constituent agencies, as they had to survive on 1960's legacy mainframe systems into the 1980's.

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.