If you were as puzzled as I was by the blog fight, as Geekwire calls it, between Google and Microsoft over whether or not Google was FISMA certified, then you will be glad to know I gathered up some of the documents from the case, Google et al v. USA, and they cause the mists to clear. I'll show you what I found, but here's the funny part -- it turns out it's Microsoft whose cloud services for government aren't FISMA certified. And yet, the Department of the Interior chose Microsoft for its email and messaging cloud solution, instead of Google's offering even though Google today explains that in actuality its offering is. It calls Microsoft's FUD
The case is being heard in the United States Court of Federal Claims. Google filed what is called a bid protest. The context is that the Department of the Interior wished to procure a cloud solution to unify and streamline its email and other messaging systems "while simultaneously reducing its risk of data security breaches".
That's the amazing part. If it wanted to reduce the risk of data security breaches, why would it choose Microsoft?
Google has accused Microsoft and the Department of the Interior of colluding to give Microsoft the contract, even though Google was walked through the paces of applying and strung along to believe it actually was being considered. The accusation is that it was all a pretense, that the decision to go with Microsoft was made long before anyone else made a bid and that the Department of the Interior folks carefully crafted its list of requirements so that no one but Microsoft *could* qualify.
What does that have to do with FISMA certification? Because, since it turns out Microsoft's offering was not FISMA certified when it was chosen, and still isn't, and Google says its competing email solution was, it's claiming the choice violates procurement policies. I'll show you the document where I found that detail that explains it all. I don't know who is right, by the way, for sure in this dispute, although I think you'll be able to discern which direction the truth-o-meter seems to be pointing to, so at this point I'm just explaining what I found, so you can at least know what it's all been about.
Here it is [PDF], the document, Google's Motion for Judgment On the Administrative Record, Reply to Defendant's and Defendant-Intervenor's Oppositions to Plaintiffs' Motion for Preliminary Injunction, and Response to Defendant-Intervenor's Motion to Dismiss. I know. It's quite a mouthful, and the case is complicated. We don't need to understand all the ins and outs to grasp the overview, and in fact, it would be hard to understand everything, in that the documents are highly redacted. The title just means that Google thought there was enough on the table that it should win the issue being argued and get the relief asked for, while it also responds to some filings from the other side. This was back in December. A preliminary injunction, in fact, issued in January, blocking the Microsoft deal while the matter is adjudicated in the courts.
But to understand the dispute, we have to go back to when the DOI began studying how to move its email system to the cloud. I'll let Google describe what happened, as it views events:
For the reasons described herein, the Court should grant Plaintiffs' Motion on the grounds that the Department of the Interior ("DOI") improperly
selected the Microsoft product on a sole-source basis to satisfy DOI's requirement for a unified, agency-wide messaging system.
The Def. Opp. selectively described the facts to make it appear that, after conducting exhaustive market research into various messaging products and computing cloud models, DOI reasonably determined that only the Microsoft Business Productivity Online Suite-Federal ("BPOS-Federal") could satisfy DOI's minimum needs. In reality, the Administrative Record ("AR") paints a very different picture. The AR shows that DOI chose a Microsoft solution - one that preceded Microsoft' s launch of BPOS-Federal by many months - more than a year ago without a sole-source justification pursuant to Federal Acquisition Regulation ("FAR") Subpart 6.3 and solely because DOI had established the Microsoft Office suite as a departmental standard in a standardization memo issued in September 2002. DOI then developed its requirements or "minimum needs" collaboratively with Microsoft in the ensuing months, leading to the June 2010 "proof of concept" project to migrate the Bureau of Indian Affairs ("BIA") to the Microsoft solution and, ultimately, to DOI's Request for Quotations ("RFQ") issued on August 30, 2010 for the purpose of completing the migration to DOI's other offices and bureaus. DOI's so-called extensive market research was tailored after the fact in 2010 to support the 2009 sole-source selection of a Microsoft solution. So that's what the fight is about, that DOI secretly chose Microsoft and then colluded with it "to create a paper trail to support the decision already made by DOI to procure the
Microsoft solution", so as to make it look like there was an open process where all bidders were given equal and fair consideration when in fact the reality was that the decision was already made. Then, to justify the choice, Google claims, DOI studied the market and then made a list of requirements that no one but Microsoft could meet. And did you notice that Google claimed that it has the only "computing cloud to have successfully undergone the rigorous certification and accreditation ... process for Federal Information Security Management Act ("FISMA") authorization"? This would mean, if demonstrated, that DOI chose a competing offering from Microsoft, its BPOS-Federal, instead of one that had been demonstrated to be secure enough to gain FISMA certification.
There is no dispute that DOI has had problems with its disjointed e-mail system, or that DOI needs a secure, unified messaging solution to replace the 13 systems currently owned and operated by the various DOI bureaus and offices. These problems and needs, however, do not trump the Competition in Contracting Act's ("CTCA") mandate for full and open competition, and DOI's post hoc justifications for the selection of Microsoft's solution do not stand up under close scrutiny. Google's messaging solution, Google Apps for Government, was given no
serious consideration by DOI, and DOI did nothing to assess the security of Google's cloud model even though Google Apps is the only computing cloud to have successfully undergone the rigorous certification and accreditation ("C&A") process for Federal Information Security Management Act ("FISMA") authorization.
There is more than one responsible source for a secure, unified messaging solution provided in a cloud computing environment and, thus, DOI has improperly circumvented
CICA's requirements for a competitive procurement....
DOI and Microsoft have been collaborating closely and extensively for more than a year to implement DOI's improper sole-source procurement of a unified messaging solution, all the while as DOI was falsely assuring Google that a messaging solution had not been chosen and that a full and open competition would be conducted....
The fact that DOI standardized to the Microsoft Office suite in 2002, or to Microsoft Outlook in 2006, does not dictate a "once Microsoft, forever Microsoft" result.
While Microsoft's products likely were the industry standard in 2002, technological advancements in the computing industry have exploded and new, capable competitors have entered the market since then. ...In sum, DOI's decision in September 2009 that only the Microsoft messaging solution would satisfy DOI's need for a unified secure e-mail system was clearly contrary to law. The
Court could - and we believe should - end its inquiry here.
Later, it is made explicit, when on page 34, at the very bottom of the page, Google states, "Microsoft's solution is not
FISMA-certified" and while DOI justified its choice by claiming it needed its own "private cloud", Google claims that Microsoft's offering runs in part on public servers anyhow and that DOI has confused what kind of cloud it actually says it wanted with what it got:
If DOI had defined a need for an infrastructure that was solely dedicated to DOI, it would
be requiring a "private cloud." Although the BPOS-Federal solution might be available for purchase in a "private cloud," DOI' s requirement was not so limited. Since DOI allows the infrastructure (owned and managed by Microsoft) to be shared among any Federal government customers, it is procuring a "community cloud." By comparison, Google Apps for Government shares its infrastructure among Federal, state and local government customers of Google, a limited community with common security and privacy concerns. Thus, Google Apps for Government is also a "community cloud."
So Google's position is that DOI's choice is irrational:
Defendant's and Defendant-Intervenor's attempts to mischaracterize the cloud model being procured by DOI and to then compare public and private clouds to support the pre-selection of the Microsoft product are misleading and irrelevant. The record shows that DOI never considered whether Google's community cloud product would satisfy DOI's essential needs.
Thus, DOI's alleged "extensive" market research avoided any analysis of Google's government cloud, its features, or its FISMA-certified
security controls. Consequently, DOI' s market research failed to examine all relevant data and it failed to articulate "a satisfactory explanation for its action including a rational connection
betweèn the facts found and the choice made." Redland Genstar, Inc. y. United States, supra, 39 Fed.Cl. at 231 (holding that agency' s restrictive specification was invalid because, inter alia, the reports and analyses relied upon by the agency did not support the choice made by the agency).
"On February 24, 2010, Microsoft publicly announced its plans to launch BPOS-Federal," Google writes, with the hint in the air that it was being strung along while Microsoft developed precisely what DOI wanted. The date is surprising in that Google claims that DOI made its decision to go with Microsoft in 2009, which would be before Microsoft even had a solution to offer. "Microsoft's press release stated that BPOS-Federal 'is launching today for U.S. federal government agencies, related government contractors and others that require the highest levels of security features and protocols.'"
But because DOI had not yet announced the winning bidder, what happened next kind of threw a monkey wrench into the plan. Google, on July 26, 2010, "publicly announced that its Google Apps had received
FISMA certification and that Google Apps for Government had been launched."
As you know, then the DOJ filed a document saying that it "appears" that Google was not FISMA-certified after all. Microsoft then pounced on that, the very day the document was filed, I gather. Heh heh. And it essentially called Google out for misrepresentations.
Google now has responded with a blog post,
The Truth about Google Apps and FISMA:
In a breathless blog post, Microsoft recently suggested we intentionally misled the U.S. government over our compliance with the Federal Information Security Management Act (FISMA). Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false.
In short, the bottom line is that it's actually Microsoft that is not FISMA certified. And yet, the Department of the Interior chose them over an offering that is? How would that be rational, if the goal is to reduce security breaches? And that, precisely, is Google's question.
We take the federal government’s security requirements seriously and have delivered on our promise to meet them. What’s more, we’ve been open and transparent with the government, and it’s irresponsible for Microsoft to suggest otherwise.
Let’s look at the facts. We received FISMA authorization for Google Apps from the General Services Administration (GSA) in July 2010. Google Apps for Government is the same technology platform as Google Apps Premier Edition, not a separate system. It includes two added security enhancements exclusively for government customers: data location and segregation of government data. In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification. In other words, Google Apps for Government would not require a separate application.
This was reflected in yesterday’s Congressional testimony from the GSA: “...we're actually going through a re-certification based on those changes that Google has announced with the ‘Apps for Government’ product offering.”
FISMA anticipates that systems will change over time and provides for regular reauthorization—or re-certification—of systems. We regularly inform GSA of changes to our system and update our security documentation accordingly. The system remains authorized while the changes are evaluated by the GSA. We submitted updates earlier this year that included, among other changes, a description of the Google Apps for Government enhancements.
We’ve been very transparent about our FISMA authorization. Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers’ data secure.
We’ll continue to update our documentation to reflect new capabilities in Google Apps. This continuous innovation is an important reason government customers select our service. We’re confident that Microsoft will also re-authorize their applications on a regular basis, once they receive FISMA authorization. We look forward to continuing to work with governments around the world to bring them the many benefits of cloud computing.
Posted by Eran Feigenbaum, Director of Security, Google Enterprise
Remembering what happened in Switzerland, where the appeals court recently ruled that the government can choose Microsoft products without public bidding, in essence, I can't help but wonder if this Google claim is just the tip of the iceberg. Anyway, I thought you would like to understand what this fight is all about. Here's [PDF] Softchoice, a Microsoft reseller, telling why Google is all wet. Here are some more documents, so you can dig deeper is you'd like to:
Matt Rosoff at Business Insider has now written a strong piece, titled "Dear Microsoft: You Owe Google an Apology":
Microsoft called Google a liar. Turns out, Microsoft is wrong. Good for Business Insider. I commend them. So, here's my question. How did a US Senator immediately get inspired to arrange an investigation of Google? Instantly? And who inspired the DOJ? That's where everyone should be looking. And what about Google's allegations about Microsoft. Any US Senators planning on looking into that?
Google Apps for Government was, always has been, and still is certified under a government security spec called FISMA....Microsoft's competing product, BPOS-Federal, is not FISMA-certified.
Here's what the GSA statement now says about Google and FISMA certification:
GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification.
So it was indeed Google who told the truth. How about Microsoft?
So, while I commend Business Insider for correcting the record, one hopes that Business Insider and every other media entity that ran with this anti-Google libel will now put an update on all those stories they wrote about Google lying blah blah.
And we need to be on our guard. Look at the power and influence used in this situation to make Google look bad. And it wasn't even true. When you get a whiff of a coordinated smear campaign, it is prudent to be on guard and look for such factors in the future.
Guys, don't you realize by now that Microsoft is Microsoft? You don't remember Get the Facts? All those "independent" studies that found Microsoft products to be the best thing since someone invented the wheel? Forewarned is forearmed.
Sometimes standard journalists criticize Groklaw, because we are a new kind of journalism. We're not the New York Times, true, or the Washington Post (not that we were trying to be), but we knew enough not to repeat this accusation but rather to wait and check and find out if it was true or not before writing about it. All things considered, might that be why so many readers trust Groklaw?
Update 2: Google Gets Government Agency Backing for FISMA Claim, on Redmond Magazine, also notes the GSA statement.
And I did some digging.
Here are some earlier articles about FISMA certification, which might help us hone in even more on who is telling the truth:
Also, I read Defendant's Opposition to Plaintiffs' Motion for a Preliminary Injunction, and they acknowledge that Google's offering was FISMA certified and Microsoft's was not, but they argue that DOI is allowed to choose a product and have it FISMA-certified later:
Google Launches Cloud Apps for Government,
July 26, 2010,
Google is taking what it sees as a major step forward in its efforts to drive cloud computing in the government, releasing on Monday a version of its hosted suite of applications that meets the primary federal IT security certification.
Google (NASDAQ: GOOG) touts the new edition of Google Apps, nearly a year in the making, as the first portfolio of cloud applications to have received certification under the Federal Information Security Management Act (FISMA).
"We see the FISMA certification in the federal government environment as really the green light for federal agencies to move forward with the adoption of cloud computing for Google Apps," Google Business Development Executive David Mihalchik said this morning in a meeting with reporters.
Microsoft offers BPOS with extra security for the feds, Feb 24, 2010, Seattle PI:
BPOS, which competes with services such as LotusLive Notes and Google Apps, already is in compliance with a bunch of security standards defined by cryptic acronyms and numbers: ISO 27001, SAS 70 Type I and Type II, HIPPA, FERPA, 21 CFR Part 11, FIPS 140-2 and TIC. (I just felt like writing that stuff.)
Within the next six months, Microsoft will add Federal Information Security Management Act (FISMA) compliance to BPOS Federal. That’s when federal government agencies might get serious about the service.
The federal cloud: Another Microsoft vs. Google battleground,
Mary Jo Foley:
On July 26, Google announced the launch of a government-focused version of Google Apps — known as Google Apps for Government. Microsoft announced in February 2010 a government-focused version of its Business Productivity Online Suite (BPOS). That collection of Microsoft-hosted business apps, known as BPOS Federal (BPOS-F), runs on a “separate, dedicated infrastructure in secured facilities,” not in the existing datacenters where Microsoft currently hosts BPOS.
By August 2010, BPOS-F is slated to meet a wide range of standards and certifications, including: International Organization for Standardization (ISO) 27001, Statement on Auditing Standards (SAS) 70 Type I and Type II, Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA) Title 21 CFR Part 11 of the Code of Federal Regulations, Federal Information Processing Standard (FIPS) 140-2, and Trusted Internet Connections (TIC) compliance certification.
Missing from the BPOS-F check list, however, is FISMA, the Federal Information Security Management Act (FISMA). FISMA specifies a “comprehensive framework to protect government information, operations and assets against natural or manmade threats.” Google Apps for Government “is the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government,” according to a Google blog post yesterday.
FISMA certification and accreditation is confirmed by the General Services Administration — which just so happens to be deciding upon a new e-mail system. The GSA has been evaluating both Microsoft’s and Google’s cloud-hosted options, according to a recent Wall Street Journal story. FISMA certification is required for that project, which covers 15,000 user e-mail accounts.
Microsoft isn’t providing an exact date as to when it will offer FISMA certification for BPOS-F, but says it should be “very soon.”
The full statement from a Microsoft spokesperson:
“Our messaging and collaboration BPOS offering already meets the most rigorous standards of any cloud service in market today. We have been working closely with the GSA and expect to receive official FISMA authorization very soon. We take our responsibility seriously to deliver powerful and easy-to-use applications that meet the government’s rigorous security and privacy needs, and we are humbled by the fact that nearly every Federal agency and arm of DoD trusts Microsoft Office, Exchange and SharePoint today.”
Cloud Computing: Google Apps Leads Microsoft in Federal Cloud Race: 10 Reasons Why It Matters,
Clint Boulton, Aug. 8, 2010:
Google has scored something of a coup versus Microsoft in its quest for credibility for its Google Apps collaboration software suite, which the company delivers over the cloud to end users. The company July 26 launched Google Apps for Government, a flavor of Google Apps that recently gained FISMA (Federal Information Security Management Act) certification. Awarded to Google from the U.S. government's General Services Administration, FISMA calls for all information systems used by U.S. federal government agencies to have solid security. Microsoft does not have FISMA certification yet for its rival cloud computing suite, but it’s working to get it.
- Google Calls Microsoft's FISMA Allegations False,
Thomas Claburn, InformationWeek:
As Feigenbaum explained, Google received FISMA certification for Google Apps Premiere Edition (later renamed Google Apps for Business) from the General Services Administration last July. That same month, the company introduced Google Apps for Government. The two versions of Google Apps are the same system, except that Google Apps for Government stores data in a location suitable to federal rules and segregates it from other data for the same reason.
The GSA, according to Feigenbaum, told Google that the name change and additional features could be covered under the company's existing FISMA certification. And because FISMA rules anticipate systems will change over time, re-authorization efforts don't void previous certifications.
So Google Apps for Government is awaiting a FISMA certification update, but that doesn't mean is not certified, assuming Google's representations about its discussions with the GSA are accurate.
BPOS: Microsoft Business Productivity Online Standard Suite:
Microsoft Online Services, including Business Productivity Online Standard Suite, uses multiple layers of security controls and multiple technologies for depth and breadth security. Currently Microsoft now meets a wide variety of industry standards and certifications, including but not limited to:
• International Organization for Standardization (ISO) 27001
• Statement on Auditing Standards (SAS) 70 Type I (BPOS-S) or Type II (BPOS –D and GFS)
• Enable Health Insurance Portability and Accountability Act (HIPAA)
• Enable Family Educational Rights and Privacy Act (FERPA)
• Title 21 CFR Part 11 of the Code of Federal Regulations
In addition, the Microsoft cloud infrastructure (GFS) has received Federal Information Security Management Act (FISMA) Authorization to Operate (ATO). The ATO covers Microsoft cloud infrastructure and certifies that it provides a trustworthy foundation for Microsoft cloud services. (Note that this is not at the application layer of the BPOS services.)
Microsoft Fights Google for Government Dollars:
In a press release, Microsoft crowed that Portland Public Schools and University of Albany -- SUNY had chosen Microsoft over Google Apps. It also said that Winston-Salem, North Carolina, is migrating its 600 Google Apps business users and 2,150 Novell GroupWise users onto Microsoft's Business Process Online Suite.
BPOS is Microsoft's hosted services offering that includes Exchange, Sharepoint and Office Live Meeting.
Microsoft also said it was close to getting FISMA certification for its BPOS services. It has already achieved the certification for its data centers and expects to complete the process for the applications within a month or so, Kulcon said.
The Federal Information Security Management Act (FISMA) is a stringent security standard that some federal agencies are required to comply with. Google Apps is already FISMA certified.
Plaintiffs accuse DOI of "excus[ing] or ignor[ing] the inadequacies of the Microsoft product" by permitting Microsoft and the awardee to "obtain a FISMA certification after contract award." Pl. Memo. 35. As noted above, plaintiffs' accusation reflects an obvious misunderstanding of BPOS-Federal.
Update 3, September 1, 2011: Judge Susan Braden has now stated: “There is a justifiable basis for me to find” violations of procurement laws. Bloomberg reports she said
she had written a 41-page opinion and "will issue it next week after deciding whether to require the agency to hire an independent expert. That expert would evaluate whether Google’s products meet the agency’s security needs, she said.
'The public interest would be well-served by doing that,' she said."
Pursuant to FISMA, an agency may certify and accredit the security of an information system after testing its controls to ensure they work properly. In soliciting a private external cloud, DOI is requesting offerors to propose implementation of its pre-existing technology to meet DOI's specific needs. Accordingly, it follows that such a cloud cannot possibly obtain certification or accreditation because it has not yet been implemented to meet DOI's needs or actually tested. Thus, the lack of FISMA certification for DOI's personalized cloud is not a sign of lax security, as plaintiffs suggest; rather, it is a necessary step in acquiring a dedicated cloud.