Wednesday, April 13, 2011

Google's FISMA certification: A technicality, misunderstanding or outright lie?


Google has suddenly found itself in hot water, exposed - by Microsoft, no less - for being a “liar, liar” when it comes to the security certification it has been touting for its Google Apps for Government offering.
After all, the revelation that Google’s product, in fact, was not certified to be compliant under the Federal Information Security Management Act (FISMA) is pretty major. In part, that’s because it’s the Apps suite that was tailor-made for government agencies and security - extra security, actually - was one of its biggest selling points.
Now, before anyone gets into some panic over government data no longer being secure, there’s little concern that Apps for Government isn’t secure or that it won’t eventually get its FISMA certification. Apps for Government, as Google explains it, is a more secure subset of Google Apps Premier, a product that obtained FISMA certification well before Government was announced last summer. With that rationale, it’s no wonder that Google thought it was OK to go around and start touting Apps for Government as being FISMA-certified.
Unfortunately, the truth got in the way.
Google might have been naive about the way the government’s FISMA certification process works and just assumed that since Premier was already certified, then Government must be certified, as well. But as we now know - thanks to Microsoft’s discovery of a court document that tells otherwise - that’s not how the certification process works.
Google says it has not applied for FISMA certification for Apps for Government, but instead is “updating the existing authorization.” At a hearing in Washington earlier today, an official with the General Services Administration said that a product has to be re-certified if it changes - and, in essence, Government is an altered version of Premier. That official said Google’s products are going through a re-certification based on the changes, according to a report on the Business Insider blog.
Google can spin this any way it wants but, at the end of the day, it has been deceptive in marketing Google Apps for Government as being FISMA-certified. Ignorance of the process is no excuse.
Simply said, Google - a company that has spent millions of dollars and countless hours developing this suite of applications specifically for government agencies - shouldn’t be making assumptions about something as significant as FISMA certification, especially when that’s one of the biggest selling points over the competition. (Microsoft is currently awaiting FISMA certification for its cloud apps offering, as well.) The only thing Google had to do was ask. Plain and simple.
Instead, Google has done itself a world of harm by making assumptions about government process. It’s not only created a feeling of uncertainty around the security of its product but also created a perception of itself as a company that flirts with the truth for the sake of scoring a government contract. Does it really need to give its critics even more reason to argue that its motives are evil?
Sure, when all is said and done, Google will likely be granted FISMA certification for Apps for Government - but the damage will have already been done. Google says its product is FISMA-certified - but how do we really know? Google needs government agencies to take them at their word - but, for the moment, there’s not much value behind that word.
Maybe we’re splitting hairs here. Maybe this was just a technicality. Maybe it was all a misunderstanding. But as long as Google continues to stick by that lame argument about a certification for Premier also applying to Government, the company won’t be able to shake the “Liar, Liar” image that it now has.
And the longer it waits to take its lumps, the harder it will be to shake that image.