Google, Microsoft and the Feds: The Plot Thickens

In the competitive federal information technology market, Google thought it was a good idea to challenge the U.S. Interior Department on a potentially rich procurement for hosted messaging services. Google claimed that Interior failed to observe government contracting policies by focusing on Microsoft offerings to the exclusion of Google’s products.

At first, Google’s move looked smart, as a federal court admonished the Interior Department for faulty practices.

Now, it looks as though Google’s plan may fall into the “be careful what you wish for” realm.

Using documents that just surfaced from the court case, Microsoft unloaded on Google, essentially claiming that it lied about the security capabilities of its cloud-oriented Apps for Government. In a blogging duel, Google retorted that Microsoft’s comments were hogwash.

Aside from being a great spectator sport for geeks, the rift between the two technology giants could make the atmosphere for federal use of cloud technologies considerably more, well, cloudy. Under the gun to migrate quickly to cloud platforms, already reticent federal contract officers may use the claim and counterclaim tactics of big vendors to slow down — or even pass up — cloud adoptions.

Technical Capability and Spin

“The marketing spin can become excessive. Some agency people can sift through this stuff, but for others it’s a challenge,” Shawn McCarthy, an analyst with IDC Government Insights, told the E-Commerce Times.

The tiff between Google and Microsoft is about whether Google’s Apps for Government has met certification standards of the Federal Information Security Management Act (FISMA). Google claims its cloud-based product is currently the only government-oriented offering with a FISMA certification. That capability is important, as it can facilitate cloud adoption by reducing the burden on federal agencies to implement a FISMA certification protocol each time they want to incorporate any vendor’s cloud platform.

The significance of FISMA certification has been acknowledged by David Howard, corporate vice president and deputy general counsel at Microsoft.

“I’ll be the first to grant that FISMA certification amounts to something,” he said in a blog post earlier this month. “The Act creates a process for federal agencies to accredit and certify the security of information management systems like e-mail, so FISMA-certification suggests that a particular solution has proven that it has met an adequate level of security for a specific need.”

Until last week, Google had been humming along, asserting its FISMA capability for the Apps for Government product at almost every opportunity. Then something happened.

At this point, a brief review of the saga is in order.

The Interior Department began a review of its internal messaging capability in 2006 — or even earlier. During that long process, Interior examined its security requirements and discussed them with consultants and vendors, including Microsoft and Google. On July 15, 2010, Interior concluded that a hosted environment utilizing Microsoft’s BPOS-Federal offering best met its requirements. Interior initiated a procurement effort to seek vendors with Microsoft platform capabilities.

On July 22, just a week after Interior decided to pursue a Microsoft solution, Google publicly launched its Apps for Government product, asserting that the offering was FISMA-certified, a feature that Microsoft lacked in terms of the Interior project. Interior gave Google another look, but in August 2010, it determined that Microsoft still had the edge in meeting the department’s risk and security criteria.

In October 2010, Google filed a pre-award protest with the U.S. Court of Federal Claims, asserting that Interior’s contracting procedure was flawed. In January 2011, the court issued a temporary injunction against Interior and admonished the agency to review its procedures before making an award to Microsoft or anybody else.

So Google prevailed in a preliminary round of the legal skirmish.

Court Documents Spur Dispute

However, a week or so ago, when it became known that some documents had been unsealed by the court, it turned out that that Google’s claims of FISMA certification were questionable. The documents revealed that the U.S. Justice Department, acting on behalf of Interior, determined in December 2010 that “Google does not have FISMA certification for Google Apps for Government.” Justice cited General Services Administration (GSA) sources.

Microsoft pounced.

“As a result of the lawsuit, it looks like we finally are beginning to get some answers,” Microsoft’s Howard blogged. “It’s time for Google to stop telling governments something that is not true.”

Google, not surprisingly, fired back. “These allegations are false,” said Director of Security Eran Feigenbaum in an April 13 post.

Google said GSA provided FISMA certification for Google’s Apps Premier offering. Google then characterized its Apps for Government product as a derivative of Apps Premier, and claimed that the FISMA certification was valid for both offerings.

Apps for Government uses the same platform as Premier, but it includes two security enhancements exclusively for government customers: data location and segregation of government data, Google said.

“In consulting with GSA last year, it was determined that the name change and enhancements could be incorporated into our existing FISMA certification,” Feigenbaum said.

Well, maybe — but if the blanket certification covers both offerings, it raises the question of why Google is working with GSA to “recertify” its offering to definitively include Apps for Government.

That issue surfaced at Senate hearing on federal information technology last week. Sen. Thomas Carper, D-Del., asked David McClure, an associate administrator at GSA, about the conflict.

“In July 2010, GSA did a FISMA security accreditation for Google Apps Premier. That’s what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product,” McClure said.

“If we do one accreditation, it’s leveraged across many agencies. Since that time, Google has introduced what they’re calling Apps for Government. It’s a subset of Google Apps Premier, and as soon as we found out about that, as with all other agencies, we have what you would normally do when a product changes, you have to recertify it. So that’s what we’re doing right now, we’re actually going through a recertification based on those changes that Google has announced with the Apps for Government offering,” McClure explained.

Carper said his staff may seek additional information “to get to the bottom of this.”

Microsoft claims the recertification reinforces its point that Apps for Government was never properly FISMA-certified. Google says the recertification is just part of a continuing process to maintain the validity of its products as they evolve.

Neither Microsoft nor Google responded directly to questions from the E-Commerce Times on the dispute, but instead cited their respective blogs.

However, Microsoft provided a statement through spokesperson Kim Kuresman about the FISMA status of its product.

“Microsoft BPOS-Federal was released in 2010, and is currently going through FISMA certification with the U.S. Department of Agriculture (USDA). Microsoft has a temporary FISMA authority to operate from USDA, and final FISMA certification is coming soon,” the company said.

For its part, the Interior Department is staying out of the fray. “This is ongoing litigation on which we do not comment,” department spokesperson Frank Quimby told the E-Commerce Times.

At some point, both companies are likely to gain the definitive FISMA credentials — but it is the fog of war that disturbs observers such as IDC’s McCarthy.

“Government agency people should be focusing on their core missions,” he said. Distractions associated with vendor disputes are clearly not helpful.

“All the black eyes and hoopla surrounding this and other recent cloud solutions show just how competitive this space has become,” McCarthy observed. “Cloud computing for government is becoming a very stormy place. It’s important that agencies sort through all the marketing noise and ambiguous claims when making their purchasing decisions.”