Today, the U.S. government agreed with Microsoft's accusation that Google had provided misleading information about whether or not its Google Apps for Government is certified under the Federal Information Security Management Act (FISMA).
According to Business Insider, a government agent agreed with Microsoft in front of the U.S. Senate, testifying that the product in question was currently going through the recertification process.
Update: A Google spokesperson got in touch to say that "The Business Insider story is totally wrong," and said they would provide further statement. We are still awaiting that statement.
Update #2: Google has posted on a blog on the the topic:
Microsoft claims we filed a separate FISMA application for Google Apps for Government, then leaps to the conclusion that Google Apps for Government is not FISMA certified. These allegations are false.
We take the federal government's security requirements seriously and have delivered on our promise to meet them. What's more, we've been open and transparent with the government, and it's irresponsible for Microsoft to suggest otherwise.
Google offers a full rebuttal on its blog.
Update #3: The U.S. General Services Administration offered the following statement:
"GSA certified the Google Apps Premier environment as FISMA compliant in July of 2010. Google Apps for Government uses the Google Apps Premier infrastructure, but adds additional controls in order to meet requirements requested by specific government agencies. The original FISMA certification remains intact while GSA works with Google to review the additional controls to update the existing July 2010 FISMA certification."
David McClure, an associate administrator with the U.S. General Services Administration, testified before a hearing led by U.S. Senator Tom Carper, in which Carper asked if McCure would "comment on these recent reports and discuss how OMB and GSA are addressing the concerns that are raised by them." His answer, as quoted in Business Insider (with their emphasis):
MCCLURE (GSA): Sure, I'd be glad to bring some clarity to it. In July 2010, GSA did a FISMA security accreditation for "Google Apps Premier." That's what the Google product was called, and it passed our FISMA accreditation process. We actually did that so other agencies could use the Google product. If we do one accreditation, it's leveraged across many agencies. Since that time, Google has introduced what they're calling "Google Apps for Government." It's a subset of Google Apps Premier, and as soon as we found out about that, as with all the other agencies, we have what you would normally do when a product changes, you have to re-certify it. So that's what we're doing right now, we're actually going through a re-certification based on those changes that Google has announced with the "Apps for Government" product offering.
Google does have FISMA certification for Google Apps Premiere, but not for the Apps for Government, although that claim does appear on its website.
When we wrote about this topic earlier this week, Google's David Mihalchik told us that "we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements."