Google responds to Microsoft’s FISMA certification accusations

April 11, 2011, 9:32 PM UTC

Earlier this morning Microsoft accused Google of false advertising.  Google responds.

This morning, David Howard, Corporate Vice President & Deputy General Counsel at Microsoft (MSFT), took the opportunity to look at unsealed documents and point out something that, if true or genuine, would seem to be a pretty big deal.

Last Friday afternoon, I learned that a batch of court documents had been unsealed and had revealed one particularly striking development: the United States Department of Justice had rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for government customers, has been certified under the Federal Information Security Management Act (FISMA). Given the number of times that Google has touted this claim, this was no small development.

Ouch. Would Google lie about being FISMA certified when it got rejected? That seems like a stupid and risky move. But later on, some clarification came to light.

The Justice Department acknowledges that the General Services Administration (GSA) had certified a different Google offering, Google Apps Premier, for its own particular use under FISMA last July. As the DOJ’s brief explains, “However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government.” Lest there be any doubt about the situation, the brief adds, “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.”

It appears that Google’s (GOOG) general Apps product, the one for mom and pop businesses up to huge companies like Genentech, was FISMA approved for use by the General Services Administration in July 2010. The more restrictive version of Apps, for Government, is still going through the application process.

So a less secure version of Apps is certified and a newer, more secure version of Apps for Government isn’t. Interestingly, Microsoft’s own product, Business Productivity Online Standard, is not FISMA approved. It is notable that Microsoft has taken a strategy that exposes a weakness of its own.

David Mihalchik of Google Enterprise told me:

This case is about the Department of Interior limiting its proposal to one product that isn’t even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers.

Even so, we did not mislead the court or our customers.  Google Apps received a FISMA security authorization from the General Services Administration in July 2010.   Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements.  As planned we’re working with GSA to continuously update our documentation with these and other additional enhancements.

The Government version of Apps should indeed receive FISMA certification. The question is: why hasn’t the more secure version been approved? My understanding is red tape, but we’ll look to Google for more information on the matter.
