Monday, April 11, 2011

Dueling fanbois for Google, Microsoft, and FISMA (with a detour into my biometric world)

This post isn't about Microsoft or Google, but about their fanbois.

First, the latest salvo - David Howard, Microsoft's Corporate Vice President & Deputy General Counsel, wrote this post earlier today regarding a contested U.S. Department of the Interior bid between Microsoft and Google. Microsoft was awarded the contract, and Google sued (something that happens on occasion when someone loses a procurement). Google alleged that the procurement specifications were designed to favor Microsoft. But today, Microsoft raised another issue.

Google filed a motion for a preliminary injunction telling the court three times in a single document (see pages 18, 29, & 37), that Google Apps for Government is certified under FISMA.

Google has repeated this statement in many other places as well. Indeed, for several months and as recently as this morning, Google’s website states, “Google Apps for Government – now with FISMA certification.” And as if that’s not sufficient, Google goes farther on another webpage and states "Google Apps for Government is certified and accredited under the Federal Information Security Management Act (FISMA)."

After explaining what FISMA is, Howard made his announcement:

There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) “On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.”...

The Justice Department acknowledges that the General Services Administration (GSA) had certified a different Google offering, Google Apps Premier, for its own particular use under FISMA last July. As the DOJ’s brief explains, “However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government.” Lest there be any doubt about the situation, the brief adds, “To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government.”

In essence, Google was - and is - making claims in procurements, press releases, and web pages that are not true.

But now it's time for the fanboi spin - and there are a lot of fanbois on both sides, as the comments to the post show. Here's an example of a Microsoft fanboi:

"I hope the very worst for Microsoft" -- Really? They employ over 88,000 people, and so really? Is it ok if one company allows untruths to propagate in order to gain a sale? In 25 years of dealing with them I've NEVER known MS to lie to us and I trust them with our data compared with some others. Anyone worth their weight in salt who has worked in the IT field for a few years would likely agree that Microsoft is pretty serious about security. Sure there are bugs that pop up which could have some serious ramifications if left unaddressed, but they generally provide a workaround, patch them quickly and give a reasonable disclosure about it. Understand that my intention is not to knock the competition, but in cases like this where it appears a competitor is gaining an unfair advantage by not making an issue clear (FISMA issue), then MS (or anyone else for that matter) has every right to say something.

However, there are also Google fanbois. A couple of examples:

There's only one thing you need to remember about Microsoft: it's a trap. They routinely fund front companies to cause legal troubles for competitors and structure their entire business model around trapping their customers.

Plus, their products and services are generally just buggy and insecure.

Here comes another one:

I'm on Google's side, even with a few million lies, I'd still trust them over anything MS says or does. I hope the very worst for Microsoft.

Incidentally, Seth Weintraub has published Google's response, courtesy David Mihalchik:

This case is about the Department of Interior limiting its proposal to one product that isn't even FISMA certified, so this question is unrelated to our request that DOI allow for a true competition when selecting its technology providers.

Even so, we did not mislead the court or our customers. Google Apps received a FISMA security authorization from the General Services Administration in July 2010. Google Apps for Government is the same system with enhanced security controls that go beyond FISMA requirements. As planned we're working with GSA to continuously update our documentation with these and other additional enhancements.

In essence, Google is saying that the same product was certified, and that this is just a nit-picky issue.

However, I've been involved in proposals and certifications long enough to know that governments can get very nit-picky.

For example, my industry is governed by a "certified products list" maintained by the FBI. These are products that are certified to work with the FBI's (old) IAFIS fingerprint system. There is a company called Biometrics4All (run by a former Motorola co-worker) that, among other things, implements "live-scan" systems that can work with the FBI's IAFIS system. Biometrics4All has had to get five separate live-scan certifications over the past few years. One certification won't do - if you change a component here or there, you have to get the whole thing recertified. Here are the descriptions of some of Biometrics4All's certified products:

LiveScan 200 (LS200) livescan fingerprint system, incorporating either the Smiths Heimann Biometrics Lite-Xe device (Appendix F), 5/05, or the Identix TP-3000 device, or the Identix TP-3100 device, or the Identix TP-3500 device, or the Identix TP-4100 device, or the Cross Match Guardian device, or the Cross Match ID-500 device, or the Cross Match ID-1000 device, each operating at 500 ppi without membrane, (Appendix F)

LiveScan 300 (LS300) livescan fingerprint system, incorporating the Identix TP-3800 device operating at 500 ppi without membrane, (Appendix F)

LiveScan 500 (LS500) High Definition Law Enforcement, incorporating the Smiths Heimann Biometrics LScan-1000P fingerprint/palmprint livescan device at 1000ppi (without membrane), (Appendix F)

LiveScan 200, incorporating the Cross Match Technologies LSCAN 1000T Green fingerprint livescan device at 500 and 1000ppi, with and without membrane, (Appendix F)

LiveScan 300 (LS300) Law Enforcement, incorporating the Smiths Heimann Biometrics Lite-Ue fingerprint/palmprint livescan device at 500 ppi (no membrane), (Appendix F)

I'd be willing to bet that all five of these devices use the same software, but just have different models of capture scanners from two different companies (Smiths Heimann and Cross Match are pretty much the same company). But the FBI required Biometrics4All to get a new certification every time. Oh...and Biometrics4All must also get all of its products certified at the STATE level, too.

So Google's claim that the FISMA certification for Google Apps Premier effectively serves as a FISMA certification for Google Apps for Government is an extremely weak claim.

If I'm wrong, my friend and former co-worker Edward at Biometrics4All could have saved a lot of money when he was getting his products certified.
