Google on Tuesday unveiled Google Apps for Government. It also announced that Google Apps has received federal information security (FISMA) certification.
“With Google Apps for Government, we’ve gone beyond FISMA certification,” Google spokesperson Andrew Kovacs told TechNewsWorld.
Meanwhile, Google will next week face a review of a major government project — moving the City of Los Angeles’ employees over to Gmail from their current system. That effort has apparently run into trouble.
About Google Apps for Government
Gmail, Google Calendar, Google Docs, Google Sites and Video are the apps Google currently offers for government use.
Google charges US$50 per user per year for the apps.
Data for Gmail and Google Calendar produced in Google Apps for Government is stored in a segregated system that’s reserved exclusively for government agencies. That system is located exclusively in the United States, according to Kripa Krishnan, a Google technical manager.
Google obtained FISMA certification July 22, its spokesperson, Kovacs, said.
The FISMA Fizz
FISMA, the Federal Information Security Management Act of 2002, requires each federal agency to develop, document and implement an agency-wide program to provide security for the data and the information systems that support its operations and assets. Such systems include those provided or managed by another agency, contractor or other source.
The Act requires agency program officials, chief information officers, and inspectors general to review agencies’ information security annually and report the results to the Office of Management and Budget.
FISMA requires the National Institute of Standards and Technology (NIST) to develop standards, guidelines and associated methods and techniques for providing adequate information security. These will apply to all agency operations and assets but exclude national security systems.
“FISMA-moderate certification is what most federal email systems are certified at today, and is an appropriate level of certification for systems that handle sensitive but unclassified (SBU) data,” Kovacs pointed out. “The vast majority of data created and transmitted by federal employees is at the SBU level or below.”
What Is FISMA Anyhow?
“FISMA is a federal law, and it calls for a lot of things,” Matthew Scholl, a group manager at NIST’s computer security division, told TechNewsWorld.
That being the case, it’s not clear just what FISMA certification for an app means.
“The phrase ‘FISMA compliant’ is often used in ways that it’s not really intended to mean,” Scholl pointed out. “Perhaps it means in this case that a government agency has approved an application for use within its systems and, because FISMA requires a federal agency to have an information security program, the application is claimed to be FISMA compliant. Unless I know which government agency did this, and the context in which the claim is being made, it’s difficult to evaluate it,” he said.
“FISMA is a process review and not an in-depth audit,” Rob Enderle, principal analyst at the Enderle Group, pointed out. “It may be a requirement for certain kinds of work, but it is minimal and likely not strong enough on its own for most government agencies.”
What happens if data in Google Apps for Government is accidentally disclosed on the public Internet?
For example, in January, Google reportedly had to apologize after mistakenly emailing potentially sensitive business data from Local Business Center to third parties. This affected several thousand businesses registered with the center.
“Google has had many privacy problems, and Eric Schmidt has said in an interview that, if you want privacy, then Google is not for you,” Randy Abrams, director of technical education at ESET, told TechNewsWorld.
“Whether or not Google can offer secure enough apps isn’t the question,” Abrams pointed out. “Google certainly will not offer secure enough apps because advertising, not privacy or security, is its business.”
The LA Caper
Fears about security have, in fact, slowed down one of Google’s showcase government projects — the moving of 30,000 Los Angeles city employees off their Novell GroupWise email system and onto Google Apps.
Trouble began when the Los Angeles Police Department reportedly stated it had concerns about the data encryption of Google Apps and the segregation of city data from other data maintained by Google. The LAPD also had concerns about whether Google employees with access to police department information had been given background checks.
Further, LAPD employees who had been using Google Apps on a trial basis had reportedly suffered delays in receiving their email, which was unacceptable to the department.
“It’s not surprising that such a large government initiative would hit a few speed bumps along the way, and we’re working closely with CSC and the city to meet their evolving requirements in a timely manner,” Google’s Kovacs said. CSC, or Computer Sciences Corp., is Google’s partner in the Los Angeles project.
“We’re working with CSC and Los Angeles to address requirements that were not included in the original contract,” Kovacs said.
The LAPD did not respond to requests for comment by press time.