While state and federal agencies enforce consumer protections, the agencies themselves have a responsibility to protect their own data.  Fulfilling this responsibility helps protect consumer privacy and it is fiscally responsible: it is better to invest in secure systems now than to pay to plug holes and undo damage caused by security breaches later.


The Federal Information Security Management Act (FISMA) codifies this commonsense approach to IT security and requires federal agencies to implement IT security technologies and practices developed by the National Institute of Standards and Technology (NIST).  In other words, when it comes to IT security, FISMA helps ensure that federal agencies—and taxpayers—get what they need and what they’re paying for.


In recent months, Google has been marketing Google Apps for Government to agencies with the declaration that its product is FISMA certified (see, for example, this page and this page).  The company even filed a lawsuit over a U.S. Department of Interior contract, claiming that its FISMA-certified offering had not been allowed to compete.


However, last week, an unsealed case document—a filing from the U.S. Department of Justice—revealed that Google Apps for Government was in fact not FISMA-certified, stating:


On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO, and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.


It appears, therefore, that Google was misrepresenting the security of its product to the public and to its government customers.


On April 12, Senator Tom Carper (D-DE), Chairman of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, asked General Services Administration (GSA) Associate Administrator David McClure to shine light on this matter. McClure then acknowledged that a different Google product had been FISMA certified, but not Google Apps for Government. (See here for coverage.)


In many commercial sectors, industry self-regulation plays an effective and efficient role.  Government IT security—including security of highly sensitive information held by the U.S. Departments of Defense, Homeland Security, and Justice—is another matter altogether.  FISMA does not allow self-certification—and Google surely knows this.


Google’s apparent (and repeated) misrepresentations to government agencies about FISMA certification are troubling, at the very least.  In general, contractor deception undermines agencies’ ability to procure the best product for the best value for taxpayers.  Google filed suit against the U.S. government for unfairly restricting contracting—but now it appears that Google has unfairly won government contracts based on misleading information.


For consumers, this matter has larger implications as well.  Google essentially asks millions of consumers to trust the company with private information—about their email, their web searches and surfing, their purchasing and reading habits, and so on.  In the online marketplace, consumers in fact often provide Google with information without directly choosing to do so—just by visiting websites that use Google Analytics, sending email to Gmail addresses, and viewing online ads served by Google.


In many areas of the Internet, Google’s market dominance has also limited alternatives for consumers. Google is the dominant provider of online videos, maps, search, and search advertising.  If Google is the only choice, it has less marketplace incentive to protect consumer privacy and security.  And if Google is misleading government agencies on security, why should consumers expect to be treated any better?