GOOGLE, INC. et al v. USA
Filing
71
ORDER granting 69 70 Motion for Enlargement of Time. Reply Briefs and Witness Statement due by 4/22/2011. Signed by Judge Susan G. Braden. (rr2)
In the United States Court of Federal Claims
No. 10-743C
Filed: April 15, 2011
*******************************************
*
*
GOOGLE, INC., et al,
*
*
Plaintiff,
*
*
v.
*
*
THE UNITED STATES,
*
*
Defendant,
*
*
and
*
*
SOFTCHOICE CORPORATION,
*
*
Defendant-Intervenor.
*
*
*******************************************
*
Timothy Sullivan, Thompson Coburn, LLP, Washington D.C., Counsel for Plaintiff.
Christopher L. Krafchek, United States Department of Justice, Commercial Litigation
Division, Washington, D.C., Counsel for Defendant.
Steven J. Rosenbaum, Covington & Burling, LLP, Washington, D.C., and William A. Shook,
Shook, Doran, Koehl LLP, Washington, D.C., Counsel for Defendant-Intervenor.
ORDER
On November 19, 2010, the Government filed an Opposition to Plaintiff’s Motion for a
Preliminary Injunction, under seal, pursuant to a November 5, 2010 Protective Order. On
Friday, April 8, 2011 at 5:19 p.m. EST, however, the Government decided to place a redacted
version of this brief on the public record via the Case Management/Electronic Case Filing
System (“CM/ECF System”).
On December 17, 2010, the Government filed a Cross-Motion for Judgment Upon the
Administrative Record and Response To Plaintiff’s Motion for Judgment Upon the
Administrative Record, under seal, pursuant to a November 5, 2010 Protective Order. On
Friday, April 8, 2011, at 5:16 p.m. EST, the Government also decided to place a redacted version
of this brief on the public record via the CM/ECF System. During an April 14, 2011 telephone
conference, the court learned that on Friday, April 8, 2011, at 5:52 p.m. EST, counsel for
Softchoice Corp. forwarded a copy of these briefs to Mr. David Howard, Corporate Vice
President & Deputy General Counsel of Microsoft Corp., that is represented by the same law
firm.
On Monday, April 11, 2011, at 9:00 a.m., Mr. Howard issued a press release/blog post 1
stating: “Last Friday afternoon, I learned that a batch of court documents had been unsealed and
had revealed one particularly striking development: the United States Department of Justice had
rejected Google’s claim that Google Apps for Government, Google’s cloud-based suite for
government customers, has been certified under the Federal Information Security Management
Act (FISMA).” David Howard, Google’s Misleading Security Claims to the Government Raise
Serious Questions, MICROSOFT ON THE ISSUES (Apr. 11, 2011, 9:00 AM), http://blogs.technet.co
m/b/microsoft_on_the_issues/archive/2011/04/11/google-s-misleading-security-claims-to-the-go
vernment-raise-serious-questions.aspx (emphasis added). This-1,054 word blog post concluded
with the following statement:
The Department of Justice has concluded squarely that Google Apps for
Government does not have FISMA certification. Open competition should
involve accurate competition. It’s time for Google to stop telling governments
something that is not true. Google Apps for Government does not have FISMA
certification. Open competition should involve accurate competition.
Id. 2
The next day, on April 12, 2011, Senator Tom Carper, Chairman of the Senate
Committee on Homeland Security and Governmental Affairs’ Subcommittee on Federal
Financial Management, convened a hearing on “Examining the President’s Plan For Eliminating
Wasteful Spending in Information Technology.” Matt Rosoff, Google in Trouble Over Lying
About Security of Apps to the Government, BUSINESS INSIDER (Apr. 12, 2011, 4:56 PM),
http://www.businessinsider.com/government-agrees-with-microsoft-google-lied-2011-4. One of
the witnesses was Mr. David McClure, Associate Administrator of the Office of Citizen Services
and Innovative Technologies, United States General Services Administration. Id. During the
hearing, the following exchange took place:
SENATOR CARPER: According to press reports the Department of Justice
notified Google in December of 2010 that its Apps for Government was not in
fact FISMA compliant. To help provide some greater clarity on this issue, I'd like
1
This blog post was brought to the court’s attention by a librarian for the United States
Court of Appeals for the Federal Circuit.
2
Mr. Howard’s comments have been widely reported in the media. The Google search
engine returns over 100,000 hits for the terms "Google Microsoft FISMA" in the period
following Mr. Howard's April 11, 2011 blog post.
2
to ask both of you if you would to comment on these recent reports and discuss
how OMB and GSA are addressing the concerns that are raised by them.
MR. MCCLURE: Sure, I’d be glad to bring some clarity to it. In July 2010, GSA
did a FISMA security accreditation for ‘Google Apps Premier.’ That's what the
Google product was called, and it passed our FISMA accreditation process. We
actually did that so other agencies could use the Google product. If we do one
accreditation, it's leveraged across many agencies. Since that time, Google has
introduced what they're calling ‘Google Apps for Government.’ It's a subset of
Google Apps Premier, and as soon as we found out about that, as with all the
other agencies, we have what you would normally do when a product changes,
you have to re-certify it. So that's what we're doing right now, we're actually
going through a re-certification based on those changes that Google has
announced with the ‘Apps for Government’ product offering.
Id.
Based on Mr. McClure’s Senate testimony, it appears that Google received FISMA
accreditation from GSA for the “Google Apps Premier” product in July 2010, and that GSA is
currently reviewing the “Google Apps for Government” “subset” product.
To the extent that the April 11, 2011 blog post by Microsoft Corp.’s Deputy General
Counsel was intended to convey the impression that the court, sua sponte, decided to “unseal”
portions of the Administrative Record that bear on the status of GSA’s FISMA certification of
Google’s products, that did not happen. Instead, the Commercial Litigation Branch of the Civil
Division of the Department of Justice decided to place selected portions of these two briefs on
the public record that present their views about this issue. The court, however, has made no
decision about the merits of the Government’s arguments, and emphasizes that no substantive
judgment has been made regarding the pending motions or arguments therein.
The Government’s December 17, 2010 Cross Motion, now on the public record, argues:
[Google] place[s] great weight on Google’s FISMA certification by GSA . . . . Yet
that certification merely means that Google Apps for Government, assuming it
even has FISMA certification, is secure enough for GSA. This fact has no direct
impact upon whether the cloud’s security is sufficient for [the Department of the
Interior]. Contrary to Google’s suggestion, its FISMA certification is not a
blanket endorsement of Google Apps across the entire Federal government. [The
Department of the Interior] acted rationally in refusing to treat it as such.
December 17, 2010 Gov’t Cross Motion at 38 (emphasis in original).
3
In a footnote therein, the Government further states:
There is now serious question whether Google Apps for Government is actually
certified by GSA at all. In fact, all evidence suggests that GSA certified Google
Apps Premier (Google’s public cloud) and not Google Apps for Government.
Id. at 38 n.13 (emphasis in original). Further on in the Government’s brief, the court is informed
that “the absence of FISMA certification is not a glaring weakness in Microsoft BPOSFederal . . . ; rather, it is a necessary step in acquiring a dedicated cloud. The terms of the
solicitation require the winning contractor to comply with FISMA mandates after award.” Id. at
39-40 (citation omitted) (emphasis added).
Contrary to the Government’s argument, whether or not Google Apps Premier and/or
Google Apps for Government are FISMA certified is central to resolve the issues presented in
this case. The RFQ requires FISMA certification in addition to DOI-specific security
requirements:
At all times, the contractor shall comply and the Contractor shall cause Microsoft
to agree to comply with the Federal Information Security Management Act
(FISMA) and OMB Circular A-130. This compliance shall be shown through the
completion and the maintaining of a Certification and Accreditation (C&A) of the
Microsoft BPOS-Federal service and adherence to DOI Policies on IT Security
Management. The Maintenance of the C&A is a requirement of the business
relationship between DOI, the Contractor and Microsoft.
AR 817. 3
Google’s December 30, 2010 Amended Complaint (“Am. Compl.”) alleges that the
Department of the Interior acted arbitrarily and capriciously in selecting Microsoft BPOSFederal over Google Apps, based on security concerns. Am. Compl. ¶ 62. The thrust of
Google’s argument is that the Department of the Interior’s determination that Google lacked
adequate security features was arbitrary and capricious in light of the fact that its product was
FISMA certified, while Microsoft BPOS-Federal was not FISMA certified or tested, and appears
to be dependent on software that contains a number of security vulnerabilities. Am. Compl. ¶¶
19, 21, 23, 49-53.
The Administrative Record proffered by the Government does not clearly reflect the
current status of GSA’s FISMA certification of the Microsoft and Google products nominally
being considered by the Department of the Interior in this procurement. Therefore, the court has
determined that supplementation of the record as to these issues is “necessary in order not ‘to
frustrate effective judicial review.’” Axiom Res. Mgmt., Inc. v. United States, 564 F.3d 1374,
3
Although this portion of the RFQ was initially placed under seal, it is discussed in the
Government’s April 8, 2010 redacted Cross-Motion For Judgment Upon The Administrative
Record and therefore is now in the public record. December 17, 2010 Gov’t Cross Motion at 1415, 28, 37-40.
4
1381 (Fed. Cir. 2009) (citation omitted); see also id. (“The focus of jurisdictional review of
agency action remains the administrative record, which should be supplemented only if the
existing record is insufficient to permit necessary review consistent with the APA.”).
Accordingly, on or before Friday, April 22, 2011, the Government will submit a sworn
statement by Mr. McClure addressing the status of Google’s FISMA certification. If Plaintiff
wishes to cross-examine Mr. McClure, the court will schedule a hearing to provide this
opportunity. At present, the Government and Softchoice have requested additional time to file
reply briefs. The Government and Softchoice should file these briefs on or before Friday, April
22, 2011.
IT IS SO ORDERED.
s/Susan G. Braden
SUSAN G. BRADEN
Judge
5
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?