Despite Doubts, Federal Cyber Experts Authorized Microsoft Cloud Service — ProPublica

Last updated: March 18, 2026 10:55 am

Contents

  • Reporting Highlights
  • A “Cloud First” World
  • Microsoft’s Missing Information
  • A Fight Over “Spaghetti Pies”
  • Assessors Back-Channel Cyber Concerns
  • FedRAMP Ends Talks
  • Microsoft and the Justice Department Push Back
  • Pressure Mounts on FedRAMP
  • Authorization Despite a “Damning” Assessment
  • “Unknown Unknowns” Persist

Reporting Highlights

  • “Cloud First”: To move federal agencies to the cloud, the government created a program known as FedRAMP, whose job was to ensure the security of new technology.
  • Security Breakdown: ProPublica found that FedRAMP authorized a Microsoft product called GCC High to handle sensitive government data, despite years of concerns about its security.
  • Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.

These highlights were written by the reporters and editors who worked on this story.

In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s largest cloud computing offerings.

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: “The package is a pile of shit.”

For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.

Such judgments would be damning for any company seeking to sell its wares to the U.S. government, but it should have been particularly devastating for Microsoft. The tech giant’s products had been at the heart of two major cybersecurity attacks against the U.S. in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a range of federal agencies, including the National Nuclear Security Administration. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.

The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information.

Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling — which included a sort of “buyer beware” notice to any federal agency considering GCC High — helped Microsoft expand a government business empire worth billions of dollars.

“BOOM SHAKA LAKA,” Richard Wakeman, one of the company’s chief security architects, boasted in an online forum, celebrating the milestone with a meme of Leonardo DiCaprio in “The Wolf of Wall Street.” Wakeman did not respond to requests for comment.

It was not the sort of outcome that federal policymakers envisioned a decade and a half ago when they embraced the cloud revolution and created FedRAMP to help safeguard the government’s cybersecurity. The program’s layers of review, which included an assessment by outside experts, were supposed to ensure that service providers like Microsoft could be entrusted with the government’s secrets. But ProPublica’s investigation — drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors — found breakdowns at every juncture of that process. It also found a remarkable deference to Microsoft, even as the company’s products and practices were central to two of the most damaging cyberattacks ever carried out against the government.

FedRAMP first raised questions about GCC High’s security in 2020 and asked Microsoft to provide detailed diagrams explaining its encryption practices. But when the company produced what FedRAMP considered to be only partial information in fits and starts, program officials did not reject Microsoft’s application. Instead, they repeatedly pulled punches and allowed the review to drag out for the better part of five years. And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

Today, key parts of the federal government, including the Justice and Energy departments, and the defense sector rely on this technology to protect highly sensitive information that, if leaked, “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said.

“This is not a happy story in terms of the security of the U.S.,” said Tony Sager, who spent more than three decades as a computer scientist at the National Security Agency and now is an executive at the nonprofit Center for Internet Security.

For years, the FedRAMP process has been equated with actual security, Sager said. ProPublica’s findings, he said, shatter that facade.

“This isn’t security,” he said. “This is security theater.”

Despite a “lack of confidence in assessing” the security of Microsoft’s GCC High, FedRAMP authorized the product anyway. Alex Wong/Getty Images

ProPublica is exposing the government’s reservations about this popular product for the first time. We’re also revealing Microsoft’s yearslong inability to provide the encryption documentation and evidence the federal reviewers sought.

The revelations come as the Justice Department ramps up scrutiny of the government’s technology contractors. In December, the department announced the indictment of a former employee of Accenture who allegedly misled federal agencies about the security of the company’s cloud platform and its compliance with FedRAMP’s standards. She has pleaded not guilty. Accenture, which was not charged with wrongdoing, has said that it “proactively brought this matter to the government’s attention” and that it is “committed to operating with the highest ethical standards.”

Microsoft has also faced questions about its disclosures to the government. As ProPublica reported last year, the company failed to inform the Defense Department about its use of China-based engineers to maintain the government’s cloud systems, despite Pentagon rules stipulating that “No Foreign persons may have” access to its most sensitive data. The department is investigating the practice, which officials say could have compromised national security.

Microsoft has defended its program as “tightly monitored and supplemented by layers of security mitigations,” but after ProPublica’s story published last July, the company announced that it would stop using China-based engineers for Defense Department work.

In response to written questions for this story and in an interview, Microsoft acknowledged the yearslong confrontation with FedRAMP but also said it provided “comprehensive documentation” throughout the review process and “remediated findings where possible.”

“We stand by our products and the comprehensive steps we’ve taken to ensure all FedRAMP-authorized products meet the security and compliance requirements necessary,” a spokesperson said in a statement, adding that the company would “continue to work with FedRAMP to continuously review and evaluate our services for continued compliance.”

But these days, ProPublica found, there aren’t many people left at FedRAMP to work with.

The program was an early target of the Trump administration’s Department of Government Efficiency, which slashed its staff and budget. Even FedRAMP acknowledges it is operating “with an absolute minimum of support staff” and “limited customer service.” The roughly two dozen employees who remain are “completely focused on” delivering authorizations at a record pace, FedRAMP’s director has said. Today, its annual budget is just $10 million, its lowest in a decade, even as it has boasted record numbers of new authorizations for cloud products.

The result of all this, people who have worked for FedRAMP told ProPublica, is that the program now is little more than a rubber stamp for industry. The implications of such a downsizing for federal cybersecurity are far-reaching, especially as the administration encourages agencies to adopt cloud-based artificial intelligence tools, which draw upon reams of sensitive information.

The General Services Administration, which houses FedRAMP, defended the program, saying it has undergone “significant reforms to strengthen governance” since GCC High arrived in 2020. “FedRAMP’s role is to assess if cloud services have provided sufficient information and materials to be acceptable for agency use, and the program currently operates with strengthened oversight and accountability mechanisms to do exactly that,” a GSA spokesperson said in an emailed statement.

The agency did not respond to written questions regarding GCC High.

A “Cloud First” World

About two decades ago, federal officials predicted that the cloud revolution, providing on-demand access to shared computing via the internet, would usher in an era of cheaper, safer and more efficient information technology.

Moving to the cloud meant shifting away from on-premises servers owned and operated by the government to those in vast data centers maintained by tech companies. Some agency leaders were reluctant to relinquish control, while others couldn’t wait to.

In an effort to accelerate the transition, the Obama administration issued its “Cloud First” policy in 2011, requiring all agencies to implement cloud-based tools “whenever a secure, reliable, cost-effective” option existed. To facilitate adoption, the administration created FedRAMP, whose job was to ensure the security of those tools.

FedRAMP’s “do once, use many times” system was meant to streamline and strengthen the government procurement process. Previously, each agency using a cloud service vetted it separately, often applying different interpretations of federal security requirements. Under the new program, agencies would be able to skip redundant security reviews because FedRAMP authorization indicated that the product had already met standardized requirements. Authorized products would be listed on a government website known as the FedRAMP Marketplace.

On paper, the program was an exercise in efficiency. But in practice, the small FedRAMP team couldn’t keep up with the flood of demand from tech companies that wanted their products authorized.

The slow approval process frustrated both the tech industry, eager for a share of the billions of federal dollars up for grabs, and government agencies that were under pressure to migrate to the cloud. These dynamics often pitted the cloud industry and agency officials together against FedRAMP. The backlog also prompted many agencies to take an alternate path: performing their own reviews of the products they wanted to adopt, using FedRAMP’s standards.

It was through this “agency path” that GCC High entered the federal bloodstream, with the Justice Department paving the way. Initially, some Justice officials were nervous about the cloud and who might have access to its information, which includes highly sensitive court and law enforcement records, a Justice Department official involved in the decision told ProPublica. The department’s cybersecurity program required it to ensure that only U.S. citizens “access or assist in the development, operation, management, or maintenance” of its IT systems, unless a waiver was granted. Justice’s IT specialists recommended pursuing GCC High, believing it could meet the elevated security needs, according to the official, who spoke on condition of anonymity because they were not authorized to discuss internal matters.

Pursuant to FedRAMP’s rules, Microsoft had GCC High evaluated by a so-called third-party assessment organization, which is supposed to provide an independent review of whether the product has met federal standards. The Justice Department then conducted its own evaluation of GCC High using those standards and deemed the offering acceptable.

Melinda Rogers, former chief information officer for the Department of Justice. U.S. Department of Justice archives

By early 2020, Melinda Rogers, Justice’s deputy chief information officer, made the decision official and quickly deployed GCC High across the department.

It was a milestone for all involved. Rogers had ushered the Justice Department into the cloud, and Microsoft had gained a significant foothold in the cutthroat market for the federal government’s cloud computing business.

Moreover, Rogers’ decision placed GCC High on the FedRAMP Marketplace, the government’s influential online clearinghouse of all the cloud providers that are under review or already authorized. Its mere mention as “in process” was a boon for Microsoft, amounting to free advertising on a website used by organizations seeking to purchase cloud services bearing what’s widely seen as the government’s cybersecurity seal of approval.

That April, GCC High landed at FedRAMP’s office for review, the final stop on its bureaucratic journey to full authorization.

Microsoft’s Missing Information

In theory, there shouldn’t have been much for FedRAMP’s team to do after the third-party assessor and Justice reviewed GCC High, because all parties were supposed to be following the same requirements.

But it was around this time that the Government Accountability Office, which investigates federal programs, discovered breakdowns in the process, finding that agency reviews often were lacking in quality. Despite missing details, FedRAMP went on to authorize many of those packages. Acknowledging those shortcomings, FedRAMP began to take a harder look at new packages, a former reviewer said.

This was the environment in which Microsoft’s GCC High application entered the pipeline. The name GCC High was an umbrella covering many services and features within Office 365 that all needed to be reviewed. FedRAMP reviewers quickly noticed key material was missing.

The team homed in on what it viewed as a fundamental document called a “data flow diagram,” former members told ProPublica. The illustration is supposed to show how data travels from Point A to Point B — and, more importantly, how it’s protected as it hops from server to server. FedRAMP requires data to be encrypted while in transit to ensure that sensitive materials are protected even if they are intercepted by hackers.

But when the FedRAMP team asked Microsoft to provide the diagrams showing how such encryption would occur for each service in GCC High, the company balked, saying the request was too complicated. So the reviewers suggested starting with just Exchange Online, the popular email platform.

“This was our litmus test to say, ‘This isn’t the only thing that’s required, but if you’re not doing this, we’re not even close yet,’” said one reviewer who spoke on condition of anonymity because they were not authorized to discuss internal matters. Once they reached the appropriate level of detail, they’d move from Exchange to other services within GCC High.

It was the kind of detail that other major cloud providers such as Amazon and Google routinely provided, members of the FedRAMP team told ProPublica. Yet Microsoft took months to respond. When it did, the former reviewer said, it submitted a white paper that discussed GCC High’s encryption strategy but omitted the details of where on the journey data actually becomes encrypted and decrypted — so FedRAMP couldn’t assess that it was being done properly.
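The check the reviewers describe above, walking a data flow hop by hop and asking whether each hop is encrypted, can be sketched in code. The block below is an added example written for this page; it is not code from ProPublica, FedRAMP or Microsoft. The mail-delivery flow, the service names and the transport labels are all constructed. The point it makes is the one in the passage: a hop that is documented as plaintext is a finding a reviewer can act on, while a hop whose encryption state is simply never stated (the white-paper problem) leaves the reviewer unable to assess the system at all.

```python
"""Hop-by-hop audit of a data-flow description for encryption-in-transit gaps.

Added example, not material from ProPublica, FedRAMP or Microsoft: it models the
check a reviewer applies to a data flow diagram (where does data travel, and is
it encrypted on every hop?) and treats a hop whose encryption state is simply
undocumented differently from a hop known to be plaintext. Every service name
and the sample flow below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    """One edge of the diagram: data moving from src to dst over a transport."""
    src: str
    dst: str
    transport: str             # e.g. "https", "smtp", "internal-rpc" (constructed labels)
    encryption: Optional[str]  # "tls1.2", "tls1.3", "none", or None when the
                               # submitted documentation does not say


def audit_flow(hops: List[Hop]) -> Dict[str, object]:
    """Classify every hop and return a verdict a reviewer could act on.

    - plaintext:    hops documented as unencrypted (a requirement violation)
    - undocumented: hops whose encryption state was never stated (cannot assess)
    - breaks:       places where the diagram does not connect (dst != next src)
    """
    plaintext: List[Hop] = []
    undocumented: List[Hop] = []
    breaks: List[Tuple[str, str]] = []

    for i, hop in enumerate(hops):
        if hop.encryption is None:
            undocumented.append(hop)
        elif hop.encryption.lower() == "none":
            plaintext.append(hop)
        if i > 0 and hops[i - 1].dst != hop.src:
            breaks.append((hops[i - 1].dst, hop.src))

    if plaintext or breaks:
        verdict = "reject"            # a known gap or an incoherent diagram
    elif undocumented:
        verdict = "cannot assess"     # the "unknown unknowns" case
    else:
        verdict = "pass"
    return {"plaintext": plaintext, "undocumented": undocumented,
            "breaks": breaks, "verdict": verdict}


def describe(report: Dict[str, object]) -> List[str]:
    """Render the audit as reviewer-style findings, one line per problem."""
    lines = [f"verdict: {report['verdict']}"]
    for hop in report["plaintext"]:
        lines.append(f"PLAINTEXT    {hop.src} -> {hop.dst} over {hop.transport}")
    for hop in report["undocumented"]:
        lines.append(f"UNDOCUMENTED {hop.src} -> {hop.dst} over {hop.transport}")
    for left, right in report["breaks"]:
        lines.append(f"BREAK        diagram ends at {left} but resumes at {right}")
    return lines


# Constructed mail-delivery flow: two documented TLS hops, one hop the
# submitted write-up is silent about, and one hop documented as plaintext.
EXAMPLE_FLOW: List[Hop] = [
    Hop("user-mail-client", "mail-front-door", "https", "tls1.2"),
    Hop("mail-front-door", "mailbox-server", "internal-rpc", "tls1.2"),
    Hop("mailbox-server", "archive-store", "internal-rpc", None),
    Hop("archive-store", "ediscovery-index", "internal-rpc", "none"),
]

if __name__ == "__main__":
    for line in describe(audit_flow(EXAMPLE_FLOW)):
        print(line)
```

Run as a script, the sample flow produces a "reject" verdict with one plaintext finding and one undocumented hop. Trimming the flow to its first three hops leaves only the undocumented hop, and the verdict becomes "cannot assess" rather than "pass": absence of documentation is never treated as evidence of encryption.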

A Microsoft spokesperson acknowledged that the company had “articulated a challenge related to illustrating the volume of data being requested in diagram form” but “found alternate ways to share that information.”

Rogers, who was hired by Microsoft in 2025, declined to be interviewed. In response to emailed questions, the company provided a statement saying that she “stands by the rigorous evaluation that contributed to” her authorization of GCC High. A spokesperson said there was “absolutely no connection” between her hiring and the decisions in the GCC High process, and that she and the company complied with “all rules, regulations, and ethical standards.”

The Justice Department declined to respond to written questions from ProPublica.

A Fight Over “Spaghetti Pies”

As 2020 came to a close, a national security crisis hit Washington that underscored the consequences of cyber weakness. Russian state-sponsored hackers had been quietly working their way through federal computer systems for much of the year and vacuuming up sensitive data and emails from U.S. agencies — including the Justice Department.

At the time, most of the blame fell on a Texas-based company called SolarWinds, whose software provided hackers their initial opening and whose name became synonymous with the attack. But, as ProPublica has reported, the Russians leveraged that opening to exploit a long-standing weakness in a Microsoft product — one that the company had refused to fix for years, despite repeated warnings from one of its engineers. Microsoft has defended its decision not to address the flaw, saying that it received “multiple reviews” and that the company weighs a variety of factors when making security decisions.

In the aftermath, the Biden administration took steps to bolster the nation’s cybersecurity. Among them, the Justice Department announced a cyber-fraud initiative in 2021 to crack down on companies and individuals that “put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Deputy Attorney General Lisa Monaco said the department would use the False Claims Act to pursue government contractors “when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”

Former Deputy Attorney General Lisa Monaco. After Russian state-sponsored hackers stole sensitive data from U.S. agencies, Monaco said the Department of Justice would hold government contractors accountable for failing to uphold cybersecurity standards. Stefani Reynolds/AFP via Getty Images

But if Microsoft felt any pressure from the SolarWinds attack or from the Justice Department’s announcement, it didn’t manifest in the FedRAMP talks, according to former members of the FedRAMP team.

The discourse between FedRAMP and Microsoft fell into a pattern. The parties would meet. Months would go by. Microsoft would return with a response that FedRAMP deemed incomplete or irrelevant. To bolster the chances of getting the information it wanted, the FedRAMP team provided Microsoft with a template, describing the level of detail it expected. But the diagrams Microsoft returned never met those expectations.

“We never got past Exchange,” one former reviewer said. “We never got that level of detail. We had no visibility inside.”

In an interview with ProPublica, John Bergin, the Microsoft official who became the government’s main contact, acknowledged the prolonged back-and-forth but blamed FedRAMP, equating its requests for diagrams to a “rock fetching exercise.”

“We were maybe incompetent in how we drew drawings because there was no standard to draw them to,” he said. “Did we not do it exactly how they wanted? Absolutely. There was always something missing because there was no standard.”

A Microsoft spokesperson said without such a standard, “cloud providers were left to interpret the level of abstraction and representation on their own,” creating “inconsistency and confusion, not an unwillingness to be transparent.”

But even Microsoft’s own engineers had struggled over the years to map the architecture of its products, according to two people involved in building cloud services used by federal customers. At issue, according to people familiar with Microsoft’s technology, was the decades-old code of its legacy software, which the company used in building its cloud services.

One FedRAMP reviewer compared it to a “pile of spaghetti pies.” The data’s path from Point A to Point B, the person said, was like traveling from Washington to New York with detours by bus, ferry and plane rather than just taking a quick trip on Amtrak. And each one of those detours represents an opportunity for a hijacking if the data isn’t properly encrypted.

Other major cloud providers such as Amazon and Google built their systems from the ground up, said Sager, the former NSA computer scientist, who worked with all three companies during his time in government.

Microsoft’s system is “not designed for this kind of isolation of ‘secure’ from ‘not secure,’” Sager said.

A Microsoft spokesperson acknowledged the company faces a unique challenge but maintained that its cloud products meet federal security requirements.

“Unlike providers that started later with a narrower product scope, Microsoft operates one of the broadest enterprise and government platforms in the world, supporting continuity for millions of customers while simultaneously modernizing at scale,” the spokesperson said in emailed responses. “That complexity is not ‘spaghetti,’ but it does mean the work of disentangling, isolating, and hardening systems is continuous.”

The spokesperson said that since 2023, Microsoft has made “security-first architectural redesign, legacy risk reduction, and stronger isolation guarantees a top, company-wide priority.”

Assessors Back-Channel Cyber Concerns

The FedRAMP team was not the only party with reservations about GCC High. Microsoft’s third-party assessment organizations also expressed concerns.

The firms are supposed to be independent but are hired and paid by the company being assessed. Acknowledging the potential for conflicts of interest, FedRAMP has encouraged the assessment firms to confidentially back-channel to its reviewers any negative feedback that they were unwilling to bring directly to their clients or reflect in official reports.

In 2020, two third-party assessors hired by Microsoft, Coalfire and Kratos, did just that. They told FedRAMP that they were unable to get the full picture of GCC High, a former FedRAMP reviewer told ProPublica.

“Coalfire and Kratos both readily admitted that it was difficult to impossible to get the information required out of Microsoft to properly do a sufficient assessment,” the reviewer told ProPublica.

The back channel helped surface cybersecurity issues that otherwise might never have been known to the government, people who have worked with and for FedRAMP told ProPublica. At the same time, they acknowledged its existence undermined the very spirit and intent of having independent assessors.

A spokesperson for Coalfire, the firm that initially handled the GCC High assessment, requested written questions from ProPublica, then declined to respond.

A spokesperson for Kratos, which replaced Coalfire as the GCC High assessor, declined an interview request. In an emailed response to written questions, the spokesperson said the company stands by its official assessment and recommendation of GCC High and “absolutely refutes” that it “ever would sign off on a product we were unable to fully vet.” The company “has open and frank conversations” with all customers, including Microsoft, which “submitted all requisite diagrams to satisfy FedRAMP-defined requirements,” the spokesperson said.

Kratos said it “spent extensive time working collaboratively with FedRAMP in their review” and does not consider such discussions to be “backchanneling.”

FedRAMP, however, was dissatisfied with Kratos’ ongoing work and believed the firm “should be pushing back” on Microsoft more, the former reviewer said. It placed Kratos on a “corrective action plan,” which could ultimately result in loss of accreditation. The company said it did not agree with FedRAMP’s action but provided “additional trainings for some internal assessors” in response to it.

The Microsoft spokesperson told ProPublica the company has “always been responsive to requests” from Kratos and FedRAMP. “We are not aware of any backchanneling, nor do we believe that backchanneling would have been necessary given our transparency and cooperation with auditor requests,” the spokesperson said.

In response to questions from ProPublica about the process, the GSA said in an email that FedRAMP’s system “does not create an inherent conflict of interest for professional auditors who meet ethical and contractual performance expectations.”

GSA did not respond to questions about back-channeling but said the “correct process” is for a third-party assessor to “state those issues formally in a finding within the security assessment so that the cloud service provider has an opportunity to fix the issue.”

FedRAMP Ends Talks

FedRAMP is housed under the General Services Administration within the federal government. Al Drago/Bloomberg via Getty Images

The back-and-forth between the FedRAMP reviewers and Microsoft’s team went on for years with little progress. Then, in the summer of 2023, the program’s interim director, Brian Conrad, got a call from the White House that would alter the course of the review.

Chinese state-sponsored hackers had infiltrated GCC, the lower-cost version of Microsoft’s government cloud, and stolen data and emails from the commerce secretary, the U.S. ambassador to China and other high-ranking government officials. In the aftermath, Chris DeRusha, the White House’s chief information security officer, wanted a briefing from FedRAMP, which had authorized GCC.

The decision predated Conrad’s tenure, but he told ProPublica that he left the conversation with several takeaways. First, FedRAMP must hold all cloud providers — including Microsoft — to the same standards. Second, he had the backing of the White House in standing firm. Finally, FedRAMP would feel the political heat if any cloud service with a FedRAMP authorization were hacked.

DeRusha confirmed Conrad’s account of the phone call but declined to comment further.

Within months, Conrad informed Microsoft that FedRAMP was ending the engagement on GCC High.

“After three years of collaboration with the Microsoft team, we still lack visibility into the security gaps because there are unknowns that Microsoft has failed to address,” Conrad wrote in an October 2023 email. This, he added, was not for FedRAMP’s lack of trying. Staffers had spent 480 hours of review time, had conducted 18 “technical deep dive” sessions and had numerous email exchanges with the company over the years. Yet they still lacked the data flow diagrams, crucial information “since visibility into the encryption status of all data flows and stores is so important,” he wrote.

If Microsoft still wanted FedRAMP authorization, Conrad wrote, it would need to start over.

A FedRAMP reviewer, explaining the decision to the Justice Department, said the team was “not asking for anything above and beyond what we’ve asked from every other” cloud service provider, according to meeting minutes reviewed by ProPublica. But the request was particularly justified in Microsoft’s case, the reviewer told the Justice officials, because “every time we’ve actually been able to get visibility into a black box, we’ve uncovered a problem.”

“We can’t even quantify the unknowns, which makes us very uncomfortable,” the reviewer said, according to the minutes.

Microsoft and the Justice Department Push Back

Microsoft was furious. Failing to obtain authorization and starting the process over would signal to the market that something was wrong with GCC High. Customers were already confused and concerned about the drawn-out review, which had become a hot topic in an online forum used by government and technology insiders. There, Wakeman, the Microsoft cybersecurity architect, deflected blame, saying the government had been “dragging their feet on it for years now.”

Meanwhile, to build support for Microsoft’s case, Bergin, the company’s point person for FedRAMP and a former Army official, reached out to government leaders, including one from the Justice Department.

The Justice official, who spoke on condition of anonymity because they were not authorized to discuss the matter, said Bergin complained that the delay was hampering Microsoft’s ability “to get this out into the market full sail.” Bergin then pushed the Justice Department to “throw around our weight” to help secure FedRAMP authorization, the official said.

John Bergin in 2019, while serving as deputy assistant secretary of the Army for financial information management. He was later hired by Microsoft and served as the company’s liaison with FedRAMP during the GCC High debate. (Photo: Defense Visual Information Distribution Service)

That December, as the parties gathered to hash things out at GSA’s Washington headquarters, Justice did just that. Rogers, who by then had been promoted to the department’s chief information officer, sat beside Bergin, on the opposite side of the table from Conrad, the FedRAMP director.

Rogers and her Justice colleagues had a stake in the outcome. Since authorizing and deploying GCC High, she had received accolades for her work modernizing the department’s IT and cybersecurity. But without FedRAMP’s stamp of approval, she would be the government official left holding the bag if GCC High were involved in a serious hack. At the same time, the Justice Department couldn’t easily back out of using GCC High because once a technology is widely deployed, pulling the plug can be costly and technically challenging. And from its perspective, the cloud was an improvement over the old government-run data centers.

Shortly after the meeting kicked off, Bergin interrupted a FedRAMP reviewer who had been presenting PowerPoint slides. He said the Justice Department and the third-party assessor had already reviewed GCC High, according to meeting minutes. FedRAMP “should essentially just accept” their findings, he said.

Then, in a surprise to the FedRAMP team, Rogers backed him up and went on to criticize FedRAMP’s work, according to two attendees.

In its statement, Microsoft said Rogers maintains that FedRAMP’s approach “was misguided and improperly dismissed the extensive evaluations carried out by DOJ personnel.”

Bergin didn’t dispute the account, telling ProPublica that he had been trying to argue that it is the purview of third-party assessors such as Kratos, not FedRAMP, to evaluate the security of cloud products. And since FedRAMP must approve the third-party assessment firms, the program should have taken its issues up with Kratos.

“When you are the regulatory agency who determines who the auditors are and you refuse to accept your auditors’ answers, that’s not a ‘me’ problem,” Bergin told ProPublica.

The GSA didn’t respond to questions about the meeting. The Justice Department declined to comment.

Pressure Mounts on FedRAMP

If there was any doubt about the role of FedRAMP, the White House issued a memorandum in the summer of 2024 that outlined its views. FedRAMP, it said, “must be capable of conducting rigorous reviews” and requiring cloud providers to “rapidly mitigate weaknesses in their security architecture.” The office should “continuously assess and validate cloud providers’ complex architectures and encryption schemes.”

But by that point, GCC High had spread to other federal agencies, with the Justice Department’s authorization serving as a signal that the technology met federal standards.

It also spread to the defense sector, since the Pentagon required that cloud products used by its contractors meet FedRAMP standards. While it didn’t have FedRAMP authorization, Microsoft marketed GCC High as meeting the requirements, selling it to companies such as Boeing that research, develop and maintain military weapons systems.

But with the FedRAMP authorization up in the air, some contractors began to worry that by using GCC High, they were out of compliance. That could threaten their contracts, which, in turn, could impact Defense Department operations. Pentagon officials called FedRAMP to inquire about the authorization stalemate.

The Defense Department acknowledged but didn’t respond to written questions from ProPublica.

Rogers also kept pressing FedRAMP to “get this thing over the line,” former employees of the GSA and FedRAMP said. It was the “opinion of the staff and the contractors that she simply was not willing to put heat to Microsoft on this” and that the Justice Department “was too sympathetic to Microsoft’s claims,” Eric Mill, then GSA’s executive director for cloud strategy, told ProPublica.

Authorization Despite a “Damning” Assessment

In the summer of 2024, FedRAMP hired a new permanent director, government technology insider Pete Waterman. Within about a month of taking the job, he restarted the office’s review of GCC High with a new team, which set aside the debate over data flow diagrams and instead tried to examine evidence from Microsoft. But those reviewers soon arrived at the same conclusion, with the team’s leader complaining about “getting stiff-armed” by Microsoft.

“He came back and said, ‘Yeah, this thing sucks,’” Mill recalled.

Pete Waterman, FedRAMP director hired in 2024. (Photo: FedRAMP)

While the team was able to work through only two of the many services included in GCC High, Exchange Online and Teams, that was enough for it to identify “issues that are fundamental” to risk management, including “timely remediation of vulnerabilities and vulnerability scanning,” according to a summary of the team’s findings reviewed by ProPublica.

Those issues, as well as a lack of “proper detailed security documentation” from Microsoft, limit “visibility and understanding of the system” and “impair the ability to make informed risk decisions.”

The team concluded, “There is a lack of confidence in assessing the system’s overall security posture.”

A Microsoft spokesperson said in a statement that the company “never received this feedback in any of its communications with FedRAMP.”

When ProPublica read the findings to Bergin, the Microsoft liaison, he said he was surprised.

“That’s pretty damning,” Bergin said, adding that it sounded like language that “would’ve normally been associated with a finding of ‘undeserving.’ If an assessor wrote that, I would be nervous.”

Despite the findings, to the FedRAMP team, turning Microsoft down didn’t seem like an option. “Not issuing an authorization would impact multiple agencies that are already using GCC-H,” the summary document said. The team determined that it was a “better value” to issue an authorization with conditions for continued government oversight.

While authorizations with oversight conditions weren’t unusual, arriving at one under these circumstances was. GCC High reviewers saw problems everywhere, both in what they were able to evaluate and what they weren’t. To them, much of the package remained a vast wilderness of untold risk.

Still, FedRAMP and Microsoft reached an agreement, and the day after Christmas 2024, GCC High received its FedRAMP authorization. FedRAMP appended a cover report to the package laying out its deficiencies and noting that it carried unknown risks, according to people familiar with the report.

It emphasized that agencies should carefully review the package and engage directly with Microsoft on any questions.

“Unknown Unknowns” Persist

Microsoft told ProPublica that it has met the conditions of the agreement and has “stayed within the performance metrics required by FedRAMP” to ensure that “risks are identified, tracked, remediated, and transparently communicated.”

But under the Trump administration, there aren’t many people left at FedRAMP to check.

While the Biden-era guidance said FedRAMP “must be an expert program that can analyze and validate the security claims” of cloud providers, the GSA told ProPublica that the program’s role is “not to determine if a cloud service is secure enough.” Rather, it is “to ensure agencies have sufficient information to make those risk decisions.”

The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them. Under the current vision, critics say, FedRAMP has lost the plot.

“FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”

Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service their sensitive cloud systems despite the department’s prohibition against non-U.S. citizens assisting with IT maintenance.

Officials learned about this arrangement, which was also used in GCC High, not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.

A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department didn’t mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Still, Microsoft has since ended its use of China-based engineers in government systems.

Former and current government officials worry about what other risks may be lurking in GCC High and beyond.

The GSA told ProPublica that, in general, “if there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”

Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors live up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” about the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of trying to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to conceal the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.

There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, didn’t respond to requests for comment.

She left her government position in January 2025. Microsoft hired her to become its president of global affairs.

A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “doesn’t work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”
