ProPublica's investigation reveals that FedRAMP (the Federal Risk and Authorization Management Program, the federal government's cloud security authorization program) approved Microsoft's GCC High (Government Community Cloud High) offering in December 2024 despite years of unresolved security concerns. Internal documents show FedRAMP reviewers called the authorization package 'a pile of shit' and concluded they lacked confidence in their ability to assess its security posture. Microsoft repeatedly failed to provide required data flow diagrams showing where sensitive data moves and how it is encrypted in transit. The authorization was ultimately granted not because the security questions were answered, but because GCC High had already spread across federal agencies and the defense sector, making rejection politically and operationally untenable. The investigation also highlights structural flaws: third-party assessors are paid by the companies they evaluate, the Justice Department pressured FedRAMP to approve the product, and the Trump administration's DOGE cuts have left FedRAMP operating as little more than a rubber stamp. The former Deputy Attorney General who launched the department's cybersecurity fraud initiative was later hired by Microsoft as president of global affairs.

From propublica.org (30-minute read)
Table of contents

Reporting Highlights
A “Cloud First” World
Microsoft’s Missing Information
A Fight Over “Spaghetti Pies”
Assessors Back-Channel Cyber Concerns
FedRAMP Ends Talks
Microsoft and the Justice Department Push Back
Pressure Mounts on FedRAMP
Authorization Despite a “Damning” Assessment
“Unknown Unknowns” Persist
