Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
ProPublica's investigation reveals that FedRAMP, the federal government's cloud security authorization program, approved Microsoft's GCC High cloud product in December 2024 despite years of unresolved security concerns. Internal documents show FedRAMP reviewers called the package 'a pile of shit' and concluded they lacked confidence in assessing its security posture. Microsoft repeatedly failed to provide required data flow diagrams showing how sensitive data is encrypted in transit. The authorization was ultimately granted not because security questions were answered, but because GCC High had already spread across federal agencies and the defense sector, making rejection politically and operationally untenable. The investigation also highlights structural flaws: third-party assessors are paid by the companies they evaluate, the Justice Department pressured FedRAMP to approve the product, and the Trump administration's DOGE cuts have left FedRAMP operating as little more than a rubber stamp. The former Deputy AG who launched cybersecurity fraud initiatives was later hired by Microsoft as president of global affairs.
Table of contents
Reporting Highlights
A “Cloud First” World
Microsoft’s Missing Information
A Fight Over “Spaghetti Pies”
Assessors Back-Channel Cyber Concerns
FedRAMP Ends Talks
Microsoft and the Justice Department Push Back
Pressure Mounts on FedRAMP
Authorization Despite a “Damning” Assessment
“Unknown Unknowns” Persist