A federal program created to protect the government against cyber threats authorized a sprawling Microsoft cloud product, despite the company’s inability to fully explain how it protects sensitive data.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

ProPublica's investigation reveals that FedRAMP, the federal government's cloud security authorization program, approved Microsoft's GCC High cloud product in December 2024 despite years of unresolved security concerns. Internal documents show FedRAMP reviewers called the package 'a pile of shit' and concluded they lacked confidence in assessing its security posture. Microsoft repeatedly failed to provide required data flow diagrams showing how sensitive data is encrypted in transit. The authorization was ultimately granted not because security questions were answered, but because GCC High had already spread across federal agencies and the defense sector, making rejection politically and operationally untenable. The investigation also highlights structural flaws: third-party assessors are paid by the companies they evaluate, the Justice Department pressured FedRAMP to approve the product, and the Trump administration's DOGE cuts have left FedRAMP operating as little more than a rubber stamp. The former Deputy AG who launched cybersecurity fraud initiatives was later hired by Microsoft as president of global affairs.

Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

Microsoft and the Justice Department Push Back

Authorization Despite a “Damning” Assessment