Federal Regulators Authorized Microsoft Cloud Despite Damning Internal Security Warnings, Raising National Security Fears

In a decision reverberating through Washington, federal cybersecurity evaluators in late 2024 granted a critical seal of approval to one of Microsoft’s most expansive cloud computing offerings, the Government Community Cloud High (GCC High), despite internal assessments that found its security documentation severely lacking. This controversial authorization, detailed in an internal government report reviewed by ProPublica, came even as evaluators expressed a profound "lack of confidence in assessing the system’s overall security posture," with one team member bluntly calling the package "a pile of shit." The move has sparked widespread concern among cybersecurity experts and former government officials, who warn that the nation’s most sensitive information may be exposed to undue risk.

The Federal Risk and Authorization Management Program, known as FedRAMP, is the gatekeeper for cloud services seeking to serve the U.S. government. Its mission is to ensure that these providers meet stringent security standards before handling federal data. However, ProPublica’s investigation, drawing from internal FedRAMP memos, emails, meeting minutes, and interviews with current and former government employees and contractors, reveals a process riddled with "breakdowns at every juncture" and an "unusual deference to Microsoft." This lax oversight is particularly alarming given Microsoft products’ central role in two significant cyberattacks against the U.S. government within three years, including incidents involving Russian and Chinese state-sponsored hackers.

The Heart of the Controversy: Missing Documentation and Technical Opacity

At the core of FedRAMP’s reservations was Microsoft’s persistent failure to provide adequate security documentation, specifically detailed "data flow diagrams." These diagrams are crucial for illustrating how sensitive government data travels across servers and, critically, how it is encrypted at each stage to prevent interception by malicious actors. FedRAMP reviewers began raising these questions as early as 2020, requesting such diagrams for individual services within GCC High, starting with Exchange Online, the popular email platform.

According to former FedRAMP team members, while other major cloud providers like Amazon and Google routinely furnished such detailed information, Microsoft struggled. A company spokesperson acknowledged "a challenge related to illustrating the volume of information being requested in diagram form" but claimed they "found alternate ways to share that information." However, reviewers consistently found Microsoft’s submissions incomplete or irrelevant, often amounting to white papers discussing encryption strategy without the granular detail necessary to verify proper implementation. One former reviewer lamented, "We never got past Exchange. We never got that level of detail. We had no visibility inside." This opacity left evaluators unable to confirm the integrity of the data’s protection mechanisms.

Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

A Troubling Track Record and Escalating Cyber Threats

The decision to authorize GCC High, despite these profound security questions, unfolds against a backdrop of increasing cyber threats and Microsoft’s own problematic history with federal cybersecurity. In late 2020, Russian state-sponsored hackers exploited a long-standing weakness in a Microsoft product, leveraging the SolarWinds supply chain attack to steal sensitive data and emails from numerous federal agencies, including the Justice Department and the National Nuclear Security Administration. ProPublica previously reported that Microsoft had refused to fix this flaw for years despite internal warnings.

More recently, in the summer of 2023, Chinese state-sponsored hackers infiltrated a lower-cost version of Microsoft’s government cloud, GCC, compromising email accounts of high-ranking officials, including the Commerce Secretary and the U.S. ambassador to China. These incidents underscored the severe consequences of cybersecurity vulnerabilities and the critical need for robust vetting of government technology. The federal government could face further exposure if it cannot verify the cybersecurity of GCC High, a suite of cloud-based services designed to safeguard some of the nation’s most sensitive information, capable of causing "severe or catastrophic adverse effect" if compromised.

FedRAMP’s Dilemma: A System Under Strain

FedRAMP was established in 2011 as part of the Obama administration’s "Cloud First" policy, which mandated federal agencies to prioritize cloud-based solutions for their IT infrastructure. The program’s "do once, use many times" system was designed to streamline procurement and ensure standardized security reviews, preventing each agency from conducting redundant assessments. Cloud providers that passed FedRAMP’s rigorous multi-layered review, which included assessments by independent third-party experts, would be listed on the FedRAMP Marketplace, effectively a government "cybersecurity seal of approval."

However, FedRAMP itself has been significantly weakened over the past decade. An early target of budget cuts under the Trump administration, the program now operates with an "absolute minimum of support staff." With an annual budget of just $10 million—its lowest in a decade—and a team of only about two dozen employees, FedRAMP struggles to keep pace with the demand for authorizations. Critics contend that this under-resourcing has transformed the program into little more than a "rubber stamp for industry," rather than the robust cybersecurity watchdog it was intended to be. Tony Sager, a former computer scientist at the National Security Agency and an executive at the nonprofit Center for Internet Security, bluntly stated, "This is not security. This is security theater."

The "Agency Path" and Premature Deployment

Adding another layer of complexity to the GCC High saga was its early adoption through an alternative procurement route known as the "agency path." In early 2020, the Justice Department, under then-Deputy Chief Information Officer Melinda Rogers, made the decision to deploy GCC High across the department. Justice officials, initially wary of cloud services for sensitive court and law enforcement records, believed GCC High could meet their elevated security needs, including a requirement that only U.S. citizens access or assist in IT system maintenance. This internal approval and subsequent deployment effectively placed GCC High on the FedRAMP Marketplace as "in process," granting Microsoft significant market visibility and a perceived stamp of preliminary approval long before full authorization.

This early adoption created an irreversible momentum. Once a technology is widely deployed across government agencies, pulling the plug becomes both technically challenging and prohibitively expensive. By late 2024, when FedRAMP finally rendered its judgment, GCC High was already deeply embedded within key parts of the federal government, including the Justice and Energy departments, and the defense sector. This widespread usage became a significant factor in FedRAMP’s eventual decision to authorize the product, not because their questions were answered, but largely because the system was already operational across Washington.

The Technical Challenge: "Spaghetti Pies"

Microsoft’s difficulties in providing comprehensive data flow diagrams were, according to some experts, rooted in the inherent architectural complexity of its legacy software. One FedRAMP reviewer described Microsoft’s system as a "pile of spaghetti pies," implying a tangled and convoluted architecture where data paths are opaque and difficult to trace. This contrasts with other major cloud providers like Amazon and Google, which built their cloud systems from the ground up, allowing for clearer mapping and isolation of secure environments.

Tony Sager noted that Microsoft’s system is "not designed for this kind of isolation of ‘secure’ from ‘not secure.’" A Microsoft spokesperson acknowledged facing a "unique challenge" compared to providers with narrower product scopes, stating, "That complexity is not ‘spaghetti,’ but it does mean the work of disentangling, isolating, and hardening systems is continuous." The company affirmed that since 2023, it has prioritized "security-first architectural redesign, legacy risk reduction, and stronger isolation guarantees" company-wide.

Compromised Oversight: The Role of Third-Party Assessors

FedRAMP’s system relies heavily on third-party assessment organizations (3PAOs), which are hired and paid by the cloud providers they evaluate. This arrangement inherently creates a potential for conflicts of interest. In 2020, two 3PAOs hired by Microsoft—Coalfire and Kratos—reportedly "back-channeled" concerns to FedRAMP reviewers, admitting they were "unable to get the full picture of GCC High" from Microsoft. While this informal communication helped surface issues, its very existence undermines the principle of independent assessment.

Kratos, which became the primary assessor for GCC High, "absolutely refutes" that it signed off on a product it couldn’t fully vet and denied that its discussions with FedRAMP constituted "back-channeling." However, FedRAMP placed Kratos on a "corrective action plan," suggesting dissatisfaction with the firm’s rigor. This incident highlights a systemic vulnerability in the FedRAMP process, where the financial relationship between cloud providers and their auditors can compromise the integrity of security evaluations. The General Services Administration (GSA), which houses FedRAMP, defended the system, stating it "does not create an inherent conflict of interest for professional auditors who meet ethical and contractual performance expectations."

White House Intervention and FedRAMP’s Brief Stance

The summer 2023 Chinese cyberattack on Microsoft’s GCC platform served as a stark wake-up call. Chris DeRusha, the White House’s chief information security officer, convened a briefing with FedRAMP’s interim director, Brian Conrad. Following this, Conrad informed Microsoft in October 2023 that FedRAMP was ending its engagement on GCC High. He cited "three years of collaboration" that still yielded "unknowns that Microsoft has failed to address," emphasizing the critical lack of data flow diagrams. FedRAMP staff had dedicated 480 hours to review, conducted 18 "technical deep dive" sessions, and engaged in countless exchanges, yet still lacked crucial information. Conrad stated that if Microsoft wanted authorization, it would need to "start over."

A FedRAMP reviewer explained to the Justice Department that the team was "not asking for anything above and beyond what we’ve asked from every other" cloud service provider. The reviewer added, "each time we’ve actually been able to get visibility into a black box, we’ve uncovered an issue," concluding, "We can’t even quantify the unknowns, which makes us very uncomfortable."

Intense Pressure and a Capitulation

Microsoft reacted with fury to Conrad’s decision. Its chief security architect, Richard Wakeman, publicly blamed the government for "dragging their feet." John Bergin, Microsoft’s liaison for FedRAMP and a former Army official, began lobbying government leaders, including from the Justice Department, to "throw around our weight" to secure authorization.

In a December 2023 meeting at GSA headquarters, Melinda Rogers, by then the Justice Department’s Chief Information Officer and a strong proponent of GCC High, sat alongside Bergin, directly opposing FedRAMP Director Conrad. Rogers, whose reputation for modernizing the Justice Department’s IT rested partly on GCC High’s success, criticized FedRAMP’s approach. Microsoft later stated that Rogers believed FedRAMP’s stance "was misguided and improperly dismissed the extensive evaluations performed by DOJ personnel." Bergin contended that FedRAMP was overstepping its bounds by re-evaluating 3PAO findings, essentially questioning its own approved auditors.

Pressure continued to mount. The White House, in a summer 2024 memorandum, reiterated that FedRAMP "must be capable of conducting rigorous reviews." Pentagon officials, whose contractors relied on GCC High for sensitive defense information, also inquired about the authorization stalemate, fearing compliance issues. With GCC High already pervasive across government and the defense industry, the consequences of a denial were deemed too disruptive.

Authorization Despite a "Damning" Assessment

In the summer of 2024, Pete Waterman was hired as FedRAMP’s new permanent director. He restarted the GCC High review with a fresh team, shifting focus from data flow diagrams to examining available evidence. Yet, this new team arrived at the same unsettling conclusion. Its leader complained of "getting stiff-armed" by Microsoft, and the internal summary of findings reiterated a "lack of proper detailed security documentation" and "issues that are fundamental" to risk management, including "timely remediation of vulnerabilities and vulnerability scanning." The report concluded, "There is a lack of confidence in assessing the system’s overall security posture."

When ProPublica presented these findings to Bergin, the Microsoft liaison, he expressed surprise, calling them "pretty damning" and typical of a "not worthy" verdict. Despite this, FedRAMP felt cornered. The summary document explicitly stated, "Not issuing an authorization would impact multiple agencies that are already using GCC-H." The team determined it was a "better value" to issue an authorization with conditions for continued government oversight.

On December 26, 2024, GCC High received its FedRAMP authorization. This came with a caveat: a cover report appended to the package, detailing its deficiencies and noting "unknown risks." It explicitly advised agencies to "carefully review the package and engage directly with Microsoft on any questions," effectively a "buyer beware" notice for a product handling the nation’s most sensitive data. Microsoft’s chief security architect, Richard Wakeman, celebrated this milestone in an online forum with a "BOOM SHAKA LAKA" and a meme of Leonardo DiCaprio from "The Wolf of Wall Street."

"Unknown Unknowns" Persist and the Revolving Door

Microsoft claims it has met the conditions of the agreement, ensuring "risks are identified, tracked, remediated, and transparently communicated." However, critics argue that with FedRAMP’s diminished capacity, the oversight mechanisms are insufficient. The GSA now states FedRAMP’s role is "not to determine if a cloud service is secure enough," but "to ensure agencies have sufficient information to make these risk decisions." Eric Mill, former GSA executive director for cloud strategy and co-author of the 2024 White House memo, countered, "When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher."

The "unknown unknowns" cited by FedRAMP reviewers have already materialized. Last year, the Justice Department discovered, not from FedRAMP or Microsoft, but from a ProPublica investigation, that Microsoft relied on China-based engineers to service sensitive cloud systems, including GCC High, despite the department’s explicit prohibition against non-U.S. citizens assisting with IT maintenance. While Microsoft acknowledged that its written security plan for GCC High did not mention foreign engineers, it stated that it had communicated this information to Justice officials before 2020 and has since ended the practice for government systems.

The systemic vulnerabilities and potential for conflicts of interest in federal technology contracting are under increasing scrutiny. The Justice Department, which launched a cyber-fraud initiative in 2021 to hold contractors accountable for deficient cybersecurity, recently indicted a former Accenture employee for allegedly misleading federal agencies about cloud security and FedRAMP compliance. She has pleaded not guilty.

Perhaps the most glaring illustration of the "revolving door" between government oversight and the tech industry came in January 2025. Lisa Monaco, the former Deputy Attorney General who spearheaded the Justice Department’s initiative to pursue cybersecurity fraud cases against contractors, left her government position and was subsequently hired by Microsoft to become its president of global affairs. A Microsoft spokesperson stated that Monaco’s hiring complied with "all rules, regulations, and ethical standards" and that she "does not work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government." Nevertheless, the optics raise profound questions about the impartiality of government oversight when the very officials tasked with ensuring accountability later transition to lucrative positions within the companies they once regulated. The authorization of GCC High, despite grave internal warnings, stands as a testament to the persistent challenges in safeguarding national security in an increasingly cloud-dependent world.