{"id":196968,"date":"2026-03-18T06:00:00","date_gmt":"2026-03-18T10:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/18\/despite-doubts-federal-cyber-experts-approved-microsoft-cloud-service-propublica\/"},"modified":"2026-03-18T07:30:12","modified_gmt":"2026-03-18T11:30:12","slug":"despite-doubts-federal-cyber-experts-approved-microsoft-cloud-service-propublica","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/18\/despite-doubts-federal-cyber-experts-approved-microsoft-cloud-service-propublica\/","title":{"rendered":"Despite Doubts, Federal Cyber Experts Approved Microsoft Cloud Service \u2014 ProPublica"},"content":{"rendered":"<p><a href=\"https:\/\/www.propublica.org\/article\/microsoft-cloud-fedramp-cybersecurity-government\">Despite Doubts, Federal Cyber Experts Approved Microsoft Cloud Service \u2014 ProPublica<\/a><\/p>\n<p><a href=\"https:\/\/www.propublica.org\/article\/microsoft-cloud-fedramp-cybersecurity-government\">https:\/\/www.propublica.org\/article\/microsoft-cloud-fedramp-cybersecurity-government<\/a><\/p>\n<p>Publish Date: 2026-03-18 06:00:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.propublica.org\">www.propublica.org<\/a><\/p>\n<p>
<\/p>\n<p>Reporting Highlights<\/p>\n<p>\u201cCloud First\u201d: To move federal agencies to the cloud, the government created a program known as FedRAMP, whose job was to ensure the security of new technology.\u00a0<\/p>\n<p>Security Breakdown: ProPublica found that FedRAMP authorized a Microsoft product called GCC High to handle sensitive government data, despite years of concerns about its security.<\/p>\n<p>Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.<\/p>\n<p>These highlights were written by the reporters and editors who worked on this story.<\/p>\n<p>In late 2024, the federal government\u2019s cybersecurity evaluators rendered a troubling verdict on one of Microsoft\u2019s biggest cloud computing offerings.<\/p>\n<p>The tech giant\u2019s \u201clack of proper detailed security documentation\u201d left reviewers with a \u201clack of confidence in assessing the system\u2019s overall security posture,\u201d according to an internal government report reviewed by ProPublica.<\/p>\n<p>Or, as one member of the team put it: \u201cThe package is a pile of shit.\u201d<\/p>\n<p>For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn\u2019t vouch for the technology\u2019s security.<\/p>\n<p>Such judgments would be damning for any company seeking to sell its wares to the U.S. government, but it should have been particularly devastating for Microsoft. The tech giant\u2019s products had been at the heart of two major cybersecurity attacks against the U.S. in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration. 
In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.<\/p>\n<p>The federal government could be further exposed if it couldn\u2019t verify the cybersecurity of Microsoft\u2019s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation\u2019s most sensitive information.<\/p>\n<p>Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government\u2019s cybersecurity seal of approval. FedRAMP\u2019s ruling \u2014 which included a kind of \u201cbuyer beware\u201d notice to any federal agency considering GCC High \u2014 helped Microsoft expand a government business empire worth billions of dollars.<\/p>\n<p>\u201cBOOM SHAKA LAKA,\u201d Richard Wakeman, one of the company\u2019s chief security architects, boasted in an online forum, celebrating the milestone with a meme of Leonardo DiCaprio in \u201cThe Wolf of Wall Street.\u201d Wakeman did not respond to requests for comment.<\/p>\n<p>It was not the type of outcome that federal policymakers envisioned a decade and a half ago when they embraced the cloud revolution and created FedRAMP to help safeguard the government\u2019s cybersecurity. The program\u2019s layers of review, which included an assessment by outside experts, were supposed to ensure that service providers like Microsoft could be entrusted with the government\u2019s secrets. But ProPublica\u2019s investigation \u2014 drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors \u2014 found breakdowns at every juncture of that process. 
It also found a remarkable deference to Microsoft, even as the company\u2019s products and practices were central to two of the most damaging cyberattacks ever carried out against the government.<\/p>\n<p>This is not security. This is security theater. Tony Sager, former NSA computer scientist<\/p>\n<p>FedRAMP first raised questions about GCC High\u2019s security in 2020 and asked Microsoft to provide detailed diagrams explaining its encryption practices. But when the company produced what FedRAMP considered to be only partial information in fits and starts, program officials did not reject Microsoft\u2019s application. Instead, they repeatedly pulled punches and allowed the review to drag out for the better part of five years. And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology \u2014 not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft\u2019s product was already being used across Washington.<\/p>\n<p>Today, key parts of the federal government, including the Justice and Energy departments, and the defense sector rely on this technology to protect highly sensitive information that, if leaked, \u201ccould be expected to have a severe or catastrophic adverse effect\u201d on operations, assets and individuals, the government has said.<\/p>\n<p>\u201cThis is not a happy story in terms of the security of the U.S.,\u201d said Tony Sager, who spent more than three decades as a computer scientist at the National Security Agency and now is an executive at the nonprofit Center for Internet Security.<\/p>\n<p>For years, the FedRAMP process has been equated with actual security, Sager said. ProPublica\u2019s findings, he said, shatter that facade.<\/p>\n<p>\u201cThis is not security,\u201d he said. 
\u201cThis is security theater.\u201d<\/p>\n<p>Despite a \u201clack of confidence in assessing\u201d the security of Microsoft\u2019s GCC High, FedRAMP authorized the product anyway. Alex Wong\/Getty Images<\/p>\n<p>ProPublica is exposing the government\u2019s reservations about this popular product for the first time. We are also revealing Microsoft\u2019s yearslong inability to provide the encryption documentation and evidence the federal reviewers sought.<\/p>\n<p>The revelations come as the Justice Department ramps up scrutiny of the government\u2019s technology contractors. In December, the department announced the indictment of a former employee of Accenture who allegedly misled federal agencies about the security of the company\u2019s cloud platform and its compliance with FedRAMP\u2019s standards. She has pleaded not guilty. Accenture, which was not charged with wrongdoing, has said that it \u201cproactively brought this matter to the government\u2019s attention\u201d and that it is \u201cdedicated to operating with the highest ethical standards.\u201d<\/p>\n<p>Microsoft has also faced questions about its disclosures to the government. As ProPublica reported last year, the company failed to inform the Defense Department about its use of China-based engineers to maintain the government\u2019s cloud systems, despite Pentagon rules stipulating that \u201cNo Foreign persons may have\u201d access to its most sensitive data. 
The department is investigating the practice, which officials say could have compromised national security.<\/p>\n<p>Microsoft has defended its program as \u201ctightly monitored and supplemented by layers of security mitigations,\u201d but after ProPublica\u2019s story published last July, the company announced that it would stop using China-based engineers for Defense Department work.<\/p>\n<p>In response to written questions for this story and in an interview, Microsoft acknowledged the yearslong confrontation with FedRAMP but also said it provided \u201ccomprehensive documentation\u201d throughout the review process and \u201cremediated findings where possible.\u201d<\/p>\n<p>\u201cWe stand by our products and the comprehensive steps we\u2019ve taken to ensure all FedRAMP-authorized products meet the security and compliance requirements necessary,\u201d a spokesperson said in a statement, adding that the company would \u201ccontinue to work with FedRAMP to continuously review and evaluate our services for continued compliance.\u201d<\/p>\n<p>But these days, ProPublica found, there aren\u2019t many people left at FedRAMP to work with.<\/p>\n<p>The program was an early target of the Trump administration\u2019s Department of Government Efficiency, which slashed its staff and budget. Even FedRAMP acknowledges it is operating \u201cwith an absolute minimum of support staff\u201d and \u201climited customer service.\u201d The roughly two dozen employees who remain are \u201centirely focused on\u201d delivering authorizations at a record pace, FedRAMP\u2019s director has said. Today, its annual budget is just $10 million, its lowest in a decade, even as it has boasted record numbers of new authorizations for cloud products.<\/p>\n<p>The consequence of all this, people who have worked for FedRAMP told ProPublica, is that the program now is little more than a rubber stamp for industry. 
The implications of such a downsizing for federal cybersecurity are far-reaching, especially as the administration encourages agencies to adopt cloud-based artificial intelligence tools, which draw upon reams of sensitive information.<\/p>\n<p>The General Services Administration, which houses FedRAMP, defended the program, saying it has undergone \u201csignificant reforms to strengthen governance\u201d since GCC High arrived in 2020. \u201cFedRAMP\u2019s role is to assess if cloud services have provided sufficient information and materials to be adequate for agency use, and the program today operates with strengthened oversight and accountability mechanisms to do exactly that,\u201d a GSA spokesperson said in an emailed statement.<\/p>\n<p>The agency did not respond to written questions regarding GCC High.<\/p>\n<p>A \u201cCloud First\u201d World<\/p>\n<p>About two decades ago, federal officials predicted that the cloud revolution, providing on-demand access to shared computing via the internet, would usher in an era of cheaper, more secure and more efficient information technology.\u00a0<\/p>\n<p>Moving to the cloud meant shifting away from on-premises servers owned and operated by the government to those in massive data centers maintained by tech companies. Some agency leaders were reluctant to relinquish control, while others couldn\u2019t wait to.<\/p>\n<p>In an effort to accelerate the transition, the Obama administration issued its \u201cCloud First\u201d policy in 2011, requiring all agencies to implement cloud-based tools \u201cwhenever a secure, reliable, cost-effective\u201d option existed. To facilitate adoption, the administration created FedRAMP, whose job was to ensure the security of those tools.\u00a0<\/p>\n<p>FedRAMP\u2019s \u201cdo once, use many times\u201d system was intended to streamline and strengthen the government procurement process. 
Previously, each agency using a cloud service vetted it separately, sometimes applying different interpretations of federal security requirements. Under the new program, agencies would be able to skip redundant security reviews because FedRAMP authorization indicated that the product had already met standardized requirements. Authorized products would be listed on a government website known as the FedRAMP Marketplace.<\/p>\n<p>On paper, the program was an exercise in efficiency. But in practice, the small FedRAMP team could not keep up with the flood of demand from tech companies that wanted their products authorized.\u00a0<\/p>\n<p>The slow approval process frustrated both the tech industry, eager for a share in the billions of federal dollars up for grabs, and government agencies that were under pressure to migrate to the cloud. These dynamics sometimes pitted the cloud industry and agency officials together against FedRAMP. The backlog also prompted many agencies to take an alternative path: performing their own reviews of the products they wanted to adopt, using FedRAMP\u2019s standards.\u00a0<\/p>\n<p>It was through this \u201cagency path\u201d that GCC High entered the federal bloodstream, with the Justice Department paving the way. Initially, some Justice officials were nervous about the cloud and who might have access to its information, which includes highly sensitive court and law enforcement records, a Justice Department official involved in the decision told ProPublica. The department\u2019s cybersecurity program required it to ensure that only U.S. citizens \u201caccess or assist in the development, operation, management, or maintenance\u201d of its IT systems, unless a waiver was granted. 
Justice\u2019s IT specialists recommended pursuing GCC High, believing it could meet the elevated security needs, according to the official, who spoke on condition of anonymity because they were not authorized to discuss internal matters.<\/p>\n<p>Pursuant to FedRAMP\u2019s rules, Microsoft had GCC High evaluated by a so-called third-party assessment organization, which is supposed to provide an independent review of whether the product has met federal standards. The Justice Department then performed its own evaluation of GCC High using those standards and ruled the offering acceptable.<\/p>\n<p>Melinda Rogers, former chief information officer for the Department of Justice U.S. Department of Justice archives<\/p>\n<p>By early 2020, Melinda Rogers, Justice\u2019s deputy chief information officer, made the decision official and soon deployed GCC High across the department.<\/p>\n<p>It was a milestone for all involved. Rogers had ushered the Justice Department into the cloud, and Microsoft had gained a significant foothold in the cutthroat market for the federal government\u2019s cloud computing business.\u00a0<\/p>\n<p>Moreover, Rogers\u2019 decision placed GCC High on the FedRAMP Marketplace, the government\u2019s influential online clearinghouse of all the cloud providers that are under review or already authorized. 
Its mere mention as \u201cin process\u201d was a boon for Microsoft, amounting to free advertising on a website used by organizations seeking to purchase cloud services bearing what is widely seen as the government\u2019s cybersecurity seal of approval.<\/p>\n<p>That April, GCC High landed at FedRAMP\u2019s office for review, the final stop on its bureaucratic journey to full authorization.\u00a0<\/p>\n<p>Microsoft\u2019s Missing Information<\/p>\n<p>In theory, there shouldn\u2019t have been much for FedRAMP\u2019s team to do after the third-party assessor and Justice reviewed GCC High, because all parties were supposed to be following the same requirements.<\/p>\n<p>But it was around this time that the Government Accountability Office, which investigates federal programs, discovered breakdowns in the process, finding that agency reviews sometimes were lacking in quality. Despite missing details, FedRAMP went on to authorize many of these packages. Acknowledging these shortcomings, FedRAMP began to take a harder look at new packages, a former reviewer said.<\/p>\n<p>This was the environment in which Microsoft\u2019s GCC High application entered the pipeline. The name GCC High was an umbrella covering many services and features within Office 365 that all needed to be reviewed. FedRAMP reviewers quickly noticed key material was missing.<\/p>\n<p>The team homed in on what it viewed as a fundamental document called a \u201cdata flow diagram,\u201d former members told ProPublica. The illustration is supposed to show how data travels from Point A to Point B \u2014 and, more importantly, how it\u2019s protected as it hops from server to server. 
FedRAMP requires data to be encrypted while in transit to ensure that sensitive materials are protected even if they\u2019re intercepted by hackers.<\/p>\n<p>But when the FedRAMP team asked Microsoft to produce the diagrams showing how such encryption would happen for each service in GCC High, the company balked, saying the request was too challenging. So the reviewers suggested starting with just Exchange Online, the popular email platform.<\/p>\n<p>\u201cThis was our litmus test to say, \u2018This isn\u2019t the only thing that\u2019s required, but if you\u2019re not doing this, we are not even close yet,\u2019\u201d said one reviewer who spoke on condition of anonymity because they were not authorized to discuss internal matters. Once they reached the appropriate level of detail, they would move from Exchange to other services within GCC High.<\/p>\n<p>It was the kind of detail that other major cloud providers such as Amazon and Google routinely provided, members of the FedRAMP team told ProPublica. Yet Microsoft took months to respond. When it did, the former reviewer said, it submitted a white paper that discussed GCC High\u2019s encryption strategy but left out the details of where on the journey data actually becomes encrypted and decrypted \u2014 so FedRAMP couldn\u2019t assess that it was being done properly.<\/p>\n<p>A Microsoft spokesperson acknowledged that the company had \u201carticulated a challenge related to illustrating the volume of information being requested in diagram form\u201d but \u201cfound alternate ways to share that information.\u201d<\/p>\n<p>Rogers, who was hired by Microsoft in 2025, declined to be interviewed. In response to emailed questions, the company provided a statement saying that she \u201cstands by the rigorous evaluation that contributed to\u201d her authorization of GCC High. 
A spokesperson said there was \u201cabsolutely no connection\u201d between her hiring and the decisions in the GCC High process, and that she and the company complied with \u201call rules, regulations, and ethical standards.\u201d<\/p>\n<p>The Justice Department declined to respond to written questions from ProPublica.<\/p>\n<p>A Fight Over \u201cSpaghetti Pies\u201d<\/p>\n<p>As 2020 came to a close, a national security crisis hit Washington that underscored the consequences of cyber weakness. Russian state-sponsored hackers had been quietly working their way through federal computer systems for much of the year and vacuuming up sensitive data and emails from U.S. agencies \u2014 including the Justice Department.\u00a0<\/p>\n<p>At the time, most of the blame fell on a Texas-based company called SolarWinds, whose software provided hackers their initial opening and whose name became synonymous with the attack. But, as ProPublica has reported, the Russians leveraged that opening to exploit a long-standing weakness in a Microsoft product \u2014 one that the company had refused to fix for years, despite repeated warnings from one of its engineers. Microsoft has defended its decision not to address the flaw, saying that it received \u201cmultiple reviews\u201d and that the company weighs a variety of factors when making security decisions.<\/p>\n<p>In the aftermath, the Biden administration took steps to bolster the nation\u2019s cybersecurity. Among them, the Justice Department announced a cyber-fraud initiative in 2021 to crack down on companies and individuals that \u201cput U.S. 
information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.\u201d<\/p>\n<p>Deputy Attorney General Lisa Monaco said the department would use the False Claims Act to pursue government contractors \u201cwhen they fail to follow required cybersecurity standards \u2014 because we know that puts all of us at risk.\u201d<\/p>\n<p>Former Deputy Attorney General Lisa Monaco. After Russian state-sponsored hackers stole sensitive data from U.S. agencies, Monaco said the Department of Justice would hold government contractors accountable for failing to uphold cybersecurity standards. Stefani Reynolds\/AFP via Getty Images<\/p>\n<p>But if Microsoft felt any pressure from the SolarWinds attack or from the Justice Department\u2019s announcement, it didn\u2019t manifest in the FedRAMP talks, according to former members of the FedRAMP team.<\/p>\n<p>The discourse between FedRAMP and Microsoft fell into a pattern. The parties would meet. Months would go by. Microsoft would return with a response that FedRAMP deemed incomplete or irrelevant. To bolster the chances of getting the information it wanted, the FedRAMP team provided Microsoft with a template, describing the level of detail it expected. But the diagrams Microsoft returned never met those expectations.<\/p>\n<p>\u201cWe never got past Exchange,\u201d one former reviewer said. \u201cWe never got that level of detail. 
We had no visibility inside.\u201d<\/p>\n<p>In an interview with ProPublica, John Bergin, the Microsoft official who became the government\u2019s main contact, acknowledged the prolonged back-and-forth but blamed FedRAMP, equating its requests for diagrams to a \u201crock fetching exercise.\u201d\u00a0<\/p>\n<p>\u201cWe were maybe incompetent in how we drew drawings because there was no standard to draw them to,\u201d he said. \u201cDid we not do it exactly how they wanted? Absolutely. There was always something missing because there was no standard.\u201d<\/p>\n<p>A Microsoft spokesperson said without such a standard, \u201ccloud providers were left to interpret the level of abstraction and representation on their own,\u201d creating \u201cinconsistency and confusion, not an unwillingness to be transparent.\u201d\u00a0<\/p>\n<p>But even Microsoft\u2019s own engineers had struggled over the years to map the architecture of its products, according to two people involved in building cloud services used by federal customers. At issue, according to people familiar with Microsoft\u2019s technology, was the decades-old code of its legacy software, which the company used in building its cloud services.\u00a0<\/p>\n<p>One FedRAMP reviewer compared it to a \u201cpile of spaghetti pies.\u201d The data\u2019s path from Point A to Point B, the person said, was like traveling from Washington to New York with detours by bus, ferry and airplane rather than just taking a quick ride on Amtrak. 
And each one of those detours represents an opportunity for a hijacking if the data isn\u2019t properly encrypted.<\/p>\n<p>Other major cloud providers such as Amazon and Google built their systems from the ground up, said Sager, the former NSA computer scientist, who worked with all three companies during his time in government.<\/p>\n<p>Microsoft\u2019s system is \u201cnot designed for this kind of isolation of \u2018secure\u2019 from \u2018not secure,\u2019\u201d Sager said.<\/p>\n<p>A Microsoft spokesperson acknowledged the company faces a unique challenge but maintained that its cloud products meet federal security requirements.<\/p>\n<p>\u201cUnlike providers that started later with a narrower product scope, Microsoft operates one of the broadest enterprise and government platforms in the world, supporting continuity for millions of customers while simultaneously modernizing at scale,\u201d the spokesperson said in emailed responses. \u201cThat complexity is not \u2018spaghetti,\u2019 but it does mean the work of disentangling, isolating, and hardening systems is continuous.\u201d<\/p>\n<p>The spokesperson said that since 2023, Microsoft has made \u201csecurity\u2011first architectural redesign, legacy risk reduction, and stronger isolation guarantees a top, company\u2011wide priority.\u201d<\/p>\n<p>Assessors Back-Channel Cyber Concerns<\/p>\n<p>The FedRAMP team was not the only party with reservations about GCC High. Microsoft\u2019s third-party assessment organizations also expressed concerns. The firms are supposed to be independent but are hired and paid by the company being assessed. Acknowledging the potential for conflicts of interest, FedRAMP has encouraged the assessment firms to confidentially back-channel to its reviewers any negative feedback that they were unwilling to bring directly to their clients or reflect in official reports.<\/p>\n<p>In 2020, two third-party assessors hired by Microsoft, Coalfire and Kratos, did just that. 
They told FedRAMP that they were unable to get the full picture of GCC High, a former FedRAMP reviewer told ProPublica.<\/p>\n<p>\u201cCoalfire and Kratos both readily admitted that it was difficult to impossible to get the information required out of Microsoft to properly do a sufficient assessment,\u201d the reviewer told ProPublica.<\/p>\n<p>The back channel helped surface cybersecurity issues that otherwise might never have been known to the government, people who have worked with and for FedRAMP told ProPublica. At the same time, they acknowledged its existence undermined the very spirit and intent of having independent assessors.<\/p>\n<p>A spokesperson for Coalfire, the firm that initially handled the GCC High assessment, requested written questions from ProPublica, then declined to respond.\u00a0<\/p>\n<p>A spokesperson for Kratos, which replaced Coalfire as the GCC High assessor, declined an interview request. In an emailed response to written questions, the spokesperson said the company stands by its official assessment and recommendation of GCC High and \u201cabsolutely refutes\u201d that it \u201cever would sign off on a product we were unable to fully vet.\u201d The company \u201chas open and frank conversations\u201d with all customers, including Microsoft, which \u201csubmitted all requisite diagrams to meet FedRAMP-defined requirements,\u201d the spokesperson said.<\/p>\n<p>Kratos said it \u201cspent extensive time working collaboratively with FedRAMP in their review\u201d and does not consider such discussions to be \u201cbackchanneling.\u201d<\/p>\n<p>FedRAMP, however, was dissatisfied with Kratos\u2019 ongoing work and believed the firm \u201cshould be pushing back\u201d on Microsoft more, the former reviewer said. It placed Kratos on a \u201ccorrective action plan,\u201d which could eventually result in loss of accreditation. 
The company said it did not agree with FedRAMP\u2019s action but provided \u201cadditional trainings for some internal assessors\u201d in response to it.\u00a0<\/p>\n<p>The Microsoft spokesperson told ProPublica the company has \u201calways been responsive to requests\u201d from Kratos and FedRAMP. \u201cWe are not aware of any backchanneling, nor do we believe that backchanneling would have been necessary given our transparency and cooperation with auditor requests,\u201d the spokesperson said.<\/p>\n<p>In response to questions from ProPublica about the process, the GSA said in an email that FedRAMP\u2019s system \u201cdoes not create an inherent conflict of interest for professional auditors who meet ethical and contractual performance expectations.\u201d<\/p>\n<p>GSA did not respond to questions about back-channeling but said the \u201ccorrect process\u201d is for a third-party assessor to \u201cstate these problems formally in a finding during the security assessment so that the cloud service provider has an opportunity to fix the issue.\u201d<\/p>\n<p>FedRAMP Ends Talks<\/p>\n<p>FedRAMP is housed under the General Services Administration within the federal government. Al Drago\/Bloomberg via Getty Images<\/p>\n<p>The back-and-forth between the FedRAMP reviewers and Microsoft\u2019s team went on for years with little progress. Then, in the summer of 2023, the program\u2019s interim director, Brian Conrad, got a call from the White House that would alter the course of the review.<\/p>\n<p>Chinese state-sponsored hackers had infiltrated GCC, the lower-cost version of Microsoft\u2019s government cloud, and stolen data and emails from the commerce secretary, the U.S. ambassador to China and other high-ranking government officials. 
In the aftermath, Chris DeRusha, the White House\u2019s chief information security officer, wanted a briefing from FedRAMP, which had authorized GCC.<\/p>\n<p>The decision predated Conrad\u2019s tenure, but he told ProPublica that he left the conversation with several takeaways. First, FedRAMP must hold all cloud providers \u2014 including Microsoft \u2014 to the same standards. Second, he had the backing of the White House in standing firm. Finally, FedRAMP would feel the political heat if any cloud service with a FedRAMP authorization were hacked.<\/p>\n<p>DeRusha confirmed Conrad\u2019s account of the phone call but declined to comment further.<\/p>\n<p>Within months, Conrad informed Microsoft that FedRAMP was ending the engagement on GCC High.<\/p>\n<p>We can\u2019t even quantify the unknowns, which makes us very uncomfortable. FedRAMP reviewer of GCC High<\/p>\n<p>\u201cAfter three years of collaboration with the Microsoft team, we still lack visibility into the security gaps because there are unknowns that Microsoft has failed to address,\u201d Conrad wrote in an October 2023 email. This, he added, was not for FedRAMP\u2019s lack of trying. Staffers had spent 480 hours of review time, had conducted 18 \u201ctechnical deep dive\u201d sessions and had numerous email exchanges with the company over the years. Yet they still lacked the data flow diagrams, crucial information \u201csince visibility into the encryption status of all data flows and stores is so important,\u201d he wrote.<\/p>\n<p>If Microsoft still wanted FedRAMP authorization, Conrad wrote, it would need to start over.<\/p>\n<p>A FedRAMP reviewer, explaining the decision to the Justice Department, said the team was \u201cnot asking for anything above and beyond what we\u2019ve asked from every other\u201d cloud service provider, according to meeting minutes reviewed by ProPublica. 
But the request was particularly justified in Microsoft\u2019s case, the reviewer told the Justice officials, because \u201ceach time we\u2019ve actually been able to get visibility into a black box, we\u2019ve uncovered an issue.\u201d<\/p>\n<p>\u201cWe can\u2019t even quantify the unknowns, which makes us very uncomfortable,\u201d the reviewer said, according to the minutes.<\/p>\n<p>Microsoft and the Justice Department Push Back<\/p>\n<p>Microsoft was furious. Failing to obtain authorization and starting the process over would signal to the market that something was wrong with GCC High. Customers were already confused and concerned about the drawn-out review, which had become a hot topic in an online forum used by government and technology insiders. There, Wakeman, the Microsoft cybersecurity architect, deflected blame, saying the government had been \u201cdragging their feet on it for years now.\u201d<\/p>\n<p>Meanwhile, to build support for Microsoft\u2019s case, Bergin, the company\u2019s point person for FedRAMP and a former Army official, reached out to government leaders, including one from the Justice Department.<\/p>\n<p>The Justice official, who spoke on condition of anonymity because they were not authorized to discuss the matter, said Bergin complained that the delay was hampering Microsoft\u2019s ability \u201cto get this out into the market full sail.\u201d Bergin then pushed the Justice Department to \u201cthrow around our weight\u201d to help secure FedRAMP authorization, the official said.<\/p>\n<p>John Bergin in 2019, while serving as deputy assistant secretary of the Army for financial information management. He was later hired by Microsoft and served as the company\u2019s liaison with FedRAMP during the GCC High debate. Defense Visual Information Distribution Service<\/p>\n<p>That December, as the parties gathered to hash things out at GSA\u2019s Washington headquarters, Justice did just that. 
Rogers, who by then had been promoted to the department\u2019s chief information officer, sat beside Bergin \u2014 on the opposite side of the table from Conrad, the FedRAMP director.<\/p>\n<p>Rogers and her Justice colleagues had a stake in the outcome. Since authorizing and deploying GCC High, she had received accolades for her work modernizing the department\u2019s IT and cybersecurity. But without FedRAMP\u2019s stamp of approval, she would be the government official left holding the bag if GCC High were involved in a serious hack. At the same time, the Justice Department couldn\u2019t easily back out of using GCC High because once a technology is widely deployed, pulling the plug can be costly and technically challenging. And from its perspective, the cloud was an improvement over the old government-run data centers.<\/p>\n<p>Shortly after the meeting kicked off, Bergin interrupted a FedRAMP reviewer who had been presenting PowerPoint slides. He said the Justice Department and third-party assessor had already reviewed GCC High, according to meeting minutes. FedRAMP \u201cshould essentially just accept\u201d their findings, he said.<\/p>\n<p>Then, in a shock to the FedRAMP team, Rogers backed him up and went on to criticize FedRAMP\u2019s work, according to two attendees.<\/p>\n<p>In its statement, Microsoft said Rogers maintains that FedRAMP\u2019s approach \u201cwas misguided and improperly dismissed the extensive evaluations performed by DOJ personnel.\u201d<\/p>\n<p>Bergin did not dispute the account, telling ProPublica that he had been trying to argue that it is the purview of third-party assessors such as Kratos \u2014 not FedRAMP \u2014 to evaluate the security of cloud products. 
And because FedRAMP must approve the third-party assessment firms, the program should have taken its issues up with Kratos.<\/p>\n<p>\u201cWhen you are the regulatory agency who determines who the auditors are and you refuse to accept your auditors\u2019 answers, that\u2019s not a \u2018me\u2019 problem,\u201d Bergin told ProPublica.<\/p>\n<p>The GSA did not respond to questions about the meeting. The Justice Department declined to comment.<\/p>\n<p>Pressure Mounts on FedRAMP<\/p>\n<p>If there was any doubt about the role of FedRAMP, the White House issued a memorandum in the summer of 2024 that outlined its views. FedRAMP, it said, \u201cmust be capable of conducting rigorous reviews\u201d and requiring cloud providers to \u201crapidly mitigate weaknesses in their security architecture.\u201d The office should \u201cconsistently assess and validate cloud providers\u2019 complex architectures and encryption schemes.\u201d<\/p>\n<p>But by that point, GCC High had spread to other federal agencies, with the Justice Department\u2019s authorization serving as a signal that the technology met federal standards.<\/p>\n<p>It also spread to the defense sector, since the Pentagon required that cloud products used by its contractors meet FedRAMP standards. While it did not have FedRAMP authorization, Microsoft marketed GCC High as meeting the requirements, selling it to companies such as Boeing that research, develop and maintain military weapons systems.<\/p>\n<p>But with the FedRAMP authorization up in the air, some contractors began to worry that by using GCC High, they were out of compliance. That could threaten their contracts, which, in turn, could impact Defense Department operations. 
Pentagon officials called FedRAMP to inquire about the authorization stalemate.<\/p>\n<p>The Defense Department acknowledged but did not respond to written questions from ProPublica.<\/p>\n<p>Rogers also kept pressing FedRAMP to \u201cget this thing over the line,\u201d former employees of the GSA and FedRAMP said. It was the \u201copinion of the staff and the contractors that she simply was not willing to put heat to Microsoft on this\u201d and that the Justice Department \u201cwas too sympathetic to Microsoft\u2019s claims,\u201d\u00a0 Eric Mill, then GSA\u2019s executive director for cloud strategy, told ProPublica.<\/p>\n<p>Authorization Despite a \u201cDamning\u201d Assessment\u00a0<\/p>\n<p>In the summer of 2024, FedRAMP hired a new permanent director, government technology insider Pete Waterman. Within about a month of taking the job, he restarted the office\u2019s review of GCC High with a new team, which put aside the debate over data flow diagrams and instead attempted to examine evidence from Microsoft. 
But these reviewers soon arrived at the same conclusion, with the team\u2019s leader complaining about \u201cgetting stiff-armed\u201d by Microsoft.<\/p>\n<p>\u201cHe came back and said, \u2018Yeah, this thing sucks,\u2019\u201d Mill recalled.<\/p>\n<p>Pete Waterman, FedRAMP director hired in 2024 FedRAMP<\/p>\n<p>While the team was able to work through only two of the many services included in GCC High, Exchange Online and Teams, that was enough for it to identify \u201cissues that are fundamental\u201d to risk management, including \u201ctimely remediation of vulnerabilities and vulnerability scanning,\u201d according to a summary of the team\u2019s findings reviewed by ProPublica.<\/p>\n<p>Those issues, as well as a lack of \u201cproper detailed security documentation\u201d from Microsoft, limit \u201cvisibility and understanding of the system\u201d and \u201cimpair the ability to make informed risk decisions.\u201d<\/p>\n<p>The team concluded, \u201cThere is a lack of confidence in assessing the system\u2019s overall security posture.\u201d\u00a0<\/p>\n<p>A Microsoft spokesperson said in a statement that the company \u201cnever received this feedback in any of its communications with FedRAMP.\u201d<\/p>\n<p>When ProPublica read the findings to Bergin, the Microsoft liaison, he said he was surprised.<\/p>\n<p>\u201cThat\u2019s pretty damning,\u201d Bergin said, adding that it sounded like language that \u201cwould\u2019ve generally been associated with a finding of \u2018not worthy.\u2019 If an assessor wrote that, I would be nervous.\u201d<\/p>\n<p>Despite the findings, to the FedRAMP team, turning Microsoft down didn\u2019t seem like an option. \u201cNot issuing an authorization would impact multiple agencies that are already using GCC-H,\u201d the summary document said. 
The team determined that it was a \u201cbetter value\u201d to issue an authorization with conditions for continued government oversight.<\/p>\n<p>While authorizations with oversight conditions weren\u2019t unusual, arriving at one under these circumstances was. GCC High reviewers saw problems everywhere, both in what they were able to evaluate and what they weren\u2019t. To them, most of the package remained a vast wilderness of untold risk.<\/p>\n<p>Nevertheless, FedRAMP and Microsoft reached an agreement, and the day after Christmas 2024, GCC High received its FedRAMP authorization. FedRAMP appended a cover report to the package laying out its deficiencies and noting it carried unknown risks, according to people familiar with the report.<\/p>\n<p>It emphasized that agencies should carefully review the package and engage directly with Microsoft on any questions.<\/p>\n<p>\u201cUnknown Unknowns\u201d Persist<\/p>\n<p>Microsoft told ProPublica that it has met the conditions of the agreement and has \u201cstayed within the performance metrics required by FedRAMP\u201d to ensure that \u201crisks are identified, tracked, remediated, and transparently communicated.\u201d<\/p>\n<p>But under the Trump administration, there aren\u2019t many people left at FedRAMP to check.<\/p>\n<p>While the Biden-era guidance said FedRAMP \u201cmust be an expert program that can analyze and validate the security claims\u201d of cloud providers, the GSA told ProPublica that the program\u2019s role is \u201cnot to determine if a cloud service is secure enough.\u201d Rather, it is \u201cto ensure agencies have sufficient information to make these risk decisions.\u201d<\/p>\n<p>The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them. 
Under the current vision, critics say, FedRAMP has lost the plot.<\/p>\n<p>\u201cFedRAMP\u2019s job is to watch the American people\u2019s back when it comes to sharing their data with cloud companies,\u201d said Mill, the former GSA official, who also co-authored the 2024 White House memo. \u201cWhen there\u2019s a security issue, the public doesn\u2019t expect FedRAMP to say they\u2019re just a paper-pusher.\u201d<\/p>\n<p>Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the \u201cunknown unknowns\u201d in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service their sensitive cloud systems despite the department\u2019s prohibition against non-U.S. citizens assisting with IT maintenance.<\/p>\n<p>Officials learned about this arrangement \u2014 which was also used in GCC High \u2014 not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.<\/p>\n<p>A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department did not mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. 
Nevertheless, Microsoft has since ended its use of China-based engineers in government systems.<\/p>\n<p>Former and current government officials worry about what other risks may be lurking in GCC High and beyond.<\/p>\n<p>The GSA told ProPublica that, in general, \u201cif there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.\u201d<\/p>\n<p>Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors are living up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made \u201cfalse and misleading representations\u201d about the cloud platform\u2019s security to help the company \u201cobtain and maintain lucrative federal contracts.\u201d She is also accused of trying to \u201cinfluence and obstruct\u201d Accenture\u2019s third-party assessors by hiding the product\u2019s deficiencies and telling others to conceal the \u201ctrue state of the system\u201d during demonstrations, the department said. She has pleaded not guilty.<\/p>\n<p>There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department\u2019s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.<\/p>\n<p>She left her government position in January 2025. 
Microsoft hired her to become its president of global affairs.<\/p>\n<p>A company spokesperson said Monaco\u2019s hiring complied with \u201call rules, regulations, and ethical standards\u201d and that she \u201cdoes not work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Despite Doubts, Federal Cyber Experts Approved Microsoft Cloud Service \u2014 ProPublica https:\/\/www.propublica.org\/article\/microsoft-cloud-fedramp-cybersecurity-government Publish Date: 2026-03-18&#8230;<\/p>\n","protected":false},"author":1,"featured_media":196969,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.propublica.org\/wp-content\/uploads\/2025\/12\/20260225-Gordon-fed-ramp-tech-project-social_maxHeight_3000_maxWidth_3000.jpg?resize=2000,1050","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[20,24,31,27],"class_list":["post-196968","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-artificial-intelligence","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196968"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=196968"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196968\/revisions"}],"predecessor-version":[{"id":196970,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196968\/revisions\/196970"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/196969"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=196968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=196968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=196968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}