NOW LET US – AI RAG SaaS Studio TP.HCM

Despite Doubts, Federal Cyber Experts Approved Microsoft Cloud Service


A ProPublica investigation reveals that federal evaluators authorized Microsoft's GCC High cloud service despite internal warnings about its security documentation. The decision highlights systemic failures in the FedRAMP program and a 'security theater' that prioritizes business continuity over actual safety.

Reporting Highlights

“Cloud First”: To move federal agencies to the cloud, the government created a program known as FedRAMP, whose job was to ensure the security of new technology.
Security Breakdown: ProPublica found that FedRAMP authorized a Microsoft product called GCC High to handle sensitive government data, despite years of concerns about its security.
Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.

In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings.

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica. Or, as one member of the team put it: “The package is a pile of shit.”

For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.

Such judgments would be damning for any company seeking to sell its wares to the U.S. government, but it should have been particularly devastating for Microsoft. The tech giant’s products had been at the heart of two major cybersecurity attacks against the U.S. in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.

Yet, in a highly unusual move, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway. FedRAMP’s ruling — which included a kind of “buyer beware” notice to any federal agency considering GCC High — helped Microsoft expand a government business empire worth billions of dollars.

ProPublica’s investigation found breakdowns at every juncture of that process. It also found a remarkable deference to Microsoft. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered, but largely on the grounds that Microsoft’s product was already being used across Washington.

“This is not security,” said Tony Sager, who spent more than three decades as a computer scientist at the National Security Agency. “This is security theater.”

Today, key parts of the federal government rely on this technology to protect highly sensitive information. Meanwhile, FedRAMP has become an early target of budget cuts, operating with an absolute minimum of support staff and a budget of just $10 million, its lowest in a decade.


Source: Hacker News
