In late 2024, federal cybersecurity evaluators delivered a troubling assessment of one of Microsoft’s major cloud computing products, yet granted it authorization despite serious security concerns.
ProPublica reports that Federal Risk and Authorization Management Program (FedRAMP) reviewers found themselves unable to verify the security of Microsoft’s Government Community Cloud High (GCC High) after years of incomplete documentation from the technology giant. According to an internal government report, Microsoft’s “lack of proper detailed security documentation” left reviewers with “a lack of confidence in assessing the system’s overall security posture.” One team member described the authorization package as “a pile of shit.”
Despite these assessments, FedRAMP authorized GCC High anyway in December 2024, granting what amounts to the federal government’s cybersecurity seal of approval. The decision came after a contentious five-year review process marked by Microsoft’s repeated failure to provide requested security documentation and diagrams explaining how the system protects sensitive government data.
The authorization is particularly significant given Microsoft’s role in two major cyberattacks against the United States government. Russian hackers exploited a Microsoft weakness to steal sensitive data from federal agencies including the National Nuclear Security Administration. Later, Chinese hackers infiltrated email accounts of a Cabinet member and other senior officials through Microsoft systems.
GCC High entered the federal authorization pipeline through the Justice Department in early 2020. When FedRAMP reviewers began their assessment, they immediately identified missing documentation, focusing on data flow diagrams that should illustrate how information travels through the system and how encryption protects it during transit.
Microsoft struggled to provide the requested diagrams for years. When Microsoft finally responded after months of delay, it submitted a white paper discussing encryption strategy without the specific details FedRAMP needed. The request was routine, according to former FedRAMP team members, who said other major cloud providers like Amazon and Google regularly provided such documentation.
The protracted negotiations revealed deeper issues with Microsoft’s cloud architecture. People involved in building Microsoft’s federal cloud services said the company faces unique challenges because it built its cloud products on top of decades-old legacy software code. One reviewer compared the system to a “pile of spaghetti pies,” with data taking circuitous routes rather than direct paths.
The third-party assessment firms hired by Microsoft to evaluate GCC High echoed these concerns. In 2020, two firms, Coalfire and Kratos, confidentially told FedRAMP that they were unable to get a complete picture of GCC High’s security. “Coalfire and Kratos both readily admitted that it was difficult to impossible to get the information required out of Microsoft to properly do a sufficient assessment,” a former FedRAMP reviewer said.
Despite the negative assessment, FedRAMP determined that refusing authorization was not feasible because multiple agencies were already using GCC High. The program concluded it was a “better value” to issue an authorization with conditions. GCC High received its FedRAMP authorization the day after Christmas 2024.
Last year, Breitbart News reported on the alarming revelation that Microsoft was using Chinese engineers to update code for the most sensitive corners of the U.S. government including the Pentagon:
The system relies on U.S. workers with security clearances, known as “digital escorts,” to supervise the Chinese engineers and serve as a firewall against malicious activities. However, ProPublica found that these escorts often lack the advanced technical skills needed to effectively monitor the foreign workers, who possess far greater coding expertise. Some escorts are ex-military with little software engineering experience, earning barely above minimum wage.
While Microsoft claims it has disclosed details of this escort model to the government, former U.S. officials interviewed said they were unaware of the arrangement. Cybersecurity experts were also surprised, noting that this setup presents a prime opportunity for Chinese operatives to infiltrate U.S. networks.
Read more at ProPublica here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
