Federal Experts Approved Microsoft's Faulty Cloud Despite Security Doubts

National Security · 2 sources · 3h ago

After review, the Council found the article's framing of Microsoft as a perpetrator of cyberattacks and its heavy reliance on critical voices like Tony Sager, a former NSA computer scientist, positions the piece against corporate power and government oversight, leaning left.


Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway. This reveals new information about the security of government systems.

Federal cyber experts thought Microsoft's cloud was 'a pile of shit' but approved it anyway—leaked information revealing security assessment contradictions.

Federal cyber experts approved Microsoft's cloud despite criticisms, revealing internal assessments that expose potential security vulnerabilities.

ProPublica obtained internal emails showing federal cyber officials called Microsoft’s cloud ‘a pile of shit’ yet still approved it, revealing new oversight failures.


Federal Evaluation Reveals Documentation Gaps

In late 2024, federal cybersecurity evaluators examined Microsoft's Government Community Cloud High (GCC High) and found a "lack of proper detailed security documentation," according to an internal government report. The report said this led to a "lack of confidence in assessing the system's overall security posture"; one team member bluntly described the package as "a pile of shit." FedRAMP reviewers could not verify the system's encryption practices, a critical gap given that Microsoft's products had been central to two major cyberattacks against the government in three years.

Microsoft's Role in Past Cyberattacks

Microsoft's products were central to two major cyberattacks in recent years, including one where Russian hackers exploited a weakness to steal data from federal agencies like the National Nuclear Security Administration. In another incident, Chinese hackers infiltrated email accounts of a Cabinet member and other senior officials. Despite these events, FedRAMP authorized GCC High, helping Microsoft expand its government business worth billions of dollars, as Richard Wakeman, a company chief security architect, celebrated with a "BOOM SHAKA LAKA" meme in an online forum.

FedRAMP's Prolonged Review Process

FedRAMP first raised concerns about GCC High's security in 2020 and requested detailed diagrams for its encryption practices, but Microsoft provided only partial information over five years. Brian Conrad, interim FedRAMP director, informed Microsoft in an October 2023 email that the process needed restarting. Microsoft was furious, fearing that restarting would signal market problems with GCC High.


FedRAMP reviewers spent 480 hours reviewing GCC High and conducted 18 'technical deep dive' sessions over the three-year period before Conrad's October 2023 decision to restart the process.

Justice Department's Influence on Approval

Melinda Rogers, the Justice Department's deputy chief information officer, deployed GCC High across the department by early 2020 after her own evaluation, paving the way for its spread to other agencies. During a December meeting at GSA headquarters, Rogers backed Microsoft's John Bergin in criticizing FedRAMP's demands, arguing that the product had already been vetted. FedRAMP authorized GCC High on December 26, 2024, with conditions for oversight. The decision came despite reviewers identifying fundamental issues in services such as Exchange Online, largely because GCC High was already deployed across multiple federal agencies.

National Security Implications and Criticisms

Today, departments such as Justice and Energy rely on GCC High to protect information that could cause "severe or catastrophic adverse effects" if leaked, raising alarms from Tony Sager, a former National Security Agency computer scientist. Sager called the situation "security theater," highlighting how FedRAMP's breakdowns allowed potential vulnerabilities to persist. The program's annual budget has dropped to $10 million, its lowest in a decade, leaving roughly two dozen staff focused on authorizations. Eric Mill, former GSA executive director for cloud strategy, and others who worked for FedRAMP say the program has become little more than a rubber stamp for industry.

Microsoft's Response and Ongoing Concerns

Microsoft acknowledged the yearslong confrontation with FedRAMP but claimed it provided "comprehensive documentation" and remediated findings. A company spokesperson stated that its products meet security requirements, attributing challenges to the broad scope of its systems. However, third-party assessors like Coalfire and Kratos admitted struggles to obtain full information from Microsoft, and FedRAMP placed Kratos on a corrective action plan for not pushing back enough.

The authorization of GCC High despite these issues means government agencies must now scrutinize their own systems for hidden risks, potentially affecting public data security and national defenses.

How others covered this story
ProPublica Leans Left
Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
ProPublica highlights the severity of the security documentation gaps and the resulting lack of confidence in Microsoft's cloud offering. They emphasize the long-standing nature of the problem and the inability of Microsoft to adequately explain its security measures.
Ars Technica Center
Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway
Ars Technica presents the story in a straightforward, factual manner, mirroring the ProPublica report's findings. The focus is on the government evaluators' concerns about the lack of proper security documentation and the resulting uncertainty about the system's security.

Sources (2)
