Federal cybersecurity evaluators authorized Microsoft's Government Community Cloud High (GCC High) in late 2024 despite serious security concerns stemming from incomplete documentation and a lack of confidence in assessing the system's security. The authorization followed a five-year review process marked by Microsoft's repeated failure to provide necessary documentation, raising concerns given Microsoft's history with cyberattacks on the US government.
In late 2024, federal cybersecurity evaluators delivered a troubling assessment of one of Microsoft ’s major cloud computing products, yet granted it authorization despite serious security concerns.that Federal Risk and Authorization Management Program reviewers found themselves unable to verify the security of Microsoft ’s Government Community Cloud High after years of incomplete documentation from the technology giant.
According to an internal government report, Microsoft’s “lack of proper detailed security documentation” left reviewers with “a lack of confidence in assessing the system’s overall security posture.” One team member described the authorization package as “a pile of shit.” Despite these assessments, FedRAMP authorized GCC High anyway in December 2024, granting what amounts to the federal government’s cybersecurity seal of approval. The decision came after a contentious five-year review process marked by Microsoft’s repeated failure to provide requested security documentation and diagrams explaining how the system protects sensitive government data. The authorization is particularly significant given Microsoft’s role in two major cyberattacks against the United States government. Russian hackersa Microsoft weakness to steal sensitive data from federal agencies including the National Nuclear Security Administration. Later, Chinese hackers infiltrated email accounts of a Cabinet member and other senior officials through Microsoft systems. GCC High entered the federal authorization pipeline through the Justice Department in early 2020. When FedRAMP reviewers began their assessment, they immediately identified missing documentation, focusing on data flow diagrams that should illustrate how information travels through the system and how encryption protects it during transit. Microsoft struggled to provide the requested diagrams for years. When Microsoft finally responded after months of delay, it submitted a white paper discussing encryption strategy without the specific details FedRAMP needed. The request was routine, according to former FedRAMP team members, who said other major cloud providers like Amazon and Google regularly provided such documentation. The protracted negotiations revealed deeper issues with Microsoft’s cloud architecture. People involved in building Microsoft’s federal cloud services said the company faces unique challenges because it built its cloud products on top of decades-old legacy software code. One reviewer compared the system to a “pile of spaghetti pies,” with data taking circuitous routes rather than direct paths. The third-party assessment firms hired by Microsoft to evaluate GCC High echoed these concerns. In 2020, two firms, Coalfire and Kratos, confidentially told FedRAMP that they were unable to get a complete picture of GCC High’s security. “Coalfire and Kratos both readily admitted that it was difficult to impossible to get the information required out of Microsoft to properly do a sufficient assessment,” a former FedRAMP reviewer said.Despite the negative assessment, FedRAMP determined that refusing authorization was not feasible because multiple agencies were already using GCC High. The program concluded it was a “better value” to issue an authorization with conditions. GCC High received its FedRAMP authorization the day after Christmas 2024.on the alarming revelation that Microsoft was using Chinese engineers to update code for the most sensitive corners of the U.S. government including the Pentagon: The system relies on U.S. workers with security clearances, known as “digital escorts,” to supervise the Chinese engineers and serve as a firewall against malicious activities. However, ProPublica found that these escorts often lack the advanced technical skills needed to effectively monitor the foreign workers, who possess far greater coding expertise. Some escorts are ex-military with little software engineering experience, earning barely above minimum wage. While Microsoft claims it has disclosed details of this escort model to the government, former U.S. officials interviewed said they were unaware of the arrangement. Cybersecurity experts were also surprised, noting that this setup presents a prime opportunity for Chinese operatives to infiltrate U.S. networks.Trump Issues Ultimatum to Iran to Open Strait of HormuzMarlow: Anti-Trump Forces on Left and Right Openly Rooting Against AmericaRobert Mueller, Former FBI Director, Special Counsel For Russiagate Hoax, Dies at 81Ted Cruz Suggests Splitting ICE, CBP Funding from DHS Funding
Microsoft Cybersecurity Fedramp Cloud Computing Government
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Children's ibuprofen recall: FDA issues notice for Taro Pharmaceuticals' productNearly 90,000 bottles of a children’s pain reliever have been recalled due to reports of particles and other possible contaminants. The Food and Drug Administration posted an online notice about the recall of Taro Pharmaceuticals' Children’s Ibuprofen Oral Suspension. The medication comes in a berry-flavored formula for children as young as 2.
Read more »
‘A Pile of Sh*t:’ Government Reviewers Blasted Microsoft’s Cloud Security, Approved It AnywaySource of breaking news and analysis, insightful commentary and original reporting, curated and written specifically for the new generation of independent and conservative thinkers.
Read more »
BitFuFu cuts self-mined Bitcoin in 2025, shifts focus to cloud miningThe most recent news about crypto industry at Cointelegraph. Latest news about bitcoin, ethereum, blockchain, mining, cryptocurrency prices and more
Read more »
‘A Rigged and Dangerous Product’: The Wildest Week for Prediction Markets YetAs the prediction market boom continues, backlash is growing too, with Arizona filing criminal charges against Kalshi and public outcry after Polymarket traders threatened a journalist.
Read more »
Shoppers Say This Oprah-Approved Lounge Set Is ‘Like Sleeping in a Cloud’—On Sale NowOprah touted the Softies Waffle Marshmallow V-Neck Lounge Set in her Favorite Things list. Now, it's 20% off at Amazon.
Read more »
Colorado weather blog: Historically high temperatures and high fire danger Saturday, March 21The Denver7 news team is tracking the latest weather impacts and alerts amid historically high temperatures and red flag warnings
Read more »