FedRAMP approval questioned
Investigations found federal cyber experts approved a Microsoft cloud product for government use despite internal concerns about its security posture, exposing tensions in vendor‑paid audit reliance. The reporting raises questions about transparency and the need for independent, ongoing scrutiny of cloud platforms that support municipal services. (propublica.org)
ProPublica’s March 18, 2026 investigation reports that FedRAMP granted authorization to Microsoft’s Government Community Cloud High (GCC High) in late 2024 even though internal reviewers documented a “lack of proper detailed security documentation” and one reviewer wrote the package was “a pile of shit.” (propublica.org) Reviewers told ProPublica they had a “lack of confidence in assessing the system’s overall security posture,” and the piece ties those concerns to two prior major incidents: a late‑2020 Russian exploitation of a Microsoft product and a summer‑2023 Chinese intrusion into a lower‑cost government cloud environment. (propublica.org)

ProPublica’s reporting says the Justice Department had already deployed GCC High after a decision by then‑DOJ IT leadership, placing the platform inside criminal and civil investigation workflows; DOJ CIO records show Melinda Rogers led the department’s IT portfolio during that period. (propublica.org) (justice.gov)

The piece highlights FedRAMP’s structural reliance on vendor‑paid third‑party assessment organizations (3PAOs), noting that reviewers and documents flagged vendor‑funded audits as a potential conflict of interest that complicated independent verification. (propublica.org) (cisa.gov)

GSA has been running a FedRAMP reform effort since March 24, 2025 under the “FedRAMP 20x” initiative and touted authorization‑process milestones in an August 11, 2025 release, even as the program has faced staff reductions and throughput pressure. (gsa.gov)

Separately, ProPublica reported on July 15, 2025 that Microsoft used China‑based engineers under a “digital escort” model to support U.S. government cloud systems, and Microsoft announced it would end China‑based support for Defense Department projects within days of that reporting. (propublica.org) (cnbc.com)

Multiple analyses cited by ProPublica and follow‑up reporting explain the practical reason FedRAMP moved forward despite the gaps: several federal agencies were already operating on GCC High, and revoking the authorization would have created compliance and operational disruptions for those missions. (propublica.org) (byteiota.com)