Federal OK for Microsoft Cloud

U.S. federal cyber authorities approved a major Microsoft cloud service despite ongoing doubts about the company’s ability to fully explain its security posture—raising fresh questions about vendor risk and evidence requirements for regulated workloads. The decision spotlights the pressure internal compliance teams will face to demand compensating controls and clearer automated reporting when onboarding large cloud providers. (propublica.org)

ProPublica’s March 18, 2026 investigation reports that in late 2024 federal reviewers judged Microsoft’s Government Community Cloud High (GCC High) security package with a “lack of confidence,” and that one reviewer called the submission “a pile of shit,” yet FedRAMP ultimately authorized the offering. (ProPublica) The internal government assessment obtained by ProPublica flagged a “lack of proper detailed security documentation” and explicitly said reviewers lacked confidence in assessing the system’s overall security posture. (ProPublica)

Microsoft’s public posts state that Office 365 GCC High was listed in the FedRAMP marketplace as authorized on Dec. 26, 2024, and that GCC High maintains agency ATOs including DHS, DOJ and other federal customers. (Microsoft Tech Community; Microsoft Learn)

FedRAMP’s model depends on FedRAMP-accredited Third-Party Assessment Organizations (3PAOs) to perform security assessments, and per FedRAMP guidance those 3PAOs are engaged and paid through the vendor or the sponsoring agency. (FedRAMP Help) Microsoft’s public documentation identifies Kratos Defense & Security Solutions as the 3PAO that assessed Office 365 GCC High. (Microsoft Tech Community)

ProPublica’s July 2025 reporting documented that Microsoft relied for years on China-based engineers to support Pentagon and other federal cloud systems; on July 18, 2025, Microsoft publicly said it would stop using China-based engineers for DoD cloud support. (ProPublica; CNBC)

The GSA launched FedRAMP 20x on March 24, 2025 to move FedRAMP toward automation and Key Security Indicators (KSIs) that rely on machine-readable, continuous evidence rather than paper artifacts. (GSA FedRAMP 20x announcement; FedRAMP KSIs) FedRAMP’s Phase 2 20x pilot documentation shows the program targeted roughly 10 Moderate pilot authorizations and set submission and pilot deadlines running from January to March 2026 as it formalized KSI and automated evidence requirements. (FedRAMP Phase Two)
