Federal OK despite red flags
Federal evaluators blasted Microsoft’s Government Community Cloud High for poor security documentation, calling it a 'pile of shit', yet the service was authorized after years of delays, raising questions about documentation rigor in government cloud approvals. That gap matters because agencies now have permission to deploy despite acknowledged compliance and traceability weaknesses. (x.com)
ProPublica published its investigation on March 18, 2026, drawing on internal FedRAMP review documents from late 2024. (propublica.org) Microsoft’s Office 365 Government (GCC High) was listed as FedRAMP High with a final authorization entry dated December 26, 2024, according to Microsoft’s public posts about the authorization. (techcommunity.microsoft.com)
Two FedRAMP-accredited third‑party assessment firms, Coalfire and Kratos, told FedRAMP in 2020 that they were unable to get a complete picture of GCC High’s security during their assessments, according to documents reviewed by ProPublica. (propublica.org) The Department of Justice had rolled GCC High out internally by early 2020 after a decision by then‑Deputy CIO Melinda Rogers, a deployment reviewers later said made unwinding agency use operationally disruptive. (propublica.org) FedRAMP’s final package for GCC High included a marketplace notice that amounted to a “buyer beware” flag about unresolved questions even as the service was authorized. (propublica.org)
Microsoft told reporters it worked with the FedRAMP Program Management Office to address items and asserted it remediated findings, while the General Services Administration’s FedRAMP pages describe recent program reforms and continuous monitoring requirements for authorized services. (techcommunity.microsoft.com) FedRAMP and Microsoft documentation both state that ultimate risk acceptance remains with individual agency Authorizing Officials, placing the onus on agencies to document and formally accept any residual traceability or compliance gaps when they adopt an authorized service. (techcommunity.microsoft.com)