10) “We stand by our products and the comprehensive steps we’ve taken to ensure all FedRAMP-authorized products meet the security and compliance requirements necessary,” a Microsoft spokesperson said.
Posts by Renee Dudley
9) Rogers declined to be interviewed, but Microsoft said she stands by her decision to approve GCC High. Monaco did not respond to requests for comment. Microsoft said their hirings had “absolutely no connection” to GCC High and complied with all rules and regulations.
7) Rogers now works for Microsoft. So does former deputy AG Monaco, who became the company’s head of global affairs last year.
6) FedRAMP ultimately authorized GCC High in late 2024, even though reviewers thought it was a vast wilderness of untold risk.
Today, key parts of the federal government use GCC High to protect highly sensitive data.
5) It was the “opinion of the staff and the contractors that she simply was not willing to put heat to Microsoft on this” and that DOJ “was too sympathetic to Microsoft’s claims,” a former GSA official told me.
4) Rogers had approved the product, called GCC High, for DOJ’s use in 2020. Although federal cyber evaluators at FedRAMP later raised concerns about its potential risks, Rogers pressed them to authorize it anyway.
3) At the same time, Melinda Rogers, a top official at the Justice Department, was showing a remarkable deference to Microsoft, which was struggling to answer basic cybersecurity questions about one of its cloud products.
2) In 2021, Deputy AG Lisa Monaco pledged to get tough on tech companies that “fail to follow required cybersecurity standards — because we know that puts all of us at risk.”
1) In my latest investigation into @microsoft.com's business with the federal government, the revolving door is in full swing. THREAD 🧵
12) But we found there aren’t many people left at FedRAMP to work with, and the program is essentially a rubber stamp. The General Services Administration, which houses FedRAMP, defended the program, saying it has undergone “significant reforms.” It did not answer questions about GCC High.
11) Microsoft acknowledged the yearslong confrontation with FedRAMP but also said it provided “comprehensive documentation” throughout the review and would “continue to work with FedRAMP to continuously review and evaluate our services for continued compliance.”
10) In response to questions, a Microsoft spokesperson told me: “We stand by our products and the comprehensive steps we’ve taken to ensure all FedRAMP-authorized products meet the security and compliance requirements necessary.”
9) “This is not a happy story in terms of the security of the U.S.,” said Tony Sager, who spent more than three decades as an NSA computer scientist and now is an executive at the Center for Internet Security. “This is not security,” he said. “This is security theater.”
8) Yet my investigation — drawn from internal memos, logs, emails, meeting minutes, and interviews with 7 former/current gov employees & contractors — found breakdowns at every juncture of that process, as well as a remarkable deference to Microsoft.
www.propublica.org/article/micr...
7) This was not the type of outcome federal policymakers envisioned years ago when they embraced the cloud and created the FedRAMP program to help protect US cybersecurity. It was supposed to ensure that providers like Microsoft could be entrusted with government secrets.
6) FedRAMP’s ruling helped Microsoft expand a government business empire worth billions. “BOOM SHAKA LAKA,” Richard Wakeman, one of the company’s chief security architects, boasted online, celebrating with a meme of Leonardo DiCaprio in “The Wolf of Wall Street.”
5) The government ultimately authorized Microsoft’s product not because its review was complete, but because it felt it had little choice.
4) What I discovered is that government officials had painted themselves into a corner.
Agencies were allowed to deploy GCC High during the review process. So even as reviewers were raising red flags about the product, the Justice Department and others were already using it.
3) The federal government could be exposed if it couldn’t verify the cybersecurity of the cloud product in question: Microsoft’s Government Community Cloud High, or GCC High.
So why did it bestow its seal of approval?
2) By late 2024, Microsoft’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence,” an internal government report said.
It wasn’t a one-off. For years, reviewers said, Microsoft failed to fully explain how it protects sensitive info in the cloud.
1) THREAD: Federal cybersecurity reviewers said this @microsoft.com cloud package was “a pile of shit.”
They gave it their seal of approval anyway.
Here’s how it happened 👇
This is a long article, but very much worth your time.
It also tells the story of how FedRAMP has turned into a rubber stamp for well funded software vendors.
And yet it still serves as a barrier to entry for new contenders.
Meanwhile, the USG suffers massive tech debt, despite massive spending.
Expert: “This is not a happy story in terms of the security of the U.S. This is not security. This is security theater.” Incredible reporting from @propublica.org’s @reneedudley.bsky.social with research by Doris Burke www.propublica.org/article/micr...
NEW: Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
A program created to protect the government against cyber threats authorized a sprawling Microsoft cloud product, despite the company’s inability to fully explain how it protects sensitive data.
NEW: The Defense Department has tightened cybersecurity requirements for its cloud services providers. The changes come after ProPublica revealed how Microsoft’s use of China-based engineers left sensitive government data vulnerable to hacking.
By @reneedudley.bsky.social
BREAKING: Microsoft failed to disclose key details about its use of China-based engineers in Defense Department IT work, according to a security document obtained by @propublica.org: www.propublica.org/article/micr...
In addition to its work for the Pentagon, Microsoft has used overseas employees, including China-based personnel, to support the cloud systems of federal departments such as parts of the DOJ, Treasury and Commerce, ProPublica has learned.
By @reneedudley.bsky.social, w/ research by Doris Burke