Federal Cyber Experts Slammed Microsoft Cloud as ‘Garbage’ Before Approval

Summary

– FedRAMP lacks the resources for thorough reviews, relying instead on cloud companies’ claims and the assessments of their paid third-party evaluators.
– Critics argue FedRAMP’s role should be to protect the public’s data, not just act as a bureaucratic “paper-pusher” during security issues.
– The Justice Department learned that Microsoft had used China-based engineers on its sensitive GCC High cloud system, contrary to the department’s policies, through a ProPublica investigation rather than from FedRAMP or Microsoft.
– The Justice Department, as the ultimate enforcer, has indicted a former Accenture employee for allegedly making false security claims to obtain federal contracts, though no such case is public against Microsoft regarding GCC High.
– After leaving the Justice Department, the former deputy attorney general who pursued cybersecurity fraud cases was hired by Microsoft, with the company stating she does not work on federal contracts or government dealings.

Federal cybersecurity experts have expressed severe criticism of the Microsoft Cloud environment used by government agencies, labeling it as fundamentally flawed prior to its official authorization. The core issue stems from a systemic reliance on the claims of cloud providers and the assessments of third-party firms they fund, as many agencies lack the internal staffing and resources to conduct their own thorough, independent security reviews. This dynamic has led critics to argue that the Federal Risk and Authorization Management Program (FedRAMP), designed to safeguard public data in the cloud, has strayed from its essential mission of rigorous oversight.

The fundamental responsibility of FedRAMP is to protect the American public when their data is entrusted to cloud service providers. When security failures occur, the expectation is not for the program to act as a mere administrative body processing paperwork. This gap between expectation and reality became starkly apparent at the Department of Justice, which encountered significant “unknown unknowns” within the Microsoft Government Community Cloud High (GCC High) environment. A critical discovery was made that Microsoft utilized engineers based in China to service sensitive cloud systems, a direct violation of the department’s policy prohibiting non-U.S. citizens from IT maintenance work on such platforms.

Officials did not learn of this arrangement from FedRAMP or from Microsoft directly. Instead, the information came to light through an external media investigation. A Microsoft spokesperson confirmed that the formal security plan submitted to the Justice Department omitted any mention of foreign engineers, though the company stated it had communicated that information verbally prior to 2020. Following this revelation, Microsoft discontinued the use of China-based engineers for government systems. However, this incident has fueled deep concern among current and former officials about what other undisclosed risks may exist within GCC High and other authorized cloud services.

The General Services Administration (GSA) maintains that credible evidence of materially false representations by a cloud provider would be referred to investigative authorities. Ironically, the ultimate authority for determining whether cloud providers or their third-party assessors have made false claims often falls to the Justice Department itself. This power was demonstrated in a recent case involving a former employee of a consulting firm, who was indicted for allegedly making false statements about a cloud platform’s security to secure federal contracts and for attempting to obstruct third-party assessors by concealing the system’s deficiencies.

There is no public indication of a similar case being brought against Microsoft or individuals involved in the GCC High authorization. The situation is further complicated by a notable personnel move: the former deputy attorney general who launched the Justice Department’s initiative to pursue cybersecurity fraud cases left her government role and was subsequently hired by Microsoft as its president of global affairs. The company states that this hiring complied with all ethical standards and that she has no involvement with federal government contracts or dealings, a claim that underscores the complex and often intertwined relationships between regulatory oversight and the industry it is meant to police.

(Source: Ars Technica)
