ProPublica Investigation: Federal Experts Called Microsoft's Cloud 'A Pile of Shit' — Then Approved It Anyway
In late 2024, federal cybersecurity evaluators delivered a damning assessment of Microsoft's Government Community Cloud High (GCC High): the tech giant's "lack of proper detailed security documentation" left reviewers unable to assess the system's overall security posture.
Or, as one team member put it more bluntly: "The package is a pile of shit."
The Context
Microsoft's products were at the heart of two major cybersecurity attacks against the U.S. government in three years:
- Russian hackers exploited a weakness to steal sensitive data from multiple federal agencies, including the National Nuclear Security Administration
- Chinese hackers infiltrated email accounts of a Cabinet member and other senior government officials
Given this track record, FedRAMP's security review of GCC High should have been rigorous. Instead, it became a five-year saga of deferred accountability.
The Breakdown
ProPublica's investigation — drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees — found breakdowns at every juncture:
- FedRAMP first raised questions about GCC High's security in 2020 and asked Microsoft to provide detailed diagrams explaining its encryption practices
- Microsoft delivered what reviewers considered partial information in fits and starts over five years
- FedRAMP officials never rejected Microsoft's application, instead repeatedly pulling punches
- Federal agencies were allowed to deploy the product during the review, so GCC High spread across the government
- By late 2024, reviewers authorized the technology not because questions were answered, but because it was already everywhere
The Conflict of Interest
A structural flaw undercuts the entire process: the government relies on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed. Microsoft's own security architect celebrated the authorization with a "BOOM SHAKA LAKA" and a Wolf of Wall Street meme.
The Impact
Today, key parts of the federal government — including the Justice and Energy departments and the defense sector — rely on GCC High to protect highly sensitive information that, if leaked, "could be expected to have a severe or catastrophic adverse effect" on operations, assets, and individuals.
"This is not security. This is security theater." — Tony Sager, former NSA computer scientist
What It Means
The investigation exposes a fundamental tension in government cloud adoption: the pressure to modernize vs. the ability to properly vet technology. FedRAMP, designed 15 years ago to safeguard government cybersecurity, appears to have become a rubber stamp for the dominant vendor.
Source: ProPublica | HN Discussion