FedRAMP Security Concerns: Microsoft, Cloud Risks & DOJ Oversight

by priyanka.patel, tech editor

The U.S. Government’s system for vetting cloud service providers, designed to ensure the security of sensitive federal data, is facing increasing scrutiny after revelations that internal assessments flagged Microsoft’s Azure cloud as having significant security flaws – flaws that were reportedly dismissed in favor of expediency. The concerns, which surfaced in recent reporting, highlight a growing tension between the need for robust cybersecurity and the pressure to rapidly adopt cloud technologies. This situation raises critical questions about the effectiveness of the Federal Risk and Authorization Management Program (FedRAMP) and the security of government data stored in the cloud.

At the heart of the issue is Microsoft’s Government Community Cloud High (GCC High), a segregated instance of Azure designed for highly sensitive government workloads. According to sources familiar with the assessments, federal cyber experts privately characterized the platform as a “pile of shit,” citing fundamental security shortcomings. Despite these concerns, the system was ultimately authorized for use, raising alarms among current and former officials about the potential risks to national security. The debate over FedRAMP authorization and cloud security comes as agencies increasingly rely on cloud services for critical operations.

The problem, as many within the government acknowledge, is a lack of internal resources. Agencies often lack the staff and expertise to conduct thorough security reviews, leading them to rely heavily on the claims made by cloud companies and the assessments performed by third-party firms hired by those same companies. Eric Mill, a former GSA official who co-authored a 2024 White House memo on cloud security, explained that “FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” and that the public expects more than just “paper-pushing” when security issues arise.

Recent discoveries at the Justice Department underscore the potential vulnerabilities within the GCC High environment. Last year, officials learned that Microsoft had been utilizing China-based engineers to provide technical support for sensitive cloud systems, a practice explicitly prohibited by the department due to national security concerns. This information didn’t arrive from FedRAMP or Microsoft directly, but rather from an investigation by ProPublica, according to a Justice Department employee who spoke on condition of anonymity. Microsoft acknowledged that its initial security plan submitted to the Justice Department did not disclose the use of foreign engineers, though the company claims to have communicated this information to officials prior to 2020. Microsoft has since ended the practice of using China-based engineers for government systems.

The incident with the China-based engineers isn’t an isolated case. It highlights a broader concern among government officials about the potential for hidden risks within GCC High and other authorized cloud environments. The GSA has stated that if credible evidence emerges of false representations by cloud service providers, the matter will be referred to investigative authorities. Still, the ultimate responsibility for enforcing these standards rests with the Justice Department.

The Justice Department has demonstrated a willingness to pursue cases of fraud related to FedRAMP authorizations. A recent indictment of a former Accenture employee illustrates this point. According to court documents, the ex-employee allegedly made “false and misleading representations” about the security of a cloud platform to help the company secure federal contracts. She is also accused of attempting to obstruct third-party assessors by concealing deficiencies during demonstrations. The employee has pleaded not guilty. Hogan Lovells provides further analysis of the case.

While the Justice Department has pursued legal action against individuals involved in fraudulent FedRAMP authorizations, there is currently no public indication that similar charges have been brought against Microsoft or anyone involved in the GCC High authorization process. The Justice Department declined to comment on the matter, and Deputy Attorney General Lisa Monaco, who launched the department’s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.

Adding another layer of complexity to the situation, Lisa Monaco left her government position in January 2025 to become Microsoft’s president of global affairs. A company spokesperson stated that Monaco’s hiring complied with all applicable rules and regulations, and that she does not work on federal government contracts or oversee dealings with the federal government.

Microsoft’s Azure cloud platform has faced scrutiny over security concerns related to its FedRAMP authorization.

The ongoing concerns surrounding FedRAMP and cloud security have prompted calls for greater oversight and reform. The program, established to provide a standardized approach to security and risk assessment for cloud products and services, is now facing questions about its effectiveness in safeguarding sensitive government data. The GSA recently launched a Technical Advisory Group (TAG) in May 2024, aiming to leverage technical expertise from across the federal government to improve the program’s decision-making processes.

The future of FedRAMP and the security of federal cloud infrastructure will likely depend on the Justice Department’s willingness to investigate potential wrongdoing and hold cloud providers accountable for their security claims. The department’s actions, or lack thereof, will send a clear signal about the government’s commitment to protecting sensitive data in the cloud era. The next key development will be the TAG’s initial report on its findings and recommendations, expected by the end of 2026.
