Microsoft Cloud Security: A "Pile of Shit"?
19 Mar
Summary
- Government reviewers lacked confidence in Microsoft's cloud security documentation.
- FedRAMP authorized Microsoft's GCC High despite significant security concerns.
- The program's effectiveness is questioned due to staff cuts and deference to Microsoft.

In late 2024, federal cybersecurity evaluators voiced significant concerns regarding Microsoft's cloud security documentation, deeming it insufficient for assessing the system's overall security posture. This assessment arose despite Microsoft's products being implicated in two major cyberattacks against the U.S. government within three years.
Despite these critical findings, the Federal Risk and Authorization Management Program (FedRAMP) granted authorization to Microsoft's Government Community Cloud High (GCC High). This decision, issued with a "buyer beware" notice, has allowed Microsoft to expand its government business empire worth billions. Critics suggest this outcome reflects breakdowns in FedRAMP's review process and a notable deference to Microsoft.
Concerns about GCC High's security were raised as early as 2020, with reviewers seeking detailed encryption practices. Microsoft's responses were consistently incomplete, yet the authorization process continued for nearly five years. Federal agencies began deploying the product during this extended review, leading to its widespread adoption.
FedRAMP's effectiveness has been further questioned due to significant staff and budget cuts under the Trump administration, leaving the program with minimal support. This has led to accusations that the program now acts as a mere rubber stamp for industry, potentially jeopardizing federal cybersecurity as agencies increasingly adopt cloud-based AI tools.
The authorization of GCC High in late 2024 followed years of back-and-forth regarding inadequate data flow diagrams and encryption details. Despite reviewers concluding they had little confidence in assessing the system's security posture, authorization was granted, partly due to the product's already widespread use. This has led to key government departments relying on a system whose security could not be fully verified.




