FedRAMP Approved Microsoft’s GCC High Despite Internal Security Warnings

In late 2024, federal cybersecurity evaluators delivered a stark assessment of Microsoft’s Government Community Cloud High, a key cloud computing offering. According to an internal government report, reviewers found a “lack of proper detailed security documentation” from the tech giant, which led to a “lack of confidence in assessing the system’s overall security posture.” One team member bluntly summarized the package as “a pile of shit.” For years, Microsoft had struggled to fully explain how it protects sensitive data as it moves across servers in the cloud, leaving government experts unable to verify the technology’s security.

This judgment should have been particularly damaging for Microsoft, given its recent history. The company’s products were central to two major cybersecurity attacks against the U.S. within three years. Russian hackers exploited a weakness to steal sensitive data from federal agencies, including the National Nuclear Security Administration. In a separate incident, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior officials. Without reliable security verification for GCC High, which is designed to safeguard highly sensitive information, the federal government faced increased exposure to further breaches.

Despite these concerns, the Federal Risk and Authorization Management Program, or FedRAMP, took an unusual step by authorizing GCC High anyway. This decision granted what amounts to the federal government’s cybersecurity seal of approval, even as it included a “buyer beware” notice for agencies considering the product. The authorization has had significant repercussions, helping Microsoft expand its government business, which is valued in the billions of dollars, while raising questions about the balance between security assessments and commercial approvals in federal procurement.