Federal cyber experts had condemned Microsoft's cloud as a 'pile of shit,' but were pressured into approving it.

Microsoft offers '
Despite Doubts, Federal Cyber Experts Approved Microsoft Cloud Service — ProPublica
https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government

In recent years, the U.S. government has been promoting a shift from government-owned and operated servers to cloud servers managed by technology companies. In 2011, under the Barack Obama administration, FedRAMP was established to promote the adoption of cloud services. FedRAMP is an organization that reviews whether the security of cloud services meets standards, and services approved by FedRAMP become available to all government agencies, which was expected to improve procurement efficiency.
However, in reality, the FedRAMP team was too small to meet the demand, resulting in a situation where they couldn't keep up with requests from technology companies seeking product certification. This led to frustration for both the technology industry, which was vying for federal funding, and government agencies, which wanted to move towards cloud services. As a result, many agencies opted to use FedRAMP standards to conduct their own independent audits of cloud services.
Amidst these developments, the Department of Justice, which was exploring ways to process highly confidential court and law enforcement records in the cloud, promoted the adoption of Microsoft's cloud service, GCCH. The Department of Justice evaluated whether GCCH met federal standards through independent third-party checks and its own checks, and by early 2020, Melinda Rogers, then Deputy Chief Information Officer of the Department of Justice, announced its implementation. Soon after, GCCH was rolled out throughout the Department of Justice, and Microsoft established a foothold in the federal government's cloud business market.
However, when FedRAMP finally began its review of GCCH in April 2020, it found that the Department of Justice's checks were of poor quality and lacked crucial information for the investigation. A former FedRAMP member who spoke to ProPublica said the review team asked Microsoft to submit a 'data flow diagram' showing how data moves from point A to point B and how it is protected as it moves between servers. FedRAMP also calls on cloud providers to encrypt data in transit so that sensitive information remains protected even if it is intercepted by hackers.
GCCH encompasses many services and features within Office 365, and FedRAMP requested that Microsoft submit data flow diagrams for each service included in GCCH. However, Microsoft refused, citing the request as too complex, so FedRAMP suggested that they first submit a data flow diagram for Exchange Online, the email platform.
According to FedRAMP members, other cloud providers like Amazon and Google routinely provide this kind of detailed information. However, Microsoft took several months to respond, and the documents they submitted omitted details about 'at what stage the data is actually encrypted and decrypted,' making it impossible for FedRAMP to assess whether the encryption was being done properly.

After that, the exchange between FedRAMP and Microsoft stalled, with FedRAMP providing Microsoft with a template outlining what they wanted answered, only for Microsoft to provide incomplete or irrelevant responses months later. A former FedRAMP reviewer told ProPublica, 'We never got past Exchange Online. We didn't get detailed information about Exchange Online and had no idea what was going on inside.'
John Bergin, Microsoft's point of contact in negotiations with FedRAMP, claims the prolonged exchange was due to FedRAMP's failure to provide clear criteria. However, according to two sources involved in building cloud services used by federal government clients, even Microsoft engineers are struggling to decipher the architecture of their own products. The problem, it is believed, lies in the code of legacy software from decades ago that Microsoft used to build its cloud services.
One FedRAMP reviewer said that GCCH's data flow is like taking a roundabout route from Washington to New York by bus, ferry, and plane instead of using a truck. The reviewer explained that if the data is not properly encrypted, each of these detours becomes an opportunity for data interception. A Microsoft spokesperson acknowledged that the company faces unique challenges but maintained that its cloud products meet federal security requirements.
As communication stalled into 2023, Chinese hackers infiltrated Microsoft's government cloud service and stole emails from high-ranking government officials. Following this incident, Brian Conrad, who was the interim head of FedRAMP, spoke with Chris DeRusha, the federal government's chief information security officer, and decided to take tough action against Microsoft. Conrad informed Microsoft that FedRAMP would be ending its efforts regarding GCCH.
Chinese hacking group found to have illegally accessed US government mailboxes - GIGAZINE

For Microsoft, ending communication with FedRAMP would send a signal to the market that 'GCCH has security concerns.' Therefore, Microsoft's Bergin and others reportedly lobbied Department of Justice officials to help GCCH obtain FedRAMP approval.
The person who assisted in this matter was Rogers, who by then had been promoted to Chief Information Officer of the Department of Justice. Rogers highly valued the IT advancements brought about by the introduction of GCCH, but she was in a position where she would be held responsible if GCCH were hacked unless FedRAMP approved it. Furthermore, the Department of Justice also had an incentive to push for GCCH approval, as withdrawing GCCH, which had already been widely implemented, would involve significant costs and technical difficulties.
Ultimately, under pressure from multiple sources, FedRAMP agreed to re-examine GCCH in the summer of 2024. According to a summary of the findings obtained by ProPublica, FedRAMP was only able to examine two of the many services included in GCCH: Exchange Online and Teams. However, even the review of these two services alone identified fundamental risk management issues, and it was reported that Microsoft still had not provided sufficient security documentation. One team member reportedly criticized GCCH, saying, 'This package is a pile of shit.'
Despite these findings, FedRAMP did not have the option of rejecting GCCH. Documents obtained by ProPublica stated that 'failure to issue approval would affect multiple institutions already using GCCH,' and ultimately FedRAMP issued approval on the condition of continued government oversight. GCCH received FedRAMP certification at the end of December 2024, but it has been reported that in the documentation attached to the certification package, FedRAMP listed GCCH's shortcomings and pointed out the existence of unknown risks.
GCCH has continued to be used by government agencies, but in 2025 it was revealed that Microsoft was using Chinese engineers to maintain the Department of Defense's systems. According to a Department of Justice official who spoke to ProPublica, Microsoft had not informed the Department of Justice about this practice, and the department only learned of the use of Chinese engineers through ProPublica's report at the time.
Microsoft is using Chinese engineers to maintain the Department of Defense's systems, putting highly sensitive data at risk of hacking - GIGAZINE

In 2025, Accenture employees were sued for making false reports regarding the security of the Army's cloud platform. ProPublica points out that, ironically, it is the Department of Justice itself that will decide whether the cloud provider is delivering the services it claims to be providing.
Incidentally, Rogers, who promoted GCCH as a senior official in the Department of Justice, joined Microsoft in June 2025. When ProPublica inquired about this matter with Microsoft, a spokesperson asserted that there was no connection whatsoever between Rogers' hiring and the decisions made in the GCCH selection process, and that all rules, regulations, and ethical standards were being followed.
in Web Service, Security, Posted by log1h_ik






