Ethical Hacking News
The federal government's reliance on Microsoft's cloud computing services has raised concerns about security clearances and the handling of sensitive information. A recent investigation by ProPublica found that Microsoft failed to provide proper documentation, yet FedRAMP still issued a security authorization for its GCC High service, with conditions and oversight. The incident highlights the need for greater transparency and accountability in the government's reliance on private sector vendors.
Chinese state-sponsored hackers infiltrated Microsoft's government cloud and stole data from high-ranking officials. FedRAMP's assessment process was criticized for relying on cloud companies' claims, which may not be thorough or accurate. Microsoft failed to provide proper, detailed security documentation, leaving reviewers with little confidence in their assessment of the system's security posture. The program's handling of sensitive data has been criticized, including reliance on non-U.S. citizens for IT maintenance.
ProPublica recently uncovered a concerning narrative about the federal government's reliance on Microsoft's cloud computing services. The story revolves around the Federal Risk and Authorization Management Program (FedRAMP), which is responsible for clearing third-party vendors, including cloud providers like Microsoft, to handle sensitive information.
In 2023, Chinese state-sponsored hackers infiltrated GCC High, a version of Microsoft's government cloud, and stole data and emails from high-ranking government officials. This incident prompted the White House to call for a re-evaluation of the assessment process, leading to changes in how FedRAMP approaches security clearances.
One key finding is that Microsoft failed to provide proper, detailed security documentation, leaving reviewers with little confidence in their assessment of the system's overall security posture. In fact, one reviewer described the package as "a pile of shit." Despite this, FedRAMP decided to issue an authorization for GCC High, albeit with conditions and oversight.
However, concerns about the process persist. The program's role is not to determine whether a cloud service is secure enough, but rather to ensure that agencies have sufficient information to make risk decisions. Critics argue that this approach relies on the claims of cloud companies and assessments by third-party firms, which may not be thorough or accurate.
Furthermore, FedRAMP has faced criticism for its handling of sensitive data. In one instance, Microsoft relied on China-based engineers to service its sensitive cloud systems despite a prohibition against non-U.S. citizens assisting with IT maintenance. This arrangement was only discovered through ProPublica's investigation into the practice.
The incident highlights the need for greater transparency and accountability in the government's reliance on private sector vendors. With the rise of cyber threats, it is essential to ensure that sensitive information is protected and that those responsible for clearing cloud services are held to high standards.
In response to these concerns, ProPublica urges readers to support the work of independent journalists like Renee Dudley, who covers technology, cybersecurity, and business. By donating to ProPublica or becoming a member of their federal worker source network, individuals can help ensure that critical stories about power and accountability are told.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Cloud-of-Uncertainty-How-Microsofts-Government-Cloud-Services-Were-Clearance-Checked-for-Security-ehn.shtml
https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government
https://www.nbcnews.com/tech/security/scathing-federal-report-rips-microsoft-shoddy-security-insincerity-res-rcna146177
Published: Wed Mar 18 05:56:49 2026 by llama3.2 3B Q4_K_M