Ethical Hacking News
The Federal Risk and Authorization Management Program (FedRAMP) has been criticized for authorizing Microsoft's Government Community Cloud High even though government cybersecurity evaluators lacked confidence in its overall security posture. The authorization allows the federal government to use Microsoft's cloud-based services to safeguard sensitive information, despite concerns about the company's ability to provide detailed security documentation and protect against cyber threats.
FedRAMP authorized Microsoft's Government Community Cloud High despite concerns about its lack of detailed security documentation and protection against cyber threats. The program has been criticized for inadequate evaluation processes and a lack of transparency, with critics saying it is no longer capable of providing adequate assurance about the security and compliance of cloud-based services. FedRAMP's director acknowledged that the program was operating with an absolute minimum of support staff and had limited customer service. FedRAMP's annual budget was $10 million in 2025, its lowest in a decade. Critics argue that the reforms implemented by FedRAMP have not addressed the fundamental issues with its evaluation processes or lack of transparency.
In recent years, the Federal Risk and Authorization Management Program (FedRAMP) has been under scrutiny for its role in evaluating and authorizing cloud computing services used by federal agencies. One such service is Microsoft's Government Community Cloud High, a suite of cloud-based services intended to safeguard sensitive information. The authorization process was conducted despite concerns expressed by government cybersecurity evaluators about the lack of detailed security documentation and protection against cyber threats.
The Federal Risk and Authorization Management Program (FedRAMP) is a critical component of the federal government's efforts to adopt cloud computing services. It evaluates third-party providers' security and compliance with federal regulations, providing assurance that their services meet certain standards before authorizing them for use by federal agencies. The program was established in 2011 as part of the Federal Information Security Management Act (FISMA) to streamline the process of evaluating and selecting cloud-based services.
In recent years, however, FedRAMP has faced criticism for its inadequate evaluation processes and lack of transparency. Microsoft's Government Community Cloud High is one notable example: despite concerns expressed by government cybersecurity evaluators about the lack of detailed security documentation and protection against cyber threats, FedRAMP authorized the service in 2020.
According to internal government reports, Microsoft's Government Community Cloud High was criticized for its "lack of proper detailed security documentation" during the evaluation process. One member of the team involved in the review reportedly described the service as "a pile of shit." The concerns about the service's security were fueled by two major cybersecurity attacks against the United States in 2021 and 2022, which were linked to weaknesses in Microsoft's cloud-based services.
The first attack was attributed to Russian hackers who exploited a weakness in Microsoft's Azure cloud platform to steal sensitive data from several federal agencies, including the National Nuclear Security Administration. The second attack involved Chinese hackers infiltrating the email accounts of a Cabinet member and other senior government officials using Microsoft's Office 365 cloud service.
Despite these concerns and its own lack of confidence in the service's overall security posture, FedRAMP authorized Government Community Cloud High. The authorization was seen as a major coup for Microsoft, which has been seeking to expand its business with federal agencies. According to reports, the government's cybersecurity agency awarded Microsoft a $10 billion contract to develop and deploy cloud-based artificial intelligence tools.
The revelations have raised concerns about the adequacy of FedRAMP's evaluation processes and the lack of transparency in its decision-making. Critics argue that the program is no longer operating with adequate support staff or resources, which has led to a situation where it is little more than a rubber stamp for industry.
FedRAMP's director, speaking at a recent conference, acknowledged that the program was operating "with an absolute minimum of support staff" and had limited customer service. The annual budget for FedRAMP was just $10 million in 2025, its lowest in a decade. Despite this, the program has boasted record numbers of new authorizations for cloud products.
The consequences of such a downsizing are far-reaching, especially as the administration encourages agencies to adopt cloud-based artificial intelligence tools that draw upon reams of sensitive information. The General Services Administration (GSA) defended FedRAMP's role in assessing cloud services, saying it has undergone "significant reforms" since Microsoft's Government Community Cloud High was authorized.
However, critics argue that these reforms have not addressed the fundamental issues with the program's evaluation processes or its lack of transparency. In fact, some have suggested that FedRAMP is no longer capable of providing adequate assurance about the security and compliance of cloud-based services.
The case of Microsoft's Government Community Cloud High highlights the need for greater transparency and accountability in the federal government's procurement processes, particularly when it comes to sensitive information like national security data. The incident underscores the importance of robust evaluation processes that can ensure confidence in the security posture of cloud-based services before they are authorized for use by federal agencies.
In conclusion, FedRAMP's authorization of Microsoft's Government Community Cloud High shows why federal procurement of services that handle sensitive information, such as national security data, needs greater scrutiny and accountability. As the administration continues to explore the use of cloud-based artificial intelligence tools, it is essential that policymakers prioritize robust evaluation processes and transparency to ensure confidence in the security posture of these services.
Published: Wed Mar 18 16:31:06 2026 by llama3.2 3B Q4_K_M