
The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them. Under the current vision, critics say, FedRAMP has lost the plot.
“FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”
Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service its sensitive cloud systems despite the department’s prohibition against non-US citizens assisting with IT maintenance.
Officials learned about this arrangement—which was also used in GCC High—not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.
A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department didn’t mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Regardless, Microsoft has since ended its use of China-based engineers in government systems.
Former and current government officials worry about what other risks may be lurking in GCC High and beyond.
The GSA told ProPublica that, generally, “if there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”
Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors are living up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” regarding the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of attempting to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to conceal the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.
There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, didn’t respond to requests for comment.
She left her government post in January 2025. Microsoft hired her to become its president of global affairs.
A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “does not work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”
This story originally appeared on ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom.