Federal Cybersecurity Review Raises Concerns Over Microsoft’s Cloud Product
In late 2024, evaluators from federal cybersecurity agencies issued a troubling assessment of a key Microsoft cloud product, yet still approved it despite considerable security concerns.
According to a report, the Federal Risk and Authorization Management Program (FedRAMP) reviewers struggled to assess the security of Microsoft’s Government Community Cloud High (GCC High). This was largely due to years of incomplete documentation from Microsoft. An internal government report stated that Microsoft’s insufficient security documentation left reviewers lacking confidence in their assessment of the system’s overall security, with one reviewer calling the certification package a “heap of junk.”
Nonetheless, FedRAMP certified GCC High in December 2024, granting it a federal cybersecurity seal of approval. This decision followed a contentious five-year review process during which Microsoft repeatedly failed to provide necessary security documentation and diagrams explaining how it protects sensitive government data.
This certification is particularly concerning given the role Microsoft systems have played in significant cyberattacks against the U.S. government. Russian hackers exploited vulnerabilities in Microsoft systems to obtain sensitive data from various federal agencies, including the National Nuclear Security Administration. Following this, Chinese hackers breached the email accounts of high-ranking officials through Microsoft platforms.
GCC High began its federal licensing journey with the Department of Justice in early 2020. Once FedRAMP reviewers started their evaluation, they quickly identified gaps in documentation, especially regarding data flow diagrams that detail how information is transmitted and safeguarded through encryption.
Microsoft took years to deliver the required diagrams. When it finally responded after lengthy delays, the company presented a white paper outlining its encryption strategy—but this fell short of FedRAMP’s specific requirements. Former reviewers noted that requests for such documentation were standard, with other prominent cloud providers like Amazon and Google routinely supplying these details.
Discussions during the review revealed larger problems with Microsoft’s cloud infrastructure. Officials working on Microsoft’s federal cloud services pointed out that the company faced unique obstacles due to the reliance on decades-old software code. One commentator described the setup as a confusing “spaghetti pie stack,” indicating that data follows an indirect path rather than a streamlined one.
The third-party evaluators hired by Microsoft for GCC High echoed these concerns, admitting in 2020 that they didn’t have a full understanding of the system’s security. A former FedRAMP reviewer mentioned that both Coalfire and Kratos expressed challenges in obtaining the necessary information from Microsoft for a comprehensive evaluation.
Despite the unfavorable assessment, FedRAMP concluded that denying authorization wasn’t feasible since multiple agencies were already utilizing GCC High. They determined it was “more advantageous” to issue conditional authorizations. Consequently, GCC High received FedRAMP’s approval shortly after Christmas 2024.
In a related issue, it was reported last year that Microsoft employed Chinese engineers to work on code for sensitive departments within the U.S. government, including the Department of Defense.
The setup supposedly involves American workers with security clearances, referred to as “digital escorts,” who oversee Chinese engineers to mitigate the risk of malicious activities. However, reports indicated that many of these monitors possess insufficient technical skills for effective oversight. Some are former military personnel with limited software experience, earning slightly above minimum wage.
Microsoft argues it has informed the government about this escort model, yet former officials expressed a lack of awareness regarding the arrangement. Cybersecurity experts highlighted that this could create significant vulnerabilities, offering an opportunity for foreign operatives to infiltrate U.S. networks.