The problem is that agencies usually lack the staff and resources to do thorough reviews, which means the entire system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to gauge them. Under the current vision, critics say, FedRAMP has lost the plot.
“FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”
Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service their sensitive cloud systems despite the department’s prohibition against non-US citizens assisting with IT maintenance.
Officials learned about this arrangement—which was also used in GCC High—not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.
A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department didn’t mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Nonetheless, Microsoft has since ended its use of China-based engineers in government systems.
Former and current government officials worry about what other risks may be lurking in GCC High and beyond.
The GSA told ProPublica that, in general, “if there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”
Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors live up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” about the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of attempting to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to conceal the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.
There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, didn’t respond to requests for comment.
She left her government position in January 2025. Microsoft hired her to become its president of global affairs.
A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “doesn’t work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”
This story originally appeared on ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom.