Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway

In late 2024, federal cybersecurity evaluators raised serious concerns about Microsoft's Government Community Cloud High (GCC High), criticizing its inadequate documentation and lack of transparency regarding protective measures for sensitive information. Despite these alarming assessments, which included a blunt characterization of the product as a "pile of shit," the Federal Risk and Authorization Management Program (FedRAMP) granted it approval, allowing Microsoft to expand its government contracts. This decision has sparked significant questions about the integrity of the approval process, particularly given Microsoft's history of cybersecurity breaches linked to Russian and Chinese hackers. An investigation by ProPublica revealed that FedRAMP reviewers struggled to obtain essential security documentation from Microsoft, especially concerning data encryption practices. Critics, including former NSA officials, have labeled the FedRAMP process as a mere rubber stamp for cloud service providers, raising concerns about the security of sensitive government data. This situation underscores the risks of deploying inadequately vetted technology in critical government operations and highlights the urgent need for more rigorous evaluation and accountability in cloud service authorizations to safeguard national security.

Why This Matters

This article matters because it highlights the potential risks of deploying AI and cloud technologies without thorough security assessments. The approval of Microsoft's cloud service, despite serious security concerns, raises questions about the reliability of federal cybersecurity evaluations and the implications for national security. Understanding these risks is crucial as AI systems become increasingly integrated into government operations, where vulnerabilities can have far-reaching consequences.