Federal cyber experts label Microsoft’s cloud a “pile of shit,” yet approve it anyway.

Published by
SectorHQ Editorial

Ars Technica reports that federal cybersecurity evaluators labeled Microsoft’s cloud a “pile of shit” yet still granted it approval in late 2024 despite longstanding security concerns.

Key Facts

  • Key company: Microsoft

FedRAMP’s decision to certify Microsoft’s Government Community Cloud High (GCC High) came after a protracted review that began in 2020, when the agency first asked Microsoft for “detailed diagrams explaining its encryption practices” (Ars Technica). The internal FedRAMP memo obtained by ProPublica shows that reviewers repeatedly flagged “lack of proper detailed security documentation” and expressed “lack of confidence in assessing the system’s overall security posture” (Ars Technica). One evaluator summed up the frustration in a blunt email: “The package is a pile of shit.” Yet, despite those red flags, the program issued an authorization in late 2024, attaching a “buyer beware” disclaimer for agencies that might consider GCC High (Ars Technica).

The approval was not merely symbolic; it unlocked a multi‑billion‑dollar market for Microsoft. After the FedRAMP seal, the company’s chief security architect, Richard Wakeman, celebrated on an online forum with a Leonardo DiCaprio “Wolf of Wall Street” meme and the caption “BOOM SHAKA LAKA” (Ars Technica). While Wakeman declined to comment for this story, the public reaction underscored how the authorization translated into immediate commercial momentum for Microsoft’s government‑cloud division.

The decision is especially striking given Microsoft’s recent track record with federal data breaches. In the past three years, Russian actors exploited a vulnerability in a Microsoft service to pilfer data from the National Nuclear Security Administration, and Chinese hackers compromised the email accounts of a Cabinet member and other senior officials (Ars Technica). Those incidents, which ProPublica links directly to Microsoft’s cloud infrastructure, were cited by FedRAMP reviewers as evidence that the agency “could not vouch for the technology’s security” (Ars Technica). Nonetheless, the agency’s final ruling placed the onus on individual federal customers to assess risk, rather than withholding the seal outright.

ProPublica’s investigation, which draws on internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors, paints a picture of “remarkable deference” to Microsoft throughout the review process (Ars Technica). The report notes breakdowns at every stage of FedRAMP’s layered assessment, including the external expert review that was supposed to serve as a safeguard against corporate influence. According to the investigation, the program’s original purpose—established in the early 2000s to protect government data as agencies migrated to the cloud—has been eroded by a combination of bureaucratic inertia and the market power of a single vendor.

Critics argue that the “buyer beware” approach undermines the very rationale for FedRAMP’s existence. The program was created to provide a uniform, rigorous security baseline so that agencies could rely on a single authorization rather than conducting duplicate assessments (Ars Technica). By granting the seal despite documented deficiencies, FedRAMP has set a precedent that could embolden other cloud providers to sidestep comprehensive documentation, knowing that a waiver may be possible. The long‑term implications for federal cybersecurity posture remain uncertain, but the episode has already sparked calls within the Pentagon and the Office of Management and Budget for a review of FedRAMP’s authority and oversight mechanisms.
