FedRAMP Authorizes Microsoft GCC High Despite Shortcomings
In late 2024, ProPublica found federal cybersecurity evaluators concluded Microsoft’s Government Community Cloud High lacked proper encryption documentation, yet the Federal Risk and Authorization Management Program authorized the product after a protracted five-year review. Internal memos, logs, and interviews show deference to Microsoft amid prior major breaches and FedRAMP staffing cuts, raising concerns about agencies relying on under-assessed cloud services.
Key Points
1. Finds FedRAMP authorized GCC High despite insufficient encryption documentation and incomplete security assessment
2. Highlights systemic issues: prolonged review, deference to Microsoft, and understaffed FedRAMP operations
3. Raises risk that agencies use under-vetted cloud services, impacting protection of classified and sensitive data
Scoring Rationale
Strong investigative evidence and wide federal implications, tempered by reliance on ProPublica's reporting rather than formal government adjudication.
