
The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is relying on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them. Under the current vision, critics say, FedRAMP has lost the plot.
“FedRAMP’s job is to have the American people’s back when it comes to sharing their data with cloud companies,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”
Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service its sensitive cloud systems despite the department’s prohibition against non-US citizens assisting with IT maintenance.
Officials learned about this arrangement, which was also used in GCC High, not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.
A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department didn’t mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Microsoft has since ended its use of China-based engineers in government systems.
Former and current government officials worry about what other risks may be lurking in GCC High and beyond.
The GSA told ProPublica that, generally, “if there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”
Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors live up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” about the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of trying to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to conceal the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.
There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.
She left her government position in January 2025. Microsoft hired her to become its president of global affairs.
A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “does not work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”
This story originally appeared on ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom.