Federal cyber experts called Microsoft’s cloud a “pile of shit,” approved it anyway

The problem is that agencies often lack the staff and resources to conduct thorough reviews, which means the entire system leans on the claims of the cloud providers and the assessments of the third-party firms those providers pay to gauge them. Under the current approach, critics say, FedRAMP has lost the plot.

“FedRAMP’s job is to look at the American people’s back in the case of sharing their data with cloud firms,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the general public doesn’t expect FedRAMP to say they’re only a paper-pusher.”

Meanwhile, at the Justice Department, officials are looking into what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for instance, they found that Microsoft relied on China-based engineers to service its sensitive cloud systems despite the department’s prohibition on non-US residents assisting with IT maintenance.

Officials learned about this arrangement, which was also used in GCC High, not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.

A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department did not mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Microsoft has since ended its use of China-based engineers in government systems.

Former and current government officials worry about what other risks may be lurking in GCC High and beyond.

The GSA told ProPublica that, generally, “if there’s credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”

Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors live up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” about the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of attempting to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to hide the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.

There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.

She left her government position in January 2025. Microsoft hired her to become its president of global affairs.

A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “doesn’t work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”
