
In late 2024, federal cybersecurity evaluators delivered a stark assessment of Microsoft’s Government Community Cloud High, a key cloud offering designed for sensitive government data. According to an internal report reviewed by ProPublica, reviewers cited a “lack of proper detailed security documentation” from Microsoft, which led to a “lack of confidence in assessing the system’s overall security posture.” One team member summarized the package bluntly as “a pile of shit.”
For years, Microsoft had struggled to fully explain how it secures sensitive information as it moves across servers in the cloud, leaving government experts unable to verify the technology’s security. This failure was particularly concerning given Microsoft’s recent history: its products were central to two major cyberattacks against the U.S. in three years. In one incident, Russian hackers exploited a weakness to steal data from agencies like the National Nuclear Security Administration, while in another, Chinese hackers infiltrated email accounts of a Cabinet member and other senior officials.
The inability to confirm the cybersecurity of GCC High posed a significant risk, as this suite is intended to protect some of the nation’s most sensitive information. Yet, in a move that continues to resonate in Washington, the Federal Risk and Authorization Management Program authorized the product anyway. FedRAMP’s decision, which included a “buyer beware” notice for agencies considering GCC High, helped Microsoft expand its government business, valued at billions of dollars.



