On Microsoft’s Lousy Cloud Security

ProPublica has a scoop:

In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings.

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: “The package is a pile of shit.”

For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.

[…]

The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information.

Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling—which included a kind of “buyer beware” notice to any federal agency considering GCC High—helped Microsoft expand a government business empire worth billions of dollars.

Posted on April 9, 2026 at 6:51 AM

Comments

Clive Robinson April 9, 2026 8:23 AM

@ Bruce, ALL,

As noted in the article,

The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.

Or, as one member of the team put it: “The package is a pile of shit.”

Do others remember a few months back, a small company doing “lesser crimes” got the full “Go to Jail do not pass Go” treatment?

But “Big’old Micro$haft” just gets handed “mucho dineros” by the container load for their much worse crimes…

Talk about,

“It’s not What you know, but Who you know, to pay off, that counts”

Kind of tells you why the government wants to “nickel and dime” every last taxpayer…

Winter April 9, 2026 10:39 AM

The GCC case is like every other “product” of MS. It was built by cobbling together every piece of program code they had.

Think the OOXML standard which is nothing but a serialized memory dump of MS word data structures. Even MS have no idea what’s really in there.

So MS ended up linking all network-able applications into GCC. However, there was never any attempt to document anything. Encryption was used whenever they felt like it.

So when FedRAMP asked for a flow chart of encrypted information in GCC, there was no way MS could ever deliver that. They simply have no documentation of how and when information is encrypted.

This is no surprise. MS have always put products on the market the moment they could sell them, whatever the state of the product. Quality is just a loss.

Trevor April 9, 2026 11:11 AM

It got pushed through approval because the government was desperate to have a second source over Amazon.

mark April 9, 2026 12:14 PM

I have several issues: first, was the approval in ’24, or ’25 (after the Idiot’s inauguration, and DOGE)?

Second, does this mean that they are not even following PCI-DSS rules, to have all communication between two computers encrypted?

I’ll also note that a few years ago, I think it was the UK who said “no, thanks” to cloud, because they could not be guaranteed that government data would remain solely on their country’s soil.
