FedRAMP first raised questions about GCC High’s security in 2020 and asked Microsoft to provide detailed diagrams explaining its encryption practices. But when the company produced what FedRAMP considered to be only partial information in fits and starts, program officials did not reject Microsoft’s application. Instead, they repeatedly pulled punches and allowed the review to drag out for the better part of five years. And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology - not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

  • Get_Off_My_WLAN@fedia.io
    2 hours ago

    By early 2020, Melinda Rogers, Justice’s deputy chief information officer, made the decision official and soon deployed GCC High across the department. . . . Rogers, who was hired by Microsoft in 2025

    Deputy Attorney General Lisa Monaco said the department would use the False Claims Act to pursue government contractors “when they fail to follow required cybersecurity standards—because we know that puts all of us at risk.” . . . There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, . . . did not respond to requests for comment. She left her government position in January 2025. Microsoft hired her to become its president of global affairs.

    This shouldn’t be fucking legal.