FedRAMP approved Microsoft’s GCC High cloud product despite years of internal concerns about its security posture, according to ProPublica’s investigation.
Investigative reporting traced a pattern of incomplete security diagrams and overreliance on third‑party assessors, even as the government’s review spanned multiple years and agencies began deploying GCC High.
The reporting also disclosed that Microsoft used China‑based engineers to service sensitive government systems, a practice the Defense Department had prohibited, and that the Justice Department later moved to end that arrangement; Microsoft said it has since stopped the practice.
Critics argue that FedRAMP has drifted from its mandate to protect the public and instead acts as a rubber stamp for the providers it reviews, a drift they attribute to staffing shortages and a shrinking workforce, with as few as two dozen staff remaining in some years.
In response, federal officials and watchdogs call for stronger governance, greater transparency from cloud providers, and a reassessment of how GCC High and similar services are reviewed, especially given the security stakes for sensitive government data.