Federal reviewers have been wrestling with Microsoft’s GCC High government cloud for years, struggling to obtain basic encryption documentation. One reviewer even described the system as a “pile of spaghetti pies,” an image of how convoluted the path of data through it is, reminiscent of a trip from Chicago to New York in which each leg poses a risk. Despite these glaring issues, the system received approval in December 2024 because too many agencies were already using it.
The situation has left cybersecurity educators like Brian Greenberg at a loss for words. He pointed out that the approval process felt less like a security review and more like a hostage negotiation. With Microsoft’s federal cloud built on legacy code that the company can’t fully document, there’s a lot to be concerned about. Adding to the unease, “digital escorts”—often ex-military personnel with limited software engineering experience—serve as the barrier between Chinese engineers and classified U.S. networks.
Perhaps the most alarming takeaway from this ProPublica investigation is the conclusion reached by FedRAMP: refusing authorization wasn’t an option because agencies were already using the product. This raises serious questions about the integrity of the security review process, suggesting it was driven by sunk costs rather than actual risk assessment.
Greenberg’s post resonated with many, gathering significant engagement. The concerns he raised about the state of cybersecurity and the implications of such decisions are clearly striking a chord with professionals in the field.

