
The problem is that agencies often lack the staff and resources to conduct thorough reviews, meaning the entire system is dependent on the claims of cloud companies and the evaluations of third-party companies they pay to evaluate them. Critics say that under the current approach, FedRAMP has lost the plot.
“FedRAMP’s job is to watch the American people’s backs when it comes to sharing their data with cloud companies,” said Mill, the former GSA official who also co-authored the 2024 White House memo. “When there is a security issue, the public should not expect FedRAMP to say they are just someone printing paper.”
Meanwhile, at the Justice Department, officials are figuring out what FedRAMP means by “unknown unknowns” at GCC High. For example, last year they discovered that Microsoft was relying on China-based engineers to service its sensitive cloud systems, despite the department’s ban against non-U.S. citizens assisting in IT maintenance.
According to the Justice employee who spoke to us, officials learned about this arrangement — which was also used at GCC High — not from FedRAMP or Microsoft, but from a ProPublica investigation into the practice.
A Microsoft spokesperson acknowledged that the written security plan the company submitted to the Justice Department for GCC High did not mention foreign engineers, although he said Microsoft had provided that information to Justice officials prior to 2020. Nevertheless, Microsoft has since ended the use of China-based engineers in government systems.
Former and current government officials are concerned about what other risks may lurk at GCC High and beyond.
GSA told ProPublica that, in general, “if there is credible evidence that a cloud service provider made a material misrepresentation, that matter is referred to investigative authorities as appropriate.”
The irony is that the Justice Department is the final arbiter of whether cloud providers or their third-party evaluators are living up to their claims. The recent indictment of a former Accenture employee shows that it is willing to use this power. In a court document, the Justice Department alleged that the former employee made “false and misleading representations” about the security of the cloud platform to help the company “obtain and retain lucrative federal contracts.” He is also accused of trying to “influence and hinder” Accenture’s third-party evaluators by hiding product deficiencies and asking others to conceal “the actual state of the system” during demonstrations, the department said. He has declared himself innocent.
There is no public indication that any such case has been brought against Microsoft or anyone involved in the GCC High Authority. The Justice Department declined to comment. Monaco, the deputy attorney general who started the department’s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.
She left her government post in January 2025. Microsoft appointed her to become President of Global Affairs.
A company spokesperson said Monaco’s appointment complied with “all rules, regulations and ethical standards” and that she “does not work on any federal government contracts or oversee or participate in any of our dealings with the federal government.”