The Federal Government Just Told You Its Cloud Security Process Is Broken
On March 18, 2026, ProPublica published an investigation that should alarm every organization that relies on FedRAMP authorization as a trust signal for cloud security. The story is straightforward: Federal cybersecurity reviewers spent nearly five years trying — and failing — to verify how Microsoft protects sensitive government data within GCC High, its cloud suite designed for some of the most sensitive unclassified information the government handles.
Key Takeaways
- FedRAMP authorized Microsoft GCC High despite nearly five years of unresolved security concerns — because the product was already too embedded across the federal government to reject. Federal reviewers spent 480 hours and 18 technical deep dives yet concluded they had a “lack of confidence” in the product’s overall security posture.
- Microsoft could not show FedRAMP how it encrypts sensitive government data in transit — a basic requirement that Amazon and Google routinely documented. Reviewers never got past a single service, Exchange Online, before the engagement collapsed.
- The third-party firms hired to independently assess GCC High privately told FedRAMP they couldn’t fully vet the product — while their official reports said otherwise. Both Coalfire and Kratos back-channeled concerns they wouldn’t put in writing for the client paying them.
- DOGE budget cuts reduced FedRAMP to roughly two dozen staffers focused on issuing authorizations at record pace — not conducting meaningful security reviews. The program’s $10 million annual budget is its lowest in a decade, even as agencies accelerate adoption of cloud-based AI tools.
- Compliance labels are not security — organizations need cloud architectures that deliver verifiable, continuous protection regardless of who stamped the certificate. The Kiteworks 2026 Data Security and Compliance Risk Forecast found that 38% of government organizations still rely on manual or periodic compliance processes.
They authorized it anyway. Not because their questions were answered. Not because the review was complete. Because the product was already too deeply embedded across the Justice Department, the Energy Department, and the defense industrial base to say no.
One member of the FedRAMP review team summarized the security documentation Microsoft provided in terms that don’t require a cybersecurity degree to understand. Another reviewer told the DOJ they couldn’t even quantify the unknowns that remained. Tony Sager, a former NSA computer scientist who spent three decades in government, used five words that should end the debate about what FedRAMP authorization actually means: “This is not security. This is security theater.”
What Microsoft Couldn’t — or Wouldn’t — Show
The core issue was deceptively simple. FedRAMP wanted data flow diagrams: technical illustrations showing how data moves from Point A to Point B and, critically, how it is encrypted along the way. When data travels through cloud infrastructure — hopping between servers, load balancers, and storage layers — encryption in transit prevents interception. Verifying this encryption requires seeing the full path.
Microsoft called the request too challenging. FedRAMP compromised and suggested starting with just one service: Exchange Online. Microsoft submitted a white paper about encryption strategy but omitted the specific details showing where encryption and decryption actually occur. That omission meant FedRAMP couldn’t verify the protection was happening at all.
Other major cloud providers — Amazon and Google among them — routinely supplied this level of documentation. The 2026 CrowdStrike Global Threat Report makes the urgency clear: 82% of detections are now malware-free, meaning attackers bypass traditional defenses through identity abuse and credential theft. In that environment, encryption and visibility into data flows aren’t optional security nice-to-haves. They’re the last line of defense.
The problem, according to people familiar with Microsoft’s technology, is architectural. The company’s cloud services were built on top of decades-old legacy code. One FedRAMP reviewer compared the resulting data paths to a tangled mess — data traveling from Washington to New York by bus, ferry, and airplane instead of taking a direct route. Each extra hop is another opportunity for interception if the data isn’t properly encrypted.
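The verification FedRAMP's reviewers were attempting can be written down as a check: given a documented path from Point A to Point B, every hop must state how it is protected, the hops must join up, and a hop whose encryption status is simply not shown is a finding rather than a pass. The script below is an added example (not from the ProPublica story, FedRAMP, Microsoft or Kiteworks); the component names, the sample path, the accepted-transport set and the three verdict labels are constructed assumptions.

```python
"""Reviewer's check over a documented data path (added example, constructed data).
'verified' requires a contiguous origin-to-destination path with an accepted
transport declared on every hop; an undocumented hop blocks verification."""

ACCEPTED_TRANSPORT = {"TLS 1.2", "TLS 1.3"}  # assumed reviewer policy, not a FedRAMP value

# Constructed sample path through several infrastructure layers.
# "transport" is None where the write-up does not say how the hop is protected.
SAMPLE_PATH = [
    {"src": "client", "dst": "edge-lb", "transport": "TLS 1.3"},
    {"src": "edge-lb", "dst": "mail-frontend", "transport": "TLS 1.2"},
    {"src": "mail-frontend", "dst": "mailbox-store", "transport": None},
    {"src": "mailbox-store", "dst": "blob-storage", "transport": "none"},
]


def review_path(hops: list[dict], origin: str, destination: str) -> dict:
    """Return a verdict, the findings behind it, and the intermediate
    components where the data is handled in plaintext."""
    findings = []
    # The diagram must show the whole route, not a convenient subset of hops.
    if not hops or hops[0]["src"] != origin or hops[-1]["dst"] != destination:
        findings.append(f"INCOMPLETE: path does not run from {origin} to {destination}")
    for prev, cur in zip(hops, hops[1:]):
        if prev["dst"] != cur["src"]:
            findings.append(f"GAP: no documented hop between {prev['dst']} and {cur['src']}")
    for h in hops:
        label = f"{h['src']} -> {h['dst']}"
        transport = h.get("transport")
        if transport is None:
            findings.append(f"UNDOCUMENTED: {label}: encryption status not shown")
        elif transport not in ACCEPTED_TRANSPORT:
            findings.append(f"UNPROTECTED: {label}: transport '{transport}' not accepted")
    # Each intermediate component terminates the transport and sees plaintext,
    # so every extra hop is one more place a compromise exposes the data.
    exposure_points = [h["dst"] for h in hops[:-1]]
    if any(f.startswith(("UNPROTECTED", "GAP", "INCOMPLETE")) for f in findings):
        verdict = "fail"
    elif any(f.startswith("UNDOCUMENTED") for f in findings):
        verdict = "cannot-verify"  # no evidence either way: the reviewer cannot sign off
    else:
        verdict = "verified"
    return {"verdict": verdict, "findings": findings, "exposure_points": exposure_points}


if __name__ == "__main__":
    result = review_path(SAMPLE_PATH, "client", "blob-storage")
    print(result["verdict"])
    for finding in result["findings"]:
        print(" ", finding)
```

Note that a single undocumented hop yields "cannot-verify" even when every other hop is fine, which is the distinction the reviewers were drawing between protection that is shown and protection that is merely asserted.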
The Assessor Conflict Nobody Talks About
There is a structural problem baked into FedRAMP that the GCC High saga makes impossible to ignore. The third-party assessment firms tasked with independently evaluating cloud products are hired and paid by the cloud companies themselves.
In 2020, both of Microsoft’s assessors — Coalfire and Kratos — privately told FedRAMP they couldn’t get the information needed to fully evaluate GCC High. They said this through a confidential back channel, not in their official reports. FedRAMP eventually placed Kratos on a corrective action plan for not pushing back on Microsoft hard enough.
This is the structural equivalent of a building inspector being paid by the developer, finding cracks in the foundation, and whispering the findings to the city while signing off on the permit. The 2026 Black Kite Third-Party Breach Report quantifies where this leads at scale: Among the 50 most-connected third-party vendors, 70% had a CISA KEV-listed flaw, 84% had critical vulnerabilities with a CVSS score of 8 or higher, and 62% had corporate credentials circulating in stealer logs. High compliance scores and serious security gaps coexist comfortably, and the assessment model itself is part of the reason.
The World Economic Forum’s 2026 Global Cybersecurity Outlook confirms that supply chain risk management is treated as a compliance checklist rather than a dynamic process. Only 27% of organizations simulate cyber incidents or conduct recovery exercises with supply chain partners. Only 33% comprehensively map their supply chain ecosystems. The assessor model feeds this complacency by producing certifications that look authoritative but don’t require the depth of evidence that actual security demands.
“Too Big to Fail” Became “Too Embedded to Reject”
The GCC High story isn’t just about one product. It’s about what happens when cloud adoption outpaces security validation.
When the DOJ’s Melinda Rogers authorized GCC High in early 2020, the product entered the FedRAMP Marketplace as “in process.” That listing — on a government website used by procurement teams across the federal government — functioned as an implicit endorsement. Other agencies adopted it. The Pentagon required its contractors to meet FedRAMP standards, and Microsoft marketed GCC High to defense companies like Boeing as meeting those requirements, even without full authorization.
By the time FedRAMP’s review team concluded the product had fundamental issues, pulling the plug would have disrupted multiple federal agencies and countless defense contractors. FedRAMP’s own summary acknowledged the reality: Not authorizing it “would impact multiple agencies that are already using GCC-H.” So they authorized it with conditions — a “buyer beware” notice that shifted the responsibility to individual agencies.
The Kiteworks 2025 MFT Survey Report found that 72% of organizations report thoroughly evaluating vendor security, yet the incident rate remains at 59%. Thorough evaluation doesn’t close security gaps when the evaluation itself is built on incomplete information. And when the vendor is too large and too embedded to refuse, the evaluation becomes academic.
DOGE Cuts Made a Bad Situation Worse
If the FedRAMP process was already strained, the Department of Government Efficiency made it structurally incapable. The program’s staff was slashed, its budget cut to $10 million — the lowest in a decade — and the remaining two dozen or so employees were directed to focus on delivering authorizations at record speed.
The Kiteworks 2026 Data Security and Compliance Risk Forecast found that government organizations have a 24-point gap between formal governance models (86% adoption) and automated compliance enforcement (62% adoption). That gap means documentation exists, but the infrastructure to act on it doesn’t. FedRAMP after the DOGE cuts is the institutional version of this same problem: The program exists, but its capacity to do meaningful work has been hollowed out.
This matters far beyond Microsoft. As the federal government accelerates adoption of cloud-based AI tools — tools that require access to enormous volumes of sensitive data — the program that is supposed to validate cloud security has fewer resources, less expertise, and more pressure to approve quickly than at any point in its history. The Biden White House issued a memorandum saying FedRAMP “must be capable of conducting rigorous reviews.” The current administration’s GSA responded that FedRAMP’s job is “not to determine if a cloud service is secure enough” but to “ensure agencies have sufficient information to make these risk decisions.” That’s a meaningful downgrade in ambition. And most agencies don’t have the staff to pick up the slack.
The Revolving Door That Completes the Picture
The ProPublica investigation documented something else that deserves attention: the movement of key decision-makers between government and Microsoft. Melinda Rogers, the DOJ official who authorized GCC High and later sat beside Microsoft’s liaison in a meeting pushing FedRAMP to approve the product, was hired by Microsoft in 2025. Lisa Monaco, the deputy attorney general who launched the DOJ’s initiative to hold government contractors accountable for cybersecurity fraud, left government in January 2025. Microsoft hired her as president of global affairs.
Microsoft stated both hirings complied with all ethics rules. That may be true. But the optics — combined with the five years of deference FedRAMP showed a company whose products were central to two of the worst cyberattacks against the U.S. government — illustrate a broader dynamic. The companies being evaluated, the people doing the evaluating, and the people enforcing the rules are all part of the same ecosystem. Independence in that environment requires structural safeguards, not just good intentions.
Architecture Over Authorization: How Kiteworks Approaches Federal Cloud Security
The GCC High case illustrates what happens when organizations treat compliance authorization as a proxy for security. Kiteworks takes the opposite approach: Build the security architecture first and let the compliance evidence flow from the controls themselves.
Kiteworks has maintained continuous FedRAMP Moderate Authorization since June 2017 — nearly nine years of uninterrupted federal security validation. Its Secure Gov Cloud has advanced to FedRAMP High In Process, with an active agency partner reviewing the security package for Authority to Operate at the High impact level. The progression — Moderate since 2017, High Ready in February 2025, High In Process in 2026 — reflects a track record, not a marketing claim.
Where the GCC High case exposed gaps in encryption documentation and data flow visibility, Kiteworks delivers a single-tenant, hardened virtual appliance with embedded security controls — network firewall, web application firewall, intrusion detection — that require zero customer configuration. Double encryption at rest uses separate keys at the file and disk levels. FIPS 140-3 validated cryptographic modules meet the standards that 69% of government respondents and 59% of financial services respondents require, according to Kiteworks survey data. Every sensitive data exchange — email, file sharing, SFTP, MFT, data forms, APIs — generates a complete, real-time audit trail with no throttling and no delays.
The architectural difference matters. Where Microsoft’s FedRAMP reviewers described a system they couldn’t see inside, Kiteworks provides complete visibility into every data flow across every exchange channel. Where third-party assessors struggled to get the full picture, Kiteworks’ purpose-built compliance dashboards map controls to 14+ regulatory frameworks from a single platform.
What Organizations Should Do Now — Without Waiting for FedRAMP to Fix Itself
First, stop treating FedRAMP authorization as a security guarantee. It is one input in a risk assessment, not a conclusion. Any cloud provider handling sensitive data should be able to demonstrate encryption architecture, data flow visibility, and audit trail completeness at a level of detail your security team can independently verify.
Second, demand data flow documentation from your cloud providers. The fact that Microsoft struggled for five years to produce what Amazon and Google provided as routine should change how you evaluate vendor security posture. If a provider can’t show you exactly how your data is encrypted in transit and at rest, that’s a finding, not a conversation.
Third, audit your assessor relationships. The back-channel dynamic between Coalfire, Kratos, and FedRAMP reveals a systemic conflict of interest. According to the World Economic Forum, only 33% of organizations comprehensively map their supply chain ecosystems to understand threat exposure. Your third-party risk program should include independent verification that doesn’t depend on the vendor’s own assessors.
Fourth, evaluate your cloud architecture for vendor concentration risk. The 2026 Black Kite Third-Party Breach Report identified 136 verified third-party breach events affecting approximately 26,000 companies. When a single cloud provider becomes too embedded to reject — as GCC High did — your organization inherits every security gap that provider carries.
Fifth, prioritize continuous compliance monitoring over periodic assessments. The Kiteworks Forecast data shows that 25% of organizations still use manual or periodic compliance as their primary approach. In a threat environment where eCrime breakout time averages 29 minutes, according to the 2026 CrowdStrike Global Threat Report, quarterly compliance reviews are a relic.
The GCC High case didn’t create the gap between compliance and security. It just made the gap impossible to deny. Organizations that act on this information — by demanding architectural proof over authorization labels — will be in a fundamentally better position than those waiting for the next investigation to tell them what they should have already known.
Frequently Asked Questions
FedRAMP authorization is not a security guarantee — it is a standardized review process with structural limitations. The ProPublica investigation showed that products can be authorized despite unresolved security questions. Federal agencies should treat FedRAMP as one input in risk decisions, not a final verdict, and independently verify encryption, data flow architecture, and audit trail completeness.
Defense contractors using GCC High should review the FedRAMP cover report’s conditions and assess whether their CMMC requirements are fully met. According to Kiteworks/Coalfire survey data, only 46% of DIB organizations consider themselves CMMC-ready and 62% lack adequate governance controls. Independently verify that your cloud environment provides the encryption, logging, and access controls CMMC Level 2 demands.
Require data flow diagrams showing exactly where encryption and decryption occur across every service handling your data. The GCC High case revealed that Microsoft could not produce this for even a single service over five years, while competitors like Amazon and Google provided it routinely. The 2026 Thales Data Threat Report found only 33% of organizations have complete data location visibility — don’t let your cloud provider share that blind spot.
The assessor-paid-by-vendor model creates inherent conflicts, as the GCC High case demonstrated when assessors back-channeled concerns while their official reports stayed clean. The 2026 Black Kite Third-Party Breach Report found that 53.77% of monitored organizations had critical vulnerabilities despite holding high cyber grades. Supplement vendor-provided assessments with independent technical validation and continuous monitoring.
The GCC High investigation highlights multi-tenant architectural complexity as a core security risk. FedRAMP reviewers described Microsoft’s data paths as opaque and difficult to verify. Single-tenant architectures like Kiteworks eliminate cross-tenant vulnerability exposure and provide complete visibility into data flows, delivering verifiable security rather than depending on a vendor’s assurance that encryption is happening somewhere inside a black box.