ProPublica investigation finds federal cloud security approvals are largely rubber-stamps: Microsoft's GCC High security plan for DOJ did not disclose that China-based engineers were servicing the environment.
A ProPublica investigation found that FedRAMP, the federal cloud security authorization program, approved Microsoft's GCC High environment even though internal reviewers had called it a 'pile of shit.' The Justice Department learned from a prior ProPublica report, not from FedRAMP or from Microsoft, that China-based engineers were servicing sensitive government cloud systems in violation of DOJ policy. The written security plan Microsoft submitted to DOJ did not disclose the use of foreign engineers. The systemic problem is that FedRAMP leans heavily on data the cloud vendors report about themselves and on third-party assessors (3PAOs) that those same vendors select and pay, a structural conflict of interest.
If you build on GCC High or any other FedRAMP-authorized environment, the compliance guarantees you inherit are weaker than advertised. Under the vendor-paid assessor model, the authorization boundary documents you rely on for your own security posture can carry undisclosed gaps: foreign access to production, subcontractor chains, or architectural decisions that never surface in the System Security Plan (SSP). The risk is not theoretical; DOJ found a live violation through a news article, not through a security audit.
Pull the SSP for every FedRAMP-authorized service your product depends on and cross-reference the personnel security and supply chain control families (in NIST SP 800-53 terms: PS, including PS-7 External Personnel Security; SA-9 External System Services; and SR, Supply Chain Risk Management) against your own data residency and access requirements. If those implementation statements are vague or boilerplate, your compliance posture has a gap the authorization will not close for you.
Concretely: go to marketplace.fedramp.gov and look up each cloud service in your stack to confirm its authorization status and level. The marketplace lists the service but does not host the package itself; federal agency staff obtain it through a FedRAMP package access request, and contractors normally have to request the SSP from the vendor under NDA. Once you have it, search the SSP for 'foreign national', 'offshore', and 'subcontractor', and record what is stated versus what is left blank or deferred to a vendor-internal policy.