FedRAMP Greenlit Microsoft's GCC High Despite Reviewers Calling Security Docs 'A Pile of Shit'

via Schneier on Security

On Microsoft’s Lousy Cloud Security

Federal cybersecurity evaluators flagged Microsoft’s Government Community Cloud High in late 2024 as essentially unassessable, citing missing detailed security documentation that left reviewers unable to verify how sensitive data is protected as it traverses Microsoft’s cloud infrastructure. One team member’s blunt assessment of the submission package was that it was ‘a pile of shit,’ and reviewers reported years of failed attempts to get adequate technical explanations from the vendor.

Despite that verdict, FedRAMP authorized the product anyway, attaching an unusual buyer-beware caveat for agencies considering it. GCC High is the tier intended to hold some of the most sensitive non-classified federal data, so the decision to approve a system the assessors couldn’t vouch for is a meaningful concession driven by Microsoft’s entrenched position in federal IT.

The episode illustrates how vendor lock-in distorts the supposedly rigorous FedRAMP process: when the alternative is disrupting a multi-billion-dollar government dependency, ‘authorized with reservations’ becomes the path of least resistance, and the security baseline that FedRAMP exists to enforce gets quietly negotiated downward.

This is an AI-generated summary. Read the original for the full story.