Mastodon Feed: Post

Boosted by jwz:
jalefkowit@vmst.io ("Jason Lefkowitz") wrote:

Hard to read this as anything other than a torpedo directly under the waterline of FedRAMP's credibility

https://www.propublica.org/article/microsoft-cloud-fedramp-cybersecurity-government

The program’s layers of review, which included an assessment by outside experts, were supposed to ensure that service providers like Microsoft could be entrusted with the government’s secrets. But ProPublica’s investigation — drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors — found breakdowns at every juncture of that process. It also found a remarkable deference to Microsoft, even as the company’s products and practices were central to two of the most damaging cyberattacks ever carried out against the government.

FedRAMP first raised questions about GCC High’s security in 2020 and asked Microsoft to provide detailed diagrams explaining its encryption practices. But when the company produced what FedRAMP considered to be only partial information, program officials did not reject Microsoft’s application. Instead, they repeatedly pulled punches and allowed the review to drag out for five years. And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry.

By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but on the grounds that Microsoft’s product was already being used across Washington.