Despite doubts, federal cyber experts approved Microsoft cloud service (propublica.org)

by hn_acker 225 comments 487 points

[−] jbombadil 59d ago

> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".

Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.

[−] cuuupid 59d ago

> Not criticizing FedRAMP

Think it's very important to criticize FedRAMP. The FedRAMP board is extremely slow moving and continuously disregards industry feedback. As a result, FedRAMP is essentially a Palantir tax, where nearly every startup hoping to sell to government (including larger ones like Anthropic, xAI, Cognition AND OpenAI) is forced to pay Palantir to deploy in their FedRAMP enclave. This has a sticker price of 200-500k/y before we get into compute premiums.

Going through FedRAMP yourself requires staff who are willing to put in a dedicated effort on the compliance paperwork (not the controls, which you could knock out in ~1mo easily, just the paperwork) for 6-8mo before getting into a line to hopefully get a 3PAO audit and then remediations followed by another audit which is followed by needing to get agency sponsorship for a FedRAMP board review. This costs $2-3M minimum including the amount of security software needed for evidencing and policy, which rules out nearly every small business. This process also can easily take 2-3 years of waiting, which forces out enterprise. So anyone entering the ecosystem is essentially forced to pay Palantir (or 2F which is a distant 2nd) a tax that is entirely enforced by government regulation.

They are not any kind of 'Federal Cyber Experts' either as that work is primarily outsourced to Schellman etc.

[−] chii 59d ago
It's why these enterprise vendors want a foot in the door at all costs.

They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.

[−] torginus 59d ago
I dunno, but for me ensuring security means reducing the number of problematic parts, and making sure you have control over the ones that exist.

The most secure thing I could think of is a cluster of servers running in my basement under lock and key, running a conservative set of well-tested software.

[−] debarshri 59d ago
Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, plus conditional access stuff with 50 variables and templates etc.

You can customize the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.

[−] iscoelho 59d ago
Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.

I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
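The comment above is about a signing key that could mint tokens for users of a different identity realm than the one the key belonged to. The added example below is not from the commenter, the linked Microsoft post, or any Microsoft code; it illustrates the general class of validation bug in which a relying party accepts any `kid` it can find in any issuer's key set, next to a hardened validator that scopes the key lookup by the issuer it expects. The issuers, `kid` values and HMAC secrets are constructed for the example (HMAC stands in for the RSA/EC keys a real OIDC issuer publishes), and `validate_weak`/`validate`/`demo` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key material (not real keys). Each issuer publishes its own key set;
# in a real deployment these would be fetched from each issuer's jwks_uri.
CONSUMER = "https://consumer.example/"
ENTERPRISE = "https://enterprise.example/tenant-a"
KEYS_BY_ISSUER = {
    CONSUMER: {"kid-consumer-1": b"consumer-signing-secret"},
    ENTERPRISE: {"kid-ent-1": b"enterprise-signing-secret"},
}


def sign(key: bytes, kid: str, claims: dict) -> str:
    """Mint an HS256 JWT. Whoever holds the key picks the kid and the claims,
    which is exactly the position an attacker with a stolen signing key is in."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def _split(token: str):
    """Return (header, claims, signature) or None for anything malformed."""
    try:
        h, p, s = token.split(".")
        return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None


def _verify(header: dict, signing_input: str, sig: bytes, key: bytes) -> bool:
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return False
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_weak(token: str, expected_iss: str, now: float):
    """Vulnerable: resolves kid against the union of every issuer's keys, then checks
    iss afterwards. A key stolen from the consumer issuer signs tokens that pass as
    enterprise tokens because the kid is recognised and the iss claim is attacker-chosen."""
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, sig = parsed
    merged = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _verify(header, token.rsplit(".", 1)[0], sig, key):
        return None
    if claims.get("iss") != expected_iss or claims.get("exp", 0) <= now:
        return None
    return claims


def validate(token: str, expected_iss: str, now: float):
    """Hardened: the key set is chosen by the issuer the relying party expects,
    so a kid only means something inside that issuer's published keys."""
    parsed = _split(token)
    if parsed is None:
        return None
    header, claims, sig = parsed
    if claims.get("iss") != expected_iss:
        return None
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _verify(header, token.rsplit(".", 1)[0], sig, key):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    legit = sign(KEYS_BY_ISSUER[ENTERPRISE]["kid-ent-1"], "kid-ent-1",
                 {"iss": ENTERPRISE, "sub": "alice", "exp": int(now) + 600})
    # Attacker holds the CONSUMER key but asserts the enterprise issuer in the claims.
    forged = sign(KEYS_BY_ISSUER[CONSUMER]["kid-consumer-1"], "kid-consumer-1",
                  {"iss": ENTERPRISE, "sub": "admin", "exp": int(now) + 600})
    return {
        "legit_weak": validate_weak(legit, ENTERPRISE, now) is not None,
        "legit_hardened": validate(legit, ENTERPRISE, now) is not None,
        "forged_weak": validate_weak(forged, ENTERPRISE, now) is not None,
        "forged_hardened": validate(forged, ENTERPRISE, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is where the key lookup happens: in `validate_weak` the signature check succeeds before anyone asks which issuer that key belongs to, so the later `iss` compare is only checking a string the attacker wrote. Scoping the lookup by the expected issuer (and pinning `alg`) turns a stolen key from one realm into a key that is simply unknown to relying parties in another.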

[−] everdrive 59d ago
The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting stuff may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each other. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM, will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.
[−] ovidev 59d ago
The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?
[−] gertrunde 59d ago
It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.

(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).

[−] iamleppert 59d ago
Azure is easily the most expensive, least reliable and worst cloud available. It's borderline scam. An example today, I provisioned high IOPS SSDs (supposedly) and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when it's really an old hard drive.

I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.

If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.

[−] exabrial 59d ago
I'm guessing the requirements were written in a way that only Microsoft's cloud could win the bid.

That's why you have Windows in the Pentagon instead of something secure.

[−] dogleash 59d ago

> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.

Once the government decided they wanted the product, they were going to find a patsy.

[−] gertrunde 59d ago
The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.
[−] markstos 59d ago
Frustrating that FedRAMP is both a pain to get compliant with and also apparently is not a strong signal of actual security.
[−] caseysoftware 59d ago
Was this approval before or after evaluators discovered this?

> Microsoft on Friday revised its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s cloud services.

Ref: https://www.cnbc.com/2025/07/18/microsoft-china-digital-esco...

[−] thayne 59d ago
I don't have much experience with Azure but I was amazed at how many things in AWS GovCloud don't meet FedRAMP encryption requirements. For example, none of the lambda runtimes have FIPS certified encryption libraries available, and you have to bring your own, which is rather complicated to do.
[−] kqgnkqgn 59d ago
This is my opinion only, I'm sure some have had different experiences - but:

Azure's success as a cloud provider is mostly a result of their sales team and having an existing relationship with non-technical leadership. "We already pay them for Office and Exchange, let's just buy this new 'cloud' thing from them too".

Azure is barely considered an option at all within tech companies, yet is surprisingly widely adopted by non-technical companies that don't know any better (i.e., that don't have a technical / engineering voice or representation within leadership).

AWS = Likely technically the best, for now. Mostly unreasonable pricing, and less motivation to seriously negotiate given they are the 'default' cloud provider for most of the industry. Kind of feels like they have peaked though, and are slipping more recently. Inevitable, or bad leadership changes?

OCI = New-comer, attractive pricing and hungry for business. Might be able to avoid mistakes other providers have made? Reliability struggles though. Parent company has a bad reputation in some circles - but probably not with decision makers. Making huge (unwise?) investments - that will either come crashing down in 5 years, or seriously pay off. Layoffs, but going for massive growth...huh?

GCP = Notably different underlying technical choices than other providers. Folks are maybe a bit less pragmatic, and more academic. This helps them in unique services (Spanner?) but hurts in most other areas. They've matured, and are between AWS and OCI in reliability. They are probably not as hungry for business as they should be given how far behind they are.

[−] kajecounterhack 59d ago
+10000 that Azure is a steaming pile of shit. Like what's this -- azcopy broken at head, and the working one doesn't guarantee correctness after a copy (99.6% copied successfully! good luck figuring out what went wrong!) compare that to migrating data with GCS or S3 -- they provide first class tools that do it right quickly (aws-cli, gsutil).

Want a VM? You'll also need this network security group, network interface, network manager, ip, virtual network... and maybe it'll be connected to the internet so you can SSH in? Compare to GCP or EC2 -- you just pick an instance and start it. You can SSH in directly, or even do it in the browser.

Billing is also a nightmare: if you're running a startup, AWS and Google make it relatively easy to see how many credits you have left. The Azure dashboard makes you navigate a maze, and the button to click that says "Azure Credits" is _invisible_ for 30s until ostensibly some backend system finds your credits, then it magically shows up. Most people don't wait around and just assume there's no button.

And if you click it, maybe you will happen to be in the correct billing profile, maybe not! Don't get confused: billing profile and billing scope are different concepts too! And in your invoice, costs just magically get deducted, until they don't. No mention of any credits. Credits inaccessible through API (claude tried everything).

VMs, bucket storage, and copying data are the _simplest_ parts of the stack. Why would anyone bother trying to use other services if they can't get these right?

They literally give startups 2x the credits as GCP, 20x the credits of AWS and nobody wants to use them.

[−] NoSalt 59d ago
EVERYTHING about the federal government contracts program sucks ass! In the beginning, it was good as you didn't want people forcing through their brother, mother, 2nd cousin, next door neighbor, Satya Nadella and their "company" as a contractor without oversight cough Kristi Noem cough. However, it has devolved into a mess. The entire thing needs to be scrapped and re-engineered.
[−] sysops9x 59d ago
The vendor lock-in angle is the real story. Once you have AD, Exchange, Teams, and Azure all tangled together, the exit cost is enormous. I've watched orgs get approval for a full cloud migration based on cost savings projections that completely ignored the engineering cost of the decade-long migration that follows. The security issues are real but the procurement inertia is what keeps them renewing.
[−] rawgabbit 59d ago

> “GCC High reviewers saw problems everywhere, both in what they were able to evaluate and what they weren’t. To them, most of the package remained a vast wilderness of untold risk. Nevertheless, FedRAMP and Microsoft reached an agreement, and the day after Christmas 2024, GCC High received its FedRAMP authorization.”

How big was the ballroom donation?
[−] skywhopper 59d ago
Azure is bad. But to be fair, every security summary of IT services I’ve ever read — or written! — for over 25 years has also been a “pile of shit”. It seems to be inherent to the cybersecurity game that everything is judged based on meaningless check boxes and nonsensical explanations. Meanwhile the actual security posture is obscured and ignored.
[−] crawdog 59d ago
Entropy is real. Microsoft has lessened the friction of purchasing vs their competitors. In the public sector this may be their only choice because they laid the groundwork decades ago to do business with most organizations. It may not be the best solution, but it offers the least resistance to getting something up and running.
[−] jakubadamw 59d ago
Little has changed since Bill Gates tried to install Movie Maker.
[−] klooney 59d ago

> Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.

Hah. First time looking at FedRAMP?

The real reason for this, of course, is accounting, it moves it off of the government's books.