Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway
Briefly

"The tech giant's 'lack of proper detailed security documentation' left reviewers with a 'lack of confidence in assessing the system's overall security posture,' according to an internal government report reviewed by ProPublica. For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain."
"Such judgments would be damning for any company seeking to sell its wares to the US government, but it should have been particularly devastating for Microsoft. The tech giant's products had been at the heart of two major cybersecurity attacks against the US in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration."
"Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government's cybersecurity seal of approval."
Microsoft's Government Community Cloud High, a cloud service designed to protect sensitive federal information, received federal cybersecurity authorization from FedRAMP despite significant security concerns. Government evaluators found the product lacked proper security documentation and couldn't adequately assess its overall security posture. This approval is particularly troubling given Microsoft's history of security failures, including breaches by Russian hackers targeting federal agencies and Chinese hackers infiltrating senior government officials' email accounts. The authorization proceeded despite experts' inability to verify how the system protects sensitive data as information moves across servers, raising concerns about potential exposure of classified information.
Read at Ars Technica