Federal Cyber Experts Call Microsoft Cloud Security a Pile of Shit
In late 2024, federal cybersecurity evaluators concluded that Microsoft’s cloud computing offering lacked sufficient security documentation to allow a confident assessment of its overall security posture, according to an internal government report reviewed by ProPublica and reported by Ars Technica in March 2025.
The evaluation, conducted by unnamed federal cybersecurity experts, found that Microsoft’s “lack of proper detailed security documentation” left reviewers unable to verify key aspects of the system’s security controls. One member of the evaluation team was quoted in the report as describing the offering as “a pile of shit.” Despite these concerns, the service was ultimately approved for federal use.
The specific cloud service evaluated was not named in the Ars Technica report, but the timing and context suggest it may have been related to Microsoft Azure Government or a similarly designated offering intended for U.S. Federal agencies. Federal cloud services must undergo rigorous authorization processes under the Federal Risk and Authorization Management Program (FedRAMP), which requires vendors to provide detailed security documentation, including system security plans, vulnerability assessments, and continuous monitoring strategies.
FedRAMP authorization is mandatory for most cloud services used by U.S. Federal agencies. The program evaluates whether a provider’s security controls meet the requirements outlined in National Institute of Standards and Technology (NIST) Special Publication 800-53. A lack of detailed documentation can impede the evaluation process, as assessors rely on these materials to verify that technical and administrative safeguards are properly implemented and maintained.
Microsoft has not publicly responded to the specific allegations raised in the internal report. The company maintains an extensive compliance portfolio for its cloud services, including FedRAMP High authorization for Azure Government, which supports departments handling controlled unclassified information. Microsoft’s Trust Center publishes detailed compliance reports, attestations, and security white papers for its cloud offerings, though the depth and accessibility of such documentation can vary by service and audience.
Government cybersecurity evaluations often involve classified or sensitive assessments that are not made public. Internal reports like the one cited by ProPublica may reflect preliminary findings, technical disagreements, or concerns about documentation clarity rather than confirmed vulnerabilities. The fact that the service was approved despite the negative feedback suggests that the concerns were addressed during review, deemed non-blocking, or overridden through formal risk acceptance procedures.
The incident highlights ongoing tensions between cloud providers and federal assessors over the balance between innovation speed and security rigor. As agencies accelerate migration to cloud environments, ensuring that vendors provide transparent, assessable security documentation remains a critical component of maintaining trust in federal IT systems. Any perception that security shortcuts are being made—even if later resolved—can erode confidence in the authorization process itself.
As of March 2025, Microsoft’s Azure Government services remain listed as authorized on the FedRAMP Marketplace. No public enforcement actions, withdrawals of authorization, or security incidents tied to this specific evaluation have been reported by federal agencies or oversight bodies such as the Government Accountability Office or the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
