Microsoft Cloud Security: FedRAMP Concerns & DOJ Investigation

March 22, 2026 Rachel Kim – Technology Editor Technology

The Justice Department is investigating potential security breaches related to Microsoft’s Government Cloud High (GCC High) environment, a secure enclave used by federal agencies for sensitive data, according to a ProPublica investigation and confirmed by recent government actions.

The inquiry stems from revelations that Microsoft employed China-based engineers to maintain aspects of its cloud infrastructure, including systems within GCC High, despite prohibitions against such access for non-U.S. Citizens. The Justice Department learned of this arrangement not through direct notification from Microsoft or FedRAMP, the federal program responsible for cloud security authorization, but through reporting by ProPublica last year.

A Microsoft spokesperson acknowledged the company’s initial security plan submitted to the Justice Department did not disclose the use of foreign engineers, but stated the information was communicated to officials prior to 2020. Microsoft has since ceased utilizing China-based engineers for government systems.

The situation has prompted concerns among current and former government officials regarding other potential vulnerabilities within GCC High and other authorized cloud environments. FedRAMP’s role in identifying and addressing such risks has come under scrutiny, with critics arguing the program relies too heavily on self-reporting from cloud providers and the assessments of third-party firms hired by those same companies.

“FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” said a former GSA official who co-authored a 2024 White House memo on cloud security. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”

The GSA has stated that credible evidence of false representations by cloud service providers will be referred to investigative authorities. The Justice Department, however, remains the ultimate arbiter of compliance. A recent indictment of a former Accenture employee illustrates this point; the department alleges the employee made “false and misleading representations” about a cloud platform’s security to secure federal contracts and attempted to obstruct third-party assessments by concealing deficiencies.

There is no public indication that similar charges have been brought against Microsoft or anyone involved with the GCC High authorization. The Justice Department declined to comment on the matter. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, also did not respond to requests for comment.

Adding to the complexity, Lisa Monaco, the Deputy Attorney General who initiated the Justice Department’s cybersecurity fraud initiative, left her government position in January 2025 to become President of Global Affairs at Microsoft. A company spokesperson stated her hiring complied with all applicable rules and ethical standards, and that she does not work on federal government contracts or oversee dealings with the federal government.

The GSA recently moved forward with an overhaul of FedRAMP priorities, and has loaded a new FedRAMP Board with top Agency IT Officials, according to recent announcements. The program also recently appointed Pete Waterman as its permanent director, filling a position vacant for three years.