I’ve spent more than twenty years building and defending the systems that federal agencies trust with their most sensitive data. I hold a CISSP. I served in the Navy. I’ve led incident response during a zero-day attack on our own platform and worked in lockstep with Mandiant to protect our customers. I’ve sat across the table from FedRAMP reviewers, third-party assessor organizations (3PAOs) and agency authorizing officers more times than I can count.
So when ProPublica reported that FedRAMP spent five years trying to verify how Microsoft Government Community Cloud (GCC) High encrypts government data in transit — and never got the answer — I didn’t read it as a story about one product. I read it as a story about what happens when compliance replaces security. That distinction matters more right now than it ever has.
The architecture is the story
The details in the ProPublica investigation are striking, but the most important one is easy to miss. FedRAMP didn’t ask Microsoft for anything unusual. They asked for data flow diagrams — technical illustrations showing how data moves through the system and where it’s encrypted along the way. Amazon and Google provided this routinely.
Microsoft said it was too complicated. FedRAMP narrowed the request to a single service: Exchange Online. Microsoft submitted a white paper on encryption philosophy but omitted the specifics showing where encryption and decryption occur. Without that, the reviewers couldn’t verify the protection was operational.
Five years. Eighteen deep dives. Four hundred eighty hours. They never got past one service.
If you understand cloud architecture, this tells you something specific: The inability to produce data flow diagrams isn’t a documentation problem. It’s an architecture problem. When a cloud product is built on decades of legacy code — with data bouncing through layers of inherited infrastructure — mapping the encryption path becomes extraordinarily difficult. One reviewer compared it to traveling from Washington to New York by bus, ferry and plane instead of taking Amtrak. Every hop without verified encryption is an exposure point.
The 2026 Thales Data Threat Report found that only 33% of organizations have full knowledge of where their data is stored. When your cloud provider can’t map its own architecture, you inherit that blind spot.
The assessor model did what its incentives told it to
The 3PAOs deserve just as much attention. Coalfire and Kratos were hired by Microsoft to independently evaluate GCC High. Both privately told FedRAMP they couldn’t get the full picture. They said this through a back channel — not in their official reports. FedRAMP placed Kratos on a corrective action plan for not pushing back hard enough.
The assessor model has a structural conflict built into its foundation. The vendor hires the assessor. The vendor pays the assessor. If the assessor raises too many flags, the vendor can replace them. That doesn’t mean every assessment is compromised. But it means the incentive structure pushes in one direction, and without strong oversight to counterbalance it, the output reflects that pressure.
The 2026 Black Kite Third-Party Breach Report quantifies what this looks like at scale: Across roughly 200,000 monitored organizations, more than half had at least one critical vulnerability while carrying an average cyber grade of A. High marks and real risk coexist. The GCC High case explains exactly how.
You own the verification now
Even at full capacity, FedRAMP was never designed to be a continuous security guarantee. The program evaluates a point-in-time snapshot. Authorizations are granted based on documentation submitted during the assessment window — not on ongoing, real-time validation of how a provider handles your data. GSA itself has said that FedRAMP’s role is “not to determine if a cloud service is secure enough.” When the program’s own leadership frames its mandate that narrowly, agencies need to understand what FedRAMP authorization actually represents — and what it doesn’t.
For chief information security officers and authorizing officers, this means one thing: You own the verification now. Not FedRAMP. Not the assessor. You.
I’ve run Kiteworks’ FedRAMP program since we achieved Moderate Authorization in 2017. We’ve maintained it continuously for nearly nine years. Our Secure Gov Cloud is FedRAMP High In Process with an active agency review underway. I know what it takes to produce the evidence that reviewers demand.
The documentation Microsoft couldn’t provide should be table stakes for any FedRAMP-authorized platform. Single-tenant architectures make data flow mapping straightforward because each customer environment is isolated and observable by design. Real-time, complete audit trails — not throttled or gated behind premium licensing tiers — should be a baseline expectation, not a differentiator. When a platform is purpose-built for sensitive data protection rather than adapted from a general-purpose productivity suite, the evidence that reviewers need is a natural output of the architecture, not a special request that takes five years to fill.
One question this quarter
Ask your cloud providers: Can you show me — not tell me, show me — exactly where my data is encrypted as it moves through your system?
If the answer is a white paper about encryption philosophy, you have a finding. If the answer is a data flow diagram with every encryption and decryption point documented, you have a provider you can verify independently.
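The distinction above (a narrative about encryption versus a hop-by-hop record a reviewer can check) can be made concrete by keeping the provider's answer as data rather than prose. The following is an added example, not code from the article or from Kiteworks: it models a data flow diagram as a list of hops, each with its transport protection and the kind of evidence behind it, and turns every hop that lacks verifiable evidence into a finding. All service names, hops and evidence labels are constructed placeholders.

```python
# Added example (not from the article or from Kiteworks): a data-flow
# inventory kept as machine-checkable data, plus a review that converts it
# into findings. All service names, hops and evidence labels are constructed.
from dataclasses import dataclass

# Evidence a reviewer can check independently, versus a narrative claim.
VERIFIABLE_EVIDENCE = {"data_flow_diagram", "tls_config", "packet_capture"}
UNENCRYPTED = {"plaintext", "unknown"}


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    transport: str                 # e.g. "TLS1.3", "TLS1.2", "plaintext", "unknown"
    evidence: str                  # what documents this hop's protection
    decrypts_at_dst: bool = False  # dst terminates the session: a decryption point


def review_hops(hops):
    """Return (path, reason) findings for every hop a reviewer could not verify."""
    findings = []
    for h in hops:
        path = f"{h.src} -> {h.dst}"
        if h.transport in UNENCRYPTED:
            findings.append((path, f"no verified encryption in transit ({h.transport})"))
        elif h.evidence not in VERIFIABLE_EVIDENCE:
            findings.append((path, f"encryption claimed, but evidence '{h.evidence}' "
                                   "is narrative, not something a reviewer can check"))
    return findings


def decryption_points(hops):
    """Every node where data is in the clear, however briefly; each must be documented."""
    return sorted({h.dst for h in hops if h.decrypts_at_dst})


def fully_verifiable(hops):
    """True only when every hop is encrypted and backed by checkable evidence."""
    return not review_hops(hops)


# Constructed sample: four hops through a fictional mail service.
SAMPLE_FLOW = [
    Hop("client", "edge-gateway", "TLS1.3", "tls_config", decrypts_at_dst=True),
    Hop("edge-gateway", "mail-frontend", "TLS1.2", "data_flow_diagram", decrypts_at_dst=True),
    Hop("mail-frontend", "legacy-store", "unknown", "white_paper"),
    Hop("legacy-store", "archive", "TLS1.2", "white_paper"),
]

if __name__ == "__main__":
    for path, reason in review_hops(SAMPLE_FLOW):
        print(f"FINDING {path}: {reason}")
    print("decryption points:", decryption_points(SAMPLE_FLOW))
```

On the constructed sample, the two hops into and out of the legacy store produce findings: one because the transport is unknown, the other because the only evidence is a white paper. The two documented TLS terminations are listed as decryption points, which is exactly the information the reviewers in the article were asking for.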
The government spent five years asking that question. Don’t wait five years for yours.
Frank Balonis is chief information security officer and senior vice president of operations at Kiteworks.