**Federal Cyber Experts Call Microsoft's Cloud Service "Shambolic," Still Approve It** In the world of cybersecurity, Nigeria's National Information Technology Development Agency (NITDA) and the National Identity Management Commission (NIMC) are working to ensure that data shared with cloud companies is secure. However, in the United States, it appears that this goal has been compromised. The Federal Risk and Authorization Management Program (FedRAMP) is supposed to oversee cloud services used by federal agencies. However, it seems that FedRAMP lacks the resources and staff to thoroughly review these services. As a result, the program relies heavily on the claims made by cloud companies and the assessments of third-party firms they hire. Critics say that FedRAMP has lost its way and is no longer effectively protecting American citizens' data. "The public expects FedRAMP to keep their data safe," says a former official with the General Services Administration (GSA). "Instead, they seem to be just rubber-stamping cloud services without a proper review." One example of this is Microsoft's cloud service, GCC High. Although FedRAMP officials called it a "pile of shit," they still approved it. However, when the Justice Department investigated further, they discovered that Microsoft had been using Chinese engineers to service their sensitive cloud systems, despite a prohibition against non-US citizens assisting with IT maintenance. This information was uncovered by a ProPublica investigation, not by FedRAMP or Microsoft. A Microsoft spokesperson acknowledged that they had communicated this information to Justice officials before 2020, but it was not reflected in their written security plan. Former and current government officials are now concerned about what other risks may be lurking in GCC High and beyond. They worry that FedRAMP's lack of resources and oversight may be putting American citizens' data at risk. In response to these concerns, the General Services Administration (GSA) stated that if there is credible evidence of a cloud company making false representations, the matter is referred to investigative authorities. However, it seems that the ultimate arbiter of this process is the Justice Department, which is ironic given their own experience with Microsoft's cloud service.