I really don’t understand how this happened. Here’s why: Before I retired I supported various parts of the DoD, primarily the Department of the Air Force (Air and Space) with technologies that ‘supported’ both the SIPR and NIPR networks. Meaning secure and nonsecure networks.
We signed off on documents about having ONLY US citizens on US soil or territories or on base touching or supporting these systems.
My employer drilled us and made us certify we understood compliance with this - up to and including termination, fines, civil and criminal individual prosecution.
I will have to fault our government for this - agreeing to a contract that would allow the CCP to even get near it.
Microsoft is actually quite good at all things FedRAMP, even FedRAMP High. So I am baffled here.
Who is accountable?
While no one has taken direct responsibility, several entities share accountability:
Microsoft: The company developed and implemented the workaround and reportedly omitted key details about its practices in its security filings with the Defense Department.
Defense Information Systems Agency (DISA): This agency is responsible for granting provisional authorization for cloud platforms. There appears to have been a lack of awareness within DISA about the program’s operations.
Pentagon Oversight: The program operated for years under multiple administrations, indicating a systemic failure of oversight within the Pentagon’s contracting processes.