> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".
Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.
> Not criticizing FedRAMP
Think it's very important to criticize FedRAMP. The FedRAMP board is extremely slow moving and continuously disregards industry feedback. As a result, FedRAMP is essentially a Palantir tax, where nearly every startup hoping to sell to government (including larger ones like Anthropic, xAI, Cognition AND OpenAI) is forced to pay Palantir to deploy in their FedRAMP enclave. This has a sticker price of 200-500k/y before we get into compute premiums.
Going through FedRAMP yourself requires a staff who is willing to put in a dedicated effort on the compliance paperwork (not the controls, which you could knock out in ~1mo easily, just the paperwork) for 6-8mo before getting into a line to hopefully get a 3PAO audit and then remediations followed by another audit which is followed by needing to get agency sponsorship for a FedRAMP board review. This costs $2-3M minimum including the amount of security software needed for evidencing and policy, which rules out nearly every small business. This process also can easily take 2-3 years of waiting, which forces out enterprise. So anyone entering the ecosystem is essentially forced to pay Palantir (or 2F which is a distant 2nd) a tax that is entirely enforced by government regulation.
They are not any kind of 'Federal Cyber Experts' either as that work is primarily outsourced to Schellman etc.
It's why these enterprise vendors want foot in the door at all costs.
They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.
That's false that Government agencies have 0 cost ceiling. Maybe DoD does, but most offices have extremely tight budgets.
As far as I know numbers aren't reported, but there's probably at least as many DIB GCC-H customers as government, who in part use it because the government does and it's compliant. Once they're locked in it's very hard to migrate.
I dunno, but for me ensuring security means reducing the number of problematic parts, and making sure the ones that have control over the ones that exist.
The most secure thing I could think of is a cluster of servers running in my basement under lock and key, running a conservative set of well-tested software.