home.social

#fedramp — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #fedramp, aggregated by home.social.

  1. I'm trying to understand why I would choose a regular AWS endpoint over FIPS. I know why and when I have to use FIPS. Given that I have a subset of customers that require it, why not just use it for all customers? One would hope if the ciphers in FIPS are good enough for the government, they're good enough for regular use.

    #InfoSec #FIPS #FedRamp #AWS

  2. Ryan has some thoughts about the recent FedRamp approval for Microsoft, even though the feds called it 💩. In The Long Run, maybe you should be able to explain how things like encryption and security controls work in your environment? #TheCloudPod #NewEpisode #FedRamp #Microsoft

  3. I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. 🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

    🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
    👮 "Digital escorts", often ex-military with minimal software engineering backgrounds, are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

    The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

    If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

    arstechnica.com/information-te
    #Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

  4. I find myself at a point where I'm encountering irreconcilable differences between my moral, ethical, and technical objections to the use of LLMs, and my employer's leadership's desire to force the use of LLMs into every aspect of day to day operations. As a result, I find myself #OpenToWork .

    I have decades of experience in the #SysAdmin / #SRE / #DevOps / #CICD / #CloudComputing range of skills. Currently acting as a subject matter expert on #Kubernetes , #Terraform , and #Observability . Mostly supporting #GCP platforms these days, but I am comfortable pivoting to other #cloud platforms like #AWS or even #OnPrem . Can do #ProjectManagement and #TeamLeadership. Experienced in #DevSecOps and #FedRAMP processes.

    I would strongly prefer to deal with no LLM tooling at all, but will settle for having to use it less than in the current environment.

    Location: #Canada (remote), #WaterlooRegion (Ontario) (hybrid).

    #FediHire #FediHired #GetFediHired

  5. "For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.

    Such judgments would be damning for any company seeking to sell its wares to the U.S. government, but it should have been particularly devastating for Microsoft. The tech giant’s products had been at the heart of two major cybersecurity attacks against the U.S. in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.

    The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information.

    Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling — which included a kind of “buyer beware” notice to any federal agency considering GCC High — helped Microsoft expand a government business empire worth billions of dollars."

    propublica.org/article/microso

    #Microsoft #FedRAMP #USA #Trump #CyberSecurity #Cloud #CloudComputing

  6. IT security staff of the US government were supposed to assess the MS cloud for its suitability for classified data. Their verdict:

    "Pile of shit"
    “lack of proper detailed security documentation”
    “lack of confidence in assessing the system’s overall security posture”

    A comparison with #AWS and #GCP is also drawn: there, the design was tailored to the requirements, whereas Microsoft supposedly just cobbled together existing components somehow.

    After political pressure it was, of course, approved for classified documents anyway.

    propublica.org/article/microso

    #azure #microsoft #microslop #FedRAMP

  7. A rather technical deep dive into verification systems run by #Persona, followed by some interesting questions that deserve answers.

    Persona seems to use the same code base for a #KYC system that verifies potential customers that want to sign up with #OpenAI to use GPT-5; as well as for another system that does #FedRAMP security assessments for #US government agencies (including automated notifications of agencies in special cases).

    (Read "0x11 - the architecture" first)

    vmfunc.re/blog/persona/

    via @raptor

    #security #privacy #ageverification

  8. When you wake up and you see a new message in the (cancelled) `-[project name]` channel 😱

  9. Plans, Policies, and Procedures: FedRAMP
    A government program that provides a standardized approach to security assessment and continuous monitoring for cloud products and services used by federal agencies.

    blackcatwhitehatsecurity.com

    #FedRAMP #Governance #Risk #Compliance #Programming

  10. Imagine getting enterprise-grade container security without the enterprise price tag. Docker’s new catalog offers rapid 7-day patches, vetted by experts and even FedRAMP-ready—perfect for startups looking to level up their defense. Curious how?

    thedefendopsdiaries.com/docker

    #dockersecurity
    #containersecurity
    #smallbusiness
    #hardenedimages
    #cybersecurity
    #fedramp
    #devsecops
    #vulnerabilitymanagement
    #cloudsecurity

  11. 🚀 NEW on We ❤️ Open Source 🚀

    Compliance = growth? You bet. benny Vasquez (@benny) explores how standards like FIPS and FedRAMP are powering open source adoption by building trust, attracting innovators, and proving reliability.

    allthingsopen.org/articles/com

    #WeLoveOpenSource #OpenSource #Compliance #FOSS #FedRAMP #Linux

  12. #Google is offering its full #AIplatform to #federalagencies for #47cents per agency for the first year. The platform includes enterprise search, image and video generation, NotebookLM, and agentic AI, all backed by #FedRAMP. This move aims to exceed similar programmes from OpenAI and Anthropic, each priced at $1 per agency for the first year. pymnts.com/artificial-intellig #tech #media #news

  13. 🎯 WRAPPING UP: #BlackHat USA 2025 Coverage Nearly Complete!
    With nearly all our on-location content from Las Vegas now published, we're excited to share this recap story.

    Stay tuned for the closing reflections (Newsletter Articles and Audio version) from Marco Ciappelli and Sean Martin, CISSP coming soon!

    🔔 Follow ITSPmagazine, Sean Martin, CISSP, and Marco Ciappelli to catch those final insights when they drop!

    This is an event recap from the expo floor with our friends at ThreatLocker 🙏

    #ThreatLocker Unveils Configuration Defense & Achieves #FedRAMP Status at #BlackHat2025

    #Zerotrust evolved from theory to practical business solution at Black Hat 2025, as Kieran Human from ThreatLocker revealed game-changing announcements that address real-world security challenges.

    The standout:
    Defense Against Configuration (#DAC)—a monitoring tool that solves a critical zero trust gap. Organizations invest heavily in security but often leave systems vulnerable through poor configuration management. DAC changes this by:
    • Continuously monitoring configurations and alerting to potential issues
    • Mapping findings to compliance frameworks including Essential 8
    • Providing weekly executive reports to ensure oversight
    • Preventing the "overly permissive rules" that compromise security

    ThreatLocker's "denied by default, allowed by exception" approach fundamentally differs from traditional EDR solutions. With 10,000+ built-in application profiles and learning mode capabilities, deployment no longer means business disruption.

    Major milestone:
    FedRAMP certification opens government sector opportunities, answering strong customer demand from highly regulated environments that previously couldn't adopt their zero trust capabilities.

    Real impact:
    One customer reported preventing THREE breaches after implementing ThreatLocker's solution—proving that properly implemented zero trust delivers measurable security improvements.

    The key insight? Security must enable business, not hinder it. ThreatLocker's least privilege implementation focuses on meeting business requirements with minimal necessary permissions—protecting assets without hampering productivity.

    📺 Watch the video: youtu.be/AN5k5-aBwWc

    🎧 Listen to the podcast: brand-stories-podcast.simpleca

    📖 Read the blog: itspmagazine.com/their-stories

    ➤ Learn more about ThreatLocker: itspm.ag/threatlocker-r974

    ✦ Catch more stories from ThreatLocker: itspmagazine.com/directory/thr

    🎪 Follow all of our #BHUSA 2025 coverage: itspmagazine.com/bhusa25

    #Cybersecurity #BlackHatUSA #BHUSA25 #Compliance #SecurityAutomation #GovTech

  14. 🎯 NOW PUBLISHING: On-Location Coverage from #BlackHat USA 2025!

    How to Automate #Cybersecurity Operations Without Coding, Crying, or Calling IT at 2 A.M.

    We're back in the office and excited to start sharing all the conversations we captured on location in Las Vegas with our amazing sponsors and editorial coverage!

    🔔 Follow ITSPmagazine, Sean Martin, CISSP, and Marco Ciappelli to get this content fresh as it drops!

    We're delighted to share this game-changing Brand Story conversation thanks to our friends at BlinkOps 🙏

    Traditional #SOAR platforms promise automation but deliver complexity—requiring extensive scripting, specialized skills, and weeks to implement new workflows. At #BlackHat2025, Mike Wayne from #BlinkOps reveals a better way.

    The breakthrough: Micro agents instead of monolithic #AI. BlinkOps enables you to build small, focused #AI entities designed for specific tasks—minimizing hallucination risks while maximizing control and precision.

    What makes this different:
    • Describe automation goals in plain language—the system generates working automations
    • Low-code/no-code accessibility lets citizen developers across HR, finance, and security build automations
    • Smaller context windows = fewer AI mistakes and more predictable outcomes
    • Deploy as #SaaS, hybrid, or in #FedRAMP #GovCloud environments

    Real-world results that matter:
    • One customer saved $1.8M in 30 days automating endpoint deployments
    • A triage agent processed 400 SOC alerts in 8 days with zero human intervention
    • Reduced MTTR through agent-embedded workflows
    • Automation extends beyond security into HR, finance, and operations

    The message is clear: Instead of replacing humans, these micro agents work alongside them—taking on repetitive tasks so your team can focus on strategic initiatives. Just blink it!

    📺 Watch the video: youtu.be/eohOpveUkCQ

    🎧 Listen to the podcast: brand-stories-podcast.simpleca

    📖 Read the blog: itspmagazine.com/their-stories

    ➤ Learn more about BlinkOps: itspm.ag/blinkops-942780

    ✦ Catch more stories from BlinkOps: itspmagazine.com/directory/bli

    🎪 Follow all of our #BHUSA 2025 coverage: itspmagazine.com/bhusa25

    #Cybersecurity #SecurityAutomation #SOAR #AI #NoCode #BlackHatUSA #BHUSA25 #SOC #AutomationPlatform #MicroAgents

  15. I am job hunting if anyone is looking for an #IT #engineer

    I currently work in Mergers and Acquisitions as an IT specialist in the embroidery field, but I have experience with #Cisco #networking including their Firepower ASA and their switches. I am also an #MDM engineer and I am the team lead for SOP writing and development. #SSO experience with Okta. Admin experience with #Threatlocker.

    I have operated in a variety of compliance frameworks including #CMMC #PCI and #FEDRAMP for the last 2 years. I've spent 3 years working in the medical field, so I'm #HIPAA aware as well.

    I would like to get back into a #datacenter job. I am comfortable with #travel and I'm comfortable with #parttime and #contract work if you have any recommendations.

    I won't do defence companies though.

    #FediHire #getfedihired #jobhunting #infrastructure

  16. “This will enhance our security posture across the board while also helping MSPs and their customers meet requirements like FEDRamp and CMMC,”

    mspsuccess.com/2025/02/kaseya-

    #kaseya #msps #fedramp

  17. 🔒 Modernize & secure open source management! ActiveState's platform supports FedRAMP and GovCloud, providing end-to-end traceability and automated vulnerability detection. Streamline compliance and enhance security.

    Discover how our solution can transform your agency's open source practices: activestate.com/blog/modernizi

    #OpenSource #FedRAMP #GovCloud #ActiveState

  18. The #CSRB report on the #Microsoft #Azure #Storm0558 security incident says that Cloud Service Providers (#CSP) should adopt a minimum standard for default audit logging.

    I wonder which standards exist for that? Any pointers welcome.
    The report later mentions the #FedRAMP AU-2 "standard". But I couldn't find it 😠

    #CyberSecurity