As a cybersecurity reporter at ProPublica, much of my work over the past two years has focused on how the federal government and its IT contractors, like Microsoft, have navigated major technological transitions. The one now in the news every day is artificial intelligence.
This emerging technology has its grip on everyone: Home users, corporations and the federal government are all rushing to use it. President Donald Trump and his Cabinet say AI will transform the nation, making us more prosperous, efficient and secure — if only we can adopt it fast enough.
But this messaging isn’t new. President Barack Obama’s administration used nearly identical language a decade and a half ago as the U.S. barreled into the technological revolution of cloud computing.
I’ve studied how the federal government has handled — and mishandled — this transition over the past two decades, and my reporting offers some cautionary tales and valuable lessons as policymakers encourage the use of AI and federal agencies adopt the technology.
Lesson 1: There’s no such thing as a free lunch
Then: In the early 2020s, a series of cyberattacks linked to Russia, China and Iran left the federal government reeling. The Biden administration called on major tech companies to help the U.S. bolster its defenses. In response, Microsoft CEO Satya Nadella pledged to give the government $150 million in technical services to help upgrade its digital security. It also offered a “free” security upgrade for government customers.
Now: Last year, the Trump administration announced a raft of agreements with tech companies that were meant to help federal agencies “purchase enterprise AI tools at government-friendly pricing.” Agencies could use OpenAI’s ChatGPT for $1. Google’s Gemini for 47 cents. Grok by xAI for 42 cents. The administration hoped that the low-cost pricing would make it “easier for federal teams to acquire powerful AI capabilities … to enhance mission delivery and operational efficiency.”
The takeaway: Be wary of freebies. Our investigation into Microsoft’s seemingly straightforward commitment revealed a more complex, profit-driven agenda. After installing the upgrades, federal customers would be effectively locked in, because shifting to a competitor after the free trial would be cumbersome and costly. At that point, the customer would have little choice but to pay for the higher subscription fees. The plan worked: One former Microsoft salesperson told me “it was successful beyond what any of us could have imagined.” In response to questions about the commitment, Microsoft has said its “sole goal during this period was to support an urgent request by the Administration to enhance the security posture of federal agencies who were continuously being targeted by sophisticated nation-state threat actors.”
Agencies looking to buy AI tools at discounted rates today must consider how the costs might balloon down the road. The General Services Administration warns that AI “usage costs can grow quickly without proper monitoring and management controls” and advises agencies to “set usage limits and regularly review consumption reports.”
Lesson 2: Oversight programs are only as effective as their resources
Then: In the Obama era, the federal government shifted its sensitive information and computing needs to data centers owned and operated by private companies. Acknowledging the potential risks, the administration created the Federal Risk and Authorization Management Program, or FedRAMP, in 2011 to help ensure the security of the cloud computing services that it was encouraging U.S. agencies to use.
But in my recent investigation of the program, I found it was no match for Microsoft, which effectively wore down the FedRAMP team over five years as the company sought the program’s seal of approval for a major cloud offering known as GCC High. Despite serious reservations about its cybersecurity, FedRAMP ultimately authorized the product, in part because it lacked the resources to keep going. In response to questions, Microsoft told me: “We stand by our products and the comprehensive steps we’ve taken to ensure all FedRAMP-authorized products meet the security and compliance requirements necessary.”
Now: Today, this tiny outpost within the General Services Administration has even fewer resources to oversee the cloud technology on which the government relies — including AI. FedRAMP says it now operates “with an absolute minimum of support staff” and “limited customer service.” The program was an early target of the Trump administration’s Department of Government Efficiency.
The takeaway: FedRAMP, which a 2024 White House memo said “must be an expert program that can analyze and validate the security claims” of cloud providers, is now little more than a rubber stamp for the tech industry, former employees told me. As federal agencies adopt AI tools that draw upon reams of sensitive information, the implications of this downsizing for federal cybersecurity are far-reaching. A GSA spokesperson defended the program and said FedRAMP now “operates with strengthened oversight and accountability mechanisms.”
Lesson 3: “Independent” reviews are only so independent
Then: The government has long relied on so-called third-party assessors to verify the security claims made by cloud service providers like Microsoft and Google. In theory, these firms are supposed to be independent experts that offer a recommendation to FedRAMP on whether a product meets federal standards. But in practice, their independence has an asterisk: They are paid by the companies they are evaluating.
My recent investigation found that this setup creates an inherent conflict of interest. In the case of Microsoft’s GCC High, two assessors recommended the product despite being unable to fully vet it, according to a former FedRAMP reviewer. One of those firms did not respond to my questions and the other denied this account.
Read More
FedRAMP, we found, is well aware of how the financial arrangement between the cloud companies and their assessors can distort official findings about cybersecurity problems. The program even created a “back channel” to encourage assessors to share concerns they might not otherwise raise in their official reports for fear of angering their tech clients and losing business.
Now: With FedRAMP reduced to being a “paper pusher,” as one former GSA official put it, these third-party assessment firms have taken on even more importance in the vetting process. In response to questions from ProPublica, the GSA said that FedRAMP’s system “does not create an inherent conflict of interest for professional auditors who meet ethical and contractual performance expectations.” It did not respond to questions about the program’s back channel.
The takeaway: The pendulum has essentially swung back to the pre-FedRAMP era, when each federal agency was individually responsible for vetting the products it used. The GSA told me that FedRAMP’s job is “to ensure agencies have sufficient information to make these risk decisions.” The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them.
Facts Only
The federal government and IT contractors like Microsoft have navigated major technological transitions, including cloud computing and artificial intelligence.
President Donald Trump and his Cabinet have promoted AI as a tool to enhance prosperity, efficiency, and security.
President Barack Obama’s administration used similar language to promote cloud computing in the mid-2000s.
In the early 2020s, cyberattacks linked to Russia, China, and Iran prompted the Biden administration to seek help from tech companies like Microsoft.
Microsoft pledged $150 million in technical services and offered a "free" security upgrade for government customers.
The Trump administration announced agreements with tech companies to provide AI tools at discounted rates, such as OpenAI’s ChatGPT for $1 and Google’s Gemini for 47 cents.
The General Services Administration warns that AI usage costs can grow quickly without proper monitoring.
The Federal Risk and Authorization Management Program (FedRAMP) was created in 2011 to ensure the security of cloud computing services used by federal agencies.
FedRAMP authorized Microsoft’s GCC High product despite reservations about its cybersecurity, partly due to limited resources.
FedRAMP now operates with minimal staff and limited customer service.
Third-party assessors, paid by the companies they evaluate, are used to verify the security claims of cloud service providers.
FedRAMP created a "back channel" to encourage assessors to share concerns not raised in official reports.
The GSA states that FedRAMP’s system does not create an inherent conflict of interest for third-party assessors.
Executive Summary
The federal government’s adoption of emerging technologies like cloud computing and artificial intelligence has been marked by both enthusiasm and caution. Over the past two decades, administrations from Obama to Trump have promoted these technologies as transformative, yet the transition has not been without challenges. For instance, Microsoft’s offer of "free" security upgrades to federal agencies in the early 2020s ultimately led to long-term costs, as agencies became locked into higher subscription fees. Similarly, the Federal Risk and Authorization Management Program (FedRAMP), created to oversee cloud security, has struggled with limited resources, raising concerns about its effectiveness as AI adoption accelerates.
The reliance on third-party assessors, who are paid by the companies they evaluate, further complicates oversight. While FedRAMP maintains that this system does not create inherent conflicts of interest, critics argue that it undermines independence. As federal agencies rush to adopt AI tools at discounted rates, questions remain about the long-term costs and security risks. The General Services Administration has warned of potential cost overruns and emphasizes the need for monitoring, but the broader implications for federal cybersecurity and accountability are still unfolding.
Full Take
The strongest version of this narrative highlights a recurring pattern in federal technology adoption: the tension between rapid innovation and robust oversight. The article effectively documents how the government’s reliance on private sector solutions—whether in cloud computing or AI—has led to unintended consequences, from vendor lock-in to under-resourced regulatory programs. It also exposes structural conflicts of interest, such as third-party assessors being paid by the companies they evaluate, which undermines trust in security certifications. These are valid concerns that warrant scrutiny, especially as AI adoption accelerates.
However, the narrative also risks reinforcing a cynical view of government-technology partnerships without fully exploring countervailing efforts to improve accountability. For example, while FedRAMP’s limitations are noted, the GSA’s claim of "strengthened oversight" is mentioned but not deeply interrogated. The pattern here aligns with **ARC-0024 Ambiguity**, where the focus on systemic failures may obscure incremental progress or alternative perspectives. Another pattern, **ARC-0043 Motte-and-Bailey**, could apply if the critique of "free" offers from tech companies is later generalized into a broader indictment of all public-private partnerships without nuance.
The root cause of these challenges lies in the federal government’s struggle to balance speed and security in technological adoption. The assumption that market-driven solutions will inherently serve public interests—without sufficient safeguards—echoes historical patterns of regulatory capture and mission drift. The implications for human agency are significant: if oversight mechanisms like FedRAMP are weakened, the public bears the cost of potential breaches or cost overruns, while tech companies benefit from lucrative contracts.
Bridge questions to consider: What would a truly independent oversight system for AI adoption look like? How can the government incentivize innovation without sacrificing long-term security and cost control? What role should Congress play in ensuring that agencies have the resources to vet these technologies effectively?
Counterstrike scan: A bad actor pushing this narrative might amplify the failures of FedRAMP and third-party assessors to undermine trust in all government-technology collaborations, framing it as inevitable corruption. However, the article does not match this pattern. It presents a measured critique with specific examples, acknowledging both systemic issues and the GSA’s responses. The focus remains on improving accountability rather than dismissing collaboration outright.
Sentinel — Human
The article appears to be human-written. It exhibits human-like sentence length variance, shows signs of idiosyncratic emphasis, personal voice, and stylistic fingerprint, and does not show signs of argumentative skeleton matching or talking points appearing nearly verbatim across sources.
