jbombadil 4 hours ago

> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".

Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.

chii 3 hours ago | parent

It's why these enterprise vendors want a foot in the door at all costs.

They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.

andychase 3 hours ago | parent

It's false that government agencies have a zero cost ceiling. Maybe DoD does, but most offices have extremely tight budgets.

kipchak 2 hours ago | parent

As far as I know numbers aren't reported, but there are probably at least as many DIB GCC-H customers as government ones, who in part use it because the government does and it's compliant. Once they're locked in, it's very hard to migrate.