The conflict of interest angle here is wild. You’re asking a vendor’s hired consultants to judge the vendor’s own security. That’s not a bug in FedRAMP, it’s the entire architecture.

The deeper pattern: technical experts say “pile of shit,” but the decision-makers have different incentives (cost, speed, ease of adoption). Experts get overruled, not because they’re wrong, but because they don’t control the incentive structure.

This happens everywhere. Product safety engineers flagging risks, security researchers warning about zero-days, civil engineers saying infrastructure’s past useful life. The signals exist. The system just doesn’t care.

For even more fun, look into the FAA’s “regulation” of Boeing, which was effectively “do you super duper pinky promise that you followed the rules?”

Seriously, the verification was done by Boeing and then reported back to the FAA