FedRAMP at the center of DoJ's latest cyber fraud allegations
A former Accenture employee has been charged with allegedly misleading federal officials about the security of a cloud platform used by the Army and other agencies.
In an indictment secured by the Justice Department this week, Danielle Hillmer was charged with multiple counts of fraud over allegations that she concealed a cloud platform's noncompliance with security controls required by the General Services Administration's Federal Risk and Authorization Management Program (FedRAMP).
DoJ's press release on the indictment states GSA's Office of the Inspector General has been involved in the investigation.
The indictment doesn't identify the cloud platform or company that Hillmer worked for at the time of the alleged fraud and obstruction. DoJ's allegations cover a period between March 2020 and November 2021.
But Hillmer's LinkedIn shows that during the time in question, she worked for Accenture Federal Services as "lead, cloud managed services" and "business and system owner, cloud management platform services."
A copy of Hillmer's LinkedIn profile, which was taken offline this week, shows she left Accenture in December 2021 and was most recently a "senior product manager for public sector" at SentinelOne.
"As previously disclosed in our public filings, we proactively brought this matter to the government's attention following an internal review. We have cooperated extensively with the government's investigation and continue to do so," an Accenture spokeswoman told Federal News Network. "We remain dedicated to operating with the highest ethical standards as we serve all our clients, including the federal government."
In an Oct. 12, 2023, filing with the Securities and Exchange Commission, Accenture referenced how it made a voluntary disclosure to the government that initiated a DoJ investigation "concerning whether one or more employees provided inaccurate submissions to an assessor who was evaluating on behalf of the U.S. government an AFS service offering and whether the service offering fully implemented required federal security controls."
"AFS is responding to an administrative subpoena and cooperating with DOJ's investigation," AFS wrote at the time.
A spokesman for SentinelOne noted that Hillmer left her position at the company this past August and said DoJ's allegations have "nothing to do with her work at SentinelOne."
"In her previous role at SentinelOne, she was not involved in any compliance related work for FedRAMP or any other program," the spokesman added.
The indictment alleges that in March 2020, Hillmer sought to "uplift" the cloud platform in question from a FedRAMP Moderate to a High authorization, driven by recently awarded Army contracts that required FedRAMP High.
DoJ alleges that Hillmer ignored warnings from a fellow employee and an outside firm that the cloud platform wasn't compliant with security controls required for a FedRAMP High authorization.
For instance, the indictment alleges that Hillmer was aware that system administrators could access the cloud platform without "necessary" multifactor authentication controls in place.
DoJ alleges Hillmer "concealed known issues" from assessors and authorizing officials, as well as submitted materials to FedRAMP and the Joint Authorization Board "knowing they contained materially false and misleading representations about the platform's architecture, implementation of security controls and risk posture."
In July 2021, the FedRAMP program granted the cloud platform a FedRAMP High provisional authority-to-operate (P-ATO), according to DoJ's indictment. It says at least six departments and agencies, including the Army, used or planned to use the P-ATO to obtain authorizations for cloud products and services. The contracts or subcontracts involved were valued at more than $250 million, according to DoJ.
The criminal charges against Hillmer carry heavy weight, with the wire fraud charge alone carrying a maximum of 20 years in prison.
Lawyers representing Hillmer didn't respond to an emailed request for comment.
The case is notable, as DoJ has increasingly pursued legal action to enforce federal cybersecurity requirements. DoJ's Civil Cyber-Fraud Initiative has resulted in multiple False Claims Act settlements with companies for allegedly failing to meet contractual security requirements.
However, a criminal case targeting an individual employee for allegedly misrepresenting security controls will be closely watched in the FedRAMP community.
Most conversations around the cloud security program in recent years have focused on streamlining the FedRAMP process, which is often considered a barrier to agencies accessing new technology.