{"id":16826,"date":"2025-08-20T17:39:46","date_gmt":"2025-08-20T17:39:46","guid":{"rendered":"https:\/\/naijaglobalnews.org\/?p=16826"},"modified":"2025-08-20T17:39:46","modified_gmt":"2025-08-20T17:39:46","slug":"microsoft-didnt-disclose-key-details-to-u-s-officials-of-china-based-engineers-record-shows-propublica","status":"publish","type":"post","link":"https:\/\/naijaglobalnews.org\/?p=16826","title":{"rendered":"Microsoft Didn\u2019t Disclose Key Details to U.S. Officials of China-Based Engineers, Record Shows \u2014 ProPublica"},"content":{"rendered":"<p>ProPublica is a nonprofit newsroom that investigates abuses of power.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"2.0\">Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"3.0\">Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems, according to a copy obtained by ProPublica. In fact, the Microsoft plan viewed by ProPublica makes no reference to the company\u2019s China-based operations or foreign engineers at all.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"4.0\">The document belies Microsoft\u2019s repeated assertions that it disclosed the arrangement to the federal government, showing exactly what was left out as it sold its security plan to the Defense Department. 
The Pentagon has been investigating the use of foreign personnel by IT contractors in the wake of reporting by ProPublica last month that exposed Microsoft\u2019s practice.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"5.0\">Our work detailed how Microsoft relies on \u201cdigital escorts\u201d \u2014 U.S. personnel with security clearances \u2014 to supervise the foreign engineers who maintain the Defense Department\u2019s cloud systems. The department requires that people handling sensitive data be U.S. citizens or permanent residents.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"7.0\">Microsoft\u2019s security plan, dated Feb. 28 and submitted to the department\u2019s IT agency, distinguishes between personnel who have undergone and passed background screenings to access its Azure Government cloud platform and those who have not. But it omits the fact that workers who have not been screened include non-U.S. citizens based in foreign countries. \u201cWhenever non-screened personnel request access to Azure Government, an operator who has been screened and has access to Azure Government provides escorted access,\u201d the company said in its plan.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"9.0\">The document also fails to disclose that the screened digital escorts can be contractors hired by a staffing company, not Microsoft employees. ProPublica found that escorts, in many cases former military personnel selected because they possess active security clearances, often lack the expertise needed to supervise engineers with far more advanced technical skills. 
Microsoft has told ProPublica that escorts \u201care provided specific training on protecting sensitive data\u201d and preventing harm.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"11.0\">Microsoft\u2019s reference to the escort model comes two-thirds of the way into the 125-page document, known as a \u201cSystem Security Plan,\u201d in several paragraphs under the heading \u201cEscorted Access.\u201d Government officials are supposed to evaluate these plans to determine whether the security measures disclosed in them are acceptable.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"12.0\">In interviews with ProPublica, Microsoft has maintained that it disclosed the digital escorting arrangement in the plan, and that the government approved it. But Defense Secretary Pete Hegseth and other government officials have expressed shock and outrage over the model, raising questions about what, exactly, the company disclosed as it sought to win and keep government cloud computing contracts.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"13.0\">None of the parties involved, including Microsoft and the Defense Department, commented on the omissions in this year\u2019s security plan. But former federal officials now say that the obliqueness of the disclosure, which ProPublica is reporting for the first time, may explain that disconnect and likely contributed to the government\u2019s acceptance of the practice. 
Microsoft previously told ProPublica that its security documentation to the government, going back years, contained similar wording regarding escorts.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"14.0\">Former Defense Department Chief Information Officer John Sherman, who said he was unfamiliar with the digital escorting process before ProPublica\u2019s reporting, called it a \u201ccase of not asking the perfect question to the vendor, with every conceivable prohibited condition spelled out.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"15.0\">In a LinkedIn post about ProPublica\u2019s investigation, Sherman said such a question \u201cwould\u2019ve smoked out this crazy practice of \u2018digital escorts.\u2019\u201d His post continued: \u201cThe DoD can\u2019t be exposed in this way. The company needs to admit this was wrong and commit to not doing things that don\u2019t pass a common sense test.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"17.0\">Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country\u2019s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the \u201cmost active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"18.0\">Following ProPublica\u2019s reporting last month, Microsoft said that it had stopped using China-based engineers to support Defense Department cloud computing systems. 
The company did not respond directly to questions from ProPublica about the security plan and instead issued a statement defending the escort practice.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"19.0\">\u201cEscorted sessions were tightly monitored and supplemented by layers of security mitigations,\u201d the statement said. \u201cBased on the feedback we\u2019ve received, however, we have updated our processes to prevent any involvement of China based engineers.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"20.0\">Sen. Tom Cotton, a Republican who chairs the Senate Select Committee on Intelligence, wrote to Hegseth last month suggesting that the Defense Department needed to strengthen oversight of its contractors and that current processes \u201cfail to account for the growing Chinese threat.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"21.0\">\u201cAs we learn more about these \u2018digital escorts\u2019 and other unwise \u2014 and outrageous \u2014 practices used by some DoD partners, it is clear the Department and Congress will need to take further action,\u201d Cotton wrote. He continued: \u201cWe must put in place the protocols and processes to adopt innovative technology quickly, effectively, and safely.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"22.0\">Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to evaluate the security practices of commercial companies that want to sell cloud services to the federal government. The Defense Department also has its own guidelines, which include the citizenship requirement for people handling sensitive data.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"23.0\">Both FedRAMP and the Defense Department rely on \u201cthird party assessment organizations\u201d to evaluate whether vendors meet the government\u2019s cloud security requirements. 
While the government considers these organizations \u201cindependent,\u201d they are hired and paid directly by the company being assessed. Microsoft, for example, told ProPublica that it enlisted a company called Kratos to shepherd it through the initial FedRAMP and Defense Department authorization processes and to handle annual assessments after winning federal contracts.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"24.0\">On its website, Kratos calls itself the \u201cguiding light\u201d for organizations seeking to win government cloud contracts and said it \u201cboasts a history of performing successful security assessments.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"25.0\">In a statement to ProPublica, Kratos said its work determines \u201cif security controls are documented accurately,\u201d but the company did not say whether Microsoft had done so in the security plan it submitted to the Defense Department\u2019s IT agency.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"26.0\">Microsoft told ProPublica that it has given demonstrations of the escort process to Kratos but not directly to federal officials. The security plan makes no reference to any such demonstration. Kratos did not respond to questions about whether its assessors were aware that non-screened personnel could include foreign workers.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"27.0\">A former Microsoft employee who worked with Kratos through several FedRAMP accreditations compared Microsoft\u2019s role in the process to \u201cleading the witness\u201d to the desired outcome. \u201cThe government approved what we paid Kratos to tell the government to approve. 
You\u2019re paying for the outcome you want,\u201d said the former employee, who requested anonymity to discuss the confidential proceeding.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"29.0\">Kratos said it \u201cvehemently denies the characterization from an unnamed source that Kratos\u2019 services are pay for play.\u201d In its statement, Kratos said that it has been \u201caccredited and audited by an independent, non-profit industry group\u201d for factors that \u201cinclude impartiality, competence and independence.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"30.0\">\u201cKratos hires and retains the most technically sophisticated, certified security and technology experts,\u201d the company said, adding that its personnel \u201care beyond reproach in their work.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"31.0\">For its part, Microsoft said hiring Kratos was simply part of following the government\u2019s cloud assessment process. \u201cAs required by FedRAMP, Microsoft relies on this certified assessor to conduct independent assessments on our behalf under FedRAMP\u2019s supervision,\u201d Microsoft said in its statement.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"32.0\">Still, critics take issue with the FedRAMP process itself, saying that the arrangement of a company paying its auditor presents an inherent conflict of interest. One former official from the U.S. General Services Administration, which houses FedRAMP, likened it to a restaurant hiring and paying for its own health inspector rather than the city doing so.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"33.0\">The GSA did not respond to requests for comment.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"34.0\">The Defense Information Systems Agency, the Defense Department\u2019s IT agency, reviewed and accepted Microsoft\u2019s security plan. 
Among those involved were senior DISA officials Roger Greenwell and Jackie Snouffer, according to people familiar with the situation. Neither responded to phone messages seeking comment, and DISA and Defense Department spokespeople did not respond to ProPublica\u2019s request to interview them.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"35.0\">A DISA spokesperson declined to comment for this article, saying \u201cany responses will come from Office of the Secretary of Defense Public Affairs.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"36.0\">The Office of the Secretary of Defense did not respond to questions about whether Greenwell and Snouffer, or anyone at DISA, understood that Microsoft\u2019s China-based employees would be supporting the Defense Department\u2019s cloud. A spokesperson also did not directly respond to questions about Microsoft\u2019s System Security Plan but in an emailed statement said the information in such plans is considered proprietary. The spokesperson noted that \u201cany process that fails to comply with\u201d department restrictions barring foreigners from accessing sensitive department systems \u201cposes unacceptable risk to the DOD infrastructure.\u201d<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"38.0\">That said, the office left open the door to the continued use of foreign-based engineers with digital escorts for \u201cinfrastructure support,\u201d saying that it \u201cmay be deemed an acceptable risk,\u201d depending on factors that include \u201cthe country of origin of the foreign national\u201d being escorted. The department said in such scenarios foreign workers would have \u201cview-only\u201d capabilities, not \u201chands-on\u201d access. 
In addition to China, Microsoft has operations in India, the European Union and elsewhere across the globe.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"39.0\">In a statement to ProPublica on Friday, Hegseth\u2019s office said the Pentagon\u2019s investigation into tech companies\u2019 use of foreign personnel \u201cis complete and we have identified a series of possible actions the Department could take.\u201d A spokesperson declined to describe those actions or say whether the department would follow through with them. It\u2019s unclear whether Microsoft\u2019s security plan or DISA\u2019s role in approving it was a part of the review.<\/p>\n<p data-pp-blocktype=\"copy\" data-pp-id=\"40.0\">\u201cAs with all contracted relationships, the Department works directly with the vendor to address concerns, to include those that have come to light with the Microsoft digital escort process,\u201d Hegseth\u2019s office said in the statement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they\u2019re published. Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems. 
Yet in a 2025<\/p>\n","protected":false},"author":1,"featured_media":16827,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[4728,1729,211,8504,4729,788,1563,2969,247,1099,871,811],"class_list":{"0":"post-16826","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-social-issues","8":"tag-chinabased","9":"tag-details","10":"tag-didnt","11":"tag-disclose","12":"tag-engineers","13":"tag-key","14":"tag-microsoft","15":"tag-officials","16":"tag-propublica","17":"tag-record","18":"tag-shows","19":"tag-u-s"},"_links":{"self":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/16826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16826"}],"version-history":[{"count":0,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/16826\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/media\/16827"}],"wp:attachment":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}