Microsoft Failed to Disclose Key Details About Use of China-Based Engineers in U.S. Defense Work, Record Shows

By Renee Dudley

Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems.

Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems, according to a copy obtained by ProPublica. In fact, the Microsoft plan viewed by ProPublica makes no reference to the company’s China-based operations or foreign engineers at all.

The document belies Microsoft’s repeated assertions that it disclosed the arrangement to the federal government, showing exactly what was left out as it sold its security plan to the Defense Department. The Pentagon has been investigating the use of foreign personnel by IT contractors in the wake of reporting by ProPublica last month that exposed Microsoft’s practice.

Our work detailed how Microsoft relies on “digital escorts” — U.S. personnel with security clearances — to supervise the foreign engineers who maintain the Defense Department’s cloud systems. The department requires that people handling sensitive data be U.S. citizens or permanent residents.

Microsoft’s security plan, dated Feb. 28 and submitted to the department’s IT agency, distinguishes between personnel who have undergone and passed background screenings to access its Azure Government cloud platform and those who have not. But it omits the fact that workers who have not been screened include non-U.S. citizens based in foreign countries. “Whenever non-screened personnel request access to Azure Government, an operator who has been screened and has access to Azure Government provides escorted access,” the company said in its plan.

The document also fails to disclose that the screened digital escorts can be contractors hired by a staffing company, not Microsoft employees. ProPublica found that escorts, in many cases former military personnel selected because they possess active security clearances, often lack the expertise needed to supervise engineers with far more advanced technical skills. Microsoft has told ProPublica that escorts “are provided specific training on protecting sensitive data” and preventing harm.

Microsoft’s reference to the escort model comes two-thirds of the way into the 125-page document, known as a “System Security Plan,” in several paragraphs under the heading “Escorted Access.” Government officials are supposed to evaluate these plans to determine whether the security measures disclosed in them are acceptable.

In interviews with ProPublica, Microsoft has maintained that it disclosed the digital escorting arrangement in the plan, and that the government approved it. But Defense Secretary Pete Hegseth and other government officials have expressed shock and outrage over the model, raising questions about what, exactly, the company disclosed as it sought to win and keep government cloud computing contracts.

None of the parties involved, including Microsoft and the Defense Department, commented on the omissions in this year’s security plan. But former federal officials now say that the obliqueness of the disclosure, which ProPublica is reporting for the first time, may explain that disconnect and likely contributed to the government’s acceptance of the practice. Microsoft previously told ProPublica that its security documentation to the government, going back years, contained similar wording regarding escorts.

See Also: Microsoft Says It Caught Hackers From China, Russia and Iran Using Its AI Tools

Former Defense Department Chief Information Officer John Sherman, who said he was unfamiliar with the digital escorting process before ProPublica’s reporting, called it a “case of not asking the perfect question to the vendor, with every conceivable prohibited condition spelled out.”

In a LinkedIn post about ProPublica’s investigation, Sherman said such a question “would’ve smoked out this crazy practice of ‘digital escorts.’” His post continued: “The DoD can’t be exposed in this way. The company needs to admit this was wrong and commit to not doing things that don’t pass a common sense test.”

Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”

Following ProPublica’s reporting last month, Microsoft said that it had stopped using China-based engineers to support Defense Department cloud computing systems. The company did not respond directly to questions from ProPublica about the security plan and instead issued a statement defending the escort practice.

Sen. Tom Cotton, a Republican who chairs the Senate Select Committee on Intelligence, wrote to Hegseth last month suggesting that the Defense Department needed to strengthen oversight of its contractors and that current processes “fail to account for the growing Chinese threat.”

“As we learn more about these ‘digital escorts’ and other unwise — and outrageous — practices used by some DoD partners, it is clear the Department and Congress will need to take further action,” Cotton wrote. He continued: “We must put in place the protocols and processes to adopt innovative technology quickly, effectively, and safely.”

Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to evaluate the security practices of commercial companies that want to sell cloud services to the federal government. The Defense Department also has its own guidelines, which include the citizenship requirement for people handling sensitive data.

Both FedRAMP and the Defense Department rely on “third party assessment organizations” to evaluate whether vendors meet the government’s cloud security requirements. While the government considers these organizations “independent,” they are hired and paid directly by the company being assessed. Microsoft, for example, told ProPublica that it enlisted a company called Kratos to shepherd it through the initial FedRAMP and Defense Department authorization processes and to handle annual assessments after winning federal contracts.

On its website, Kratos calls itself the “guiding light” for organizations seeking to win government cloud contracts and said it “boasts a history of performing successful security assessments.”

In a statement to ProPublica, Kratos said its work determines “if security controls are documented accurately,” but the company did not say whether Microsoft had done so in the security plan it submitted to the Defense Department’s IT agency.

Microsoft told ProPublica that it has given demonstrations of the escort process to Kratos but not directly to federal officials. The security plan makes no reference to any such demonstration. Kratos did not respond to questions about whether its assessors were aware that non-screened personnel could include foreign workers.

A former Microsoft employee who worked with Kratos through several FedRAMP accreditations compared Microsoft’s role in the process to “leading the witness” to the desired outcome. “The government approved what we paid Kratos to tell the government to approve. You’re paying for the outcome you want,” said the former employee, who requested anonymity to discuss the confidential proceeding.

Kratos said it “vehemently denies the characterization from an unnamed source that Kratos’ services are pay for play.” In its statement, Kratos said that it has been “accredited and audited by an independent, non-profit industry group” for factors that “include impartiality, competence and independence.”

For its part, Microsoft said hiring Kratos was simply part of following the government’s cloud assessment process. “As required by FedRAMP, Microsoft relies on this certified assessor to conduct independent assessments on our behalf under FedRAMP’s supervision,” Microsoft said in its statement.

Still, critics take issue with the FedRAMP process itself, saying that the arrangement of a company paying its auditor presents an inherent conflict of interest. One former official from the U.S. General Services Administration, which houses FedRAMP, likened it to a restaurant hiring and paying for its own health inspector rather than the city doing so.

The GSA did not respond to requests for comment.

The Defense Information Systems Agency, the Defense Department’s IT agency, reviewed and accepted Microsoft’s security plan. Among those involved were senior DISA officials Roger Greenwell and Jackie Snouffer, according to people familiar with the situation. Neither responded to phone messages seeking comment, and DISA and Defense Department spokespeople did not respond to ProPublica’s request to interview them.

See Also: Microsoft faces antitrust violation for bundling Teams with Office software

A DISA spokesperson declined to comment for this article, saying “any responses will come from Office of the Secretary of Defense Public Affairs.”

The Office of the Secretary of Defense did not respond to questions about whether Greenwell and Snouffer, or anyone at DISA, understood that Microsoft’s China-based employees would be supporting the Defense Department’s cloud. A spokesperson also did not directly respond to questions about Microsoft’s System Security Plan but in an emailed statement said the information in such plans is considered proprietary. The spokesperson noted that “any process that fails to comply with” department restrictions barring foreigners from accessing sensitive department systems “poses unacceptable risk to the DOD infrastructure.”

That said, the office left open the door to the continued use of foreign-based engineers with digital escorts for “infrastructure support,” saying that it “may be deemed an acceptable risk,” depending on factors that include “the country of origin of the foreign national” being escorted. The department said in such scenarios foreign workers would have “view-only” capabilities, not “hands-on” access. In addition to China, Microsoft has operations in India, the European Union and elsewhere across the globe.

In a statement to ProPublica on Friday, Hegseth’s office said the Pentagon’s investigation into tech companies’ use of foreign personnel “is complete and we have identified a series of possible actions the Department could take.” A spokesperson declined to describe those actions or say whether the department would follow through with them. It’s unclear whether Microsoft’s security plan or DISA’s role in approving it was a part of the review.

This article is republished from ProPublica under a Creative Commons license. Read the original article.

(ProPublica/NS)

Also Read: