President Donald Trump signed a bill this month that bans anyone based in China or other hostile countries from accessing the Pentagon’s cloud computing systems.
The ban, included in the $900 billion Defense Policy Act, was enacted in response to a ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Pentagon’s computer systems for nearly a decade, a practice that left some of the nation’s most sensitive data vulnerable to hacking from major cyber adversaries.
U.S.-based supervisors known as “digital escorts” were supposed to serve as a check on these foreign employees, but they often lacked the expertise needed to effectively supervise engineers with far more advanced technical skills.
The report prompted leading members of Congress to call on the Pentagon to tighten security requirements and accuse Microsoft of what some Republicans called “national betrayal.” Cybersecurity and intelligence experts told ProPublica that the arrangement poses significant risks to national security, given that Chinese law gives state officials broad powers to collect data.
Microsoft pledged in July to stop using China-based engineers to service the Pentagon’s cloud systems after Defense Secretary Pete Hegseth publicly condemned the practice. “Foreign engineers, of course from any country, including China, should never be allowed to maintain or access Department of Defense systems,” Hegseth wrote on X.
In September, the Department of Defense updated its cybersecurity requirements for technology contractors, prohibiting IT vendors from using China-based personnel to work on Department of Defense computer systems. The new law effectively codifies that change, requiring Hegseth to prohibit individuals from China, Russia, Iran and North Korea from directly or indirectly accessing the Pentagon’s cloud computing systems.
Microsoft declined to comment on the new law. Following the previous changes, a spokesperson said the company was “working with our national security partners to evaluate and adjust our security protocols in light of the new directive.”
Republican Rep. Elise Stefanik, a member of the House Armed Services Committee, praised the development, saying it was “the first closed contractor loophole since companies like Microsoft were found to have been exploiting it.” Sen. Tom Cotton, the Republican chairman of the Senate Select Committee on Intelligence, who has criticized big tech, also welcomed the bill, saying it “contains much-needed efforts to protect our nation’s critical infrastructure threatened by communist China and other foreign adversaries.”
The bill also increases Congressional oversight of the Department of Defense’s cybersecurity practices and requires the Secretary to brief the Congressional Defense Committees on any changes by June 1, 2026. These briefings will then be held annually for the next three years, including updates on “control effectiveness, security incidents, and recommendations for legislative and administrative action.”
As ProPublica reported, Microsoft initially developed the Digital Escorts program as a workaround for the Department of Defense’s requirement that people handling sensitive data be U.S. citizens or permanent residents.
The company disclosed the program to the Department of Defense and claims that the escorts were provided with “specific training in protecting sensitive data and preventing harm.” But Pentagon officials said they did not know about Microsoft’s program until the ProPublica report.
A copy of the company’s security plan submitted to the Pentagon in 2025 shows that Microsoft omitted key details about the escort program and made no mention of its China-based operations or foreign engineers.
This summer, Mr. Hegseth announced that his department had opened an investigation into whether any of the Microsoft engineers based in China had violated national security. He also ordered a new third-party audit of the company’s digital escort program. The Department of Defense did not respond to requests for comment on the status of these investigations.
