ProPublica is a nonprofit newsroom that investigates abuses of power.
As a provider of cloud services to the US government, Microsoft must regularly submit security plans to federal officials explaining how the company will protect federal computer systems.
However, in its 2025 submission to the Department of Defense, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the US, according to a copy obtained by ProPublica. In fact, the Microsoft plans viewed by ProPublica do not mention the company's China-based operations or foreign engineers at all.
The document casts doubt on Microsoft's repeated claims that it disclosed the arrangement to the federal government, showing what was left unsaid when it pitched its security plan to the Department of Defense. The Pentagon is investigating IT contractors' use of foreign nationals after a ProPublica report last month exposed Microsoft's practices.
Our reporting detailed how Microsoft relies on "digital escorts," US staff with security clearances, to oversee foreign engineers who maintain the Department of Defense's cloud systems. The department requires people who work with sensitive data to be US citizens or permanent residents.
Microsoft's security plan, dated Feb. 28 and submitted to the department's IT agency, distinguishes between "screened" personnel, who have passed background checks and can access the Azure Government cloud platform, and "unscreened" personnel, who cannot. It does not, however, note that the unscreened workers include non-US citizens based abroad. "Whenever unscreened personnel request access to Azure Government, they will be provided escorted access by operators who can access Azure Government," the company said in its plan.
The document also does not reveal that the screened digital escorts may be contractors employed by staffing agencies rather than Microsoft employees. ProPublica found that the escorts, often former military personnel, frequently lack the expertise needed to oversee engineers with far more advanced technical skills. Microsoft told ProPublica that the escorts are "provided specific training on protecting sensitive data and preventing harm."
Microsoft's reference to the escort model appears in a few paragraphs under the heading "Escorted Access," about two-thirds of the way through the 125-page document, known as a System Security Plan. Government officials are supposed to evaluate these plans and determine whether the security measures disclosed in them are acceptable.
In interviews with ProPublica, Microsoft said it disclosed the digital escort arrangement in the plan and that the government approved it. But Defense Secretary Pete Hegseth and other government officials have expressed shock and anger at the model, raising questions about what the company revealed when it sought to win and keep its government cloud computing contracts.
Neither Microsoft nor the Department of Defense commented on the omissions in this year's security plan. But former federal officials say the vagueness of the disclosure, which ProPublica is reporting for the first time, may help explain how the practice came to be accepted by the government. Microsoft previously told ProPublica that government security documents going back several years included similar language on escorts.
John Sherman, a former Department of Defense chief information officer, said he had been unaware of the digital escort process before ProPublica's report and called it "a case of not asking vendors complete questions and spelling out all possible bans."
In a LinkedIn post about ProPublica's reporting, Sherman said such questions would have "smoked out this crazy practice of 'digital escorts.'" His post continued.
Experts say that allowing China-based personnel to provide technical support and maintenance on US government computer systems poses a major security risk. Chinese law grants state officials broad authority to collect data, and experts say it is difficult for Chinese citizens and companies to meaningfully resist direct requests from state security or law enforcement agencies. The Director of National Intelligence has called China "the most active and persistent cyber threat to US government, private-sector and critical infrastructure networks."
Following ProPublica's report last month, Microsoft said it has stopped using China-based engineers to support the Department of Defense's cloud computing systems. The company did not respond directly to ProPublica's questions about its security plan and instead issued a statement defending its escort practices.
"The escorted sessions were closely monitored and supplemented by layers of security mitigations," the statement said. "However, based on the feedback we received, we have updated the process to prevent the involvement of China-based engineers."
Sen. Tom Cotton, a Republican who chairs the Senate Select Committee on Intelligence, wrote to Hegseth last month, saying the Department of Defense needs to increase its oversight of contractors and that the current process "cannot account for the growing threat from China."
"It's clear that the department and Congress need to take further action as we learn more about these 'digital escorts' and other unwise and outrageous practices that some DOD partners use," Cotton wrote. "Protocols and processes must be implemented to adopt innovative technologies quickly, effectively and safely."
Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to assess the security practices of commercial companies that want to sell cloud services to the federal government. The Department of Defense also has its own guidelines, which include citizenship requirements for those who handle sensitive data.
Both FedRAMP and the Department of Defense rely on "third-party assessment organizations" to evaluate whether vendors meet government cloud security requirements. The government considers these organizations "independent," but they are hired and paid directly by the company being assessed. For example, Microsoft told ProPublica that it hired a company called Kratos to shepherd it through the initial FedRAMP and Department of Defense authorization process and to conduct the annual assessments after it won a federal contract.
Kratos, on its website, calls itself a "guiding light" for organizations seeking to win government cloud contracts and says it "has a history of successful security assessments."
In a statement to ProPublica, Kratos said its job is to determine "when security controls are accurately documented," but the company did not say whether Microsoft did so in the security plan it submitted to the Department of Defense's IT agency.
Microsoft told ProPublica that it gave Kratos a demonstration of the escort process, but not directly to federal officials. The security plan does not mention such a demonstration. Kratos did not answer questions about whether its assessors were aware that unscreened staff could include foreign workers.
Former Microsoft employees who worked with Kratos through several FedRAMP certifications compared Microsoft's role in the process to "leading the witness" toward the desired outcome. "The government approves what you paid Kratos to get the government to approve. You are paying for the outcome you want," said a former employee who requested anonymity to discuss confidential procedures.
Kratos said it "strongly denies the characterization from unnamed sources that Kratos' services are pay-for-play." In its statement, Kratos said that factors "including impartiality, competence and independence" are "certified and audited by an independent nonprofit industry group."
"Kratos hires and retains the most technically sophisticated and certified security and technology experts," the company said, adding that its personnel "are beyond reproach in their work."
Microsoft said hiring Kratos is part of following the government's cloud assessment process. "As required by FedRAMP, Microsoft relies on this certified assessor to conduct independent evaluations under FedRAMP's oversight," Microsoft said in a statement.
Still, critics have problems with the FedRAMP process itself, saying the arrangement in which companies pay their own auditors creates inherent conflicts of interest. One former employee of the U.S. General Services Administration, which houses FedRAMP, compared it to a restaurant hiring and paying its own health inspector rather than the city doing so.
The GSA did not respond to requests for comment.
The Defense Information Systems Agency, the Department of Defense's IT agency, reviewed and accepted Microsoft's security plan. Among those involved were senior staff members Roger Greenwell and Jackie Snoofer, according to people familiar with the matter. Greenwell and Snoofer did not respond to ProPublica's requests for interviews or to phone messages seeking comment.
A DISA spokesman declined to comment for this article, saying "any response comes from the Office of the Secretary of Defense."
The Office of the Secretary of Defense did not answer questions about whether Greenwell and Snoofer, or anyone at DISA, knew that Microsoft's China-based employees would be supporting the Department of Defense's cloud. The spokesperson also did not directly answer questions about Microsoft's system security plan, but said in an emailed statement that information in such plans is considered proprietary. The spokesperson said that foreign nationals' access to sensitive department systems "will not comply" with department restrictions and "poses an unacceptable risk to DOD infrastructure."
That said, the office has kept the door open to the continued use of digital escorts for foreign engineers providing "infrastructure support," saying it "could be considered an acceptable risk." The department said that in such a scenario, foreign workers would have "view-only" access rather than "hands-on" access. In addition to China, Microsoft has operations in India, the European Union and elsewhere around the world.
In a statement to ProPublica on Friday, Hegseth's office said the Pentagon's review of tech companies' use of foreign nationals "has been completed and identified a series of possible actions the department could take." The spokesperson declined to describe those actions or to say whether the department would pursue them. It is unclear whether DISA's role in reviewing or approving Microsoft's security plan was part of the review.
"As with all contractual relationships, the department will work directly with vendors to address concerns, including those revealed in the Microsoft digital escort process," Hegseth's office said in a statement.