August 25, 2025 | Policy Brief
Microsoft Omitted Key Details in DOD Security Filings on China-Related Program
The Department of Defense (DOD) cannot mitigate security flaws it cannot see — or those that are purposely hidden. On August 20, ProPublica reported that Microsoft failed to alert DOD that the company was using Chinese-based software engineers to help service the Pentagon’s cloud computing infrastructure. To be sure, after an earlier ProPublica report revealed the existence of this program, Microsoft claimed DOD cybersecurity officials were aware of the arrangement. A 2025 Microsoft security filing with DOD, however, says otherwise.
This revelation exposes systemic flaws in both Microsoft’s disclosures and the federal government’s procurement oversight, leaving the U.S. military vulnerable to malicious Chinese cyber activity.
Microsoft May Have Misled Key Third Parties Responsible for Security Screening
Microsoft previously told ProPublica in July that it had discussed with the department the details of the company’s “digital escorts” program, which allowed China-based engineers to access DOD cloud systems under supervision of approved U.S. personnel. But what the DOD actually received in the company’s security filing was a vague description of the escorted-access model without any mention that overseas personnel were involved.
The filing also failed to note that some of the digital escorts who were supposed to oversee the Chinese engineers were not Microsoft employees but outside contractors, many of whom reportedly lacked the technical expertise to monitor them properly. The Pentagon’s information technology office accepted this superficial security plan, reflecting a breakdown not only in Microsoft’s transparency but also in the government’s ability to demand appropriate disclosures.
In addition, Microsoft may have failed to fully alert Kratos, the third-party contractor that the firm paid to assess its compliance with the Federal Risk and Authorization Management Program (FedRAMP), about the use of China-based engineers. While Microsoft claimed it had alerted Kratos, there is no evidence of such disclosure in Microsoft’s official filing with DOD.
China May Have Exploited Gaps in Federal IT Guidelines
Although Microsoft insists that its China-based engineers never had direct access to Pentagon systems, the escort model functionally created a proxy channel. Cleared escorts reportedly uploaded pre-written code into DOD’s cloud environments and mediated troubleshooting requests on behalf of these engineers. In doing so, the arrangement exposed sensitive information regarding DOD’s cloud architecture to personnel in China.
The revelations also highlight larger structural challenges within the federal government’s cyber procurement process. FedRAMP’s current design relies on third-party assessment organizations that vendors directly hire and pay, creating an inherent conflict of interest worsened by agency-level authorizations that vary in rigor. In Microsoft’s case, the company’s plan distinguished between “screened” and “non-screened” personnel but did not specify that “non-screened” personnel included engineers located in mainland China. This reliance on generalized categories, rather than requiring explicit disclosures of personnel location and nationality, contributed to the breakdown in security protocol.
Washington Must Reform Federal Procurement for Cyber Services
Microsoft’s failure to disclose its flawed practices to DOD comes as the company admitted that Chinese hackers had exploited its services to target the Department of Homeland Security and the Department of Health and Human Services within the past month. The Trump administration should eliminate the vendor-pays model for third-party assessors and establish a government-approved pool of independent auditors. System Security Plans should require explicit disclosure of the location, nationality, and employer of record for all personnel (including subcontractors) with access to federal cloud environments. The administration should also prohibit agencies from approving filings that rely on vague categories such as “non-screened personnel” without a detailed explanation. These reforms would reduce conflict of interest, create consistency across agency reviews, and better secure U.S. government systems against Chinese intrusions.
Jack Burnham is a research analyst in the China Program at the Foundation for Defense of Democracies (FDD). Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at FDD. Follow Jack on X @JackBurnham802. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.