President Donald Trump this month signed into law a measure banning anyone based in China and other adversary countries from accessing the Pentagon’s cloud computing systems.
The ban, written into the $900 billion Defense Policy Act, was signed into law. in response to a ProPublica investigation this year which revealed how Microsoft used China-based engineers to maintain the Defense Department’s computer systems for nearly a decade – a practice that left some of the country’s most sensitive data vulnerable to hacking by its main cyber adversary.
U.S.-based supervisors, called “digital escorts,” were supposed to serve as a check on these foreign employees, but we found that they often lacked the expertise needed to effectively supervise engineers with much more advanced technical skills.
Following the report, prominent members of Congress called on the Defense Department to strengthen its security requirements while accusing Microsoft of what some Republicans called “a national betrayal.” Cybersecurity and intelligence experts told ProPublica that the arrangement poses major national security risks, given that Chinese laws grant the country’s authorities broad power to collect data.
Microsoft pledged in July to stop using China-based engineers to maintain the Pentagon’s cloud systems after Defense Secretary Pete Hegseth publicly condemned the practice. “Foreign engineers – from any country, including of course China – should NEVER be allowed to maintain or access DoD systems,” Hegseth written the.
In September, the Pentagon updated its cybersecurity requirements for technology contractors, prohibiting IT vendors from using China-based personnel to work on Department of Defense IT systems. The new law effectively codifies this change, requiring Hegseth to prohibit individuals from China, Russia, Iran and North Korea from having direct or indirect access to the Department of Defense’s cloud computing systems.
Microsoft declined to comment on the new law. Following the earlier changes, a spokesperson said the company would “work with our national security partners to evaluate and adjust our security protocols in light of the new guidance.”
Rep. Elise Stefanik, a Republican who sits on the House Armed Services Committee, celebrated the development, saying it “fills the gaps for entrepreneurs …following the discovery that companies like Microsoft were exploiting them. » Sen. Tom Cotton, Republican chairman of the Senate Select Committee on Intelligence who has criticized the tech giant, also announced the legislationsaying this “includes much-needed efforts to protect our nation’s critical infrastructure, which is under threat from Communist China and other foreign adversaries.”
The legislation also strengthens Congressional oversight of the Pentagon’s cybersecurity practices, requiring the secretary to brief the congressional defense committees on changes no later than June 1, 2026. After that, such briefings will occur annually for the next three years, including updates on “the effectiveness of controls, security incidents, and recommendations for legislative or administrative actions.”
Learn more
As ProPublica reported, Microsoft initially developed the digital escort program to circumvent a Defense Department requirement that people handling sensitive data be U.S. citizens or permanent residents.
The company claimed it disclosed the program to the Pentagon and that the escorts received “specific training on protecting sensitive data” and preventing damage. But senior Pentagon officials said they were unaware of Microsoft’s program until ProPublica reported.
A copy of the security plan that the company submitted to the Ministry of Defense in 2025 showed that Microsoft left out key details of the escort program, making no reference to its China-based operations or its foreign engineers.
This summer, Hegseth announced that the department had opened an investigation if one of Microsoft’s engineers based in China had compromised national security. He also ordered a new third-party audit of the company’s digital escort program. The Pentagon did not respond to a request for comment on the status of these investigations.
