Microsoft, as a cloud service provider for the US government, is required to regularly provide officials with security plans describing how the company will protect federal computer systems.
However, in its 2025 submission to the Defense Department, the technology giant left out key details, including its use of staff based in China, which the US considers a top cyber adversary, to work on highly sensitive department systems, according to a copy obtained by ProPublica. In fact, the Microsoft plan reviewed by ProPublica makes no reference to China-based operations or foreign engineers at all.
The document undercuts Microsoft’s repeated statements that it disclosed the arrangement to the federal government, showing what the company left out when it submitted its security plan to the Defense Department. The Pentagon launched an investigation into IT contractors’ use of foreign staff after ProPublica’s reporting last month exposed Microsoft’s practice.
That reporting described in detail how Microsoft relies on “digital escorts,” US personnel with security clearances, to supervise foreign engineers who support the Defense Department’s cloud systems. The department requires that people with access to sensitive data be US citizens or permanent residents.
Microsoft’s security plan, dated February 28 and submitted to the department’s IT agency, distinguishes between staff who have passed background checks to access its Azure cloud platform and those who have not. But it omits the fact that the unscreened workers include non-US citizens based abroad. “Whenever unscreened personnel request access to Azure Government, a screened operator who has access to Azure Government provides that access,” the company wrote.
The document also does not disclose that the screened digital escorts can be contractors hired through a staffing company rather than Microsoft employees. ProPublica found that the escorts were in many cases former military personnel chosen because they hold active security clearances, and that they often lack the expertise needed to oversee engineers with far more advanced technical skills. Microsoft told ProPublica that escorts receive “specific training to protect secret data” and to prevent harm.
Microsoft’s reference to the escort model comes two-thirds of the way through the 125-page document, known as a “System Security Plan,” in a few paragraphs under the heading “Access.” Government officials are supposed to evaluate these plans to determine whether the security measures are acceptable.
In interviews with ProPublica, Microsoft claimed it had disclosed digital escorting and that the government had approved it. But Defense Secretary Pete Hegseth and other government officials expressed shock and outrage at the model, raising questions about what exactly the company disclosed as it sought to win and keep government contracts.
None of the parties, including Microsoft and the Defense Department, would comment on this year’s security plan. But former federal officials now say the vague disclosure, reported here for the first time by ProPublica, may explain the disconnect and likely contributed to it. Microsoft earlier told ProPublica that its government security documentation going back years contained similar language about the escorts.
John Sherman, former chief information officer of the Defense Department, who said he had been unaware of digital escorting before ProPublica’s report, called it “a case of the right question not being asked of the vendor, and all the required conditions being prescribed.”
In a LinkedIn post about the ProPublica investigation, Sherman said such a question “would have smoked out this crazy practice of ‘digital escorting.’” His post continued: “DOD should not have been exposed this way. The company must admit this was wrong and pledge not to do things that don’t pass the common sense test.”
Experts have said that allowing staff based in China to provide technical support and maintenance for US government computer systems creates fundamental security risks. Chinese law gives officials broad data collection powers, and experts say it is difficult for any Chinese citizen or company to resist a direct request from the security services or law enforcement agencies. The Office of the Director of National Intelligence has called China “the most active and persistent cyber threat to the US government, private sector and critical infrastructure.”
After ProPublica’s reporting last month, Microsoft said it had stopped using China-based engineers to support Defense Department cloud computing systems. The company did not directly answer ProPublica’s questions about the security plan and instead issued a statement defending the escort practice.
“The escort sessions were tightly controlled and supplemented by layers of security,” the statement said. “Based on the feedback we received, we updated our processes to prevent any involvement of China-based engineers.”
Sen. Tom Cotton, the Republican who chairs the Senate Intelligence Committee, wrote to Hegseth last month that the Defense Department must strengthen oversight of its contractors and that current processes “do not account for the growing Chinese threat.”
“As we learn more about these ‘digital escorts’ and other unreasonable and flagrant practices used by some DOD partners, it is clear that the department and Congress must take further action,” Cotton wrote. He continued: “We must create protocols and processes to quickly, effectively and safely adopt innovative technologies.”
Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to assess the security practices of commercial companies that want to sell cloud services to the federal government. The Defense Department also has its own guidelines, which include citizenship requirements for people with access to sensitive data.
Both FedRAMP and the Defense Department rely on “third-party assessment organizations” to evaluate whether vendors comply with government cloud security requirements. While the government considers these organizations “independent,” they are hired and paid directly by the company being assessed. For example, Microsoft told ProPublica that it enlisted a firm called Kratos to take it through its initial FedRAMP and Defense Department authorizations and to conduct annual assessments after it won federal contracts.
On its website, Kratos calls itself a “guiding light” for organizations seeking to win public cloud contracts and says it “can boast a history of successful security assessments.”
In a statement to ProPublica, Kratos said its work determines “whether security controls are documented,” but the company did not say whether it did so for the security plan Microsoft submitted to the Defense Department’s IT agency.
Microsoft told ProPublica that it gave a demonstration of the escort process, but not directly to federal officials. The security plan does not mention any such demonstration. Kratos did not answer questions about whether its assessors knew that unscreened employees could include foreign workers.
A former Microsoft employee who worked with Kratos on several FedRAMP accreditations compared Microsoft’s role in the process to “leading the witness” to the desired result. “The government approved what we paid Kratos to tell the government to approve. You pay for the desired result,” said the former employee, who asked for anonymity to discuss the confidential process.
Kratos said it “strongly denies the characterization by an unnamed source that Kratos’ services are pay-to-play.” In its statement, Kratos said it is “accredited and vetted by an independent, nonprofit industry group” on factors that “include impartiality, competence and independence.”
“Kratos hires and retains the most technically sophisticated, certified security experts and technologists,” the company said, adding that its staff “are beyond reproach in their work.”
For its part, Microsoft said hiring Kratos was simply part of the standard cloud assessment process. “As FedRAMP requires, Microsoft relies on this certified assessor to conduct independent assessments on our behalf under FedRAMP oversight,” Microsoft said in its statement.
But critics take issue with the FedRAMP process itself, saying that an arrangement in which a company pays its own auditor is an inherent conflict of interest. One former official at the General Services Administration, which houses FedRAMP, compared it to a restaurant hiring and paying its own health inspector.
GSA did not respond to comment requests.
The Defense Information Systems Agency, the Defense Department’s IT agency, reviewed and approved Microsoft’s security plan. Those involved included senior DISA officials Roger Greenwell and Jackie Snofer, according to people familiar with the matter. Neither responded to phone messages seeking comment, and press officers for the department and DISA did not respond to ProPublica’s requests to interview them.
A DISA spokesperson declined to comment for this article, saying that “any responses will come from the Office of the Secretary of Defense.”
The Defense Secretary’s office did not answer questions about whether Greenwell and Snofer, or anyone at DISA, understood that China-based staff would be supporting Defense Department systems. The spokesperson also did not directly answer questions about Microsoft’s system security plan, but said in an emailed statement that the information in such plans is considered proprietary. The spokesperson noted that “any process that does not comply with” the department’s restrictions prohibiting foreign nationals from accessing sensitive systems “represents an unacceptable risk to Department of Defense infrastructure.”
At the same time, the office left the door open to further use of foreign engineers working with digital escorts for “infrastructure support,” saying it “may be considered an acceptable risk,” depending on factors including the “foreign national’s country of origin.” The department said that in such scenarios foreign workers would have “view-only” rather than “hands-on” access. Beyond China, Microsoft operates in India, the European Union and elsewhere around the world.
In a statement to ProPublica on Friday, Hegseth’s office said the Pentagon’s investigation into the use of foreign technology companies “has concluded, and we identified a number of possible actions the department may take.” The spokesperson declined to describe those actions or to say whether the department would follow through on them. It is unclear whether the Microsoft security plan or DISA’s role in approving it was part of the review.
“As with all contract matters, the department works directly with the vendor to resolve issues, including those that arose with Microsoft’s digital escort process,” Hegseth’s office said.