Microsoft’s 125-page System Security Plan submitted to the Defense Department on Feb. 28, 2025, makes no mention of the company’s use of engineers based in China to maintain highly sensitive Azure Government cloud systems, according to a document obtained by ProPublica. The plan refers only obliquely to a “digital escort” arrangement under which U.S. personnel with security clearances supervise foreign workers, but it does not state that those workers are non-citizens operating from China or other countries. Pentagon rules require that individuals handling sensitive military data be U.S. citizens or permanent residents, and critics say allowing China-based staff even view-only access poses unacceptable espionage risks.

Microsoft says the escorted sessions were tightly monitored and that, in response to government feedback, it has ended the involvement of engineers located in China. Defense Secretary Pete Hegseth has completed an internal review of foreign personnel used by contractors and is considering additional safeguards. Separately, Senate Intelligence Committee chair Tom Cotton has urged stronger oversight, arguing current vetting “fails to account for the growing Chinese threat.”

The lapse also highlights weaknesses in the government’s FedRAMP cloud-authorization process. The Defense Information Systems Agency accepted Microsoft’s plan after an assessment performed by Kratos, a firm hired and paid by Microsoft. Former officials say the pay-to-audit model can mask critical omissions, and they are calling for more independent scrutiny of vendors that handle national-security workloads.
Microsoft stays mum about M365 Copilot on-demand security bypass https://t.co/g0On6hdtcm
Microsoft Lays Out its Quantum-Safe Plans: https://t.co/THjd5oGmQK by darkreading #infosec #cybersecurity #technology #news
Microsoft tests new Windows 11 update that uses AI to search for files https://t.co/VkWxhlTOl7