ProPublica

Microsoft Failed to Disclose Key Details About Use of China-Based Engineers in U.S. Defense Work, Record Shows

by Renee Dudley, with research by Doris Burke

Microsoft, as a provider of cloud services to the U.S. government, is required to regularly submit security plans to officials describing how the company will protect federal computer systems. Yet in a 2025 submission to the Defense Department, the tech giant left out key details, including its use of employees based in China, the top cyber adversary of the U.S., to work on highly sensitive department systems, according to a copy obtained by ProPublica.

In fact, the Microsoft plan viewed by ProPublica makes no reference to the company’s China-based operations or foreign engineers at all. The document belies Microsoft’s repeated assertions that it disclosed the arrangement to the federal government, showing exactly what was left out as it sold its security plan to the Defense Department.

The Pentagon has been investigating the use of foreign personnel by IT contractors in the wake of reporting by ProPublica last month that exposed Microsoft’s practice. Our work detailed how Microsoft relies on “digital escorts” — U.S. personnel with security clearances — to supervise the foreign engineers who maintain the Defense Department’s cloud systems. The department requires that people handling sensitive data be U.S. citizens or permanent residents.

Microsoft’s security plan, dated Feb. 28 and submitted to the department’s IT agency, distinguishes between personnel who have undergone and passed background screenings to access its Azure Government cloud platform and those who have not. But it omits the fact that workers who have not been screened include non-U.S. citizens based in foreign countries.

“Whenever non-screened personnel request access to Azure Government, an operator who has been screened and has access to Azure Government provides escorted access,” the company said in its plan.
The document also fails to disclose that the screened digital escorts can be contractors hired by a staffing company, not Microsoft employees. ProPublica found that escorts, in many cases former military personnel selected because they possess active security clearances, often lack the expertise needed to supervise engineers with far more advanced technical skills. Microsoft has told ProPublica that escorts “are provided specific training on protecting sensitive data” and preventing harm.

Microsoft’s reference to the escort model comes two-thirds of the way into the 125-page document, known as a “System Security Plan,” in several paragraphs under the heading “Escorted Access.” Government officials are supposed to evaluate these plans to determine whether the security measures disclosed in them are acceptable.

In interviews with ProPublica, Microsoft has maintained that it disclosed the digital escorting arrangement in the plan, and that the government approved it. But Defense Secretary Pete Hegseth and other government officials have expressed shock and outrage over the model, raising questions about what, exactly, the company disclosed as it sought to win and keep government cloud computing contracts.

None of the parties involved, including Microsoft and the Defense Department, commented on the omissions in this year’s security plan. But former federal officials now say that the obliqueness of the disclosure, which ProPublica is reporting for the first time, may explain that disconnect and likely contributed to the government’s acceptance of the practice. Microsoft previously told ProPublica that its security documentation to the government, going back years, contained similar wording regarding escorts.
Former Defense Department Chief Information Officer John Sherman, who said he was unfamiliar with the digital escorting process before ProPublica’s reporting, called it a “case of not asking the perfect question to the vendor, with every conceivable prohibited condition spelled out.” In a LinkedIn post about ProPublica’s investigation, Sherman said such a question “would’ve smoked out this crazy practice of ‘digital escorts.’” His post continued: “The DoD can’t be exposed in this way. The company needs to admit this was wrong and commit to not doing things that don’t pass a common sense test.”

Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”

Following ProPublica’s reporting last month, Microsoft said that it had stopped using China-based engineers to support Defense Department cloud computing systems. The company did not respond directly to questions from ProPublica about the security plan and instead issued a statement defending the escort practice. “Escorted sessions were tightly monitored and supplemented by layers of security mitigations,” the statement said. “Based on the feedback we’ve received, however, we have updated our processes to prevent any involvement of China based engineers.”

Sen. Tom Cotton, a Republican who chairs the Senate Select Committee on Intelligence, wrote to Hegseth last month suggesting that the Defense Department needed to strengthen oversight of its contractors and that current processes “fail to account for the growing Chinese threat.” “As we learn more about these ‘digital escorts’ and other unwise — and outrageous — practices used by some DoD partners, it is clear the Department and Congress will need to take further action,” Cotton wrote. He continued: “We must put in place the protocols and processes to adopt innovative technology quickly, effectively, and safely.”

Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to evaluate the security practices of commercial companies that want to sell cloud services to the federal government. The Defense Department also has its own guidelines, which include the citizenship requirement for people handling sensitive data. Both FedRAMP and the Defense Department rely on “third party assessment organizations” to evaluate whether vendors meet the government’s cloud security requirements. While the government considers these organizations “independent,” they are hired and paid directly by the