The new law codifies cybersecurity updates the Pentagon implemented in , explicitly banning IT vendors from employing personnel located in China, Russia, Iran, and North Korea for work on Defense Department computer systems. The legislation also mandates enhanced congressional oversight of the Pentagon’s cybersecurity practices, requiring the Secretary of Defense to brief congressional defense committees on these changes. Subsequent briefings are scheduled annually for the next three years, including updates on control effectiveness, security incidents, and legislative recommendations.
This legislative move emerged directly from a ProPublica investigation published in , which detailed Microsoft’s "digital escort" program that had been in operation for nearly a decade. Under this program, engineers based in China provided technical support for sensitive Defense Department cloud systems. Defense Secretary Pete Hegseth publicly condemned the practice, stating that "Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems."
The "digital escort" program reportedly involved U.S.-based personnel with security clearances who would input commands dictated by overseas engineers, many of whom were in China, into Defense Department cloud environments. ProPublica’s investigation indicated that these American "digital escorts" often lacked the technical expertise to effectively supervise the more advanced foreign engineers, and that some escorts were paid as little as $18 an hour. This arrangement applied to Impact Level 4 and 5 data, which includes information directly supporting military operations and whose compromise could have severe or catastrophic adverse effects.
Microsoft maintained that it had disclosed the program to the Pentagon and that escorts received "specific training on protecting sensitive data." However, top Pentagon officials stated they were unaware of the program until ProPublica’s reporting. A security plan submitted by Microsoft in reportedly omitted crucial details regarding its China-based operations and foreign engineers.
The new law and the Pentagon’s tightened requirements directly address concerns over potential national security risks posed by foreign access to sensitive defense data. Republicans in Congress, reacting to the ProPublica findings, characterized Microsoft’s program as a "national betrayal." Cybersecurity and intelligence experts highlighted that such arrangements presented significant risks, particularly given China’s national security laws that grant its officials broad authority to collect data from citizens and companies.
"If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that," Harry Coker, a former senior executive at the CIA and National Security Agency, told ProPublica, emphasizing the potential for espionage.
Specific details regarding the initial mandated briefing for congressional defense committees, including its exact date and the depth of information to be provided, remain unconfirmed. The full findings of the third-party audit of Microsoft’s "digital escort" program and the separate Pentagon investigation into potential security breaches have not yet been released.
Following the ProPublica report, Microsoft pledged in to cease using China-based engineers for Pentagon cloud systems. The company stated it would "work with our national security partners to evaluate and adjust our security protocols." The mandated annual briefings to Congress over the next three years will provide ongoing updates on the effectiveness of the new controls and any emerging security incidents. The Pentagon also expects all DoD contractors to comply with the updated cybersecurity requirements.
Companies acting as cloud service providers to the U.S. Department of Defense should review their compliance with the updated DoD Cloud Computing Security Requirements Guide to ensure that no personnel located in the restricted countries can access sensitive systems. Contractors should conduct internal audits to identify and eliminate any reliance on personnel based in adversarial nations for sensitive IT support functions, including indirect arrangements in which a cleared U.S. employee relays or executes commands on a foreign engineer’s behalf. Implementing robust supply chain risk management practices and ensuring all employees handling defense data possess the necessary technical expertise and security clearances are critical steps.