New law bans China-based IT engineers from Pentagon cloud access

President Donald Trump has enacted sweeping cybersecurity legislation explicitly prohibiting individuals from China and other adversarial nations from accessing the Pentagon’s cloud computing infrastructure. This decisive action, embedded within the $900 billion National Defense Authorization Act, represents the government’s formal response to critical security vulnerabilities exposed earlier this year.

The legislative measure follows a ProPublica investigation revealing that Microsoft had utilized China-based engineers to maintain Defense Department computer systems for nearly ten years. This arrangement potentially exposed some of the nation’s most sensitive military data to foreign access. While Microsoft implemented a ‘digital escort’ program with US-based supervisors intended to monitor foreign engineers, investigators found these escorts frequently lacked the technical expertise to effectively oversee their more skilled Chinese counterparts.

Cybersecurity experts and intelligence officials consistently warned that such practices created unacceptable national security risks, particularly given China’s legal framework that grants authorities broad data collection powers. The revelation prompted bipartisan concern in Congress, with some Republican members condemning Microsoft’s practices as ‘a national betrayal.’

Defense Secretary Pete Hegseth publicly denounced the practice in July, prompting Microsoft to voluntarily cease using Chinese engineers for Pentagon cloud systems. The Department of Defense subsequently updated its cybersecurity requirements in September, formally banning IT contractors from utilizing China-based personnel. The newly signed legislation codifies these changes into federal law, extending prohibitions to personnel from Russia, Iran, and North Korea.

The law significantly enhances congressional oversight mechanisms, mandating that the Defense Secretary brief congressional defense committees on implementation progress by June 1, 2026, with annual follow-up briefings scheduled through 2029. These sessions will evaluate control effectiveness and security incidents, and recommend additional legislative or administrative actions.

Microsoft declined to comment specifically on the legislation but previously committed to collaborating with national security partners to adjust security protocols. Congressional leaders including Representative Elise Stefanik and Senator Tom Cotton praised the legislation for closing dangerous contractor loopholes and protecting critical infrastructure from foreign adversaries.

The Pentagon has initiated both an investigation into potential national security compromises by China-based engineers and a third-party audit of Microsoft’s digital escort program. Defense officials have stated they were unaware of the full extent of Microsoft’s foreign engineer program until the ProPublica disclosure, despite Microsoft’s claims of having disclosed the arrangement to the Pentagon.