Microsoft used China-based support for multiple U.S. agencies, potentially exposing sensitive data

Western Air Defense Sector's Agile Operations Center receives the next iteration of the cloud-based command and control (C2) system, September 2024. (U.S. Air National Guard photo by Kimberly D. Burke)

By Renee Dudley with Doris Burke • Jul 28, 2025

Microsoft announced that it would no longer use China-based engineering teams to support the Defense Department’s cloud computing systems, following ProPublica’s investigation of the practice, which cybersecurity experts said could expose the government to hacking and espionage.

But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce, ProPublica has found.

This work has taken place in what’s known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive. The Federal Risk and Authorization Management Program, the U.S. government’s cloud accreditation organization, has approved GCC to handle “moderate” impact information “where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals.”