Pentagon CIO considers changes to cloud service provider security measures in wake of potential data exposure

A Defense Department spokesperson shared the latest update regarding this multi-team response.
John Sherman
John Sherman appears in the Pentagon Briefing Room for the Cyber Beacon virtual event, Dec. 3, 2020. (DOD / Marvin Lynchard)

The Pentagon’s chief information officer is preparing to potentially direct changes in security measures that govern cloud service providers (CSPs) hosting Defense Department data — based on findings that will stem from an unfolding investigation associated with recent reports that emails with sensitive military data hosted on Microsoft’s Azure government cloud were unintentionally left exposed online this month.

The problem first came to light a few days ago when a non-government researcher flagged it.

In an email Thursday night, DOD spokesperson Cmdr. Jessica McNulty told DefenseScoop that the Pentagon is diving deep into the “potential exposure of DOD unclassified, commercially cloud-hosted data to the Internet over the past two weeks” — and that the “affected server was identified and removed from public access on” Feb. 20.

This marks the first time the Office of the Secretary of Defense acknowledged that the military email data was accessible online for multiple weeks — though details about how much was possibly exposed remain unverified.


“U.S. Cyber Command and Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) continue to work with affected DOD entities and the Cloud Service Provider to assess the scope and impact of this potential data exposure,” McNulty told DefensesScoop on Thursday.

In coordination with JFHQ-DODIN, Pentagon CIO John Sherman is “working with the CSP to understand the root cause of the exposure and why this problem was not detected sooner,” McNulty said. That CSP — reportedly Microsoft — is one of four major U.S. technology companies now vying for individual task orders to ultimately provide the Joint Warfighting Cloud Capability (JWCC). A spokesperson from the company did not respond to DefenseScoop’s multiple requests for comment this week.

McNulty stated that the “DOD CIO will direct changes in CSP security measures as required based on any findings and recommendations” of this ongoing investigation.

A security researcher who works to safeguard vulnerable databases and servers holding national security information first raised an alarm about the possible exposure last weekend. Earlier this week, military and Pentagon officials were hesitant to validate details of the allegations on the record, and repeatedly declined to share additional information about what happened, or their review.

“We will notify any DOD personnel affected by the incident appropriately and following Federal law and DOD policy. DOD takes this matter very seriously and will incorporate all lessons learned from this event to strengthen its cybersecurity posture,” McNulty told DefenseScoop on Thursday when she provided an update on where things stand.


In response to DefenseScoop’s questions on Friday regarding what those possible “changes” to CSP security might look like down the line, McNulty said the Pentagon could not share more information at this time but aims to provide further updates when possible.

Latest Podcasts