by siffland 2332 days ago
You can lock down YOUR infrastructure, but then you are 100% dependent on the cloud environment to maintain and patch theirs. Since you have no insight into what the underlying infrastructure consists of, you really have no way of knowing if they are secure. Do their storage arrays have open CVEs? Are they employing people who are mentally sane? You just need to trust them.

So the cloud just migrates a lot of the security to another team. I do not know for a fact, but I am pretty sure the DoD cannot just show up at the AWS or Azure facilities and start auditing them (maybe they can and it is in a contract; someone else might know).


Considering AWS already has 2 entire airgapped datacenters for the US government, I'm pretty sure this contract will entail Microsoft building entirely separate airgapped datacenters for the DoD, and thus they probably will be able to just show up to their datacenter, because nobody else is going to be running anything in those datacenters.
Correct, but those air-gapped data centers already exist: there are separate Azure regions for certain restricted civilian government workloads, DoD unclassified work, and cleared work.
They are almost certainly getting their own privately built cloud which they can 100% show up and audit whenever they please.