SharePoint for Government: FedRAMP, GCC High, and Microsoft 365 Government Deployment Guide

Deploy SharePoint in U.S. federal and state government environments. Covers Microsoft 365 GCC vs GCC High vs DoD, FedRAMP authorization, FISMA compliance, CUI handling, and ITAR/DFARS requirements.

Errin O'Connor | February 25, 2026 | 14 min read

Microsoft 365 for Government: Understanding the Clouds

U.S. government agencies and contractors have specific requirements that the commercial Microsoft 365 service cannot meet — FedRAMP authorization, data residency in the United States, restrictions on who can access government data, and compliance with ITAR/DFARS for defense contractors. Microsoft addresses this with dedicated government cloud environments.

Figure: Multi-layer SharePoint security architecture

Understanding which government cloud is appropriate for your organization is the critical first decision before any SharePoint deployment.

The Four Microsoft Government Cloud Options

Microsoft 365 Commercial

The standard Microsoft 365 service. Data centers in the U.S. and globally. FedRAMP Low authorized only. Not appropriate for:

  • Federal agencies with CUI (Controlled Unclassified Information)
  • State and local government agencies handling federal data
  • Defense contractors with ITAR or DFARS obligations
  • Any workload requiring FedRAMP Moderate or High

Microsoft 365 GCC (Government Community Cloud)

Target: U.S. federal, state, local, and tribal government agencies; government contractors

FedRAMP Authorization: FedRAMP Moderate

Data residency: United States only

Staff access: U.S. government-screened personnel only

Appropriate for most state and local government and many federal civilian workloads that don't handle sensitive national security information.

Key differences from Commercial:

  • Separate infrastructure from commercial tenants
  • U.S. government employees and contractors only as administrators
  • Cannot federate with commercial Azure AD tenants
  • SharePoint, Teams, Exchange, and OneDrive are all available
  • Copilot: available in GCC as of 2025

Microsoft 365 GCC High

Target: Department of Defense contractors, federal agencies with CUI/ITAR/DFARS requirements

FedRAMP Authorization: FedRAMP High

Data residency: United States (East and West data centers only)

ITAR compliance: Yes — ITAR-eligible

Staff access: U.S. citizens only, with government background screening

Required for:

  • Defense contractors handling CUI per DFARS clause 252.204-7012
  • Organizations subject to ITAR (International Traffic in Arms Regulations)
  • Federal agencies requiring FedRAMP High authorization
  • Any workload that could touch export-controlled technical data

Key differences from GCC:

  • ITAR-eligible environment
  • Stricter access controls (U.S. citizens only for Microsoft staff)
  • Some features lag GCC by 3-6 months
  • Higher licensing cost (~20% premium over GCC)
  • Cannot interconnect with GCC or Commercial

Microsoft 365 DoD

Target: U.S. Department of Defense agencies and authorized contractors with IL4/IL5 requirements

FedRAMP Authorization: FedRAMP High + DoD IL5

Access: DoD CAC/PIV authentication required

Staff access: DoD-cleared personnel only

Only available to DoD agencies and approved mission partner contractors. Not available for general procurement — requires DoD approval.

FedRAMP Authorization and Shared Responsibility

FedRAMP (Federal Risk and Authorization Management Program) is the government-wide program for cloud security authorization. Microsoft holds FedRAMP authorizations at:

  • Commercial: FedRAMP Low
  • GCC: FedRAMP Moderate
  • GCC High: FedRAMP High
  • DoD: FedRAMP High + DISA IL4/IL5

Shared Responsibility Model

FedRAMP compliance is shared between Microsoft and the agency:

Microsoft is responsible for:

  • Physical data center security
  • Network infrastructure security
  • Platform-level controls (hypervisor, hardware)
  • Incident response for platform-level events
  • Business continuity for the cloud infrastructure

Agency is responsible for:

  • Identity and access management (Azure AD configuration)
  • SharePoint permissions and access controls
  • Data classification and sensitivity labels
  • Application-level audit logging configuration
  • End-user device security (endpoint management)
  • Training and awareness for staff

When auditors assess your agency's FedRAMP compliance, they will assess both Microsoft's controls (covered by Microsoft's ATO) and your agency's controls (which your agency must implement and document).

Setting Up SharePoint in GCC/GCC High

Tenant Provisioning

GCC and GCC High tenants are provisioned separately from commercial tenants. Contact your Microsoft Government account team to establish a GCC or GCC High tenant. Key setup steps:

  • Tenant domain: government.onmicrosoft.us (GCC High) vs. government.onmicrosoft.com (GCC)
  • Global admin: Must be a U.S. person (GCC High requirement)
  • Azure AD: Separate Azure Government AD, not the commercial Azure AD
  • DNS: Configure government tenant DNS records (separate from commercial)
  • MFA: Enforce MFA for all users from day 1 — required for FedRAMP

```powershell
# Connect to the GCC High SharePoint Admin Center (note the .us TLD for GCC High)
Connect-SPOService -Url "https://youragency-admin.sharepoint.us"

# GCC (not GCC High) uses the .com admin URL:
Connect-SPOService -Url "https://youragency-admin.sharepoint.com"
```

Microsoft Entra ID (Azure AD) Government Configuration

```powershell
# Connect to Azure Government (for GCC High)
Connect-AzAccount -Environment AzureUSGovernment

# Microsoft Graph PowerShell: pick the national cloud that matches your tenant
Connect-MgGraph -Environment USGov     # GCC High / Azure Government
Connect-MgGraph -Environment USGovDoD  # DoD
```

Conditional Access for Government Requirements

FedRAMP Moderate and High require strong authentication and device compliance:

```
Required Conditional Access Policies for FedRAMP:
├── Policy 1: Require MFA for all users (no exceptions)
├── Policy 2: Require compliant device for SharePoint access
├── Policy 3: Block legacy authentication (no basic auth)
├── Policy 4: Block access from non-approved countries (U.S. + territories only)
├── Policy 5: Require MFA for all admin roles (always, even trusted locations)
└── Policy 6: Session policy - sign out after 15 min idle (agency requirement)
```

```powershell
# Block access from outside the United States (Policy 4).
# Uses the AzureAD module cmdlet; the Microsoft Graph PowerShell equivalent is
# New-MgIdentityConditionalAccessPolicy. Replace the two placeholders with the
# SharePoint Online application ID and the ID (not the name) of your
# "United States" named location.
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Block Non-US Access to SharePoint" `
    -State "Enabled" `
    -Conditions @{
        Applications = @{ IncludeApplications = @("<SharePoint Online app ID>") }
        Locations    = @{ IncludeLocations = @("All"); ExcludeLocations = @("<United States named location ID>") }
    } `
    -GrantControls @{ Operator = "OR"; BuiltInControls = @("Block") }
```

Controlled Unclassified Information (CUI) in SharePoint

CUI is government information that requires safeguarding per Executive Order 13556 and the CUI Registry. For federal agencies and contractors handling CUI, NIST SP 800-171 controls apply.

SharePoint CUI Configuration Requirements (NIST SP 800-171)

Key NIST 800-171 controls with SharePoint configuration mapping:

| NIST Control | Requirement | SharePoint Configuration |
|-------------|------------|------------------------|
| 3.1.1 | Limit system access to authorized users | Azure AD groups, SharePoint permissions |
| 3.1.2 | Limit access to types of transactions | Role-based site access, read-only for non-editors |
| 3.1.3 | Control CUI flow | DLP policies blocking external sharing of CUI |
| 3.3.1 | Create and retain system audit logs | Purview audit log, 3-year retention |
| 3.3.2 | Review and update logged events | Monthly audit log review procedure |
| 3.4.2 | Establish baselines | SharePoint security baseline configuration document |
| 3.13.1 | Monitor networks | Defender for Cloud Apps monitoring SharePoint |
| 3.13.16 | Protect CUI at rest | Sensitivity labels with encryption |

Sensitivity Labels for CUI

Configure sensitivity labels aligned to CUI categories:

```powershell
# Create the CUI sensitivity label (Security & Compliance PowerShell).
# The .us connection URI is the GCC High endpoint; GCC uses the .com endpoint.
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/"

# Placeholder: replace <cui-users-group>@<youragency>.gov with the group that may open CUI.
New-Label `
    -Name "CUI - Controlled Unclassified Information" `
    -DisplayName "CUI" `
    -Tooltip "Controlled Unclassified Information per EO 13556. Protect per NIST SP 800-171." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "<cui-users-group>@<youragency>.gov:VIEW,EDIT,PRINT" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CONTROLLED UNCLASSIFIED INFORMATION" `
    -ApplyContentMarkingHeaderFontColor "#FF0000"
```

DLP Policy for CUI

```powershell
# Block external sharing of CUI documents (run in a Security & Compliance PowerShell session)
New-DlpCompliancePolicy `
    -Name "CUI Protection - Block External Sharing" `
    -SharePointLocation All `
    -OneDriveLocation All

# -AccessScope NotInOrganization limits the rule to content shared with people outside the agency,
# so internal collaboration on CUI is not blocked.
New-DlpComplianceRule `
    -Policy "CUI Protection - Block External Sharing" `
    -Name "Block External Access to CUI" `
    -ContentContainsSensitivityLabel @("CUI - Controlled Unclassified Information") `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -NotifyEmailCustomText "CUI documents cannot be shared externally. Contact your Information Systems Security Officer."
```

CMMC 2.0 and SharePoint for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) 2.0 applies to Defense Industrial Base (DIB) contractors handling CUI. CMMC Level 2 maps to NIST SP 800-171 (110 practices).

For defense contractors, Microsoft 365 GCC High is the minimum required environment for CUI. Key CMMC configurations for SharePoint:

CMMC Level 2 SharePoint Requirements

  • AC.2.006: Enforce approved authorizations → Azure AD role-based access
  • AC.2.007: Least privilege → SharePoint permissions audit, no "Everyone" access
  • AU.2.041: Create and retain audit logs → Purview audit, 3-year retention minimum
  • AU.2.042: Review audit logs → Monthly review, documented
  • CA.2.158: Periodically assess security controls → Annual SharePoint security assessment
  • CM.2.061: Baseline configurations → SharePoint security baseline, change control
  • IA.2.078: Enforce minimum password complexity → Azure AD password policy
  • IA.3.083: Require MFA → Conditional Access, no exceptions
  • SC.3.177: Encrypt CUI in transit → SharePoint HTTPS only (default)
  • SC.3.187: Encrypt CUI at rest → Sensitivity labels with encryption
  • SI.2.214: Identify and report vulnerabilities → Defender for Cloud Apps, monthly report
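
As an added example that is not part of the original guide, the following PowerShell script audits a tenant against the 3.1.3 (control CUI flow) row of the NIST SP 800-171 table above and the AC.2.007 (no "Everyone" access) item in the CMMC list; it assumes the SharePoint Online Management Shell module and uses a placeholder admin URL and report path.

```powershell
# Added example (not part of the original guide): read-only audit of a GCC/GCC High
# SharePoint tenant for NIST SP 800-171 3.1.3 (control CUI flow) and CMMC AC.2.007
# (no "Everyone" access). Requires the SharePoint Online Management Shell module.
param(
    # Placeholder: .us admin URL for GCC High, .com for GCC
    [string]$AdminUrl = "https://<youragency>-admin.sharepoint.us",
    [string]$ReportPath = ".\sharepoint-cui-audit.csv"
)

Connect-SPOService -Url $AdminUrl
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Scope, [string]$Control, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Control = $Control; Issue = $Issue })
}

# Tenant-wide settings: external sharing (3.1.3) and legacy auth, which skips MFA (IA.3.083)
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -ne 'Disabled') {
    Add-Finding 'Tenant' '3.1.3' "Tenant SharingCapability is $($tenant.SharingCapability); CUI tenants should be Disabled"
}
if ($tenant.LegacyAuthProtocolsEnabled) {
    Add-Finding 'Tenant' 'IA.3.083' 'Legacy authentication protocols are enabled (basic-auth clients bypass Conditional Access MFA)'
}

# Login-name prefixes of the "Everyone" and "Everyone except external users" claims
$broadClaims = @('c:0(.s|true', 'c:0-.f|rolemanager|spo-grid-all-users/')

foreach ($site in Get-SPOSite -Limit All) {
    if ($site.SharingCapability -ne 'Disabled') {
        Add-Finding $site.Url '3.1.3' "Site-level external sharing is $($site.SharingCapability)"
    }
    # Get-SPOUser returns every principal holding permissions on the site, claims included
    foreach ($principal in Get-SPOUser -Site $site.Url -Limit All) {
        foreach ($prefix in $broadClaims) {
            if ($principal.LoginName.StartsWith($prefix)) {
                Add-Finding $site.Url 'AC.2.007' "Broad claim has access: $($principal.DisplayName) ($($principal.LoginName))"
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
"$($findings.Count) finding(s) written to $ReportPath"
```

The CSV gives the ISSO a dated artifact for the monthly review the table calls for; a clean run produces an empty report.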

State and Local Government SharePoint Deployment

State and local governments (SLTT — State, Local, Tribal, and Territorial) typically use GCC or Commercial depending on the presence of federal grant-related CUI. Key considerations:

Records Management for Government

State archives and records laws require document retention schedules. Configure Microsoft Purview retention labels per your state's Schedule of Records:

```
Common Government Records Retention Schedule (examples):
├── Meeting Minutes (Governing Board) — Permanent
├── Financial Records — 7 years
├── Personnel Records — 7 years post-separation
├── Grant Records (Federal) — Duration of grant + 3 years
├── Public Records (general) — Varies by state law
└── Police/Law Enforcement Records — Varies by state
```
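
To show how the fixed-duration rows of such a schedule become Purview retention labels, here is an added example that is not part of the original guide; it assumes the Security & Compliance PowerShell module, the GCC High connection endpoint, and placeholder label and policy names.

```powershell
# Added example (not part of the original guide): turn the fixed-duration rows of a
# records schedule into Purview retention labels and publish them to SharePoint.
# Requires the Security & Compliance PowerShell module; the connection URI is the
# GCC High endpoint (GCC uses the .com endpoint). Label and policy names are placeholders.
Connect-IPPSSession -ConnectionUri "https://ps.compliance.protection.office365.us/powershell-liveid/"

# Days = retention period in days or 'Unlimited'; Action = what happens when it ends;
# Record = declare items as records so users cannot edit or delete them.
# Event-driven rows ("post-separation", "grant end + 3 years") need event-based
# retention (-RetentionType EventAgeInDays) and are deliberately left out here.
$schedule = @(
    @{ Name = 'Gov - Meeting Minutes (Permanent)'; Days = 'Unlimited'; Action = 'Keep';          Record = $true },
    @{ Name = 'Gov - Financial Records (7 yr)';     Days = 7 * 365;    Action = 'KeepAndDelete'; Record = $true }
)

foreach ($entry in $schedule) {
    # Idempotent: skip labels that already exist so re-runs do not fail
    if (Get-ComplianceTag -Identity $entry.Name -ErrorAction SilentlyContinue) { continue }
    New-ComplianceTag -Name $entry.Name `
        -RetentionAction $entry.Action `
        -RetentionDuration $entry.Days `
        -RetentionType CreationAgeInDays `
        -IsRecordLabel $entry.Record `
        -Comment 'Created from the agency records retention schedule' | Out-Null
}

# Publish all labels to every SharePoint site through one retention policy
$policyName = 'Gov - Records Retention Labels'
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName -SharePointLocation All | Out-Null
    $labelList = ($schedule | ForEach-Object { $_.Name }) -join ','
    New-RetentionComplianceRule -Name "$policyName - Rule" -Policy $policyName `
        -PublishComplianceTag $labelList | Out-Null
}

# Show what was created so the result can be checked against the schedule
Get-ComplianceTag | Where-Object { $_.Name -like 'Gov - *' } |
    Format-Table Name, RetentionAction, RetentionDuration, IsRecordLabel -AutoSize
```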

Open Records / FOIA for SharePoint

Government agencies must respond to public records requests. Configure SharePoint to support FOIA/open records:

  • Purview Content Search can run FOIA searches across SharePoint + Exchange + Teams
  • eDiscovery export in native format satisfies most FOIA production requirements
  • Redaction: Purview Compliance Portal allows redaction of exempt information before production

Conclusion

Microsoft 365 SharePoint for government requires careful selection of the appropriate cloud (GCC vs. GCC High vs. DoD), implementation of FedRAMP-required controls, CUI protection per NIST SP 800-171, and records management aligned to federal and state retention requirements.

EPC Group has deployed Microsoft 365 GCC and GCC High environments for federal civilian agencies, defense contractors, and state/local government organizations. Contact us for a government SharePoint assessment.

Written by Errin O'Connor
