Compliance

SharePoint for Government: ITAR, FedRAMP & CMMC Controls

Deploying SharePoint Online in federal, state, and DIB environments. GCC vs GCC High vs DoD IL5, ITAR Technology Control Plans, CMMC Level 2 mapping, and ConMon evidence.

SharePoint Support TeamApril 21, 202618 min read
SharePoint for Government: ITAR, FedRAMP & CMMC Controls - Compliance guide by SharePoint Support
SharePoint for Government: ITAR, FedRAMP & CMMC Controls - Expert Compliance guidance from SharePoint Support

Government and DIB SharePoint: The Tenant Decides

Federal, state, and defense-industrial-base (DIB) deployments of SharePoint are defined by the tenant and authorization boundary that host them. The tenant chosen at day one dictates which authorizations apply, which features are available, which personnel can operate it, and whether ITAR or CUI data is permissible. Tenant migration is a multi-month project, so the decision effectively cannot be reversed after regulated data is ingested.

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites

This brief is the government companion to our SharePoint compliance pillar. It focuses on the specific patterns for SharePoint deployment in commercial, GCC, GCC High, and DoD IL5 environments; ITAR Technology Control Plans; CMMC Level 2 mapping; and FedRAMP continuous monitoring.

Tenant Decision Tree

Use this decision tree at the start of every government or DIB SharePoint deployment:

  • FedRAMP Moderate, no CUI, no ITAR — Commercial Microsoft 365 is acceptable when the agency's authorization boundary allows. Common for state agencies and federal civilian programs handling only public information.
  • US-only residency, no FedRAMP High requirement — Microsoft 365 GCC. Appropriate for state and federal civilian workloads needing US data residency without FedRAMP High authorization.
  • FedRAMP High, CUI, ITAR, CMMC Level 2+ — Microsoft 365 GCC High. The standard choice for DIB contractors and federal agencies handling sensitive-but-unclassified data.
  • DoD IL4 or IL5 workloads — Microsoft 365 DoD on Azure Government. Typical for DoD components and major defense primes.
  • Classified (Secret or above) — Azure Government Secret / Top Secret environments; outside the scope of this brief.

The tenant decision must be finalized before provisioning SharePoint sites or ingesting regulated data. Migration between commercial and GCC High is a multi-million-dollar, multi-month program.

Commercial Microsoft 365 in State and Local Government

State and local government agencies often deploy SharePoint in commercial Microsoft 365 when data residency and background-check requirements are satisfied. The commercial cloud holds:

  • FedRAMP Moderate authorization
  • SOC 1 / SOC 2 Type II attestations
  • HIPAA BAA (for health agencies)
  • PCI DSS, ISO 27001, ISO 27018
  • CJIS coverage (verify per-state against the current Microsoft CJIS attestation)

Agencies handling CJIS-regulated data should confirm the Microsoft CJIS posture for their state and ensure Conditional Access, MFA, and device compliance controls align with the state CSO's requirements.

Microsoft 365 GCC

GCC is a commercial-grade cloud with US-only data residency and background-screened Microsoft personnel. Appropriate for:

  • State and local government workloads requiring US residency
  • Federal civilian agencies without FedRAMP High requirements
  • Workloads touching FBI CJIS data where state CSO requires GCC

SharePoint Online and OneDrive in GCC closely match commercial in functionality, with some feature-parity lag. Copilot availability is narrower than commercial; validate per-workload.

Microsoft 365 GCC High for DIB and Federal

GCC High is a separate tenant with FedRAMP High authorization, DoD IL4 compliance, and ITAR support. It is a distinct identity boundary with its own licensing catalog.

SharePoint availability in GCC High is close to commercial for core workloads (team sites, communication sites, document libraries, OneDrive). Feature-parity gaps include:

  • Some Copilot for SharePoint capabilities lag commercial
  • SharePoint Premium AI services have narrower availability
  • Certain third-party connectors and plug-ins are unavailable
  • Preview features typically reach commercial first

Validate the specific SharePoint features required for your workload before committing to GCC High. Microsoft maintains a GCC High roadmap; review it quarterly.

SharePoint in DoD IL5

SharePoint availability in the Microsoft 365 DoD environment is a subset of GCC High with further authorization lag. Typically used by DoD components and major defense primes. Validate each SharePoint workload for IL5 authorization before committing.

ITAR Technology Control Plan for SharePoint

ITAR (22 CFR 120-130) restricts access to defense-related technical data. For SharePoint to hold ITAR content:

  • Deploy in GCC High (required; commercial or GCC is non-compliant for ITAR)
  • Apply sensitivity labels for Export-Controlled and ITAR content to sites and files
  • Restrict site membership to Entra ID groups limited to verified US persons
  • Enforce MFA and device compliance via Conditional Access
  • Disable external sharing entirely for ITAR sites
  • Configure Purview DLP with ITAR-marking detection
  • Retain Purview audit at least 5 years (or longer if your ITAR program requires)
  • Document the full configuration in the Technology Control Plan (TCP)

The TCP must name the specific SharePoint sites in scope, the Entra ID groups granting access, the empowered official, and the review cadence. Update the TCP when sites are added or removed.

CMMC Level 2 Mapping for SharePoint

CMMC 2.0 Level 2 assessment is NIST 800-171 based. SharePoint in GCC High inherits significant platform controls from the underlying Microsoft 365 FedRAMP authorization. The customer-configurable practices most affected by SharePoint include:

  • AC (Access Control) — Site permissions, Conditional Access, Entra ID group discipline
  • AU (Audit and Accountability) — Purview audit export to Sentinel
  • CM (Configuration Management) — Tenant settings change control, site lifecycle governance
  • IA (Identification and Authentication) — MFA via Conditional Access
  • IR (Incident Response) — SharePoint-specific runbook references
  • MP (Media Protection) — Device compliance requirements via Conditional Access
  • SC (System and Communications Protection) — TLS 1.2+, encryption at rest, VNet integration where applicable
  • SI (System and Information Integrity) — DLP for CUI markings, sensitivity labels

Map SharePoint into the System Security Plan (SSP) with specific practice-level implementation statements. A C3PAO assessor will test both the inherited and customer-configurable layers.

FedRAMP Continuous Monitoring

Agencies expect ongoing evidence that SharePoint remains within the authorization boundary. A typical SharePoint ConMon package:

  • Monthly scan results for any customer-managed infrastructure supporting SharePoint (typically minimal since SharePoint is Microsoft-managed SaaS)
  • Quarterly POA&M updates for any SharePoint control deviations
  • Annual security assessment covering SharePoint configuration
  • Significant change notifications before major tenant configuration changes
  • Incident reports aligned to FedRAMP incident communications procedure

Microsoft provides FedRAMP package evidence for the SharePoint platform. Customer-configurable controls — site governance, sensitivity labels, DLP, audit retention, Copilot posture — are customer responsibility. Document the inherited-vs-customer split clearly in ConMon deliverables.

Reference Architecture: DIB Contractor

A DIB contractor deploying SharePoint in GCC High for a CMMC Level 2 environment operates with five layers:

  • Identity and access — Entra ID synced from the authoritative HR source with US-person citizenship attributes, Conditional Access enforcing MFA and compliant device, SharePoint access via governed security groups limited to verified US persons
  • Content classification — Purview sensitivity labels with CUI parent label and sub-labels for CUI-Basic, CUI-Specified, Export-Controlled, and ITAR
  • Site governance — ITAR sites use dedicated workspaces with no external sharing; CUI sites restrict external sharing to approved US-person partners only
  • Monitoring — Purview audit export to Sentinel for GCC High with analytic rules detecting first-time access, anomalies, and access to export-controlled content
  • Documentation — SSP entries, TCP entries, POA&M items, and evidence package maintained for C3PAO assessment and DoD oversight

Covered Defense Information and DFARS 252.204-7012

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors handling Covered Defense Information (CDI) in any information system, including SharePoint, to implement NIST 800-171 security requirements. In a GCC High SharePoint deployment:

  • Identify SharePoint sites in scope for CDI and label them accordingly
  • Enforce the NIST 800-171 control set through Entra ID, Conditional Access, sensitivity labels, DLP, and audit
  • Report cyber incidents affecting CDI to DoD within 72 hours via the DoD DIBNet reporting portal
  • Preserve forensic images of affected SharePoint content for 90 days
  • Provide full incident-response support to DoD investigators

Integrate the DFARS reporting workflow with the broader incident response program so the 72-hour clock is never missed. Most CMMC Level 2 organizations operate on the conservative assumption that every CUI site in SharePoint is also potentially CDI.

Supply Chain Risk Management for SharePoint in GCC High

CMMC Level 2 and NIST 800-171 both require supply chain risk management. For SharePoint in GCC High, document:

  • Microsoft as the primary provider with the Microsoft GCC High authorization as inherited evidence
  • Any Microsoft 365 backup ISV operating inside the GCC High boundary (verify authorization before use)
  • Any third-party connector or SPFx extension deployed into GCC High
  • Azure AD app registrations for SharePoint automation

Every addition to the supply chain should go through the Supplier Risk Management process and be added to the CMMC SSP. Unauthorized ISV connectors are a common C3PAO finding.

Federal Record Retention in SharePoint

Federal agencies have additional retention obligations under the Federal Records Act and the National Archives and Records Administration (NARA) guidance. For SharePoint content:

  • Apply Purview retention labels aligned to the agency records schedule
  • Use Preservation Lock on retention policies for permanent records
  • Document the records schedule mapping in the agency's Records Management policy
  • Coordinate with the agency Records Management officer on annual reviews

State and local government agencies follow state-specific records retention schedules (often managed by the state archives). SharePoint labels should reflect the state schedule.

ITAR Violations and SharePoint

Historical ITAR violations involving cloud services have centered on three patterns: (1) ITAR data transmitted to non-US cloud regions, (2) ITAR data accessible to non-US persons through misconfigured permissions, and (3) ITAR data retained in decommissioned systems without proper destruction.

SharePoint controls addressing these patterns:

  • Non-US region exposure — GCC High tenant enforces US-only data residency; verify tenant home region is GCC High; disable any multi-geo features that could route data outside
  • Non-US person access — Entra ID citizenship attributes; Conditional Access policies; sensitivity labels that reference citizenship attribute via Purview
  • Decommissioning — Documented disposition workflow for SharePoint sites containing ITAR data; cryptographic erase where required; certificate of destruction retained per TCP

Document the ITAR compliance evidence in the annual Directorate of Defense Trade Controls (DDTC) registration renewal package.

Frequently Asked Questions

Can commercial SharePoint Online handle FedRAMP Moderate workloads?

Yes for most FedRAMP Moderate classifications without CUI or ITAR. Commercial Microsoft 365 holds FedRAMP Moderate. FedRAMP High, CUI, or ITAR require GCC High or Azure Government.

What is the difference between SharePoint in GCC and GCC High?

GCC is commercial-grade with US residency and background-screened personnel; GCC High is a separate tenant with FedRAMP High, DoD IL4, and ITAR authorizations. GCC High is a distinct identity boundary.

Is Microsoft Copilot for SharePoint available in GCC High?

Availability trails commercial and varies by workload. Validate each Copilot feature before enabling; for ITAR, confirm the language-model endpoint is inside the GCC High boundary.

Can I store ITAR content in SharePoint?

Yes in GCC High. Configure US-person-only permissions, sensitivity labels for Export-Controlled / ITAR, disabled external sharing, DLP for ITAR markings, and document in the TCP.

What CMMC Level 2 controls does SharePoint satisfy?

Inherited NIST 800-171 controls from the FedRAMP High platform authorization plus customer-configurable practices across AC, AU, CM, IA, IR, MP, SC, SI. Map SharePoint into the SSP.

How do I handle FedRAMP continuous monitoring for SharePoint?

Sentinel analytic rules, monthly POA&M updates, annual assessment, significant change notifications. Microsoft provides platform-layer ConMon evidence; customer-configurable controls are customer responsibility.

What are the citizenship controls for SharePoint in GCC High?

Microsoft personnel are US-person-only by tenant design. Customer-side, restrict SharePoint access to verified US persons for ITAR via Entra ID attributes, Conditional Access, and group membership. Document in the TCP.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

Can commercial SharePoint Online handle FedRAMP Moderate workloads?
Yes for most FedRAMP Moderate classifications that do not contain CUI or ITAR data. Commercial Microsoft 365 holds FedRAMP Moderate authorization. Validate the specific service authorization for your agency's boundary. For FedRAMP High, CUI, or ITAR, you must use GCC High or Azure Government.
What is the difference between SharePoint in GCC and GCC High?
GCC is a commercial-grade cloud with US-only data residency and background-screened Microsoft personnel, designed for state and local government and for federal civilian workloads that do not require FedRAMP High. GCC High is a separate tenant with FedRAMP High authorization, DoD IL4 compliance, and ITAR support. GCC High is a distinct identity boundary — users cannot be migrated between GCC and GCC High without a tenant-to-tenant migration.
Is Microsoft Copilot for SharePoint available in GCC High?
Copilot availability in GCC High trails commercial and varies by workload. Validate the specific Copilot SKU, the in-app surfaces, and Copilot for SharePoint availability before enabling. For ITAR data, confirm that the language-model endpoint sits inside the GCC High authorization boundary. When in doubt, treat Copilot as disabled for ITAR until authorization is confirmed in writing.
Can I store ITAR content in SharePoint?
Yes, in GCC High (required — commercial or GCC is non-compliant for ITAR). Configure site and library permissions using Entra ID groups limited to verified US persons, apply sensitivity labels for Export-Controlled and ITAR content, disable external sharing entirely for ITAR sites, enable Purview DLP with ITAR marking detection, and document the configuration in the Technology Control Plan.
What CMMC Level 2 controls does SharePoint satisfy?
SharePoint in GCC High inherits significant NIST 800-171 controls from the platform FedRAMP authorization. Customer-configurable practices remain: Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Media Protection, and System and Information Integrity. A C3PAO assessor will test both layers. Map SharePoint into the System Security Plan with practice-level implementation statements.
How do I handle FedRAMP continuous monitoring for SharePoint?
Export SharePoint activity logs to Microsoft Sentinel in the appropriate cloud (Sentinel for Commercial, Sentinel for GCC High for FedRAMP High). Build analytic rules aligned to the agency ConMon package. Submit monthly POA&M updates on any SharePoint control deviations, annual security assessment, and significant change notifications before major tenant configuration changes.
What are the citizenship controls for SharePoint in GCC High?
GCC High requires Microsoft personnel with US-person status for data handling. Customer-side, restrict SharePoint access to verified US persons when processing ITAR data. Enforce through Entra ID citizenship attributes combined with Conditional Access, and combine with role-based group membership. Document the citizenship control in your Technology Control Plan and review annually.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Continue Reading in Compliance