State & Local Government Copilot Deployment (CJIS + StateRAMP)
M365 GCC vs GCC High + CJIS + StateRAMP + open records + 6 proven use cases. The EPC Group state/local playbook.
Frequently Asked Questions
Which Microsoft 365 environment does state/local government use for Copilot?
Three options depending on the workload. (1) Microsoft 365 GCC (Government Community Cloud) — FedRAMP Moderate baseline, common for state agencies without CJIS or defense scope. Copilot is available. (2) Microsoft 365 GCC High — FedRAMP High baseline + DoD IL5, required for CJIS-in-scope law enforcement + DoD contracts. Copilot for GCC High available with certain gating. (3) Commercial M365 — some smaller local governments without regulated workloads stay on commercial. Most state governments deploy the majority of agencies on GCC and the law enforcement agencies (state police, sheriff's offices, prosecutors) on GCC High for CJIS.
What is CJIS Security Policy and how does it affect Copilot?
CJIS (Criminal Justice Information Services) Security Policy is the FBI's requirements for handling criminal justice information (CJI) — arrest records, criminal history, warrants, intelligence products. CJIS-in-scope work: (1) requires cleared personnel with fingerprint-based background checks (level determined by CJIS Systems Officer). (2) requires strong multi-factor authentication (Advanced Authentication under CJIS Section 5.6.2). (3) requires audit trails satisfying CJIS Section 5.4. (4) restricts data location — CJI must remain in CONUS-based, CJIS-attested cloud infrastructure. Microsoft 365 GCC High is CJIS-attested; commercial M365 is NOT. Copilot for GCC High extends CJIS attestation to Copilot workloads.
What is StateRAMP and how does it relate to FedRAMP?
StateRAMP is the state-and-local-government-focused parallel program to FedRAMP, using the same NIST 800-53 control baseline (Moderate baseline is the common target). StateRAMP was created because states wanted a shared cloud service authorization process instead of each state duplicating security assessments. Microsoft 365 GCC has both FedRAMP Moderate + StateRAMP Ready listings; GCC High has FedRAMP High. For Copilot procurement: many state agencies now require StateRAMP Ready or Authorized listing on their approved products list. Microsoft Copilot inherits the M365 GCC / GCC High attestation posture.
How do open records / FOIA / sunshine laws affect Copilot?
Every state has open records laws (Sunshine Act, Freedom of Information Act state analogs) requiring government records to be discoverable and disclosable on request unless a specific statutory exemption applies. Copilot outputs used in government work are potentially discoverable records: (1) records retention policies (typically 3-7 years for administrative records) must apply to Copilot outputs. (2) Purview eDiscovery lets FOIA officers respond to public records requests including Copilot interactions if in scope. (3) statutory exemptions (attorney-client privilege, personnel records, law enforcement investigations, security-sensitive information) still apply — labeling ensures Copilot doesn't inadvertently disclose exempt content in FOIA responses.
What are the 6 proven state/local government Copilot use cases?
(1) Constituent communication drafting — Copilot drafts responses to constituent inquiries from case data + prior communications (staff reviews before sending). (2) Regulatory / rulemaking drafting — Copilot drafts rulemaking notices, RFI responses, public hearing summaries. (3) Grant application drafting — Copilot drafts federal / foundation grant applications from program data. (4) FOIA response drafting — Copilot summarizes responsive records + drafts response letters (FOIA officer reviews to ensure exempt content is redacted). (5) Meeting minutes + agenda drafting — Copilot drafts meeting minutes from Teams recordings (still human-reviewed for accuracy on official records). (6) Case summary drafting for social services / child welfare / public health — Copilot summarizes case notes for supervisor review + inter-agency communication (with strict labeling of protected content). All 6 human-in-loop; none decisioning benefit eligibility or enforcement actions.
What does an EPC Group state/local government Copilot engagement produce?
Standard 30-Day Copilot Readiness Accelerator plus eight state/local-specific deliverables: (1) M365 environment selection matrix (GCC vs GCC High per agency scope). (2) CJIS scope confirmation for law enforcement agencies. (3) StateRAMP procurement documentation. (4) 5-tier sensitivity label taxonomy including CJI + Attorney Work Product + Constituent Records + FOIA-Exempt. (5) FOIA-response workflow overlay for Copilot outputs. (6) Records retention policies applied to Copilot interactions. (7) Six proven state/local use case pilots. (8) Board / council reporting on program effectiveness.
Talk to a senior architect
Email contact@epcgroup.net or call 888-381-9725.
North America's oldest continuous Microsoft Gold Partner (2000 until Microsoft retired the program in 2022) — today holding all six Microsoft Solutions Partner Designations.
