Last updated June 21, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Most public sector Microsoft engagements that fail do not fail at the build. They fail at the tenant decision or the boundary scope — choices made in the first two weeks of the program that compound through every subsequent decision. This piece is the decision tree, the boundary discipline, the CMMC controls that produce most assessor findings, and the audit-package cadence that ships evidence faster than the assessor can request it.
EPC Group's public sector practice is anchored in founder Errin O'Connor's FedRAMP framework contribution and his role as Lead Architect on the NASA Nebula Cloud — the original federal cloud-first implementation. The methodology survives the assessor. See the parent practice at Government Power BI Consulting for the broader scope.
Decision 1: Tenant type
The four production options and when each is correct:
- Microsoft 365 Commercial: State and local government without federal data sharing. State privacy-law overlays are handled in-tenant, but criminal justice information (CJIS) and federal tax information (IRS Publication 1075) are usually where commercial stops being the right answer: Microsoft scopes its CJIS Security Addendum and IRS 1075 commitments to its U.S. Government offerings, so those data types are normally the trigger for GCC.
- Microsoft 365 GCC (Government Community Cloud): Federal civilian agencies, state and local handling federal data, federal contractors handling unclassified federal data. FedRAMP Moderate authorization. CJIS support.
- Microsoft 365 GCC High: Federal civilian agencies handling CUI, federal contractors handling ITAR/EAR-regulated data, DIB contractors at CMMC L2. FedRAMP High authorization equivalent. DFARS 7012 compliance support.
- Microsoft 365 DoD: Department of Defense agencies handling DoD CUI at IL5. Dedicated DoD cloud regions. The DoD environment is reserved for DoD entities; DoD contractors land in GCC High.
The decision is driven by data types, contract clauses, and downstream sharing requirements. Picking too high (DoD when GCC would have sufficed) inflates licensing cost and feature lag. Picking too low (commercial when GCC was needed) creates a remediation event that typically restarts the implementation. EPC Group runs a fixed-fee tenant assessment to make this decision explicitly before any architecture work begins.
Decision 2: FedRAMP boundary scope
Microsoft's cloud services carry FedRAMP authorizations at specific impact levels. The customer's FedRAMP boundary for the system built on top of those services inherits the cloud-provided controls but must explicitly document what is inherited versus what is customer-implemented. The most common failure mode is assuming broader inheritance than the cloud service's customer responsibility matrix actually grants. The assessor catches this in the Security Assessment Report (SAR), and the program restarts the documentation cycle.
The discipline that works: a documented System Security Plan that names every control in scope, identifies the inheritance source for each (Microsoft cloud control, customer technical control, customer procedural control, customer hybrid), and ties each customer-implemented control to specific tenant configuration (conditional access policy IDs, DLP rule names, Purview label IDs). Prefer object IDs over display names wherever the platform exposes them; names get edited between assessments, IDs do not. The SAR cycle becomes a verification exercise rather than a discovery exercise.
Decision 3: CMMC L2 control implementation
For DIB contractors at CMMC L2 (currently in rolling enforcement through DoD acquisitions): 110 controls from NIST SP 800-171 Rev 2, evidence collection and retention discipline, third-party assessor (C3PAO) audit at a 3-year cadence with annual affirmations in between, and a continuous monitoring posture between assessments. Most of the controls map cleanly to Microsoft 365 GCC High capabilities, but mapping is not implementation. The implementation is still customer responsibility.
The controls that most consistently produce assessor findings:
- 3.1.x (Access Control): RBAC discipline, conditional access policy completeness, least-privilege documentation.
- 3.3.x (Audit and Accountability): Audit log retention matching the regulatory period, log forwarding to a separate immutable store, automated review cadence.
- 3.4.x (Configuration Management): Baseline configuration documentation, change-control process with evidence, drift detection.
- 3.13.x (System and Communications Protection): Boundary protection at the tenant edge, cryptographic protection with specific algorithm documentation (FIPS-validated modules under 3.13.11), and termination of network sessions after inactivity (3.13.9). Session lock and user-session termination themselves sit in Access Control (3.1.10 and 3.1.11) and are assessed together with this family in practice.
- 3.14.x (System and Information Integrity): Defender XDR posture with evidence, threat intelligence integration, automated response workflows.
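The control-to-configuration tie-out that the SSP discipline in Decision 2 calls for, run against the finding-prone families above, as an added example. This is not EPC Group's tooling or any Microsoft tool. It reads a Conditional Access export whose field names follow the Graph conditionalAccessPolicy resource (IDs, names and values are constructed), plus a hand-maintained audit-log summary whose shape is an assumption, and emits one row per control: either evidence naming the exact policy IDs that implement it, or a finding. Control numbers follow NIST SP 800-171 Rev 2; the 365-day retention requirement and the single inherited control stand in for the organization's SSP and the provider's customer responsibility matrix and are assumptions.

```python
"""Control-to-configuration tie-out for an SSP / CMMC L2 evidence package.

Added example, not EPC Group tooling. Reads a Conditional Access export and an
audit-log summary and emits one row per control: evidence naming the policy IDs
that implement it, or a finding. Every ID, name and value below is constructed.
"""

# Constructed export. Field names follow the Graph conditionalAccessPolicy
# resource (GET /identity/conditionalAccess/policies); IDs and names are made up.
CA_POLICIES = [
    {"id": "6f1e0c44-1111-4a0e-9b1d-000000000001",
     "displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-guid"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": None},
    {"id": "6f1e0c44-1111-4a0e-9b1d-000000000002",
     "displayName": "CA002 Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",  # report-only: not evidence
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]},
     "sessionControls": None},
    {"id": "6f1e0c44-1111-4a0e-9b1d-000000000003",
     "displayName": "CA003 Sign-in frequency for privileged roles", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": None,
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 12, "type": "hours"}}},
]

# Hand-maintained summary (assumed shape). The required period comes from the
# organization's SSP, not from 800-171, which sets no number.
AUDIT_SUMMARY = {"unifiedAuditLogRetentionDays": 365, "requiredRetentionDays": 365,
                 "forwardedToImmutableStore": True, "forwardingDestination": "law-audit-prod"}

# Controls the SSP records as inherited, per the provider's customer
# responsibility matrix (assumed entry for illustration).
INHERITED = {"3.13.11": "FIPS-validated cryptography for service-side data in transit and at rest"}


def _row(control, status, source, evidence, note):
    return {"control": control, "status": status, "source": source, "evidence": evidence, "note": note}

def _enforced(p):
    return p["state"] == "enabled"  # report-only and disabled policies are not evidence

def _all_users_all_apps(p):
    c = p["conditions"]
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def _grant(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def check_access_control(policies):
    """3.1.1: an enforced grant (MFA or compliant device) scoped to all users and all apps."""
    ids = [p["id"] for p in policies
           if _enforced(p) and _all_users_all_apps(p) and _grant(p) & {"mfa", "compliantDevice"}]
    return _row("3.1.1", "implemented" if ids else "finding", "customer technical", ids,
                "enforced all-users/all-apps grant" if ids else "no enforced all-users/all-apps grant policy")

def check_legacy_auth(policies):
    """3.1.1 (legacy auth): the block policy must be enforced, not report-only."""
    block = [p for p in policies if "block" in _grant(p) and "clientAppTypes" in p["conditions"]]
    ids = [p["id"] for p in block if _enforced(p)]
    stale = [p["id"] for p in block if not _enforced(p)]
    note = "legacy auth blocked" if ids else ("block policy exists only in report-only mode" if stale else "no legacy-auth block policy")
    return _row("3.1.1/legacy-auth", "implemented" if ids else "finding", "customer technical", ids or stale, note)

def check_audit(audit):
    """3.3.1 retention period; 3.3.8 audit records copied to a separate immutable store."""
    days, need = audit["unifiedAuditLogRetentionDays"], audit["requiredRetentionDays"]
    fwd = audit["forwardedToImmutableStore"]
    return [_row("3.3.1", "implemented" if days >= need else "finding", "customer technical",
                 [f"UnifiedAuditLogRetentionPolicy:{days}d"], f"retention {days}d, required {need}d"),
            _row("3.3.8", "implemented" if fwd else "finding", "customer hybrid",
                 [audit["forwardingDestination"]] if fwd else [],
                 "forwarded to immutable store" if fwd else "audit log exists only inside the tenant")]

def check_session_termination(policies):
    """3.1.11 / 3.13.9: enforced sign-in frequency for directory roles is the usual evidence."""
    ids = [p["id"] for p in policies if _enforced(p)
           and ((p.get("sessionControls") or {}).get("signInFrequency") or {}).get("isEnabled")
           and p["conditions"].get("users", {}).get("includeRoles")]
    return _row("3.1.11/3.13.9", "implemented" if ids else "finding", "customer technical", ids,
                "sign-in frequency enforced for privileged roles" if ids else "no sign-in frequency control for privileged roles")

def tie_out(policies, audit, inherited):
    """All rows for the package: customer checks plus inherited controls, each with its source labelled."""
    rows = [check_access_control(policies), check_legacy_auth(policies),
            *check_audit(audit), check_session_termination(policies)]
    rows += [_row(c, "inherited", "Microsoft cloud", ["CRM"], d) for c, d in inherited.items()]
    return rows

def findings(rows):
    return [r["control"] for r in rows if r["status"] == "finding"]

if __name__ == "__main__":
    for r in tie_out(CA_POLICIES, AUDIT_SUMMARY, INHERITED):
        print(f'{r["control"]:<16}{r["status"]:<13}{r["source"]:<19}{", ".join(r["evidence"]) or "-"}  {r["note"]}')
```

Run it and the report-only legacy-auth policy surfaces as the single finding, which is the point: a policy that exists but is not enforced maps to nothing. Swap the constructed exports for the real ones (Graph for Conditional Access, Security & Compliance PowerShell for the retention policy) and run it on the monthly rollup, and the rows are the SSP tie-out with IDs the assessor can verify directly in the tenant.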
Decision 4: Audit-package discipline
Evidence collection is automated wherever possible: Microsoft Purview audit logs, Defender XDR posture exports, Microsoft Sentinel alerts, and Power BI control-mapping dashboards are generated continuously rather than scrambled together before each audit window. The audit package is the evidence the assessor will request, mapped control-by-control to the in-scope framework (FedRAMP, CMMC L2, or both).
The cadence: monthly evidence rollup, quarterly attestation review, annual full-package generation. Continuous monitoring between formal audits. The Operate stage of The EPC Group Lifecycle ships this as a managed service for organizations without an in-house compliance team — see Managed Microsoft Services.
Power BI in government clouds
Power BI for Government runs in GCC, GCC High, and DoD environments with feature parity tracking the commercial release on a documented cadence. Microsoft Fabric availability is rolling — GCC has Fabric today; GCC High and DoD availability tracks per Microsoft's published roadmap. Direct Lake mode for high-scale analytics is available where Fabric is.
Architectural patterns translate directly from commercial. See our AI-Safe Power BI Rollout Playbook and FINRA risk reporting playbook for the underlying RLS / semantic model / certified-release disciplines. The boundary scope and audit-package cadence change for public sector; the architecture pattern does not.
State and local government variations
- CJIS environments: Criminal justice information requires CJIS-aware tenant configuration plus state-specific overlays. Audit cadence stricter than most federal civilian work.
- Tax / IRS Publication 1075 environments: Tax data handling under IRS 1075 with specific encryption and access requirements.
- State-specific PII regimes: California CCPA/CPRA, Illinois BIPA, the Texas Data Privacy and Security Act, Washington My Health My Data Act. Each requires DLP tuning and incident response workflow adjustments.
- Higher education public sector: FERPA overlays on top of standard tenant configurations.
Where this connects
- Government Power BI Consulting — the parent practice.
- Microsoft 365 Consulting — tenant deployment patterns.
- Microsoft Defender — Defender XDR posture for the audit package.
- Microsoft Purview Consulting — classification + audit-log retention.
- Data Governance — the Govern stage.
- Standards Alignment — FedRAMP / CMMC + NIST AI RMF + COBIT mappings.
- HIPAA/SOC 2/FedRAMP compliance partner — the broader compliance practice.
- The EPC Group Lifecycle — Modernize + Govern + Operate sequenced for public sector cadence.
Tenant decision first. Boundary scope documented. Controls mapped, not assumed. Evidence generated continuously. Multiple models. One truth. Survive the assessor.
Frequently Asked Questions
Federal civilian agencies handling CUI: typically GCC High. DoD agencies: typically the DoD environment, which is reserved for DoD entities, or GCC High where the impact level allows. DoD contractors: GCC High, with CMMC L2 mapping. State and local government without federal data sharing: commonly GCC or commercial. DIB contractors handling CUI: GCC High with CMMC L2 mapping. The "right" answer depends on the specific data types and contract clauses, and the wrong choice typically restarts the program. EPC Group runs a fixed-fee assessment to make this decision explicitly before any architecture work begins.
Scoping a federal or public sector Microsoft engagement?
Talk to a senior architect with FedRAMP framework contribution heritage and a track record across federal, state, local, and DIB engagements.
