Microsoft Cloud for State, Local, and Tribal Government — StateRAMP, CJIS, M365 GCC (2026)

Microsoft 365 GCC (Government Community Cloud) is the multi-tenant M365 environment designed for U.S. federal, state, local, and tribal government customers and their contractors. GCC inherits FedRAMP Moderate authorization, DoD SRG IL2, CJIS Security Policy alignment, IRS 1075 alignment, and StateRAMP authorization. The underlying Azure datacenters are physically located in the continental United States, and operations personnel are screened U.S. persons.

Microsoft 365 GCC High is the M365 environment built to U.S. federal standards for Controlled Unclassified Information (CUI), including ITAR. GCC High inherits FedRAMP High authorization and DoD SRG IL4 / IL5. It is operated exclusively by screened U.S. citizens. GCC High is rarely the default for SLG — but specific SLG scenarios require it: state National Guard units handling federal CUI, state agencies executing federal contracts that flow CUI down, and tribal nations operating federal trust-fund systems that the federal sponsoring agency designates as CUI-in-scope.

Azure Government is a physically separate Azure cloud built for U.S. government customers and contractors. It is operated by screened U.S. citizens in U.S.-only datacenters and carries FedRAMP High, DoD SRG IL2 / IL4 / IL5 (select services at IL6), CJIS Security Policy alignment, IRS 1075, StateRAMP authorization, and HIPAA Business Associate Agreement coverage. For SLG, Azure Government is the platform layer beneath M365 GCC High and the right host for state and local mission systems that need a FedRAMP High landing zone — public-safety records, court case management, state revenue / tax administration, state Medicaid analytics, and tribal nation enterprise systems.

AWS GovCloud is the AWS-equivalent sovereign U.S.-only cloud, with FedRAMP High and a StateRAMP authorization. Many SLG procurement officers evaluate AWS GovCloud alongside Azure Government and ask EPC for a comparison. EPC includes AWS GovCloud here for context — not as an EPC delivery platform. EPC builds and operates Microsoft clouds (M365 GCC / GCC High / Azure Government). For SLG buyers comparing the two, the practical decision is usually driven by where the rest of the agency stack lives — Microsoft-centric agencies almost always land on Azure Government because identity (Entra ID Government), collaboration (M365 GCC), endpoint management (Intune), security (Defender XDR, Sentinel), and analytics (Power BI Government, Fabric) all sit on one Microsoft control plane.

Pattern 1. State-level Microsoft 365 GCC migration for a cabinet-level agency

Pattern 2. County sheriff Records Management System on CJIS-compliant Azure Government

Pattern 3. Tribal nation sovereignty and data residency in Azure Government

Pattern 4. Public-safety consortium with shared RMS / CAD integration

Pattern 5. Court case-management system on Azure Government

Pattern 6. State-funded K-12 and higher-education plane

CJIS Security Policy v5.9.1 requires Advanced Authentication (AA) for access to Criminal Justice Information (CJI) from any environment that is not physically inside an agency-controlled secure facility. AA must satisfy NIST SP 800-63B Authenticator Assurance Level (AAL) 2 or higher.

CJIS requires that access to CJI be limited to authorized personnel, that role-based access control (RBAC) be enforced, and that administrative duties be separated from operational user duties on CJI systems.

CJIS requires that CJI be encrypted in transit (TLS 1.2 minimum, FIPS 140-2 / 140-3 validated cryptographic modules) and at rest (FIPS-validated cryptographic modules, key management documented). For CJI traversing public networks, FIPS-validated VPN or equivalent is required.

CJIS requires comprehensive audit logging of all access to CJI, all administrative actions on CJI systems, all queries to NCIC / state CJI systems, and the ability to reconstruct the exact sequence of events for any CJI incident. Audit logs must be retained for a minimum of 365 days.

CJIS requires that all personnel with unescorted access to CJI undergo a fingerprint-based background investigation, that the screening be documented and tracked, and that personnel security training be delivered before access is granted and annually thereafter.

The General Services Administration Multiple Award Schedule — formerly Schedule 70 for IT — is the most-used federal contract vehicle and is widely accessible to state, local, tribal, and education buyers under the GSA Cooperative Purchasing Program.

NASPO ValuePoint is the National Association of State Procurement Officials cooperative purchasing program. NASPO contracts are pre-negotiated by lead states and made available to all participating states, local governments, and authorized public entities. The NASPO ValuePoint Cloud Solutions contract is the most-used SLG vehicle for Microsoft cloud.

NITAAC CIO-SP4 is the federal government-wide acquisition contract for IT services. The CIO-SP4 Small Business set-aside provides a fast acquisition path for federal agencies — and many state and local governments piggyback federal task orders that include SLG scope.

Many states run their own master IT contracts (Texas DIR, California CMAS, Florida State Term Contracts, New York OGS, and others). Regional cooperative purchasing networks (TIPS, Sourcewell, OMNIA Partners) provide access to pre-negotiated SLG pricing.

Federally recognized tribes can contract directly under Indian Self-Determination and Education Assistance Act (Public Law 93-638) authority, and many tribes operate enterprise IT under self-governance compacts that consolidate federal program funding.

What is the difference between StateRAMP and FedRAMP?

StateRAMP and FedRAMP are parallel programs. FedRAMP — the Federal Risk and Authorization Management Program — is the U.S. federal cloud security authorization program; it grants Moderate and High authorizations to cloud service offerings consumed by federal agencies. StateRAMP — the State Risk and Authorization Management Program — is the equivalent program for state, local, and education (SLED) governments, modeled directly on FedRAMP and using the same NIST SP 800-53 control catalog. The two programs share most of the technical content. The practical differences: StateRAMP is governed by a nonprofit member organization (the StateRAMP Program Management Office) and is procured by SLED entities, while FedRAMP is governed by the federal Joint Authorization Board and procured by federal agencies. Many cloud service offerings — including Microsoft 365 GCC and Azure Government — hold both authorizations. EPC Group delivers StateRAMP-aligned and FedRAMP-aligned Microsoft cloud deployments; the control work overlaps heavily. EPC is a FedRAMP-aligned consultancy and a StateRAMP-aligned consultancy — neither program grants authorization to consulting firms, only to cloud service offerings.

How does EPC support CJIS Security Policy v5.9.1 posture for sheriffs, courts, and public-safety consortia?

CJIS Security Policy v5.9.1 (and successor versions) governs how Criminal Justice Information (CJI) is handled in cloud and on-premises systems. EPC delivers CJIS-aligned Microsoft cloud postures for sheriffs, police departments, court systems, and public-safety consortia. The work covers Advanced Authentication (Microsoft Entra ID Government with FIDO2, Windows Hello for Business, smart-card / PIV), Access Control with separation of duties (Entra ID Privileged Identity Management with time-bound activation), encryption in transit and at rest (FIPS 140-2 / 140-3 validated modules, TLS 1.2 minimum, Azure Key Vault Managed HSM where customer-managed keys are required), comprehensive Audit and Accountability (Microsoft Sentinel with 365-day-minimum retention, frequently configured for 7-year retention), and Personnel Security (Microsoft's screened-U.S.-persons attestation plus agency-side fingerprint-based background investigation tracking). EPC documents each control family's alignment in a CJIS package the State CJIS Systems Officer (CSO) and State CJIS Systems Agency (CSA) review.

Can EPC support a tribal nation that needs sovereign data residency and the right to exit?

Yes. EPC delivers tribal-nation Microsoft cloud engagements that explicitly honor tribal sovereignty. The work includes a tribal-government addendum to the Microsoft Customer Agreement, U.S.-only Azure Government datacenter residency with Microsoft's contractual attestation of personnel screening, Customer Lockbox for Government requiring explicit tribal IT approval for any Microsoft access to tenant data, Purview sensitivity labels mapped to the tribe's own data-classification taxonomy (sovereign data, member data, gaming compliance data, IHS-coordinated PHI, federal trust-fund data), and a documented data-exit runbook that lets the tribe retrieve all data to a tribal datacenter or alternative cloud if the council so directs. EPC does not characterize tribal-nation engagements as "government" engagements without the tribal council's explicit framing — sovereign tribal nations choose how their cloud relationship is described, and EPC follows that lead.

How does EPC integrate with a public-safety Records Management System (RMS) on Azure Government?

RMS source-code ownership almost always sits with a specialist public-safety integrator (Tyler Technologies, Motorola Solutions, Mark43, Caliber Public Safety, Niche Technology, and others). EPC does not own RMS source code. EPC builds the destination Azure Government landing zone — CJIS-aligned network, Entra ID Government with Advanced Authentication, Sentinel CJIS audit aggregation, Defender for Cloud — and partners with the RMS integrator to migrate the application into the landing zone. The shared-responsibility split is documented in the engagement: EPC owns the landing zone, identity, audit, and Microsoft-stack security; the RMS integrator owns the application; the agency owns CJI handling policy and personnel screening. This split is the only honest way to deliver RMS on Azure Government — any consultancy claiming to own both the landing zone and the RMS source code is either an RMS vendor in disguise or is misrepresenting scope.

M365 GCC or M365 Commercial — which one does a state agency actually need?

For most state, local, and tribal government workloads, the right plane is Microsoft 365 GCC, not commercial M365. GCC inherits FedRAMP Moderate, DoD SRG IL2, CJIS Security Policy alignment, IRS 1075 alignment, and StateRAMP authorization — the regulatory baseline most SLG procurement officers now require. Commercial M365 does not carry StateRAMP authorization, and many state procurement policies as of 2026 explicitly require StateRAMP-authorized cloud. The exceptions are narrow: education tenants for student-facing workloads sometimes run on the commercial education plane (A3 / A5 for Education) because the FERPA control posture is delivered through the education-specific agreements rather than through GCC. For agency staff handling state-tax data, criminal justice information, citizen PII, or federal flow-down data, GCC is the right plane. EPC will identify the specific workloads that belong on commercial, GCC, and GCC High during the Phase 1 Readiness Assessment.

How much does the SLG Modernization Accelerator cost?

The EPC SLG Modernization Accelerator runs $300,000 to $2,000,000 across Phases 1-4, with Phase 5 as a separate monthly retainer. Phase 1 (Readiness Assessment, 3-4 weeks) is the smallest fixed-fee step and is procurement-ready output. Phase 2 (M365 GCC tenant build and migration, 90-180 days) typically lands in the $250K-$700K range for 500-5,000 seat agencies. Phase 3 (Azure Government landing zone plus one to three mission systems, 120-240 days) typically lands in the $400K-$900K range depending on landing-zone scope and the number of mission systems migrated. Phase 4 (Power BI Government / Fabric modernization, 90-180 days) typically lands in the $200K-$500K range depending on the legacy reporting estate size. Phase 5 (24/7 co-managed services) is monthly retainer scoped to seat count and platform surface. Microsoft licensing (GCC seats, Azure Government consumption, Sentinel ingest, Defender) is separate and scopes per Microsoft's government price list. EPC delivers on a fixed-fee basis with the costed Statement of Work after Phase 1 — no time-and-materials surprises.

What past performance does EPC have with state, local, and tribal government?

EPC Group has delivered Microsoft engagements with named federal references — NASA, the FBI, the Federal Reserve, and the Pentagon — plus a broader SLG portfolio that includes state agencies, county sheriffs, municipal IT departments, tribal nations, public-safety consortia, K-12 districts, and higher-education systems. The firm's 29-year history (founded 1997) and 11,000+ enterprise engagements include extensive SLG delivery; 216+ M&A M365 tenant migrations and 1.83 million users migrated includes both private-sector and SLG engagements. Specific named SLG references and case-study packages are released under NDA after a Phase 1 fit-call — many state, sheriff, court, and tribal engagements have public-information restrictions that prevent disclosure on a public website. The CEO and founder, Errin O'Connor, is a 4× Microsoft Press bestselling author (Power BI, SharePoint Foundation 2010, SharePoint 2013 Field Guide, WSS 3.0) and an original beta-team member of Microsoft's Project Tahoe (SharePoint) and Project Crescent (Power BI).

Does EPC hold the clearances and certifications SLG buyers ask about?

EPC is honest about credential framing — overstating clearance or certification is unhelpful to SLG buyers. EPC is a Microsoft Solutions Partner holding all six current Solutions Partner Designations. EPC is FedRAMP-aligned and StateRAMP-aligned (neither program issues authorizations to consulting firms — only to cloud service offerings, so no consultancy is literally "FedRAMP-authorized" or "StateRAMP-authorized"). EPC personnel hold individual industry certifications appropriate to engagement scope (Microsoft Certified: Azure Solutions Architect Expert, Microsoft Certified: Security Operations Analyst Associate, Microsoft Certified: Identity and Access Administrator Associate, CISSP, and others). For engagements requiring personnel security clearances or specific CJIS personnel screening, EPC documents the staffing posture per engagement and partners with cleared-prime contractors where the engagement scope so requires. EPC does not represent itself as holding 8(a) small-business status in its own right; 8(a) work is delivered through prime-contractor partnerships.