Microsoft for federal — three tenant types, three compliance levels
Federal Microsoft consulting starts with picking the right tenant type. The three federal Microsoft 365 environments are distinct cloud instances with different data-residency, operations-staff citizenship, and contractual provisions:
| Tenant | Who it serves | FedRAMP / DoD level |
|---|---|---|
| GCC | Federal civilian agencies + state/local/tribal governments handling CUI | FedRAMP High |
| GCC High | DFARS/NIST 800-171/CMMC 2.0 defense contractors + intel community + sensitive federal civilian | FedRAMP High + DoD IL4 |
| DoD | U.S. Department of Defense missions only | DoD IL5 Provisional Authorization |
For Azure, the federal cloud instances are Azure Government (FedRAMP High + DoD IL5), Azure Government Secret (DoD IL6), and Azure Government Top Secret (DoD IL7). Picking the wrong instance is expensive to reverse — EPC Group runs the tenant-selection assessment upfront.
CMMC 2.0 — the 2025-onward DoD contractor requirement
CMMC 2.0 (Cybersecurity Maturity Model Certification, version 2.0) is the U.S. Department of Defense's required cybersecurity certification for defense contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 is being phased into all new DoD contracts starting in 2025.
- Level 1 (Foundational) — 17 practices, self-assessment, for FCI-only contracts.
- Level 2 (Advanced) — 110 practices aligned to NIST 800-171, third-party assessor (C3PAO) for prioritized contracts, for CUI.
- Level 3 (Expert) — NIST 800-171 + selected NIST 800-172 practices, government-led assessment, for the highest-priority CUI.
For Microsoft 365 + Azure, CMMC 2.0 Level 2 typically requires GCC High tenancy + Azure Government IL5, enforced sensitivity labels via Microsoft Purview, Microsoft Defender XDR coverage, audit logging retention of 12+ months, and documented incident response. EPC Group runs CMMC 2.0 readiness assessments and the Microsoft 365 + Azure remediation plan that gets contractors to assessment-ready status before the C3PAO arrives.
Federal credentials that matter
Federal Microsoft consulting demands documented federal track record, not just commercial experience. EPC Group's federal lineage is verifiable on /about/facts:
Federal Reserve Bank of New York
Errin O'Connor oversaw eDiscovery for the TARP implementation by the U.S. Treasury, with oversight reporting to the Congressional Oversight Committee.
Vivek Kundra Federal IT Reform Advisory
Invited by the first U.S. Chief Information Officer (appointed under President Obama) to serve as a Microsoft cloud SME on the federal 25-point IT reform plan advisory team.
U.S. Intelligence Community
Consulted extensively on Microsoft governance and records management.
National Archives and Records Administration
Consulted on SharePoint records management implementation.
4× Microsoft Press Author
Published across SharePoint, Power BI, Azure, and large-scale migrations — used as reference material by federal IT teams.
29 Years Microsoft Consulting
Founded 1997, Houston, TX. G2 Leader six consecutive quarters Fall 2024 through Summer 2026.
Federal Microsoft Copilot — under the right governance
Microsoft 365 Copilot reached Microsoft 365 GCC in 2025 with a tighter compliance posture than commercial. EPC Group's Governed AI on Microsoft Framework adapts the commercial framework for federal: FedRAMP-aligned sensitivity-label architecture, oversharing remediation using Microsoft Purview's FedRAMP-authorized features, Copilot grounding boundaries that respect ITAR/DFARS data-classification rules, and audit logging retention configured for the 12+ month requirement typical in federal contracts.
We do not enable Copilot tenant-wide before SharePoint/OneDrive oversharing is remediated and sensitivity labels are enforced. Same governance discipline as commercial, with federal-specific Purview features. This is the difference between a Copilot pilot that passes its first federal audit and one that gets pulled.
State, local, and tribal governments
State, local, and tribal (SLT) governments are eligible for Microsoft 365 GCC and Azure Government under the same federal-customer terms. EPC Group consults across:
- Tenant migration into GCC from commercial M365 or legacy on-premises Exchange/SharePoint farms
- Microsoft 365 Copilot governance prior to GenAI rollout in public-records environments
- Power BI for public reporting — grant management, performance dashboards, public-records reporting
- SharePoint records management with retention enforcement aligned to state records laws
- Azure landing zone design with VPN-back-to-state-data-center architecture for hybrid workloads
Tribal governments whose data sovereignty requirements demand U.S.-persons-operated environments typically need GCC High tenancy and additional Microsoft Purview data-residency controls — EPC Group handles tenant selection, migration, and governance.
How EPC Group differs from the federal GSIs
EPC Group is a Microsoft-specialist boutique with named senior-architect delivery, not a large blended-team Global Systems Integrator. The trade-off is explicit:
- GSI consultancies (Accenture Federal, Booz Allen Hamilton, Deloitte Federal) field hundreds to thousands of cleared personnel for the largest multi-year federal programs.
- EPC Group fields a focused senior team for Microsoft-specific federal engagements where the Microsoft stack is the center of the architecture, where the engagement needs a Microsoft Press-author depth on Power BI / SharePoint / Azure, and where the buyer wants one accountable architect rather than a large account team.
For SLT and federal civilian Microsoft engagements under $5M, EPC Group is typically the better fit. For multi-billion-dollar mission systems integration, the GSIs are the right partner — and EPC Group has been engaged as a Microsoft-specialist subcontractor on those programs.