by nonameiguess 41 days ago
You need an ATO for any government software, not just IL6 and higher. What you're experiencing is cloud service providers only get a provisional ATO for their services. Full compliance with IL5 isolation requirements involves controls both on Microsoft's side and on your side. They have some rough documentation here (https://learn.microsoft.com/en-us/azure/compliance/offerings...) and here (https://learn.microsoft.com/en-us/azure/azure-government/doc...). If you can figure out what you need to do from reading that, well, you're better qualified than I am. It's complicated. I don't think this is on your IT team. The government makes this hard.

If you've been out of the game a while, things got significantly more difficult ten years ago around the time of the OPM breach. CMMC2 requirements got a lot stricter. The only bright side here is everyone is subject to the same bullshit, so you're not at any competitive disadvantage. I get how frustrating it is. We've all been there. But go easy on your own team. It's just as frustrating for them.