Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

NIST 800-171 (Maybe)?

The article states: "DFARS mandates the implementation of NIST 800-171 AND FedRamp Moderate Impact Level for Commercial clouds."

The DFAR 252.204.7012 rule does not state NIST 800-171 AND Fedramp Moderate impact. DFAR rule states "If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline" 

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

Most understand that there is a shared responsibility for security implementation of DFARS 7012 rule.  The DoD customer has a responsibility to properly configure their tenant to meet "our" requirement for 800-171. Where is Microsoft obtaining information suggesting that both FedRamp and 800-171 are required from cloud commercial service providers?