Plan for Microsoft 365 compliance – GCC

This guidance is for IT pros who are driving deployments of Office 365 in US federal, state, local, tribal, or territorial government entities or other entities that handle data that is subject to government regulations and requirements, where the use of Microsoft 365 Government - GCC is appropriate to meet these requirements.


If your organization has already met the Microsoft 365 Government - GCC eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.

Step 1. Determine whether your organization needs Microsoft 365 Government - GCC and meets eligibility requirements

The Microsoft 365 Government - GCC environment complies with US government requirements for cloud services, including FedRAMP Moderate, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).

In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government - GCC:

  • Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.

  • Your organization’s customer content is stored within the United States.

  • Access to your organization’s customer content is restricted to screened Microsoft personnel.

  • Microsoft 365 Government - GCC complies with certifications and accreditations that are required for US public sector customers.

You can find more information about the Microsoft 365 Government - GCC offering for US Government customers, including eligibility requirements, at Office 365 Government plans.

The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.


You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: "Relevant for my organization Y/N" and "Meets the needs of my organization Y/N". Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.


Microsoft 365 Government - GCC is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.

Decision points:

  • Decide whether Microsoft 365 Government - GCC is appropriate for your organization.
  • Confirm that your organization meets eligibility requirements.

Step 2. Apply for Microsoft 365 Government - GCC

Having decided that this service is right for your organization, start the process of applying for this service.

Step 3. Understand Microsoft 365 Government - GCC default security settings

We recommend that you carefully review your admin and security settings, and consider the impact on compliance, before you make any changes to the default security settings.

Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government - GCC security settings, and first understand the impact of any changes you might make.

Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government - GCC¹

To accommodate the requirements of our government cloud customers, there are some differences between Microsoft 365 Government - GCC and enterprise plans. Refer to the following table to see which features are available.

| Category | Feature | GCC Status |
| --- | --- | --- |
| Information protection & governance | Archiving | Available |
| | Manual labels and policies² | Available |
| | Auto application of labels | Available |
| | Labels based on sensitive data types | On engineering backlog |
| | Labels and associated policies based on queries | Available |
| | File plan | Available |
| | Recommended policies | On engineering backlog |
| | Smart import filters | On engineering backlog |
| | Event-based retention | Available |
| | Disposition review | Available |
| | Information barriers | Available |
| | Data loss prevention (DLP) for files and email | Available |
| | DLP for Teams chat and channel conversations | On engineering backlog |
| | DLP exact data match | On engineering backlog |
| | Label Activity Explorer | On engineering backlog |
| | Trainable classifiers | On engineering backlog |
| | Unified labeling and sensitivity labels | On engineering backlog |
| Insider risk management | Advanced Message Encryption | Available |
| | Insider Risk Management | On engineering backlog |
| | Communication compliance | On engineering backlog |
| | Customer Lockbox | Available |
| | Customer Key | Available |
| | Privileged access management | On engineering backlog |
| Discover & respond | In-place reservation | Available |
| | Case management | Available |
| | Search | Available |
| | Export | Available |
| | RMS decryption | Available |
| | Native export | Available |
| | Auditing | Available |
| | Advanced processing | On engineering backlog |
| | Email threading | On engineering backlog |
| | Near duplicate identification | On engineering backlog |
| | Themes | On engineering backlog |
| | Predictive coding | On engineering backlog |
| | Processed export with load file | On engineering backlog |
| | Tagging | On engineering backlog |
| | Viewers | On engineering backlog |
| | Redactions | On engineering backlog |
| | Filtering | On engineering backlog |
| | Custodian to workload mapping | On engineering backlog |
| | Custodian communications | On engineering backlog |
| | Review sets | On engineering backlog |
| | Review and annotate | On engineering backlog |
| | Non-Office 365 ingestion | On engineering backlog |
| | Search Term report | On engineering backlog |

¹ Identified status is subject to change as project plans and priorities are reevaluated.
² Manual application of labels requires Azure Information Protection (AIP) client version 1.

Decision point: Decide whether the compliance features meet your organization’s needs.