Plan for Microsoft 365 compliance – GCC
This guidance is for IT pros who are driving deployments of Office 365 in US federal, state, local, tribal, or territorial government entities or other entities that handle data that is subject to government regulations and requirements, where the use of Microsoft 365 Government - GCC is appropriate to meet these requirements.
Note
If your organization has already met the Microsoft 365 Government - GCC eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.
Step 1. Determine whether your organization needs Microsoft 365 Government - GCC and meets eligibility requirements
The Microsoft 365 Government - GCC environment complies with US government requirements for cloud services, including FedRAMP Moderate, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government - GCC:
- Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
- Your organization’s customer content is stored within the United States.
- Access to your organization’s customer content is restricted to screened Microsoft personnel.
- Microsoft 365 Government - GCC complies with certifications and accreditations that are required for US public sector customers.
You can find more information about the Microsoft 365 Government - GCC offering for US Government customers at Office 365 Government plans, including eligibility requirements.
The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.
Tip
You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.
Note
Microsoft 365 Government - GCC is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.
Decision points:
- Decide whether Microsoft 365 Government - GCC is appropriate for your organization.
- Confirm that your organization meets eligibility requirements.
Step 2. Apply for Microsoft 365 Government - GCC
Having decided that this service is right for your organization, start the process of applying for this service.
Step 3. Understand Microsoft 365 Government - GCC default security settings
We recommend that you carefully review your admin and security settings before you modify them, and that you consider the impact on compliance before you change any of the default security settings.
Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government - GCC security settings, resolving to first understand the impact of any changes you might make.
Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – GCC¹
To accommodate the requirements of our government cloud customers, there are some differences between Microsoft 365 Government - GCC and enterprise plans. Refer to the following table to see which features are available. See here for the latest compliance product updates published on Microsoft 365 roadmap.
Area | Feature | GCC Status |
---|---|---|
Information protection | Unified labeling client and scanner | Available |
Information protection | Exact data match | Available |
Information protection | Automatic classification and labeling for Exchange Online, SharePoint Online, and OneDrive | Rolling out |
Information protection | Automatic classification and labeling for Office app (Word, Excel, PowerPoint, Outlook) across platforms (web, Android, iOS, Windows, and Mac) | In development |
Information protection | Automatic classification and labeling for Office clients (Mobile) | On engineering backlog |
Information protection | Automatic classification and labeling for Teams | On engineering backlog |
Information protection | Data classification analytics: Overview and Content Explorer | On engineering backlog |
Information protection | Analytics: Machine learning classifiers with auto labeling on service side | On engineering backlog |
Information protection | Analytics: Machine learning classifiers with auto labeling on Office apps/client side | On engineering backlog |
Information protection | Basic Office 365 Message Encryption (E3) | Available |
Information protection | Advanced Office 365 Message Encryption (E5) | Available |
Information protection | Customer Key for Office 365 | Available |
Information protection | Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | Available |
Information protection | Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios (Preview) | Available |
Information protection | Double Key Encryption | Available |
Information protection | Encryption: Co-authoring on encrypted documents using WXP web apps | On engineering backlog |
Information protection | Data loss prevention (DLP) for files and email | Available |
Information protection | DLP for Teams chat and channel conversations | In development |
Information protection | DLP Endpoint | On engineering backlog |
Information governance | Information governance: Email Archiving | Available |
Information governance | Information governance: Preservation lock | Available |
Information governance | Information governance: Import PST | Available |
Information governance | Information governance: Manual non-record retention labels | Available |
Information governance | Information governance: Default retention labels for SharePoint, OneDrive for Business libraries, folders, and document sets; Exchange inboxes; and Office 365 Groups | Available |
Information governance | Information governance: Retention policies to entire organization; specific locations or users; automatically based on specific condition (for example, keywords or sensitive information); and based on an event | Available |
Information governance | Information governance: Retention policies for Teams | Available |
Information governance | Information governance: Retention labels using SharePoint Syntex classification | On engineering backlog |
Information governance | Information governance: Retention policies with trainable classifiers | On engineering backlog |
Information governance | Information governance: Retention policies for Teams meeting recording | On engineering backlog |
Information governance | Information governance: Retention policies for Yammer | On engineering backlog |
Information governance | Records management: Manual classification for record labels | Available |
Information governance | Records management: Default record labels for SharePoint, OneDrive for Business libraries, folders, and document sets; and Office 365 groups | Available |
Information governance | Records management: Automatic record policies based on specific conditions (for example, keywords or sensitive information); and based on an event | Available |
Information governance | Records management: Disposition review | Available |
Information governance | Records management: File plan manager | Available |
Information governance | Records management: Proof of disposal | Available |
Information governance | Records management: Records versioning | Available |
Information governance | Records management: Regulatory records (Public preview) | In development |
Information governance | Records management: Multi-stage disposition review | On engineering backlog |
Information governance | Records management: Use SharePoint Syntex classification to apply record labels | On engineering backlog |
Insider risk management | Customer Lockbox | Available |
Insider risk management | Insider Risk Management: Office indicators for Teams, SharePoint sites, email messaging | In development |
Insider risk management | Insider Risk Management: Data theft by departing users | In development |
Insider risk management | Insider Risk Management: General data leaks | In development |
Insider risk management | Insider Risk Management: Investigate insider risk management alerts | In development |
Insider risk management | Insider risk management: Case dashboard, content explorer and notice templates | In development |
Insider risk management | Insider Risk Management: Escalate for investigation for Advanced eDiscovery | In development |
Insider risk management | Insider Risk Management: Device indicators for activity on Windows 10 Build 1809 and higher | On engineering backlog |
Insider risk management | Insider Risk Management: Indicators for security policy violation (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Indicators for Microsoft Defender for Endpoint alerts (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Policy templates for data leaks by priority users (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Policy templates for data leaks by disgruntled users (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Policy templates for general security policy violations (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Policy templates for security policy violations by priority users, departing users, disgruntled users (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Policy customization (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Export alerts (preview) | On engineering backlog |
Insider risk management | Insider Risk Management: Priority user groups (preview) | On engineering backlog |
Insider risk management | Communication compliance (incl. Supervision policies): Create customer policies, 3 pre-configured | Rolling out |
Insider risk management | Communication compliance (incl. Supervision policies): Support for Teams, Exchange, and remove Teams message | Rolling out |
Insider risk management | Communication Compliance (incl. Supervision policies): Access alerts; notice templates; communication policy dashboard | Rolling out |
Insider risk management | Communication Compliance (incl. Supervision policies): Escalate for investigation for Advanced eDiscovery | Rolling out |
Insider risk management | Communication Compliance (incl. Supervision policies): Detect adult content | Rolling out |
Insider risk management | Communication Compliance: Detects repeat code of conduct violation over time | Rolling out |
Insider risk management | Communication Compliance: Support for more granular permissions | Rolling out |
Insider risk management | Communication Compliance: Analyze Teams chat data of users with on-prem mailbox | Rolling out |
Insider risk management | Communication Compliance: Conflict of interest template | On engineering backlog |
Insider risk management | Communication Compliance: Ability to ignore email signature or disclaimer | On engineering backlog |
Insider risk management | Communication Compliance: Insider risk management hand-off | On engineering backlog |
Insider risk management | Communication Compliance: Policy health check and ability to pause policy | On engineering backlog |
Insider risk management | Communication Compliance: Translate health content during investigation | On engineering backlog |
Insider risk management | Communication Compliance: Burnout and suicide detection | On engineering backlog |
Insider risk management | Information barriers | On engineering backlog |
Insider risk management | Privileged access management | On engineering backlog |
Discover & respond | Core eDiscovery: In-place preservation | Available |
Discover & respond | Core eDiscovery: Auditing | Available |
Discover & respond | Core eDiscovery: Case management | Available |
Discover & respond | Core eDiscovery: Export | Available |
Discover & respond | Core eDiscovery: Native export | Available |
Discover & respond | Core eDiscovery: RMS decryption | Available |
Discover & respond | Core eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business Recycle bin | In development |
Discover & respond | Advanced eDiscovery: Advanced processing | Available |
Discover & respond | Advanced eDiscovery: Dashboard | Available |
Discover & respond | Advanced eDiscovery: Email threading | Available |
Discover & respond | Advanced eDiscovery: Export (download, export, add to another view set) | Available |
Discover & respond | Advanced eDiscovery: Filtering | Available |
Discover & respond | Advanced eDiscovery: Legal hold for Teams private channels messages | Available |
Discover & respond | Advanced eDiscovery: Near duplicate identification | Available |
Discover & respond | Advanced eDiscovery: Non-custodial data sources | Available |
Discover & respond | Advanced eDiscovery: Non-Office 365 ingestion | Available |
Discover & respond | Advanced eDiscovery: Predictive coding | Available |
Discover & respond | Advanced eDiscovery: Processed export with load file | Available |
Discover & respond | Advanced eDiscovery: Redactions | Available |
Discover & respond | Advanced eDiscovery: Review sets | Available |
Discover & respond | Advanced eDiscovery: Review data (query data, smart tags, dashboard) and annotate (redact) | Available |
Discover & respond | Advanced eDiscovery: Search Term report | Available |
Discover & respond | Advanced eDiscovery: Single item error remediation | Available |
Discover & respond | Advanced eDiscovery: Support PST Export | Available |
Discover & respond | Advanced eDiscovery: Supporting linked content from OneDrive and SharePoint Online (modern attachments) | Available |
Discover & respond | Advanced eDiscovery: Tagging | Available |
Discover & respond | Advanced eDiscovery: Tenant reports | Available |
Discover & respond | Advanced eDiscovery: Themes | Available |
Discover & respond | Advanced eDiscovery: Viewers | Available |
Discover & respond | Advanced eDiscovery: Yammer Advanced eDiscovery in the Microsoft Compliance Center | Available |
Discover & respond | Advanced eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business recycle bin | In development |
Discover & respond | Advanced eDiscovery: Teams reactions support | In development |
Discover & respond | Basic audit | Available |
Discover & respond | Advanced Audit: Access to crucial events (for example, mailitemsaccessed) | Available |
Discover & respond | Advanced Audit: Increased bandwidth to management activity API | Available |
Discover & respond | Advanced Audit: Legal hold for Teams private channels messages | Available |
Discover & respond | Advanced Audit: Log retention (1 year) | Rolling out |
Discover & respond | Advanced Audit: Security and Compliance Center | Available |
Discover & respond | Advanced Audit: Longer term retention on audit logs (10 years) | On engineering backlog |
Discover & respond | Advanced Audit: Mail forward and mail send events | On engineering backlog |
Discover & respond | Advanced Audit: Processed audit insights | On engineering backlog |
Discover & respond | Advanced Audit: Search term events in Exchange Online and SharePoint Online | On engineering backlog |
Compliance Management | Microsoft 365 Security and Compliance Center | Available |
Compliance Management | Compliance Manager | Available |
Compliance Management | Microsoft Cloud App Security | On engineering backlog |
Compliance Management | Double byte character support | On engineering backlog |
Ecosystem | Graph APIs for Advanced eDiscovery | In development |
Ecosystem | First-party data connectors | On engineering backlog |
Ecosystem | Third-party data connectors | On engineering backlog |
Ecosystem | Graph APIs for Teams export data | On engineering backlog |
¹ Identified status is subject to change as project plans and priorities are reevaluated.
Decision point: Decide whether the compliance features meet your organization’s needs.