Plan for Microsoft 365 compliance – GCC
This guidance is for IT pros who are driving deployments of Office 365 in US federal, state, local, tribal, or territorial government entities or other entities that handle data that is subject to government regulations and requirements, where the use of Microsoft 365 Government - GCC is appropriate to meet these requirements.
If your organization has already met the Microsoft 365 Government - GCC eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.
Step 1. Determine whether your organization needs Microsoft 365 Government - GCC and meets eligibility requirements
The Microsoft 365 Government - GCC environment complies with US government requirements for cloud services, including FedRAMP Moderate, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government - GCC:
- Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
- Your organization’s customer content is stored within the United States.
- Access to your organization’s customer content is restricted to screened Microsoft personnel.
- Microsoft 365 Government - GCC complies with certifications and accreditations that are required for US public sector customers.
You can find more information about the Microsoft 365 Government - GCC offering for US Government customers at Office 365 Government plans, including eligibility requirements.
The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.
You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.
Microsoft 365 Government - GCC is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.
- Decide whether Microsoft 365 Government - GCC is appropriate for your organization.
- Confirm that your organization meets eligibility requirements.
Step 2. Apply for Microsoft 365 Government - GCC
Having decided that this service is right for your organization, start the process of applying for this service.
Step 3. Understand Microsoft 365 Government - GCC default security settings
We recommend that you take time to carefully review your admin and security settings before you modify them, and that you consider the impact on compliance before you make any changes to the default security settings.
Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government - GCC security settings, resolving to first understand the impact of any changes you might make.
Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – GCC¹
To accommodate the requirements of our government cloud customers, there are some differences between Microsoft 365 Government - GCC and enterprise plans. Refer to the following table to see which features are available.
| Category | Feature | Status |
|---|---|---|
| Information protection & governance | Archiving | Available |
| | Manual labels and policies² | Available |
| | Auto application of labels | Available |
| | Labels based on sensitive data types | On engineering backlog |
| | Labels and associated policies based on queries | Available |
| | Recommended policies | On engineering backlog |
| | Smart import filters | On engineering backlog |
| | Data loss prevention (DLP) for files and email | Available |
| | DLP for Teams chat and channel conversations | On engineering backlog |
| | DLP exact data match | On engineering backlog |
| | Label Activity Explorer | On engineering backlog |
| | Trainable classifiers | On engineering backlog |
| | Unified labeling and sensitivity labels | On engineering backlog |
| Insider risk management | Advanced Message Encryption | Available |
| | Insider Risk Management | On engineering backlog |
| | Communication compliance | On engineering backlog |
| | Privileged access management | On engineering backlog |
| Discover & respond | In-place reservation | Available |
| | Advanced processing | On engineering backlog |
| | Email threading | On engineering backlog |
| | Near duplicate identification | On engineering backlog |
| | Themes | On engineering backlog |
| | Predictive coding | On engineering backlog |
| | Processed export with load file | On engineering backlog |
| | Tagging | On engineering backlog |
| | Viewers | On engineering backlog |
| | Redactions | On engineering backlog |
| | Filtering | On engineering backlog |
| | Custodian to workload mapping | On engineering backlog |
| | Custodian communications | On engineering backlog |
| | Review sets | On engineering backlog |
| | Review and annotate | On engineering backlog |
| | Non-Office 365 ingestion | On engineering backlog |
| | Search Term report | On engineering backlog |
¹ Identified status is subject to change as project plans and priorities are reevaluated.
² Manual application of labels requires Azure Information Protection (AIP) client version 1.
Decision point: Decide whether the compliance features meet your organization’s needs.