Plan for Microsoft 365 compliance – GCC High
This guidance is for IT pros who are driving deployments of Office 365 in US Federal Government entities or other entities that handle data that’s subject to government regulations and requirements, where the use of Microsoft 365 Government – GCC High is appropriate to meet these requirements.
Note
If your organization has already met the Microsoft 365 Government – GCC High eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.
Step 1. Determine whether your organization needs Microsoft 365 Government – GCC High and meets eligibility requirements
The Microsoft 365 Government - GCC High environment complies with US Government requirements for cloud services. In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government – GCC High:
- Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
- Your organization’s customer content is stored within the United States.
- Access to your organization’s customer content is restricted to screened Microsoft personnel.
- Microsoft 365 Government – GCC High complies with certifications and accreditations that are required for US public sector customers.
You can find more information about the Microsoft 365 Government – GCC High offering for US Government customers at Office 365 Government plans, including eligibility requirements.
The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.
Tip
You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.
Decision points:
- Decide whether Microsoft 365 Government – GCC High is appropriate for your organization.
- Confirm that your organization meets eligibility requirements.
Note
Microsoft 365 Government - GCC High is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.
Step 2. Apply for Microsoft 365 Government – GCC High
Having decided that this service is right for your organization, start the process of applying for this service.
Step 3. Understand Microsoft 365 Government – GCC High default security settings
We recommend that you carefully review your admin and security settings before you modify them, and that you consider the impact on compliance before you make any changes to the default security settings.
Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government – GCC High security settings, but only after you understand the impact of any changes you might make.
Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – GCC High¹
To meet the requirements of our government cloud customers, there are some differences between Microsoft 365 Government – GCC High and enterprise plans. Refer to the following table to see which features are available. See here for the latest compliance product updates published on the Microsoft 365 roadmap.
| Area | Feature | GCC Status |
|---|---|---|
| Information protection | Unified labeling client and scanner | Available |
| | Exact data match | Available |
| | Automatic classification and labeling for Exchange Online, SharePoint Online, and OneDrive | Rolling out |
| | Automatic classification and labeling for Office apps (Word, Excel, PowerPoint, Outlook) across web, Android, iOS, Windows, and Mac | In development |
| | Automatic classification and labeling for Office clients (Mobile) | On engineering backlog |
| | Automatic classification and labeling for Teams | On engineering backlog |
| | Data classification analytics: Overview and Content Explorer | On engineering backlog |
| | Analytics: Machine learning classifiers with auto labeling on service side | On engineering backlog |
| | Analytics: Machine learning classifiers with auto labeling on Office apps/client side | On engineering backlog |
| | Basic Office 365 Message Encryption (E3) | Available |
| | Advanced Office 365 Message Encryption (E5) | Available |
| | Customer Key for Office 365 | Available |
| | Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | Available |
| | Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios (Preview) | Available |
| | Double Key Encryption | Available |
| | Encryption: Co-authoring on encrypted documents using WXP web apps | On engineering backlog |
| | Data loss prevention (DLP) for files and email | Available |
| | DLP for Teams chat and channel conversations | On engineering backlog |
| | DLP Endpoint | On engineering backlog |
| Information governance | Information governance: Email Archiving | Available |
| | Information governance: Preservation lock | Available |
| | Information governance: Import PST | Available |
| | Information governance: Manual non-record retention labels | Available |
| | Information governance: Default retention labels for SharePoint/OneDrive for Business libraries, folders, and document sets; Exchange inboxes; and Office 365 Groups | Available |
| | Information governance: Retention policies to entire organization; specific locations or users; automatically based on specific condition (for example, keywords or sensitive information); and based on an event | Available |
| | Information governance: Retention policies for Teams | On engineering backlog |
| | Information governance: Retention labels using SharePoint Syntex classification | On engineering backlog |
| | Information governance: Retention policies with trainable classifiers | On engineering backlog |
| | Information governance: Retention policies for Teams meeting recording | On engineering backlog |
| | Information governance: Retention policies for Yammer | On engineering backlog |
| | Records management: Manual classification for record labels | Available |
| | Records management: Default record labels for SharePoint, OneDrive for Business libraries, folders, and document sets; and Office 365 groups | Available |
| | Records management: Automatic record policies based on specific conditions (for example, keywords or sensitive information); and based on an event | Available |
| | Records management: Disposition review | Available |
| | Records management: File plan manager | Available |
| | Records management: Proof of disposal | Available |
| | Records management: Records versioning | Available |
| | Records management: Regulatory records | On engineering backlog |
| | Records management: Multi-stage disposition review | On engineering backlog |
| | Records management: Use SharePoint Syntex classification to apply record labels | On engineering backlog |
| Insider risk management | Customer Lockbox | Available |
| | Insider Risk Management: Office indicators for Teams, SharePoint sites, email messaging | In development |
| | Insider Risk Management: Data theft by departing users | In development |
| | Insider Risk Management: General data leaks | In development |
| | Insider Risk Management: Investigate insider risk management alerts | In development |
| | Insider Risk Management: Case dashboard, content explorer and notice templates | In development |
| | Insider Risk Management: Escalate for investigation for Advanced eDiscovery | In development |
| | Insider Risk Management: Device indicators for activity on Windows 10 Build 1809 and higher | On engineering backlog |
| | Insider Risk Management: Indicators for security policy violation (preview) | On engineering backlog |
| | Insider Risk Management: Indicators for Microsoft Defender for Endpoint alerts (preview) | On engineering backlog |
| | Insider Risk Management: Policy templates for data leaks by priority users (preview) | On engineering backlog |
| | Insider Risk Management: Policy templates for data leaks by disgruntled users (preview) | On engineering backlog |
| | Insider Risk Management: Policy templates for general security policy violations (preview) | On engineering backlog |
| | Insider Risk Management: Policy templates for security policy violations by priority users, departing users, disgruntled users (preview) | On engineering backlog |
| | Insider Risk Management: Policy customization (preview) | On engineering backlog |
| | Insider Risk Management: Export alerts (preview) | On engineering backlog |
| | Insider Risk Management: Priority user groups (preview) | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Create customer policies, 3 pre-configured | In development |
| | Communication Compliance (incl. Supervision policies): Support for Teams, Exchange, and remove Teams message | In development |
| | Communication Compliance (incl. Supervision policies): Access alerts; notice templates; communication policy dashboard | In development |
| | Communication Compliance (incl. Supervision policies): Escalate for investigation for Advanced eDiscovery | In development |
| | Communication Compliance (incl. Supervision policies): Detect adult content | In development |
| | Communication Compliance (incl. Supervision policies): Detects repeat code of conduct violation over time | Rolling out |
| | Communication Compliance (incl. Supervision policies): Support for more granular permissions | Rolling out |
| | Communication Compliance (incl. Supervision policies): Analyze Teams chat data of users with on-prem mailbox | Rolling out |
| | Communication Compliance (incl. Supervision policies): Conflict of interest template | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Ability to ignore email signature or disclaimer | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Insider risk management hand-off | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Policy health check and ability to pause policy | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Translate health content during investigation | On engineering backlog |
| | Communication Compliance (incl. Supervision policies): Burnout and suicide detection | On engineering backlog |
| | Information barriers | On engineering backlog |
| | Privileged access management | On engineering backlog |
| Discover & respond | Core eDiscovery: In-place preservation | Available |
| | Core eDiscovery: Case management | Available |
| | Core eDiscovery: Search | Available |
| | Core eDiscovery: Export | Available |
| | Core eDiscovery: RMS decryption | Available |
| | Core eDiscovery: Native export | Available |
| | Core eDiscovery: Auditing | Available |
| | Core eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin | In development |
| | Advanced eDiscovery: Advanced processing | Available |
| | Advanced eDiscovery: Custodian to workload mapping | Available |
| | Advanced eDiscovery: Custodian communications | Available |
| | Advanced eDiscovery: Dashboard | Available |
| | Advanced eDiscovery: Email threading | Available |
| | Advanced eDiscovery: Export (download, export, add to another review set) | Available |
| | Advanced eDiscovery: Filtering | Available |
| | Advanced eDiscovery: Legal hold for Teams private channels messages | Available |
| | Advanced eDiscovery: Near duplicate identification | Available |
| | Advanced eDiscovery: Non-custodial data sources | Available |
| | Advanced eDiscovery: Non-Office 365 ingestion | Available |
| | Advanced eDiscovery: Predictive coding | Available |
| | Advanced eDiscovery: Processed export with load file | Available |
| | Advanced eDiscovery: Redactions | Available |
| | Advanced eDiscovery: Review sets | Available |
| | Advanced eDiscovery: Review data (query data, smart tags, dashboard) and annotate (redact) | Available |
| | Advanced eDiscovery: Search Term report | Available |
| | Advanced eDiscovery: Single item error remediation | Available |
| | Advanced eDiscovery: Support PST export | Rolling out |
| | Advanced eDiscovery: Supporting linked content from OneDrive and SharePoint Online (modern attachments) | Available |
| | Advanced eDiscovery: Tagging | Available |
| | Advanced eDiscovery: Tenant reports | Available |
| | Advanced eDiscovery: Themes | Available |
| | Advanced eDiscovery: Viewers | Available |
| | Advanced eDiscovery: Yammer Advanced eDiscovery in the Microsoft Compliance Center | Available |
| | Advanced eDiscovery: CJK/Double byte support for Advanced eDiscovery | In development |
| | Advanced eDiscovery: Support Teams reactions | In development |
| | Advanced eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin | On engineering backlog |
| | Basic audit | Available |
| | Advanced Audit: Access to crucial events (for example, mailitemsaccessed) | Available |
| | Advanced Audit: Increased bandwidth to management activity API | Available |
| | Advanced Audit: Legal hold for Teams private channels messages | Available |
| | Advanced Audit: Log retention (1 year) | Rolling out |
| | Advanced Audit: Security and Compliance Center availability | Available |
| | Advanced Audit: Longer term retention on audit logs (10 years) | On engineering backlog |
| | Advanced Audit: Mail forward and mail send events | On engineering backlog |
| | Advanced Audit: Processed audit insights | On engineering backlog |
| | Advanced Audit: Search term events in Exchange Online and SharePoint Online | On engineering backlog |
| Compliance Management | Microsoft 365 Security and Compliance Center | Available |
| | Compliance Manager | Available |
| | Microsoft Cloud App Security | Available |
| | Double byte character support | On engineering backlog |
| Ecosystem | Graph APIs for Advanced eDiscovery | In development |
| | First-party data connectors | On engineering backlog |
| | Third-party data connectors | On engineering backlog |
| | Graph APIs for Teams export data | On engineering backlog |
¹ Identified status is subject to change as project plans and priorities are reevaluated.
Decision point: Decide whether the compliance features meet your organization’s needs.