Plan for Microsoft 365 compliance – GCC High

This guidance is for IT pros who are driving deployments of Office 365 in US Federal Government entities or other entities that handle data that’s subject to government regulations and requirements, where the use of Microsoft 365 Government – GCC High is appropriate to meet these requirements.

Note

If your organization has already met the Microsoft 365 Government – GCC High eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.

Step 1. Determine whether your organization needs Microsoft 365 Government – GCC High and meets eligibility requirements

The Microsoft 365 Government - GCC High environment complies with US Government requirements for cloud services. In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government – GCC High:

  • Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
  • Your organization’s customer content is stored within the United States.
  • Access to your organization’s customer content is restricted to screened Microsoft personnel.
  • Microsoft 365 Government – GCC High complies with certifications and accreditations that are required for US public sector customers.

You can find more information about the Microsoft 365 Government – GCC High offering for US Government customers at Office 365 Government plans, including eligibility requirements.

The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.

Tip

You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.

Decision points:

  • Decide whether Microsoft 365 Government – GCC-High is appropriate for your organization.
  • Confirm that your organization meets eligibility requirements.

Note

Microsoft 365 Government - GCC High is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.

Step 2. Apply for Microsoft 365 Government – GCC-High

Having decided that this service is right for your organization, start the process of applying for this service.

Step 3. Understand Microsoft 365 Government – GCC-High default security settings

We recommend that you take time to carefully review your admin and security settings before you modify them and consider the impact on compliance before you make any changes to the default security settings.

Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government – GCC-High security settings, resolving to first understand the impact of any changes you might make.

Step 4. Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – GCC-High1

To meet the requirements of our government cloud customers, there are some differences between Microsoft 365 Government – GCC-High and enterprise plans. Refer to the following table to see which features are available. See here for the latest compliance product updates published on the Microsoft 365 roadmap.

Area Feature GCC Status
Information protection Unified labeling client and scanner Available
Exact data match Available
Automatic classification and labeling for Exchange Online, SharePoint Online, and OneDrive Rolling out
Automatic classification and labeling for Office apps (Word, Excel, PowerPoint, Outlook) across web, Android, iOS, Windows, and Mac In development
Automatic classification and labeling for Office clients (Mobile) On engineering backlog
Automatic classification and labeling for Teams On engineering backlog
Data classification analytics: Overview and Content Explorer On engineering backlog
Analytics: Machine learning classifiers with auto labeling on service side On engineering backlog
Analytics: Machine learning classifiers with auto labeling on Office apps/client side On engineering backlog
Basic Office 365 Message Encryption (E3) Available
Advanced Office 365 Message Encryption (E5) Available
Customer Key for Office 365 Available
Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle Available
Hold Your Own Key (HYOK) that spans Azure Information Protection and Active Directory (AD) Rights Management for highly regulated scenarios (Preview) Available
Double Key Encryption Available
Encryption: Co-authoring on encrypted documents using WXP web apps On engineering backlog
Data loss prevention (DLP) for files and email Available
DLP for Teams chat and channel conversations On engineering backlog
DLP Endpoint On engineering backlog
Information governance Information governance: Email Archiving Available
Information governance: Preservation lock Available
Information governance: Import PST Available
Information governance: Manual non-record retention labels Available
Information governance: Default retention labels for SharePoint/OneDrive for Business libraries, folders, and document sets; Exchange inboxes; and Office 365 Groups Available
Information governance: Retention policies to entire organization; specific locations or users; automatically based on specific condition (for example, keywords or sensitive information); and based on an event Available
Information governance: Retention policies for Teams On engineering backlog
Information governance: Retention labels using SharePoint Syntex classification On engineering backlog
Information governance: Retention policies with trainable classifiers On engineering backlog
Information governance: Retention policies for Teams meeting recording On engineering backlog
Information governance: Retention policies for Yammer On engineering backlog
Records management: Manual classification for record labels Available
Records management: Default record labels for SharePoint, OneDrive for Business libraries, folders, and document sets; and Office 365 groups Available
Records management: Automatic record policies based on specific conditions (for example, keywords or sensitive information); and based on an event Available
Records management: Disposition review Available
Records management: File plan manager Available
Records management: Proof of disposal Available
Records management: Records versioning Available
Records management: Regulatory records On engineering backlog
Records management: Multi-stage disposition review On engineering backlog
Records management: Use SharePoint Syntex classification to apply record labels On engineering backlog
Insider risk management Customer Lockbox Available
Insider Risk Management: Office indicators for Teams, SharePoint sites, email messaging In development
Insider Risk Management: Data theft by departing users In development
Insider Risk Management: General data leaks In development
Insider Risk Management: Investigate insider risk management alerts In development
Insider Risk Management: Case dashboard, content explorer and notice templates In development
Insider Risk Management: Escalate for investigation for Advanced eDiscovery In development
Insider Risk Management: Device indicators for activity on Windows 10 Build 1809 and higher On engineering backlog
Insider Risk Management: Indicators for security policy violation (preview) On engineering backlog
Insider Risk Management: Indicators for Microsoft Defender for Endpoint alerts (preview) On engineering backlog
Insider Risk Management: Policy templates for data leaks by priority users (preview) On engineering backlog
Insider Risk Management: Policy templates for data leaks by disgruntled users (preview) On engineering backlog
Insider Risk Management: Policy templates for general security policy violations (preview) On engineering backlog
Insider Risk Management: Policy templates for security policy violations by priority users, departing users, disgruntled users (preview) On engineering backlog
Insider Risk Management: Policy customization (preview) On engineering backlog
Insider Risk Management: Export alerts (preview) On engineering backlog
Insider Risk Management: Priority user groups (preview) On engineering backlog
Communication Compliance (incl. Supervision policies): Create customer policies, 3 pre-configured In development
Communication Compliance (incl. Supervision policies): Support for Teams, Exchange, and remove Teams message In development
Communication Compliance (incl. Supervision policies): Access alerts; notice templates; communication policy dashboard In development
Communication Compliance (incl. Supervision policies): Escalate for investigation for Advanced eDiscovery In development
Communication Compliance (incl. Supervision policies): Detect adult content In development
Communication Compliance (incl. Supervision policies): Detects repeat code of conduct violation over time Rolling out
Communication Compliance (incl. Supervision policies): Support for more granular permissions Rolling out
Communication Compliance (incl. Supervision policies): Analyze Teams chat data of users with on-prem mailbox Rolling out
Communication Compliance (incl. Supervision policies): Conflict of interest template On engineering backlog
Communication Compliance (incl. Supervision policies): Ability to ignore email signature or disclaimer On engineering backlog
Communication Compliance (incl. Supervision policies): Insider risk management hand-off On engineering backlog
Communication Compliance (incl. Supervision policies): Policy health check and ability to pause policy On engineering backlog
Communication Compliance (incl. Supervision policies): Translate health content during investigation On engineering backlog
Communication Compliance (incl. Supervision policies): Burnout and suicide detection On engineering backlog
Information barriers On engineering backlog
Privileged access management On engineering backlog
Discover & respond Core eDiscovery: In-place preservation Available
Core eDiscovery: Case management Available
Core eDiscovery: Search Available
Core eDiscovery: Export Available
Core eDiscovery: RMS decryption Available
Core eDiscovery: Native export Available
Core eDiscovery: Auditing Available
Core eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin In development
Advanced eDiscovery: Advanced processing Available
Advanced eDiscovery: Custodian to workload mapping Available
Advanced eDiscovery: Custodian communications Available
Advanced eDiscovery: Dashboard Available
Advanced eDiscovery: Email threading Available
Advanced eDiscovery: Export (download, export, add to another review set) Available
Advanced eDiscovery: Filtering Available
Advanced eDiscovery: Legal hold for Teams private channels messages Available
Advanced eDiscovery: Near duplicate identification Available
Advanced eDiscovery: Non-custodial data sources Available
Advanced eDiscovery: Non-Office 365 ingestion Available
Advanced eDiscovery: Predictive coding Available
Advanced eDiscovery: Processed export with load file Available
Advanced eDiscovery: Redactions Available
Advanced eDiscovery: Review sets Available
Advanced eDiscovery: Review data (query data, smart tags, dashboard) and annotate (redact) Available
Advanced eDiscovery: Search Term report Available
Advanced eDiscovery: Single item error remediation Available
Advanced eDiscovery: Support PST export Rolling out
Advanced eDiscovery: Supporting linked content from OneDrive and SharePoint Online (modern attachments) Available
Advanced eDiscovery: Tagging Available
Advanced eDiscovery: Tenant reports Available
Advanced eDiscovery: Themes Available
Advanced eDiscovery: Viewers Available
Advanced eDiscovery: Yammer Advanced eDiscovery in the Microsoft Compliance Center Available
Advanced eDiscovery: CJK/Double byte support for Advanced eDiscovery In development
Advanced eDiscovery: Support Teams reactions In development
Advanced eDiscovery: Microsoft Compliance Center expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin On engineering backlog
Basic audit Available
Advanced Audit: Access to crucial events (for example, mailitemsaccessed) Available
Advanced Audit: Increased bandwidth to management activity API Available
Advanced Audit: Legal hold for Teams private channels messages Available
Advanced Audit: Log retention (1 year) Available
Advanced Audit: Security and Compliance Center availability Available
Advanced Audit: Longer term retention on audit logs On engineering backlog
Advanced Audit: Mail forward and mail send events On engineering backlog
Advanced Audit: Processed audit insights On engineering backlog
Advanced Audit: Search term events in Exchange Online and SharePoint Online On engineering backlog
Compliance Management Microsoft 365 Security and Compliance Center Available
Compliance Manager Rolling out
Microsoft Cloud App Security Available
Double byte character support On engineering backlog
Ecosystem Graph APIs for Advanced eDiscovery In development
First-party data connectors On engineering backlog
Third-party data connectors On engineering backlog
Graph APIs for Teams export data On engineering backlog

1 Identified status is subject to change as project plans and priorities are reevaluated.

Decision point: Decide whether the compliance features meet your organization’s needs.