Can Microsoft 365 support records management compliance? Take a strategic approach.

Microsoft 365 (M365) has evolved into a strategic enterprise collaboration and content platform for many federal agencies. Federal records officers must provide solutions that complement and enhance M365 in order to achieve records compliance and information governance objectives.

Memorandum M-23-07, and its predecessor M-19-21, issued by the Office of Management and Budget (OMB), and the National Archives and Records Administration (NARA)—directs all agencies to start their transition to electronic records keeping. It sets deadlines by which agencies must be managing and submitting all of their records to NARA electronically. This requires agencies to provide their stakeholders with solutions that help achieve records management compliance objectives without hindering mission performance.

Read the federal requirements at the National Archives.

Meanwhile, agencies have invested in M365 as an enterprise strategy to provide their organizations with a cloud-based collaboration and productivity platform. M365 satisfies the emphasis many agencies place on ease of use, productivity and security.  It provides agency stakeholders with an integrated suite of collaboration, information management and security tools including Exchange Online for email, SharePoint Online for content management, and Microsoft Teams for team-based collaboration.

Assessing the scope of noncompliance

In Laurence Hart’s recent post, he observed that agencies may have many records that are not managed in compliance with records management (RM) policies and mandates. With the broad adoption of M365, these unmanaged records likely include documents, email and other content stored in M365 repositories.

With its email and content management capabilities, agencies’ records officers are quite aware that federal agency personnel are creating, storing and accessing records using M365. Agency wide deployments of M365 requires a strategy for ongoing training, transition and user adoption – and this strategy must provide records management capabilities that enable M-23-07 compliance, and satisfy eDiscovery and FOIA demands.   

Accordingly, we recommend agencies assess their use of M365 to identify RM compliance gaps, such as records that are not categorized or assigned to approved records retention and disposition schedules.  The assessment approach described below will help agencies implement M365 with capabilities and processes that enable RM compliance.

The key to this strategy is to define agency records management requirements in order to identify the functions and capabilities that are necessary to meet compliance. Start with an assessment of what records are stored and where, keeping an eye out for multiple repositories that could be consolidated.  

Developing a strategic RM compliance approach for M365

We recommend the following approach to address Records Management and M-23-07 compliance needs in support of your agency’s M365 implementation:

• Conduct a requirements analysis focusing on your agency’s records management compliance needs.  Document all your records management requirements, including mandatory and optional capabilities
• Compare M365’s native capabilities to the documented records management  requirements – this will help identify records management requirements which cannot be met natively with your agency’s M365 licensing subscription
• Evaluate M365’s records management capabilities, from the user’s perspective, to determine whether the system can provide the needed records management capabilities without placing additional labor and time burdens on your agency’s staff and essential business processes. Many records management efforts fail because they require more work from already-busy agency staff. 

The next step is to evaluate solution alternatives in order to choose the best approach for your agency.  We have identified three primary approaches to address agency records management needs for agencies who are adopting M365 across their user community;

1. Native M365 – M365 alone may meet agency needs. Its native capabilities include retention labels, along with Purview—a family of data governance, risk, and compliance solutions—and other useful out-of-the-box features. This approach reduces software costs and administrative overhead, and leverages a single cloud-based application. 
2. Third-party add-on Products — Some M365 add-ons can address agency needs that M365 does not meet on its own. However, add-on software can increase costs and software support needs.
3. Federated Records Management — This is a flexible configuration in which an enterprise records management application, with centralized records file plan and disposition schedules, integrates with M365. It allows the agency to manage the data where it is—“managed in place” —while providing centralized records management controls over records contained in M365 and other agency repositories.

Agencies can achieve M-23-07 and NARA compliance cost-effectively by leveraging M365 security and compliance capabilities—and, if necessary, third-party add-on products. CGI can help your agency assess records management needs and current M365 implementation in order to arrive at the ideal solution for your agency—balancing compliance standards and agency records keeping requirements with stakeholder needs for information sharing and security, productivity, and an improved customer experience for all users.