Jan 17 2023
Software

How Agencies Can Adhere to GSA Standards and Protect Email Backups

Stay compliant with this step-by-step process for archiving employees’ Microsoft 365 mailboxes.

The U.S. General Services Administration requires government agencies to keep a backup of all emails related to agency business transactions. This applies while employees are working and after they leave, and includes specifications for where agencies must retain and record all of their emails.

The requirement is consistent with other compliance standards, such as the Freedom of Information Act and Department of Defense regulations for contractors, which require agencies to archive emails for three years.

As of December 2022, Microsoft has updated its recommendations for archiving employee mailboxes. Litigation hold — which preserves an employee’s mailbox contents after a user account is deleted — is still supported, but Microsoft 365 retention is recommended.

In-place holds in Microsoft Exchange admin center have been retired and replaced with Microsoft 365 retention policies, along with labels for exceptions. This is now the most up-to-date method for IT admins to archive Microsoft 365 mailboxes in compliance with federal regulations.

Admins can create an inactive mailbox using Microsoft 365 retention policies when employees leave or go on extended absence. Labels prevent employees from permanently deleting message contents.

Create Labels to Prevent Deletion

To access labels, load the Microsoft Purview compliance portal and open the Data Lifecycle Management tab. Select Microsoft 365 and click Create a label. Choose a name for the retention label and then click Next.

You can specify whether to retain items forever or for a defined period, which you will specify in the next window.

For example, you could specify a retention length of three years, to start when the user’s employment ends. This label would comply with FOIA and DOD retention requirements.

How Agencies Can Align with NARA Rules

It’s also important to govern what happens after the retention period. The Delete items automatically setting removes mailbox contents from the target location when the retention period ends.

All GSA employees and high-level officials have specific retention requirements. If a reviewer believes specific emails need to be preserved for a longer period (from seven to 15 years), IT admins can choose the setting for Start a 90-day trial to trigger a disposition review. This allows CIOs to review and transfer emails to the National Archives and Records Administration before deletion to remain compliant with GSA’s CIO Email Retention Policy.

Search Mailbox Archives in Microsoft 365 Mailboxes

In Microsoft Purview, the eDiscovery tool lets IT admins and compliance officers search archived mailboxes. Use Create a case to grant access to relevant users so they can search email contents.

For example, you can create a case called Archived Mailboxes. Then, go to the Searches tab and create a new search. Add a name, toggle Exchange mailboxes to On, and choose the users, groups or teams to search.

Select the Conditions card builder and set the query language to English. Set Message kind to “Equals any of” and specify “email” to return all emails in the archived mailbox.
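The retention label from the earlier section and the eDiscovery search described above, built with Security & Compliance PowerShell instead of the Purview portal. This is an added example, not from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account holds a compliance admin role, and that the built-in "Employee activity" event type can be referenced by name (the UPN, reviewer address, mailbox and label names are placeholders).

```powershell
# Added example: portal steps from the article expressed as Security &
# Compliance PowerShell. Placeholder names throughout; adjust for your tenant.
Connect-IPPSSession -UserPrincipalName 'admin@agency.example.gov'   # placeholder UPN

# 1. Retention label: keep for three years (1095 days), counted from the
#    employee-departure event, then delete. ReviewerEmail turns the deletion
#    into a disposition review so records can go to NARA before removal.
$labelName = 'Departed Employee Mail - 3 Years'
$labelParams = @{
    Name              = $labelName
    RetentionAction   = 'KeepAndDelete'
    RetentionDuration = 1095
    RetentionType     = 'EventAgeInDays'
    EventType         = 'Employee activity'                   # assumption: built-in event type by name
    ReviewerEmail     = 'records-officer@agency.example.gov'  # placeholder reviewer
    Comment           = 'FOIA/DoD 3-year retention; NARA disposition review before deletion'
}
New-ComplianceTag @labelParams

# 2. Publish the label to every Exchange mailbox through a retention policy.
#    A retention policy on a mailbox also keeps it as an inactive mailbox,
#    rather than purging it, when the user account is later deleted.
$policyName = 'Publish departed-employee label'
New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All
New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName

# 3. eDiscovery: the "Archived Mailboxes" case and a search limited to items
#    whose message kind is email (KQL kind:email, the same condition the
#    Conditions card builder sets in the portal).
$caseName   = 'Archived Mailboxes'
$searchName = 'All archived email'
New-ComplianceCase -Name $caseName
New-ComplianceSearch -Name $searchName `
    -Case $caseName `
    -ExchangeLocation 'former.employee@agency.example.gov' `
    -ContentMatchQuery 'kind:email'
Start-ComplianceSearch -Identity $searchName

# 4. Check the search finished and report how many items it matched before
#    anyone exports or reviews results.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
"$($search.Items) email items found in $($search.ExchangeLocation)"
```

Get-ComplianceSearch can also confirm which mailboxes were covered, which is useful evidence that the archive search actually reached the departed employee's inactive mailbox.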

Learn About Free Storage for Archives

Retention policies in Data lifecycle management are used to delete or migrate old email in a compliant manner. For example, a policy could move email from the primary mailbox to the archive mailbox before deleting it. Microsoft offers free storage for archive mailboxes to help admins free up space in Exchange Admin Center.