Microsoft and Cabinet Office issue government-wide security guidelines for M365

Software vendor has worked with officials from Central Digital and Data Office and Government Security Group to produce advice documents to support secure rollouts of widely used suite of products

Cabinet Office teams have worked with Microsoft to publish government-wide guidance on how to securely install and use the software vendor’s core products.

The Central Digital and Data Office has published Microsoft 365 Guidance for UK Government, a document that sets out advice for departmental IT workers on how to implement, configure and use the suite of software tools. The product set includes familiar programs including Teams, Word, Excel, PowerPoint, Outlook, OneNote and OneDrive.

The guidance is split into three sections, the first of which is a Secure Configuration Blueprint – which was first published in 2019, and was created by the Government Digital Service and the National Cyber Security Centre, working alongside Microsoft.

The advice – which was updated two years ago, in part, to reflect changing bring-your-own-device policies – includes specifications for controls at three levels: good; better; and best. Covered in the advice is a range of monitoring and auditing measures, as well as the use of data-loss prevention tools.

The second section of the configuration guidance – which was developed in conjunction with Microsoft by the Central Digital and Data Office and the Government Security Group – covers information protection.

According to the advice document, which has been published on the vendor’s website, the guidance is intended to support officials “wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers”.


The publication of the M365-specific advice comes in light of an update to the Government Security Classifications Policy (GSCP), which provides departments with wider guidelines for the protection of data against common threats and known bad actors.

“This gave us a significant opportunity in UK government to modernise and standardise how organisations apply technical controls in line with security classifications,” said a spokesperson for the Government Security Group (GSG), which is based in the Cabinet Office. “Microsoft 365 is widely used across UK government, so we partnered directly with Microsoft to define a standard approach to applying sensitivity labels and data loss prevention features of Microsoft 365 in line with the GSCP.”

The final section of the guidelines covers advice on security measures to support government bodies that use the Microsoft tools in collaborating across departmental boundaries – including via “instant messaging, document sharing and co-authoring, SharePoint and Teams sites, calendar availability and shared channels”.

The collaboration guidance – developed by Microsoft, CDDO and the NCSC – was first published last year, but has now been updated following the tweaks to government’s security classifications.

All three portions of the guidelines have been collated on a newly created section of GOV.UK, published by CDDO.

“These have been created to support government organisations that use Microsoft 365,” it says. “They outline how to configure the Microsoft 365 platform to enable a secure and interoperable experience for civil servants operating at the Official tier. This guidance is intended for IT professionals who administer enterprise Microsoft 365 platforms in UK government organisations or partner organisations. Attention should be paid to the dates that the guidance was published as subsequent technology changes may not be reflected in the current guidance.”

As units of the Cabinet Office, CDDO, GDS and GSG are all likely to use core software tools from Google, rather than the Microsoft 365 product set.

However, the central department is currently undertaking a £52m programme of work – known as Falcon – which includes the creation of a new unified internal IT system, alongside a ubiquitous migration from Google to Microsoft.

Documents recently published as part of government’s regime of major project assessments said: “[Falcon] will enable better interoperability across government as we move both our people and data from Google Workspace to Microsoft 365. The Cabinet Office is at the heart of government and a common productivity suite will enable more efficient and effective ways of working.”

GDS – from which CDDO was, effectively, spun out in 2021 – has been a long-term supporter of Google’s tools and the wider Cabinet Office switched over from Microsoft in 2015, which was seen as a major coup for the enterprise software arm of the search-engine firm.

The department upgraded and expanded its engagement several times since then, most recently in an extension to a near-£10m contract that ensures the Cabinet Office will retain access to Google’s apps until 29 September 2024 – six months before project Falcon is due to complete delivery.

Sam Trendall
