Skip to main content

Data Lifecycle & Retention

Protecting CUI is only half of information management: the other half is retaining it for as long as a contract or CUI rule requires, then disposing of it when it is no longer needed. Over-retention is a liability: every record kept past its purpose is additional breach exposure and additional scope for an assessor. NIST SP 800-171 Rev. 3 makes this explicit in 03.14.08 (Information Management and Retention); the related 03.03.07 governs how long the audit logs are kept (covered in Audit Readiness).

Microsoft Purview addresses this with two complementary solutions:

  • Data Lifecycle Management: retain or delete content automatically with retention policies and retention labels (overview).
  • Records Management: for high-value or regulated records: a file plan, records declaration (tamper-proof), and disposition review with proof of disposition (overview).

Retention policies vs. retention labels

Both can retain-then-delete, retain-only, or delete-only. Choose by scope:

Retention policyRetention label
ScopeWorkload / location (Exchange, SharePoint, OneDrive, M365 Groups, Teams)Item level (folder, document, email)
AppliedAutomatically across a locationManually, auto-applied (SIT / keyword / trainable classifier), or as a default
Travels with contentNoYes: within the tenant, if the item moves
AdvancedEvent-based start, disposition review, declare as a record, proof of disposition

(Source: retention policies and labels.)

Rule of thumb: a retention policy sets the baseline for a whole site or mailbox; a retention label handles item-level exceptions and anything that must become a defensible record.

  1. A tenant default retention policy across Exchange, SharePoint, OneDrive, and Teams that retains content for your minimum required period and deletes afterward, so nothing is silently kept forever and nothing is prematurely lost.
  2. A CUI retention label, auto-applied to CUI by reusing the SITs / trainable classifiers from Sensitivity Labels and Sensitive Information Types, with the retention period your contract or CUI category requires and disposition review at the end, so CUI is never auto-deleted without a human decision.
  3. Records declaration for contract deliverables and anything with a legal-hold dimension, locks the item against edit/delete and yields proof of disposition.

Disposition & proof

At the end of a retention period a label can start a disposition review instead of auto-deleting: designated reviewers approve deletion, extend retention, or relabel, and Purview retains proof of disposition for up to seven years (disposition). That proof is the artifact demonstrating CUI was disposed of deliberately and on schedule, exactly what 03.14.08 asks you to show.

Evidence for assessment

  • 03.14.08 (Information Management and Retention): the retention policy/label configuration, the file plan, and disposition-review records / proof-of-disposition exports.
  • Retention is itself audited: admin configuration of retention policies/labels, and (for labels) retention actions, are written to the Unified Audit Log (auditing retention); pair this with Audit Readiness.

Licensing

Creating and publishing retention labels and basic retention policies are included at the Microsoft 365 / Office 365 E3 level. The advanced capabilities (event-based retention, disposition review, declaring records / regulatory records, and auto-relabel at end of period) require E5 / G5 or the Purview add-on (Purview service description).

GCC High

Core retention policies and labels are available in Microsoft Purview for GCC High. Availability of specific advanced Records Management features (event-based retention, regulatory records, disposition-review options) in the sovereign cloud is unverified here; confirm in the Purview portal / the Microsoft 365 GCC High service description before committing them to your SSP.

📩 Don't Miss the Next Solution

Join the list to see the real-time solutions I'm delivering to my GCC High clients.