Tech Alert

from Customer Engagement Services

“Your Gateway to Technology Services”

TA 25-01: Microsoft 365 Copilot Chat Responsible Use

Issue Date: April 14, 2025

Attention: All Customers

Action Requested: Review and Communicate for Safe, Secure, and Responsible Use

Effective Date: April 15, 2025

Overview

Effective April 15, 2025, Microsoft will turn on the Copilot Chat feature inside Office 365 (O365) for all State departments. Copilot Chat is a Generative Artificial Intelligence (GenAI) assistant designed to enhance staff productivity by streamlining information analysis, assisting with content creation, answering questions, and more.

This feature, which is enabled by default, is now part of the Microsoft 365 (M365) core suite and is available at no additional cost to M365 Government Community Cloud (GCC) users who sign in with their Microsoft Entra (work) accounts. Your IT team does, however, have the ability to turn this feature off.

Action Requested: Review and Communicate for Safe, Secure, and Responsible Use

M365 Copilot Chat is a helpful tool — but like all artificial intelligence, it must be used with care.

The California Department of Technology (CDT) advises all State entities to evaluate Copilot Chat in accordance with statewide GenAI policies to ensure secure, ethical, and compliant use. (California Executive Order N-12-23, Technology Letter 25-01, and GenAI Policies SAM 4986.1–4986.13, SIMM 5305-F)

Secure by Default – Built for Government Use

    • Copilot Chat runs within Microsoft’s Government Boundary, with Enterprise Data Protection (EDP) enabled to safeguard state data.
      • Copilot Chat has limited access to your data. At this time, it cannot see the data inside your tenant. It can only perform GenAI functions on content it is provided directly.
        • Example: it can summarize a document uploaded into the tool, but it cannot see or open files in your SharePoint repository and summarize them.
    • Web Grounding for Copilot Chat is OFF by default – Copilot Chat will not access real-time internet content unless explicitly enabled by your organization’s IT team.
      • Copilot Chat knows what the model knows, but not real-time data from the internet.
        • Example: if you ask about weather in Tahoe, it can tell you general weather patterns for this time of year, but not today’s forecast.
      • Individual departments may enable Web Grounding (WG) if desired, following security, data governance, and risk assessment protocols.
    • If your department turns on Web Grounding for Copilot Chat, a GenAI Risk Assessment (SIMM 5305-F) is required for all risk levels. The completed assessment must be submitted to CDT via the New Technology Consultation and Assessment request in the CDT IT Service Portal.
    • If your department chooses to use Copilot Chat with default settings or disables Copilot Chat, a GenAI Risk Assessment (SIMM 5305-F) is not required. CDT is available to provide general guidance on this configuration as requested.
User Responsibilities – Use M365 Copilot Chat Safely

To stay in compliance with State policy, follow these user guidelines:

    • Keep Data Safe
      Do not input confidential, sensitive, or personally identifiable information. Use only State-provided accounts for work (i.e., State entity enterprise account); personal accounts should not be used.
    • Verify Before Sharing
      Review and validate Copilot’s output. You are accountable for the content you use or distribute.
    • Complete Required Training
      Engage with department-provided training to understand GenAI tools and appropriate usage.
    • Know Copilot’s Limits
      Copilot supports your work but doesn’t replace your decision-making. Contact IT or security staff when in doubt.
IT and Security Safeguards for State Entities

Departments must implement the following technical and security measures before enabling or expanding use of Copilot Chat (per TL 25-01, SAM 4986.11, and SIMM 5305-F):

    • Update your organization’s Acceptable Use Policy (AUP)
      Required for all implementations. The GenAI Risk Assessment (SIMM 5305-F) requires the AUP to address the incorporation of GenAI content and tools into standard work processes.
    • Enforce Access Controls
      Limit Copilot’s data access using least-privilege principles. Monitor activity with audit logging.
    • Address AI-Specific Threats
      Update threat models to account for prompt injection, data leakage, and other GenAI vulnerabilities.
    • Validate Training Data Practices
      Ensure that Microsoft does not use your data for model training. Periodically confirm this when products are updated. Request transparency under SAM 4986.4.
    • Review Hosting and Vendor Compliance
      Confirm that data residency, hosting conditions, and contract terms comply with SAM 4986.5 and 4986.9.
    • Strengthen Identity Protections
      Enforce Multi-Factor Authentication (MFA) and role-based access controls, as Copilot relies on user identity to generate context-aware responses.
Final Reminder

All tools with GenAI features must be reviewed and documented using the GenAI Risk Assessment (SIMM 5305-F) before use. Submit the completed and signed GenAI Risk Assessment (SIMM 5305-F) to CDT via the New Technology Consultation and Assessment request.

For questions or support, contact your department’s Chief Information Officer (CIO) and Information Security Officer (ISO).

Next Steps:

Disseminate this important information to your entire organization for awareness on the safe, secure, and responsible use of Microsoft’s new Copilot Chat feature.

Contact

If you have questions or need further clarification, please contact your CDT Account Lead by using the Account Lead Directory, or by calling Customer Engagement Services at (916) 431-5390.