R3 Hybrid Security & CMMC Compliance

A modern, Microsoft-aligned architecture for GovCon security and compliance.

GovCon organizations today operate in an environment where compliance is non-negotiable and operational speed matters more than ever. They face a persistent architectural tension: they must protect CUI with the highest levels of security and compliance while also running fast, automated, cross-functional business operations.

Since 2022, evolving CMMC guidance, DFARS interpretations, and advances in Microsoft’s cloud security have driven a clear industry shift: 

  • Store all CUI in GCC/GCC High.
  • Run your business systems outside the Microsoft 365 enclave so you can remain modern and high-performing.

Vertical Hybrid Architecture

Compliance and Productivity

With these shifts, a new, Microsoft-aligned model has evolved for GovCon: systems are deployed and run in a Vertical Hybrid Architecture that delivers both compliance and productivity. R3 uses it as the foundation for delivering secure, high-performance business solutions to GovCon organizations.

Below we describe R3's implementation of the Vertical Hybrid. We cover:

  • Alternative Options
  • Vertical Hybrid Overview
  • The CUI Boundary
  • Compliance Matrix
  • Benefits of Hybrid
  • Architecture Guide for Technical Reviewers - ➡️ Go to the Hybrid Architecture Guide
  • FAQ

Most GovCon organizations only see two options.

Option 1 — Move Everything Into GCC High

This over-rotates on compliance.
You gain strong document controls, but you lose:

  • the ability to run structured business applications at scale
  • modern workflow automation
  • high-performance reporting
  • cross-system integrations
  • ease of use for cross-functional teams
  • AI enablement
  • affordability and scalability

Running all business systems inside GCC High slows BD, Capture, PM, Contracts, Finance, and every function that needs to move quickly.

Option 2 — Use Vendor Systems That Claim They Can Handle CUI

This is the modern trap.

AI tools, BD platforms, CLM systems, proposal tools, or productivity systems often imply they can “store” or “process” CUI. They use FedRAMP Moderate Equivalent or Authorized as the basis for compliance. If you put CUI into these systems, you expand your CUI boundary into their environments.

This creates major problems:

  • DFARS 7012 inheritance often fails unless the vendor is FedRAMP High and is actually set up with DoD to handle incident response
  • your CMMC assessment scope expands into the vendor's staff and infrastructure
  • you lose document sovereignty and clear auditability
  • integrations become spill points
  • AI becomes off-limits for CUI
  • your audit footprint fragments across external SaaS systems

Option 2 increases cost, complexity, and risk — and weakens compliance.

The Hybrid Way to Compliance and Productivity

Instead of choosing between performance and compliance, R3 follows the Hybrid model to provide both through a simple vertical separation into 3 planes.

The 3 Vertical Hybrid Planes

  • Identity Plane (MS Entra ID)
  • Execution Plane (R3 GovCloud Workplace)
  • Document Control Plane (GCC/GCC High)

Each plane is optimized for what it must do — and nothing it shouldn’t.

The customer controls the Identity and the Document Control Plane. The Execution Plane is where R3 runs. It can have any business systems that align with the Hybrid model. The three planes work together to create a stable, compliant, and high-performance architecture.


Identity Plane - Microsoft Entra ID

Identity as the Unified Security Gateway

A single identity perimeter governs access to the other two planes.

  • login, MFA, Conditional Access policies
  • RBAC and least privilege
  • full auditability
  • all identity governance remains customer-controlled

Entra ID anchors the architecture with one secure, centralized identity layer.

Execution Plane - R3 GovCloud Workplace (AWS GovCloud)

What Runs Here

The Execution Plane runs all R3 business solutions and automation — including workflows, dashboards, metadata handling, and AI processing. This plane optimizes operations without inheriting CUI obligations.

  • structured business applications (R3 CM, WinCenter, PM)
  • workflow automation and tasking
  • metadata processing
  • R3 AI Skills
  • cross-functional visibility and reporting

R3 does not store customer documents. They are all routed directly into the Document Control Plane (GCC, GCC High). No CUI is stored, processed, or transmitted by the Execution Plane; it handles FCI only.

Compliance Alignment

  • Assessed for CMMC Level 1 (FCI)
  • implements all NIST SP 800-171 controls
  • out of scope for CMMC Level 2 because it never handles CUI

Built for performance, automation, and AI — without crossing the CUI boundary.


Document Control Plane - M365 (Commercial, GCC, GCC High)

The R3 Hybrid requires you to use a Microsoft 365 tenant for your Document Control Plane. It can be Commercial, GCC or GCC High. The following section assumes you are handling CUI and using GCC High as your M365 tenant.

Microsoft GCC High (Customer Tenant for CUI)

The Document Control Plane stores and protects all documents — including all FCI, all CUI, and all sensitive files — inside the customer’s Microsoft 365 tenant.

  • Documents in SharePoint in GCC High
  • Microsoft Purview classification, labeling, and DLP
  • customer-owned access, retention, and logging
  • FedRAMP High inheritance
  • full sovereignty over document governance

Compliance Alignment

  • Assessed for CMMC Level 2 as the sole CUI boundary
  • Meets all NIST SP 800-171 requirements for document storage and handling
  • Supports DFARS 252.204-7012 incident reporting, logging, and forensic requirements
  • Operates on FedRAMP High infrastructure (GCC High) with DoD SRG IL4/IL5 alignment
  • Satisfies ITAR / U.S. Persons-only operational requirements through Microsoft’s sovereign cloud controls
  • Maintains authoritative audit logs for all document access and activity

The CUI Boundary: How It Works

R3 enforces a simple architectural rule:

  • All customer documents are routed directly into the customer-designated M365 Document Control Plane (Commercial, GCC, or GCC High).

R3 stores metadata only — never the documents themselves. When users upload files in any workflow, the document is placed immediately into the customer’s M365 SharePoint. R3 keeps only metadata, including a link to the document in M365.

This is the ZeroDrift™ document-governance model: documents stay under customer identity, policies, and control at all times. Because no document ever enters vendor systems, the CUI boundary remains simple, measurable, and easy for assessors to validate.

This creates:

  • a clean, defensible CUI boundary
  • no vendor document custody
  • AI that operates only on metadata
  • an assessment model auditors can evaluate quickly

In addition, ZeroDrift means that when users open documents while working in R3, they open the file directly from your M365 Document Control Plane tenant. This allows them to work in the native Office 365 application with full productivity features such as co-authoring and auto-save. And because the document remains in your M365 tenant, all activity is governed by your Microsoft Purview and DLP security policies.
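The boundary rule above (the Execution Plane persists metadata plus a link, never the document) is the kind of control an assessor will want to see enforced in code rather than by convention. The following is an added example, not R3's code: a guard that an execution-plane service could run before persisting any record, rejecting anything that carries document content or a link that points outside the customer's M365 tenant. The tenant host, the field names, and the sample records are constructed assumptions; GCC High SharePoint sites live under *.sharepoint.us, and "contoso-gov" is a placeholder tenant name.

```python
from urllib.parse import urlparse

# Constructed allowlist: the customer's GCC High SharePoint host (placeholder tenant name).
ALLOWED_DOCUMENT_HOSTS = {"contoso-gov.sharepoint.us"}

# Metadata fields the execution plane is permitted to persist (assumed schema).
ALLOWED_METADATA_KEYS = {
    "record_id", "title", "document_url", "opportunity_id",
    "owner_upn", "classification", "created_utc",
}

# Field names that indicate document content rather than metadata.
CONTENT_KEYS = {"content", "body", "file", "blob", "bytes", "attachment"}


def validate_execution_plane_record(record: dict, allowed_hosts=ALLOWED_DOCUMENT_HOSTS) -> list[str]:
    """Return the list of boundary violations; an empty list means the record may be stored."""
    violations = []

    # 1. Only allowlisted metadata keys may be present.
    for key in sorted(set(record) - ALLOWED_METADATA_KEYS):
        if key.lower() in CONTENT_KEYS:
            violations.append(f"field {key!r} looks like document content")
        else:
            violations.append(f"field {key!r} is not an allowlisted metadata key")

    # 2. No raw bytes anywhere, whatever the field is called.
    for key, value in record.items():
        if isinstance(value, (bytes, bytearray)):
            violations.append(f"field {key!r} carries raw bytes")

    # 3. The document link must point into the customer's tenant over HTTPS.
    url = record.get("document_url")
    if not isinstance(url, str):
        violations.append("document_url is missing")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            violations.append("document_url must use https")
        if parsed.hostname not in allowed_hosts:
            violations.append(
                f"document_url host {parsed.hostname!r} is outside the Document Control Plane"
            )
    return violations


# Constructed sample records.
GOOD_RECORD = {
    "record_id": "R-0001",
    "title": "Proposal volume 1",
    "document_url": "https://contoso-gov.sharepoint.us/sites/Capture/Shared%20Documents/vol1.docx",
    "opportunity_id": "OPP-42",
    "owner_upn": "jane.doe@contoso-gov.us",
    "classification": "CUI",
    "created_utc": "2025-01-15T12:00:00Z",
}
# A record that smuggles the file itself into the execution plane.
BAD_CONTENT_RECORD = {**GOOD_RECORD, "content": b"%PDF-1.7 constructed sample bytes"}
# A record whose link points at a host outside the customer's tenant.
BAD_HOST_RECORD = {**GOOD_RECORD, "document_url": "https://files.example.com/vol1.docx"}

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("content", BAD_CONTENT_RECORD), ("host", BAD_HOST_RECORD)]:
        print(name, validate_execution_plane_record(rec) or "OK")
```

Running the guard on every write path (uploads, integrations, AI pipelines) turns the "metadata only" promise into a testable control, and the rejection messages give the logging needed to show an assessor that attempted boundary crossings are caught rather than assumed away.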

Compliance Matrix (Audit Scope Simplified)

This matrix shows exactly which planes are in scope for each compliance requirement.

Compliance Area | Entra ID (Identity) | R3 GovCloud Workplace (Execution Plane) | GCC / GCC High (Document Control Plane)
CMMC Level 1 (FCI) – Assessed
CMMC Level 2 (CUI) – Assessed (identity only)
DFARS 252.204-7012
NIST SP 800-171 Controls
FedRAMP High (Inherited 800-53)
DoD SRG IL4/IL5 Alignment
ITAR (U.S. Persons Only)
Least Privilege / RBAC

Notes:

  • GCC is suitable for CMMC Level 1 (FCI only).
  • GCC High is required for CUI - CMMC Level 2, DFARS, and ITAR.
  • The R3 Execution Plane is out of scope for CMMC Level 2 because it never handles CUI. It is in scope for CMMC Level 1 because it handles FCI.

Hybrid Benefits at a Glance

  • Reduced assessment scope for CMMC Level 2 and DFARS 7012
  • A clean, defensible CUI boundary aligned with Microsoft’s guidance and assessor expectations
  • Full sovereignty over documents and identity, with no vendor custody of CUI
  • Fast, modern business systems that avoid GCC High performance limitations
  • Automation and AI enablement through metadata-only processing
  • Cross-functional productivity for BD, Capture, Contracts, PM, and Finance
  • Works for any other vendor or system that follows the hybrid pattern, keeping the customer firmly in control of identity and document governance.

Hybrid gives GovCon organizations the strongest compliance posture and the highest operational performance — at the same time.

For Technical Reviewers: Explore the Full R3 Hybrid Architecture Guide

Security and IT teams can explore the full breakdown of the Hybrid Architecture in our online guide, including diagrams, data flows, enforcement mechanisms, and the Shared Responsibility Model.

➡️ Go to the Hybrid Architecture Guide


R3 Hybrid Security & Compliance Architecture Guide Contents

Page | Excerpt
1. Executive Summary: Provides an overview of the R3 Hybrid Architecture documentation set, including its guiding principles and objectives, and explains how identity, execution, and document control planes create a secure and modern GovCon environment.
2. GovCon Technology Evolution: Describes major federal cybersecurity shifts from 2022–2025 and why GovCon organizations are converging on hybrid architectural patterns to meet evolving CMMC and DFARS expectations.
3. The Vertical Hybrid Model: Defines the Vertical Hybrid Model and explains how separating execution, identity, and document control planes creates a defensible CUI boundary and operational clarity.
4. Execution Plane: Explains how the Execution Plane enables contract operations without storing CUI, using ZeroDrift protections and strict AI boundaries.
5. Document Control Plane: Outlines GCC/GCC High as the authoritative storage environment for CUI and FCI, applying location-based security and compliance safeguards.
6. Identity Plane: Describes Microsoft Entra ID as the unified identity layer supporting MFA, conditional access, and RBAC while remaining fully customer-controlled.
7. Security & Compliance Alignment: Maps the hybrid architecture to CMMC Level 2, DFARS 7012, FedRAMP, and NIST 800-171 controls, illustrating how plane separation reduces assessment scope.
8. Shared Responsibility Model (SRM): Clarifies responsibility partitions among the customer, Microsoft, and R3 for identity, documents, infrastructure, and operations.
9. Operational Assurance & High Availability: Covers R3’s infrastructure resiliency, monitoring, business continuity, and how the execution plane maintains availability without storing CUI.
10. Customer Control Narrative: Explains how customers retain full control of documents, identities, permissions, and governance, keeping compliance authority entirely within the GovCon organization.
Appendix A – Compliance Control Matrix: Provides a table of how each of the three planes of Hybrid maps to the primary compliance requirements (CMMC, NIST 800-171, DFARS, ITAR, etc.).
Appendix B – Business Authorization & Least Privilege: Defines business-layer authorization for Federal compliance requirements and explains how least-privilege access is assigned independently of CUI document permissions within the hybrid model.

R3 Hybrid FAQ