10. Customer Control Narrative
The Hybrid Architecture ensures that the customer retains full control over identity, documents, CUI governance, access, and audit evidence. R3 systems process metadata only, and R3 personnel have no access to customer documents or Microsoft 365 resources. This design keeps compliance authority where it belongs—with the GovCon organization and its M365 tenant—and simplifies CMMC and DFARS assessments by eliminating vendor-centric ambiguity.
10.1 Customer Control of Identity
Identity governance is fully customer-owned through Microsoft Entra ID.
The customer manages:
- MFA enforcement and Conditional Access
- Identity lifecycle and group membership
- Administrative roles and privileged access monitoring
R3 does not store or manage identities; all authentication flows through the customer’s Entra ID tenant.
10.2 Customer Control of the Document Control Plane
All documents—including all CUI and FCI—reside exclusively in the customer’s Microsoft 365 tenant. Each R3 solution writes to a customer-provisioned SharePoint Site Collection, fully governed by the customer.
The customer controls:
- SharePoint permissions
- Purview sensitivity labels
- Data Loss Prevention (DLP)
- Retention and Records Management
- Document-level audit logging
R3 has no access to document content, audit logs, or the customer’s M365 configuration.
10.3 Customer Control in Multi-Vendor Environments
The Hybrid Architecture enables customers to adopt multiple SaaS systems while maintaining centralized identity and document governance.
- All vendors authenticate through the customer’s Entra ID tenant
- All documents remain inside the customer’s Microsoft 365 tenant
- Each vendor operates an independent Execution Plane that handles metadata only
This ensures that no external vendor expands the customer’s CUI scope or gains custody of customer documents.
10.4 Customer-Exclusive Control of CUI
Because all CUI resides solely in Microsoft 365 GCC High, the customer maintains exclusive control of:
- CUI classification and labeling
- Access permissions and retention
- DFARS 252.204-7012 incident reporting
- Audit evidence and assessment readiness
R3 systems do not store, process, or cache CUI.
AI behavior is limited to transient FCI-only extraction initiated by an authorized user, and no content is retained.
10.5 Customer Control of Compliance Boundaries
The customer defines and governs its CUI boundary. Identity policies, document governance, and tenant audit logs all remain under customer ownership, ensuring that:
- CMMC Level 2 assessments apply only to the customer’s Microsoft 365 tenant
- R3 GovCloud remains an FCI-only system outside the CUI boundary
- Compliance evidence is generated entirely within the customer’s tenant
10.6 Customer Authority Over Operational Decisions
Because identity and document governance stay within the customer’s Microsoft 365 tenant, the customer decides:
- Who can access documents
- How long documents are retained
- When users or roles change
- How permissions map to business needs
- When security policies must be adjusted
R3 does not influence or modify document-level or identity-level access controls.
10.7 Customer Control Over AI Capabilities
R3 AI Skills operate in the metadata-only Execution Plane and are optional.
The customer determines:
- Whether AI is enabled
- Which AI Skills may process FCI documents
- Who within the organization may invoke AI-driven actions
AI never processes CUI and never stores or retains document content.
