5. Document Control Plane


The Document Control Plane consists of the customer’s Microsoft 365 environment—Commercial, GCC, or GCC High—where all documents, including all CUI and FCI, are stored, governed, protected, and audited. This plane contains the authoritative document stores for all R3-enabled business processes.

All document governance responsibilities—access control, retention, sensitivity labeling, DLP, encryption, and audit logging—remain under customer ownership.

The sections below describe the functions, controls, administrative boundaries, and compliance characteristics of the Document Control Plane.

 

5.1 Document Control Plane Overview

The Document Control Plane is the authoritative location for all document content referenced by R3 solutions.

Any document added, created, or used within R3 business processes is routed directly into the customer’s Microsoft 365 tenant, where it is stored in SharePoint.

This plane provides all document-centric controls required under NIST SP 800-171, CMMC Level 2, and DFARS 252.204-7012, including encryption, data loss prevention, retention, auditing, and governance automation. All administrative authority—including tenant hardening, lifecycle policies, and access control—remains with the customer.

The customer may choose any Microsoft 365 tenant based on their compliance requirements:

  • Commercial – Not suitable for Federal FCI
  • GCC – Supports FCI but not CUI or ITAR
  • GCC High – Required for CUI, ITAR, and DFARS 7012 compliance

The R3 Hybrid Architecture supports all three Microsoft 365 tenant types. However, the following four requirements apply:

  1. R3 only integrates with Microsoft 365 tenants.
  2. R3 integrates with exactly one tenant per customer.
  3. All R3 users must have access to the chosen Microsoft 365 tenant.
  4. R3 requires Microsoft Entra ID for identity, and the Entra ID tier must match the chosen M365 tenant (details in the Identity Plane section).

These requirements ensure a clean, defensible document boundary and consistent application of security controls.

 

5.2 Document Governance Functions

Microsoft 365 provides the governance capabilities required to manage sensitive documents and CUI. Representative functions include:

  • Information protection (Purview): Sensitivity labels, automatic classification, encryption, content marking, and labeling rules.
  • Data Loss Prevention (DLP): Detection, blocking, or reporting of sensitive content actions.
  • Access control: SharePoint Online permissions, Entra ID group membership, Conditional Access, and data perimeter controls.
  • Retention & records management: Retention labels, legal holds, and lifecycle policies.
  • Versioning & collaboration: Full version history with secure co-authoring.
  • Audit logging: Unified audit logs capturing access, edits, sharing, labeling, and policy enforcement events.

Collectively, these capabilities ensure that all document content is governed by a comprehensive, policy-driven security model.

 

5.3 Customer Administrative Control

Administrative authority and configuration responsibilities for the Document Control Plane reside entirely with the customer. This includes:

  • tenant security & compliance policies
  • Purview information protection configurations
  • DLP rules & thresholds
  • sharing & external access controls
  • administrative role assignments
  • Conditional Access policies
  • audit-log configuration & retention
  • lifecycle & retention rules
  • site & library permissions
  • identity lifecycle management

R3 never administers or modifies customer tenant settings and never accesses customer documents. This ensures that all CUI governance remains 100% customer-controlled.

 

5.4 CUI Boundary and Compliance Characteristics (GCC High)

The Document Control Plane defines the CUI boundary for the R3 Hybrid Architecture.
All CUI resides exclusively within the customer’s GCC High tenant.

Key compliance characteristics:

  • Satisfies CUI storage and handling requirements via Microsoft 365 GCC High.
  • Supports DFARS 252.204-7012 incident reporting and monitoring requirements through Microsoft’s platform controls and DoD-assessed processes.
  • Provides the auditable controls required for NIST SP 800-171 / CMMC Level 2.
  • Ensures customer-only administrative access to CUI.
  • Prevents vendor access—R3 and AWS personnel have no access to document content.
  • Maintains a clean, defensible, Microsoft-governed CUI boundary.

This model confines all CUI to a customer-governed enclave capable of meeting federal cybersecurity requirements.

 

5.5 Document Interaction and Storage Model

All document interactions within R3 solutions follow a consistent and compliant pattern:

  • Documents are stored only in the customer’s Microsoft 365 tenant.
  • Users access documents directly in native Microsoft 365 applications under Entra ID and Conditional Access policies.
  • R3 maintains metadata only (links, GUIDs, structured references).
  • Document edits, versioning, labeling, and retention occur completely within Microsoft 365.
  • All document activity is audited in the Microsoft 365 Unified Audit Log.

R3 never stores, transmits, proxies, replicates, or ingests document content.
This ensures alignment with Microsoft Zero Trust and Purview governance models.

 

5.6 ZeroDrift: Document Routing & Boundary Enforcement Pattern

ZeroDrift™ is the document-handling model that ensures the Execution Plane never receives, stores, or processes document content. It is the operational enforcement mechanism that guarantees all CUI and FCI document content remains inside the customer’s Microsoft 365 tenant (the Document Control Plane), regardless of how users interact with documents through R3 solutions.

ZeroDrift is not a procedural guideline or workflow preference—it is a structural characteristic of the architecture. The system is designed such that document drift into the Execution Plane is technically impossible.

 

5.6.1 Purpose and Scope

ZeroDrift governs the following document interactions:

  • Uploading or creating documents
  • Linking documents to R3 records
  • Viewing and editing documents
  • AI-based extraction and metadata generation
  • Workflow steps that involve document review or approval

ZeroDrift ensures:

  • All document content stays in Microsoft 365
  • R3 receives metadata only
  • No document binaries, streams, or text bodies enter R3 storage
  • CUI cannot be accidentally routed into the Execution Plane
  • Microsoft 365 remains the sole CUI enclave

This is the operational guarantee behind the CUI boundary defined in Section 5.4.

 

5.6.2 Direct-to-Microsoft 365 Upload Pattern

All document uploads initiated from R3 workflows follow the same enforced pattern:

  1. User uploads the file directly into SharePoint
    • Uploads flow from the user’s device to the customer’s M365 tenant
    • R3 never receives the file payload
  2. R3 receives only metadata
    • Document ID
    • SharePoint URL
    • File name / type / version
    • Metadata references
  3. The R3 document record stores only a pointer
    • No file is cached, copied, transmitted, or stored by R3
    • No document content enters R3 systems
  4. Users access documents directly in Microsoft 365
    • Clicking a link in R3 simply opens the SharePoint URL
    • All editing occurs in native Office 365 applications

This is the core ZeroDrift upload path. Users have no option to store documents in R3.

 

5.6.3 Enforcement Through Metadata-Only Architecture

ZeroDrift relies on architectural constraints:

  • R3’s data model stores metadata only
  • R3 APIs reject file uploads and binary payloads
  • No document content is proxied or transformed
  • No SharePoint permissions within the Document Control Plane are altered by R3
  • R3 RBAC does not influence document access

Because R3 is structurally incapable of storing or accepting documents, boundary enforcement does not depend on user behavior or administrator diligence.
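
The sketch below shows one way an API boundary can enforce a metadata-only contract of this kind. It is an added example, not R3's code: the function name, field names, size limits, and the contoso.sharepoint.us host are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Field names are assumptions modelled on the metadata listed in section 5.6.2.
ALLOWED_FIELDS = {"documentId", "sharePointUrl", "fileName", "fileType", "version"}
REQUIRED_FIELDS = {"documentId", "sharePointUrl"}
MAX_FIELD_LEN = 2048  # pointers are short; longer values suggest embedded content
EMBEDDED = re.compile(r"^(data:|[A-Za-z0-9+/=\s]{512,}$)", re.IGNORECASE)


def validate_pointer_request(content_type, body, tenant_host):
    """Return (record, None) for a metadata-only pointer, else (None, reason)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":  # multipart, octet-stream, etc. never parse
        return None, "content type not allowed: " + media_type
    try:
        record = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, "body is not UTF-8 JSON"
    if not isinstance(record, dict):
        return None, "body must be a JSON object"
    if set(record) - ALLOWED_FIELDS:
        return None, "unexpected fields: " + ", ".join(sorted(set(record) - ALLOWED_FIELDS))
    if REQUIRED_FIELDS - set(record):
        return None, "missing required fields"
    for name, value in record.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            return None, name + " must be a short string"
        if EMBEDDED.match(value):  # data: URIs and long base64 runs
            return None, name + " looks like embedded content"
    try:
        url = urlsplit(record["sharePointUrl"])
        host = url.hostname
    except ValueError:
        return None, "sharePointUrl is malformed"
    if url.scheme != "https" or host != tenant_host.lower():
        return None, "sharePointUrl is outside the customer tenant"
    return record, None


if __name__ == "__main__":
    # Constructed sample request; contoso.sharepoint.us is a placeholder tenant host.
    sample = json.dumps({"documentId": "doc-001",
                         "sharePointUrl": "https://contoso.sharepoint.us/sites/ops/plan.docx",
                         "fileName": "plan.docx", "fileType": "docx", "version": "3.0"})
    print(validate_pointer_request("application/json", sample.encode(), "contoso.sharepoint.us"))
```

The host comparison uses the parsed hostname rather than a substring match, so a URL that places the tenant name in the userinfo part is rejected.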

 

5.6.4 AI Extraction Under System-Enforced ZeroDrift Controls

AI-driven metadata extraction operates outside the ZeroDrift document-routing model but is constrained by the same system-enforced CUI boundary. AI processing is a user-initiated action, but the ZeroDrift controls and Microsoft 365 protections ensure that no user—authorized or not—can invoke AI on a document labeled as CUI.

AI Processing Flow

  1. The document remains stored exclusively in Microsoft 365
  2. From R3, an authorized user initiates an AI operation
  3. R3 retrieves a time-limited Microsoft 365 content token
  4. The system validates that the document is not labeled as CUI in M365
    • If CUI-labeled → AI processing is blocked
  5. Only a minimal, transient textual extract is accessed for processing
  6. The AI engine returns structured metadata only
  7. The transient extract is immediately discarded
  8. No document file or content is ever stored, logged, or retained in R3 systems

Key Properties

  • System-enforced hard boundary: AI cannot process documents labeled as CUI
  • User-initiated, permission-controlled operation: only authorized users may request AI extraction
  • ZeroDrift untouched: no document is stored in R3
  • Metadata-only outputs are FCI
  • AI cannot cross, weaken, or bypass the CUI boundary

This ensures that even with AI involved, the CUI boundary is not dependent on user behavior, convenience, or discretion — it is technically enforced and not bypassable.
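
The processing flow above can be expressed as a gate that runs the label check before any content is read. This is an added example, not R3's code: every callable in `deps`, the output key list, and the choice to block when the label lookup fails are assumptions of the sketch.

```python
class AiBlocked(Exception):
    """Raised when the gate refuses to run AI extraction."""


ALLOWED_OUTPUT_KEYS = {"title", "documentType", "effectiveDate"}  # assumed schema


def run_ai_extraction(doc_id, user, deps, cui_label_ids):
    """Steps 2-8 of the flow. `deps` maps names to hypothetical injected callables:
    is_authorized, get_token, get_label_id, read_extract, ai_engine, audit."""
    if not deps["is_authorized"](user, doc_id):                # step 2
        deps["audit"]("denied", doc_id, "user not authorized")
        raise AiBlocked("user not authorized")
    token = deps["get_token"](doc_id)                          # step 3
    try:
        label_id = deps["get_label_id"](doc_id, token)         # step 4; None = unlabeled
    except Exception as exc:
        # Assumption of this example: a failed label lookup blocks (fail closed).
        deps["audit"]("blocked", doc_id, "label lookup failed")
        raise AiBlocked("label lookup failed") from exc
    if label_id in cui_label_ids:
        deps["audit"]("blocked", doc_id, "CUI label")
        raise AiBlocked("document is labeled CUI")
    extract = bytearray(deps["read_extract"](doc_id, token))   # step 5, only after the gate
    try:
        raw = deps["ai_engine"](extract)                       # step 6
        # Keep allow-listed keys only, so free text from the extract is not returned.
        metadata = {k: str(v)[:256] for k, v in raw.items() if k in ALLOWED_OUTPUT_KEYS}
    finally:
        extract[:] = bytes(len(extract))                       # step 7: zero the buffer
    # Step 8: the audit record carries key names only, never extract text.
    deps["audit"]("completed", doc_id, ",".join(sorted(metadata)))
    return metadata
```

Zeroing the buffer covers only the copy this function holds; an engine that copies the extract has to discard its own copy.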