4. Execution Plane


The Execution Plane contains the R3 GovCloud Workplace environment, where R3’s business applications, workflow automation, metadata processing, and optional AI-assisted capabilities operate. This plane supports contract execution activities while remaining outside the scope of systems that store or process CUI. All authentication and authorization are governed through the customer’s Microsoft Entra ID tenant.

The R3 GovCloud Workplace is a cloud environment running on AWS GovCloud West. It is operated in accordance with the 110 controls of NIST SP 800-171 and leverages a broad set of AWS services to provide security, compliance, and operational control. It does not store documents and does not store, process, or transmit CUI.

All references to documents within R3 business processes are maintained as metadata (e.g., SharePoint links or document record associations) that point to content stored in the customer’s Microsoft 365 GCC or GCC High tenant (Document Control Plane). When users open a document from R3, they are opening it directly from their Microsoft 365 environment.

The following sections describe the responsibilities, constraints, components, and isolation model of the Execution Plane.

 

4.1 Responsibilities of the Execution Plane

The Execution Plane supports the operational functions of R3 solutions. Responsibilities include:

  • Workflow automation: Approvals, reviews, routing, state transitions, and other business process logic.
  • Metadata and structured-data management: Business record fields and relationships, status indicators, traceability attributes, key-value pairs, and configuration data.
  • Task and activity tracking: User assignments, due dates, completion tracking, and activity logs.
  • AI-assisted operational tasks: Automated population of metadata fields, structured extraction, or system-driven recommendations (not involving CUI content).
  • Integration orchestration: Interactions with customer systems or external applications using metadata and document references without transmitting document bodies.
  • Event handling and operational audit metadata: Logging of workflow events, user actions, and system events occurring within the Execution Plane.

These responsibilities allow the Execution Plane to automate GovCon business operations while preserving a strict separation from document content and CUI.

 

4.2 Explicit Non-CUI Boundary of the Execution Plane

The Execution Plane is designed to operate entirely outside the CUI boundary. It does not:

  • store document bodies,
  • process or transmit CUI,
  • scan or parse document content,
  • index or replicate customer documents, or
  • retain backup copies of customer documents.

All document content is stored exclusively in the customer’s Microsoft 365 environment. This ensures that the Execution Plane is considered an FCI-only environment for assessment purposes under CMMC Level 1 and remains out-of-scope for CMMC Level 2 and DFARS 252.204-7012 CUI handling requirements.

 

4.3 Identity and Access Control

Authentication and authorization to the Execution Plane are provided solely through the customer’s Microsoft Entra ID tenant. Key characteristics include:

  • Single identity perimeter: Users authenticate using the customer’s identity provider; no separate R3 identity store is used.
  • Customer-controlled access policies: MFA, Conditional Access, RBAC, and session controls apply uniformly to the Execution Plane.
  • Administrative separation: R3 does not manage customer identities, user roles, or tenant security policies.
  • Consistent identity governance: Access to both the Execution Plane and the Document Control Plane follows the same identity perimeter and audit controls.

This ensures that identity governance and access control remain fully under customer authority.

 

4.4 Document Reference Patterns

The Execution Plane interacts with documents through metadata and references only. These reference patterns include:

  • SharePoint Online URLs or file identifiers
  • R3 document record associations
  • Customer-controlled API calls
  • Metadata fields for version, classification, or workflow state

When documents are added to R3 workflows, the system routes them directly into the customer’s Microsoft 365 tenant. The Execution Plane stores only the associated metadata, ensuring that document content remains within the customer’s CUI-governed environment.

 

4.5 Architectural Constraints

To preserve boundary integrity and support compliance alignment, the Execution Plane adheres to the following architectural constraints:

  • No document content ingestion: The Execution Plane never receives or stores document bodies.
  • Metadata-only processing: Operational data is limited to metadata and workflow information.
  • No mixed-mode storage: Document bodies and CUI are never stored alongside operational metadata.
  • Customer-governed identity: All access originates from the customer’s Entra ID tenant.
  • Consistent logging segmentation: Workflow events are logged inside R3; document activity is logged in Microsoft 365.
  • No elevation into customer M365: R3 support and systems cannot access or modify customer documents.

These constraints support a clear, defensible, and narrow boundary definition.
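
The reference patterns in 4.4 and the constraints in 4.5 can be checked mechanically at the point where a record is written. The following is an added example, not R3's code: the field names, the size limit, and the `contoso` tenant hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of metadata fields for a document reference (hypothetical names).
ALLOWED_FIELDS = {"record_id", "sharepoint_url", "file_id", "version",
                  "classification", "workflow_state"}
# Assumed customer tenant hosts (constructed sample tenant).
ALLOWED_HOSTS = {"contoso.sharepoint.us", "contoso.sharepoint.com"}
MAX_VALUE_LEN = 2048  # assumed ceiling: metadata values are short scalars


def validate_reference(record):
    """Return a list of boundary violations; an empty list means metadata-only."""
    problems = []
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {key}")
        elif isinstance(value, (bytes, bytearray)):
            problems.append(f"binary payload in field: {key}")
        elif not isinstance(value, (str, int)):
            problems.append(f"non-scalar value in field: {key}")
        elif isinstance(value, str) and len(value) > MAX_VALUE_LEN:
            problems.append(f"oversized value in field: {key}")
    url = record.get("sharepoint_url")
    if not isinstance(url, str):
        problems.append("missing sharepoint_url")
        return problems
    parts = urlsplit(url)
    # data: or file: URLs could smuggle a document body or a local path.
    if parts.scheme != "https":
        problems.append("reference is not https")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    # Exact host match: a look-alike suffix or userinfo trick must not pass.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        problems.append("reference host is outside the customer tenant")
    return problems


# Constructed sample records.
GOOD = {"record_id": "CM-0001", "version": "3", "workflow_state": "In Review",
        "sharepoint_url": "https://contoso.sharepoint.us/sites/contracts/sow.docx"}
BAD = {"record_id": "CM-0002", "body": b"%PDF-1.7 ...",
       "sharepoint_url": "https://contoso.sharepoint.us.example.net/sow.docx"}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["record_id"], validate_reference(rec) or "ok")
```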

 

4.6 Execution Plane Components (Infrastructure & Platform Stack)

The Execution Plane is composed of multiple layers that together support R3’s applications and metadata-processing workflows. These include:

4.6.1 AWS GovCloud Infrastructure

The Execution Plane operates within AWS GovCloud (US-West), a FedRAMP High and DoD SRG IL4/IL5-aligned region designed for regulated workloads.
AWS GovCloud provides:

  • FIPS 140-2 validated encryption at rest and in transit
  • U.S. Persons / U.S.-based support
  • Separate availability zones for redundancy
  • Network isolation and tenant separation
  • Strong infrastructure auditability

4.6.2 R3 Application Platform

The R3 business applications (WinCenter, Contract Management, Program Management) run on a no-code/low-code platform that provides:

  • workflow automation engine
  • form and metadata management
  • rules-based processing
  • configurable business objects
  • API orchestration

4.6.3 SharePoint Server Metadata Storage

R3 uses Microsoft SharePoint Server (hosted in AWS GovCloud) as the metadata storage layer.
SharePoint provides:

  • SQL content databases
  • versioning
  • permissions model
  • workflow state data
  • hardened security model familiar to auditors
  • customer-specific storage boundaries (see Section 4.8)

4.6.4 R3 AI Platform

The Execution Plane integrates with AI capabilities running on AWS services, including:

  • Amazon Textract
  • Amazon Bedrock
  • Other AWS-managed AI and ML services

These AI functions operate only on metadata or non-CUI document representations and cannot access CUI or M365-stored content.

4.6.5 Required Customer Components

Two customer-managed systems are required for hybrid operation:

  • Microsoft Entra ID — for Single Sign-On and identity governance
  • Microsoft 365 (Commercial, GCC, or GCC High) — for all document storage

 

4.7 Execution Plane Isolation Model

The Execution Plane is architected to provide strong tenant isolation consistent with expectations for regulated cloud workloads. Each customer environment is provisioned as a separate SharePoint web application with dedicated content databases and isolated operational boundaries.

4.7.1 Database Isolation

  • Each customer environment uses dedicated SQL content databases.
  • No metadata or document record is stored in a shared database.
  • Database-level controls prevent cross-tenant access.
  • Backups and DR restoration occur at the per-database level.

4.7.2 Application Isolation

  • Each customer runs in a separate SharePoint web application.
  • Application pools, service accounts, and IIS processes are isolated per customer.
  • Application configuration is stored within each customer’s own content database, ensuring isolation during DR operations.

4.7.3 Operational Isolation

  • Backup, recovery, and DR operations do not affect any other customer environment.
  • DR restoration is performed into separate application pools and database instances.
  • Events in one tenant cannot impact the configuration or metadata of another.

4.7.4 Support Isolation

  • R3 personnel access is scoped to the customer’s Execution Plane environment only.
  • R3 support cannot access the customer’s Microsoft 365 tenant or documents.
  • AWS support personnel cannot access customer documents or metadata.
  • All privileged user access logs are segmented per customer environment.

 

4.8 Business Authorization in the Execution Plane

A critical responsibility of the Execution Plane is enforcing business authorization—determining which users are entitled to access specific GovCon documents and perform specific operational actions based on business context. GovCon work is organized around contracts, programs, pursuits, subcontracts, financial structures, and workflow stages. These relationships define who should have access and are required to meet CMMC Level 2, NIST SP 800-171 access-control requirements, DFARS 252.204-7012, and Zero Trust principles (NIST SP 800-207), including least privilege, need-to-know, and separation of duties. The location-based security controls of Microsoft 365 in the Document Control Plane cannot support these requirements.

R3 applications in the Execution Plane maintain all relevant business context and apply role-based access controls to manage role assignments, business-record ownership, workflow state, segregation-of-duties rules, and delegated authority. This enables the system to apply least privilege and need-to-know at the operational level, then broker controlled access to documents stored in Microsoft 365.
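
A sketch of how such a decision can combine role assignment, workflow state, delegated authority, and a segregation-of-duties rule before a document reference is released. This is an added example, not R3's implementation: the roles, states, policy table, user names, and URL are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy: (role, action) -> workflow states in which the action is allowed.
POLICY = {
    ("contract_manager", "view"): {"Draft", "In Review", "Approved"},
    ("contract_manager", "edit"): {"Draft", "In Review"},
    ("approver", "view"): {"In Review", "Approved"},
    ("approver", "approve"): {"In Review"},
    ("reviewer", "view"): {"In Review"},
}


@dataclass
class Record:
    contract: str
    workflow_state: str
    submitted_by: str
    sharepoint_url: str
    team: dict = field(default_factory=dict)         # user -> role on this contract
    delegations: dict = field(default_factory=dict)  # delegate -> delegating user


def authorize(user, action, rec):
    """Deny by default; return (allowed, reason)."""
    # Need-to-know: a role on this contract, held directly or through delegation.
    acting_for = user if user in rec.team else rec.delegations.get(user)
    role = rec.team.get(acting_for)
    if role is None:
        return False, "no role on this contract"
    # Least privilege: the role must permit the action in the current state.
    if rec.workflow_state not in POLICY.get((role, action), set()):
        return False, f"{role} may not {action} in state {rec.workflow_state}"
    # Segregation of duties: delegation must not let a submitter approve their own work.
    if action == "approve" and rec.submitted_by in (user, acting_for):
        return False, "segregation of duties: submitter cannot approve"
    return True, f"allowed as {role}"


def broker_link(user, rec):
    """Release the Microsoft 365 reference only after a positive decision."""
    return rec.sharepoint_url if authorize(user, "view", rec)[0] else None


# Constructed sample record.
SAMPLE = Record("C-001", "In Review", "alice",
                "https://contoso.sharepoint.us/sites/contracts/sow.docx",
                team={"alice": "approver", "bob": "approver", "carol": "reviewer"},
                delegations={"dave": "alice", "erin": "bob"})
```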

See Appendix B – Business Authorization and Least Privilege for a deeper explanation of these requirements.