1. Executive Summary

Estimated reading: 5 minutes

1.1 Purpose of This Document

The purpose of this document is to explain how the R3 Hybrid Architecture supports the security and compliance requirements commonly evaluated during CMMC Level 2 and DFARS 252.204-7012 (DIBCAC) assessments. It describes the system boundary, the separation of responsibilities, the handling of CUI and FCI, and the inherited controls that underpin the compliance posture.

To support this goal, the document provides a detailed technical description of the Hybrid Architecture, including its three operational planes, the flow of data between them, and the mechanisms that ensure all documents and CUI remain exclusively within the customer’s Microsoft 365 environment.

This document may be used for internal planning, architectural review, system boundary definition, audit preparation, or technical evaluation by assessors and third-party reviewers. It is intended to complement—not replace—the customer’s own security documentation, System Security Plan (SSP), and compliance evidence.

 

1.2 Intended Audience

This guide is written for:

  • Security and compliance professionals
  • IT and cloud architects
  • Identity and access management teams
  • CMMC assessors and preparatory consultants
  • GovCon operations and technical reviewers
  • System administrators responsible for Microsoft 365, Entra ID, and boundary governance

It provides the level of detail typically required for architectural review, boundary definition, risk evaluation, and audit preparation.

 

1.3 Document Sections

The document is organized into the following 12 major sections:

Section 1 — Executive Summary
Provides an overview of the R3 Hybrid Architecture documentation set, including its guiding principles and objectives, and explains how identity, execution, and document control planes create a secure and modern GovCon environment.

Section 2 — GovCon Technology Evolution and Compliance Alignment
Describes major federal cybersecurity shifts from 2022–2025 and why GovCon organizations are converging on hybrid architectural patterns to meet evolving CMMC and DFARS expectations.

Section 3 — The Vertical Hybrid Model: Conceptual Overview
Defines the Vertical Hybrid Model and explains how separating execution, identity, and document control planes creates a defensible CUI boundary and operational clarity.

Section 4 — Execution Plane (R3 GovCloud Workplace)
Explains how the Execution Plane enables contract operations without storing CUI, using ZeroDrift protections and strict AI boundaries.

Section 5 — Document Control Plane (Microsoft 365 GCC / GCC High)
Outlines GCC/GCC High as the authoritative storage environment for CUI and FCI, applying location-based security and compliance safeguards.

Section 6 — Identity Plane (Microsoft Entra ID)
Describes Microsoft Entra ID as the unified identity layer supporting MFA, conditional access, and RBAC while remaining fully customer-controlled.

Section 7 — Security & Compliance Alignment
Maps the hybrid architecture to CMMC Level 2, DFARS 7012, FedRAMP, and NIST 800-171 controls, illustrating how plane separation reduces assessment scope.

Section 8 — Shared Responsibility Model (SRM)
Clarifies responsibility partitions among the customer, Microsoft, and R3 for identity, documents, infrastructure, and operations.

Section 9 — Operational Assurance & High Availability
Covers R3’s infrastructure resiliency, monitoring, business continuity, and how the execution plane maintains availability without storing CUI.

Section 10 — Customer Control Narrative
Explains how customers retain full control of documents, identities, permissions, and governance, keeping compliance authority entirely within the GovCon organization.

Appendix A — Compliance Control Matrix
Provides a table of how each of the 3 planes of Hybrid map to the primary compliance requirements (CMMC, NIST 800-171, DFARS, ITAR, etc.).

Appendix B — Business Authorization & Least Privilege
Defines business-layer authorization for Federal compliance requirements and explains how least-privilege access is assigned independently of CUI document permissions within the hybrid model.

Together, these sections provide a comprehensive overview of how the Hybrid Architecture operates and how it supports compliance.

 

1.4 Architectural Objectives

The R3 Hybrid Architecture is designed to achieve the following objectives:

  • Establish a clear, defensible CUI boundary rooted in the customer’s GCC/GCC High environment
  • Separate business execution from document storage to maintain performance while protecting CUI
  • Unify identity and access control under customer-owned Microsoft Entra ID
  • Minimize assessment scope by ensuring CUI resides only in customer-controlled systems
  • Leverage existing Microsoft security investments, including Purview, DLP, retention, and audit logs
  • Provide a scalable, metadata-based execution layer capable of workflow automation and AI processing without handling CUI
  • Ensure structural enforcement of boundaries, rather than relying on policy-based controls alone

These objectives reflect the practical requirements of GovCon organizations balancing security, compliance, and operational efficiency.

 

1.5 Summary of the Hybrid Architecturer3 vertical hybrid architecture

The Hybrid Architecture consists of three coordinated planes:

  • Execution Plane — R3 GovCloud Workplace
    Runs R3 business solutions, workflows, automation, metadata processing, and optional AI capabilities. This plane never stores, processes, or transmits CUI.
  • Document Control Plane — Microsoft 365 GCC / GCC High
    All customer documents, including all CUI and FCI, reside exclusively in customer-provided SharePoint site collections within their Microsoft 365 tenant.
  • Identity Plane — Microsoft Entra ID
    A unified identity perimeter provides authentication, MFA, Conditional Access, RBAC, and auditability across both planes, fully governed by the customer.

These planes work together to support a clean separation between business execution, document governance, and identity control.

 

1.6 Key Architectural Principles

The design of the Hybrid Architecture is based on the following principles:

  • CUI resides only in the customer’s GCC/GCC High tenant
  • R3 systems handle metadata only, not document bodies or CUI
  • Identity is singular and customer-controlled, with no parallel identity store
  • Boundaries are structurally enforced, not dependent on configuration or user behavior
  • Vendor personnel do not have access to customer documents
  • Audit logs remain within their appropriate boundary (M365 for CUI, R3 GovCloud for metadata)

These principles produce a stable, transparent, and easily validated compliance posture.

Next - 1. Executive Summary 2. GovCon Technology Evolution