7. Security & Compliance Alignment

The Hybrid Architecture aligns security responsibilities with the three-plane model:

  • Identity controls remain in the customer’s Entra ID tenant
  • Document-centric controls remain in Microsoft 365
  • Metadata processing occurs in the R3 Execution Plane

This structure defines a single, defensible CUI boundary (the Microsoft 365 GCC High tenant, with authentication governed by the customer's Entra ID tenant) and keeps the vendor-operated R3 Execution Plane outside CMMC Level 2 and DFARS 252.204-7012 scope. That scoping claim rests on one technical condition: CUI must never be able to reach the Execution Plane, and the customer must be able to evidence that to an assessor.
7.1 CMMC Level 1 and Level 2 Alignment

The planes participate differently in CMMC assessments:

  • CMMC Level 1 (FCI): All three planes are in scope because each processes FCI or controls access to it.
  • CMMC Level 2 (CUI): Only the Document Control Plane (Microsoft 365 GCC High) and the identity-related controls in Entra ID that govern access to it are in scope.
  • The Execution Plane is out of scope for CMMC Level 2 because it does not store, process, or transmit CUI; it is restricted to metadata. R3 provides an evidence package covering the Execution Plane for the customer's CMMC Level 1 assessment.

This separation reduces assessment complexity by isolating CUI to Microsoft 365.
7.2 DFARS 252.204-7012 (CUI Incident Reporting)

The cloud service provider requirements of DFARS 252.204-7012 (a FedRAMP Moderate baseline or equivalent, plus support for cyber incident reporting, forensic data preservation, and evidence collection) apply only to cloud systems that store, process, or transmit CUI.
In the Hybrid Architecture, that requirement applies solely to the customer's Microsoft 365 GCC High tenant.

  • Microsoft provides the incident reporting support, forensic data, and evidence collection required of a cloud service provider for CUI stored in GCC High.
  • The customer, as the contractor, remains responsible for fulfilling the DFARS 7012 cyber incident reporting obligation itself (reporting to DoD within 72 hours of discovery).
  • R3 systems are out of scope because the Execution Plane handles metadata only and never receives CUI.

This design confines DFARS responsibilities to the customer–Microsoft relationship.
7.3 FedRAMP High and DoD SRG Alignment

FedRAMP High and DoD Cloud Computing SRG Impact Level 4/5 requirements apply only to cloud systems that store, process, or protect CUI. In the Hybrid Architecture:

  • Microsoft 365 GCC High is the FedRAMP High–authorized CUI environment.
  • Azure Government Entra ID provides identity alignment for authentication into the CUI boundary.
  • The R3 Execution Plane is hosted on FedRAMP High–authorized infrastructure (AWS GovCloud) but remains outside the CUI boundary because it processes metadata only. Hosting on FedRAMP High infrastructure lets the Execution Plane inherit infrastructure-level controls; it does not by itself make the R3 application FedRAMP authorized, and the architecture does not rely on it being so.

This keeps CUI protections within Microsoft’s validated CUI service boundary.
7.4 NIST SP 800-171 Control Alignment

NIST SP 800-171 applies to systems storing or processing CUI.

  • Document Control Plane: Fully subject to NIST SP 800-171 via Microsoft 365 GCC High controls.
  • Identity Plane: Entra ID contributes identity-related controls (access, authentication, MFA).
  • Execution Plane: Meets the CMMC Level 1 practice set (the basic safeguarding requirements derived from FAR 52.204-21) for the metadata it handles. It is not required to meet CUI-specific controls because it never handles CUI; nonetheless, R3 operates it against the full 110-control set of NIST SP 800-171 (CMMC Level 2) as a matter of practice.

This alignment keeps NIST 800-171 responsibilities concentrated within Microsoft 365 and customer governance.
7.5 ITAR and Export Control Alignment

Export-controlled data (ITAR and EAR technical data) must remain in environments that are operated and supported only by U.S. Persons and that enforce strong access controls.

  • Microsoft 365 GCC High provides U.S. Persons–only operations and appropriate export-control safeguards.
  • R3 GovCloud is operated exclusively by U.S. Persons and supports metadata-only processing without storing export-controlled content.
  • All document-level export-control controls remain within the customer’s M365 tenant.

The architecture is designed to keep export-controlled data out of any vendor system; in practice this depends on the document-level controls in the customer's M365 tenant (sensitivity labeling and DLP) being configured so that export-controlled content cannot leave the tenant.
7.6 Consolidated Responsibilities Across Planes

The security model depends on strict separation of responsibilities:

  • Identity Plane: Customer controls authentication, MFA, Conditional Access, and identity governance.
  • Document Control Plane: Customer and Microsoft jointly control document protection, retention, DLP, labeling, and audit logging.
  • Execution Plane: R3 controls metadata processing, workflow automation, and system security within AWS GovCloud.

Each plane is responsible only for the controls within its boundary. No plane inherits CUI responsibilities from another, ensuring a clear and defensible assessment scope.