8. Shared Responsibility Model (SRM)
The R3 Hybrid Architecture implements a clear Shared Responsibility Model (SRM) that separates operational responsibilities across the three planes of the model: the Identity Plane, the Document Control Plane, and the Execution Plane. Each plane has distinct responsibilities, enforcement mechanisms, and compliance expectations.
This separation ensures that CUI remains contained within the customer’s Microsoft 365 tenant while enabling high-performance business operations in the R3 GovCloud Execution Plane.
The SRM prevents overlap, eliminates ambiguity, and simplifies CMMC Level 2 boundary definition.
8.1 Structural Characteristics of the Hybrid SRM
The Hybrid Architecture is built around foundational responsibility boundaries:
- The Document Control Plane is the only CUI environment.
All CUI and all document content reside exclusively in the customer’s Microsoft 365 tenant (GCC High when required). R3 systems never store, transmit, access, or process CUI.
- The Identity Plane governs authentication only.
Microsoft Entra ID manages identity lifecycle, MFA, Conditional Access, and sign-in policy enforcement. Identity does not govern document content or workflow permissions.
- The Execution Plane is FCI-only.
The R3 GovCloud Workplace processes metadata, workflow actions, and automation outputs, but has no ability to store or access documents. This plane is intentionally scoped to CMMC Level 1 and excluded from CMMC Level 2 and DFARS 7012 obligations.
- ZeroDrift prevents cross-plane document drift.
ZeroDrift enforces that all document content flows directly into the customer’s M365 tenant and never into R3 systems. Document boundaries are enforced structurally, not through policy.
These characteristics create a defensible boundary that auditors can independently evaluate.
8.2 Shared Responsibility Matrix (High-Level)
The table below summarizes responsibility assignment across the three planes and the three parties involved: the customer, Microsoft, and R3.
| Responsibility Area | Identity Plane
(Entra ID) |
Execution Plane
(R3 GovCloud Workplace) |
Document Control Plane
(M365 GCC / GCC High) |
| CUI Storage & Protection | — | — | ✔ (Customer + Microsoft) |
| FCI Handling | — | ✔ (metadata only) | ✔ |
| Authentication, MFA, Conditional Access | ✔ (Customer) | — | — |
| Identity Lifecycle Management | ✔ (Customer) | — | — |
| Workflow Role-Based Access (R3 RBAC) | — | ✔ | — |
| SharePoint Permissions / ACLs | — | — | ✔ (Customer) |
| Purview Labels, DLP, Retention | ✔ (Customer) | — | ✔ (Microsoft enforcement) |
| Document Storage & Versioning | — | — | ✔ |
| Metadata Storage & Processing | — | ✔ | — |
| Audit Logs (Identity) | ✔ | — | — |
| Audit Logs (Metadata / Workflow) | — | ✔ | — |
| Audit Logs (Documents) | — | — | ✔ |
| DFARS 7012 Incident Reporting | ✔ (Customer) | — | ✔ (Microsoft) |
| CMMC Level 2 Assessment | ✔ (identity only) | ✖ (not in scope) | ✔ (CUI environment) |
| FedRAMP High Responsibilities | — | — | ✔ (Microsoft as CUI CSP) |
| U.S. Persons Requirement | ✔ | ✔ | ✔ |
This matrix reflects the architectural principle that each plane is responsible only for the controls within its boundary.
8.3 Responsibility by Plane
Identity Plane — Customer-Controlled
The customer is responsible for:
- Identity lifecycle management
- MFA enforcement and Conditional Access
- Device compliance settings
- Administrator roles and identity governance
- Sign-in logs and identity-related audit trail
- U.S. Persons-only access (when applicable)
Microsoft provides the identity platform; the customer governs identity policy.
Document Control Plane — Customer + Microsoft
Customer responsibilities:
- SharePoint permissions and document access control
- Purview sensitivity labels
- DLP rules and data perimeter policies
- Retention and legal hold
- Tenant configuration and security posture
- Determining CUI scope and managing CUI policies
Microsoft responsibilities:
- Hosting all CUI content (GCC High)
- FedRAMP High / DoD SRG IL4–IL5 infrastructure
- Encryption, labeling enforcement, retention enforcement
- Unified Audit Log for documents and content operations
- DFARS 7012 incident response capabilities
- Operating U.S. Persons-only cloud regions
This plane is the sole CUI boundary for the Hybrid Architecture.
Execution Plane — R3 Responsibility (Metadata-Only)
R3 is responsible for:
- Operating the FCI-only R3 GovCloud Workplace
- Metadata storage and processing
- Workflow logic and R3 RBAC
- Logging of business actions, metadata events, and system behaviors
- Platform hardening and patching in AWS GovCloud
- Enforcing ZeroDrift to prevent any document storage
- AI extraction limited to metadata-only outputs
R3 has zero responsibility for document content or CUI protection.
8.4 What R3 Is Not Responsible For
R3 is explicitly not responsible for:
- Storing, processing, or transmitting CUI
- Document governance (ACLs, labels, retention)
- DFARS 7012 reporting
- Purview, DLP, or CUI lifecycle controls
- Managing the M365 tenant
- Identity governance or Conditional Access
- Document audit logs
This prevents any scope expansion into CUI environments.
8.5 Why the SRM Is Auditor-Preferred
The Hybrid SRM:
- Establishes a single CUI environment (M365 GCC High)
- Removes ambiguity by separating identity from content
- Keeps business systems performing without inheriting CUI obligations
- Reduces CMMC Level 2 assessment scope
- Ensures cross-plane boundaries are structural, not policy-based
- Allows assessors to evaluate each plane independently
- Guarantees R3 never touches CUI
This model mirrors how federal assessors prefer to evaluate distributed architectures.