3. Vertical Hybrid Model

The Vertical Hybrid Model: Conceptual Overview

The Vertical Hybrid Model defines how identity, documents, and business execution are separated into three independent planes. This structure creates a clear CUI boundary, enables modern business operations, and ensures each plane has discrete responsibilities.

The model consists of:

  • Identity Plane (Microsoft Entra ID): authentication, MFA, Conditional Access, and sign-in governance.
  • Document Control Plane (Microsoft 365 GCC / GCC High): storage and governance of all documents, including all CUI and FCI.
  • Execution Plane (R3 GovCloud Workplace): business applications, metadata processing, workflow automation, and AI capabilities, with no document storage.

This separation allows organizations to maintain full control of identity and documents while operating high-performance workflows in a modern cloud environment.

3.1 Separation of Execution Plane vs. Document Control Plane

The model enforces a strict division between business execution and document storage:

  • The Execution Plane handles metadata, workflow actions, and automation. It does not store, transmit, or cache document content.
  • The Document Control Plane is the authoritative location for all files, including CUI, and applies all document-centric controls (access, retention, DLP, audit logging).

This separation ensures the Execution Plane remains an FCI-only environment while the Document Control Plane remains the customer’s sole CUI boundary.

3.2 Identity Plane as the Unified Access Perimeter

Microsoft Entra ID provides the unified identity perimeter for both planes. All authentication, MFA, Conditional Access, device compliance enforcement, and identity lifecycle management occur in the customer’s tenant.

Key characteristics:

  • Entra ID authenticates users to both planes without storing documents or metadata.
  • Identity governance remains fully customer-controlled.
  • Entra ID enforces the access perimeter but does not itself authorize access to document content; that authorization is applied within the Document Control Plane.
  • No identity data crosses into R3 systems, and R3 has no identity administration role.

This structure ensures access decisions remain under customer authority and are independent of vendor systems.

3.3 CUI Boundary Definition

The Document Control Plane defines the exclusive CUI boundary:

  • All CUI resides inside the customer’s Microsoft 365 tenant (GCC High when required).
  • No CUI enters R3 systems at any point.
  • R3 processes metadata only, maintaining a clean separation from document content.
  • AI extraction is restricted to transient FCI-only events; CUI-labeled files are not accepted.

This boundary allows organizations to meet CMMC Level 2 and DFARS 252.204-7012 requirements using Microsoft 365 while keeping the Execution Plane out of scope.

3.4 Data Flows & Boundary Enforcement

Data flows in the Hybrid Model are intentionally unidirectional:

  • Documents → Microsoft 365 only
    All document uploads and creations are routed directly into customer-controlled SharePoint locations within the M365 tenant.
    R3 stores only metadata in its document records (IDs, URLs, classifications, status), never the document content itself.
  • Metadata → R3 GovCloud
    Workflow actions, AI outputs, and business data remain in the Execution Plane.

ZeroDrift (Section 5.6) ensures:

  • Documents cannot be stored in the Execution Plane.
  • Document boundaries are enforced at the architectural level, not through user behavior.
  • All document access and audit logs remain in Microsoft 365.

This structural enforcement guarantees a defensible separation between CUI-containing systems and metadata systems.
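The metadata-only rule described in 3.3 and 3.4 can be expressed as an admission gate on the Execution Plane's document records. The following is an added illustration, not ZeroDrift's or R3's own code: the field names, classification labels and the tenant host are assumptions.

```python
# Added illustration (not R3's ZeroDrift code): an admission gate that only lets
# metadata-only, FCI-only records that reference the customer's M365 tenant into
# the Execution Plane. Field names, labels and the host below are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: the customer's SharePoint host inside its M365 (GCC High) tenant.
CUSTOMER_SHAREPOINT_HOSTS = {"contoso.sharepoint.us"}  # placeholder, not from the page
# Assumed classification labels permitted in the Execution Plane (FCI only).
ALLOWED_LABELS = {"FCI", "Public"}
# The only fields a document record may carry: identifiers, location, label, state.
ALLOWED_KEYS = {"doc_id", "url", "classification", "status"}
# Fields whose presence means document content, not metadata, is being stored.
CONTENT_KEYS = {"content", "body", "bytes", "text", "attachment"}


@dataclass
class GateResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def gate_document_record(record: dict) -> GateResult:
    """Return whether a record may be written to the Execution Plane, and why not."""
    reasons = []
    extra = set(record) - ALLOWED_KEYS
    if extra & CONTENT_KEYS:
        reasons.append(f"document content fields present: {sorted(extra & CONTENT_KEYS)}")
    elif extra:
        reasons.append(f"unknown fields (metadata schema violation): {sorted(extra)}")
    missing = ALLOWED_KEYS - set(record)
    if missing:
        reasons.append(f"missing metadata fields: {sorted(missing)}")
    # The URL must point back into the customer's Microsoft 365 tenant over HTTPS.
    parsed = urlparse(str(record.get("url", "")))
    if parsed.scheme != "https" or parsed.hostname not in CUSTOMER_SHAREPOINT_HOSTS:
        reasons.append("url does not point into the customer's Microsoft 365 tenant")
    # CUI-labeled records are refused outright; only FCI-class labels are accepted.
    label = record.get("classification")
    if label not in ALLOWED_LABELS:
        reasons.append(f"classification {label!r} is not permitted in the Execution Plane")
    return GateResult(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample record: metadata only, FCI, stored in the customer tenant.
    ok = {"doc_id": "D-1", "url": "https://contoso.sharepoint.us/sites/ops/a.docx",
          "classification": "FCI", "status": "pending"}
    print(gate_document_record(ok))
```

Rejections are returned rather than raised so the caller can log every violated rule to the Microsoft 365 side audit trail before discarding the record.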