https://ferkakta.dev/tags/cmmc/Recent content in Cmmc on ferkakta.devHugoen-USCopyright fizz.Mon, 30 Mar 2026 20:00:00 -0500https://ferkakta.dev/cmmc-crm-acquisition-playbook/Mon, 30 Mar 2026 20:00:00 -0500https://ferkakta.dev/cmmc-crm-acquisition-playbook/<p>I spent a Monday getting the same document from two cloud service providers. AWS took five minutes and a command-line PDF extraction tool. Google took eight hours, two simultaneous support chats, an LLM-drafted support ticket, an escalation sherpa, and a tripartite NDA structure whose existence is unknown to Google&rsquo;s own frontline support.</p> <p>Both vendors publish a CMMC Customer Responsibility Matrix — the spreadsheet that maps NIST 800-171 controls to inherited, shared, or customer responsibility. Both are legally required to provide it. The experience of obtaining them could not be more different.</p>https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/<h2 id="the-starting-assumption">The starting assumption</h2> <p>I&rsquo;m building <a href="https://ramparts.dev">ramparts</a>, a multi-tenant compliance platform running on EKS. Each tenant gets a Kubernetes namespace &ndash; <code>tenant-acme</code>, <code>tenant-globex</code>, whatever &ndash; and the compliance controls require that their application logs land in isolated storage with 365-day retention. CMMC maps this to AU-2 (audit events), AU-3 (audit content), AU-11 (retention), and AC-4 (information flow isolation). A tenant cannot read another tenant&rsquo;s container output.</p> <p>The obvious first move was <code>aws-for-fluent-bit</code>, AWS&rsquo;s own Helm chart and container image for shipping logs to CloudWatch. AWS service, AWS chart, AWS logging destination. The blessed path.</p>