Compliance on ferkakta.devhttps://ferkakta.dev/tags/compliance/Recent content in Compliance on ferkakta.devHugoen-USCopyright fizz.Mon, 30 Mar 2026 20:00:00 -0500Bananas Acquisition: a CMMC CRM playbookhttps://ferkakta.dev/cmmc-crm-acquisition-playbook/Mon, 30 Mar 2026 20:00:00 -0500https://ferkakta.dev/cmmc-crm-acquisition-playbook/<p>I spent a Monday getting the same document from two cloud service providers. AWS took five minutes and a command-line PDF extraction tool. Google took eight hours, two simultaneous support chats, an LLM-drafted support ticket, an escalation sherpa, and a tripartite NDA structure whose existence is unknown to Google&rsquo;s own frontline support.</p> <p>Both vendors publish a CMMC Customer Responsibility Matrix — the spreadsheet that maps NIST 800-171 controls to inherited, shared, or customer responsibility. Both are legally required to provide it. The experience of obtaining them could not be more different.</p>The missing layer in compliance RAG: why your search results need a judgehttps://ferkakta.dev/rag-judging-layer/Thu, 19 Mar 2026 12:00:00 -0500https://ferkakta.dev/rag-judging-layer/<p>If you&rsquo;re building search over a knowledge base with an LLM — the pattern everyone calls RAG — you&rsquo;ve seen the standard pipeline: embed the user&rsquo;s question, find the closest chunks in a vector store, hand them to the LLM, get an answer. For documentation search or internal wikis, this works. The LLM is good at ignoring irrelevant context when the relevant stuff is also in the window.</p> <p>I&rsquo;m building a CMMC compliance platform, and I wanted a way to dogfood our own product against our own development process. Every commit we make to the platform touches some aspect of NIST 800-171 — access control, audit logging, encryption, configuration management. I wanted our pull requests to show which compliance controls each change addresses. Not as a compliance artifact (though it could become one), but as a consciousness-raising tool: every engineer on the team sees the compliance implications of their own code, every reviewer sees which controls are being strengthened. It&rsquo;s ambient education that turns into culture.</p>I assumed GovCloud was AWS with a different region code. It took two weeks to prove me wrong.https://ferkakta.dev/govcloud-surprises/Wed, 11 Mar 2026 23:00:00 -0400https://ferkakta.dev/govcloud-surprises/<p>I needed a GovCloud account for a multi-tenant NIST compliance platform. I&rsquo;d been running commercial AWS infrastructure for months — EKS, Terraform, tenant provisioning, the whole stack. GovCloud would be the same thing in a different region. That was the assumption. It lasted about four hours.</p> <h2 id="the-account-that-doesnt-exist-yet">The account that doesn&rsquo;t exist yet</h2> <p>My management account couldn&rsquo;t call <code>CreateGovCloudAccount</code>. The API returned <code>ConstraintViolationException</code> with a message about not being &ldquo;enabled for access to GovCloud&rdquo; and no guidance on what that meant. I filed a support case. AWS enabled the permission two days later, and as a side effect created a standalone GovCloud account that had no relationship to my Organizations structure — an orphan floating in the partition with disconnected root credentials. I still had to find it and deal with it.</p>