
I built Merkle-chain evidence verification for CMMC compliance — here's why and how
This started with a frustrating conversation. A defense contractor friend failed their CMMC Level 2 assessment. Not because they hadn't done the security work — but because when the assessor asked "who last updated this document and when," the answer was effectively "we don't know." Their evidence was a folder of Word docs labeled things like final_v3_REALLYFINAL.docx. Technically fine content. No way to prove authenticity.

That's what I ended up building Solymus around. Here's the core pattern:

1. Artifact gets uploaded
2. SHA-256 hash computed server-side
3. Hash digest signed with KMS — ECDSA_SHA_256, MessageType=DIGEST (important: if you sign the full payload you'll hit the 4KB limit fast)
4. Record stored in DynamoDB with the digest and signature
5. Every night at midnight UTC, an attestation job seals that day's events into a Merkle root
6. Each artifact gets a public /verify/{id} endpoint — no auth — that returns the hash, signature, and Merkle linkage

One thing that bit me: right after upload, m
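The nightly sealing step and the Merkle linkage a /verify/{id} client would check, as an added example (not Solymus code): a hashlib-only Merkle tree over one day's event records with inclusion proofs. The record format, the 0x00/0x01 leaf/node prefixes and the promote-the-odd-node rule are my assumptions, not necessarily the project's.

```python
import hashlib
from typing import List, Tuple

# Constructed sample of one day's evidence events (artifact id, SHA-256 digest,
# KMS signature); the digest and signature values are placeholders, not real ones.
SAMPLE_EVENTS = [
    b"art-001|sha256=<digest-placeholder-1>|sig=<kms-sig-placeholder-1>",
    b"art-002|sha256=<digest-placeholder-2>|sig=<kms-sig-placeholder-2>",
    b"art-003|sha256=<digest-placeholder-3>|sig=<kms-sig-placeholder-3>",
]

def leaf_hash(record: bytes) -> bytes:
    # 0x00 prefix domain-separates leaves from internal nodes (second-preimage defence).
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _next_level(level: List[bytes]) -> List[bytes]:
    # Pair nodes; an unpaired last node is promoted unchanged rather than duplicated.
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2 == 1:
        nxt.append(level[-1])
    return nxt

def merkle_root(leaves: List[bytes]) -> bytes:
    # What the midnight attestation job would compute and store for the day.
    if not leaves:
        raise ValueError("cannot seal an empty day")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    # Sibling hashes from leaf to root; "L"/"R" records which side the sibling is on.
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        sibling = i ^ 1
        if sibling < len(level):
            proof.append((level[sibling], "L" if sibling < i else "R"))
        level, i = _next_level(level), i // 2
    return proof

def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    # What a /verify/{id} client recomputes from the returned Merkle linkage.
    h = leaf
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root
```

A record altered after sealing changes its leaf hash, so the recomputed path no longer reaches the stored root and verification fails.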


