Cryptographic receipts for CMMC compliance evidence
The problem I kept seeing: defense contractors would spend months preparing for a CMMC assessment — policies, screenshots, control mappings, the whole thing — and then the C3PAO would ask who last modified a document and when. No audit trail. Assessment over.
About 15–30% of first-time CMMC assessments fail. I'd guess a big chunk of those aren't failing because the security controls aren't in place. They're failing because there's no way to prove the evidence is authentic.
So I built Solymus. Every artifact you upload gets SHA-256 hashed, signed with KMS (ECDSA_SHA_256 — signing the digest, not the payload, because of the 4KB limit), and sealed into a daily Merkle chain. Each artifact gets a public /verify/{id} endpoint — no auth required — so the assessor can check it themselves.
One thing worth knowing: right after upload, merkle_status shows "pending". It upgrades to "linked" after midnight UTC when the attestation job runs. The KMS signature is valid immediately — Merkle is the additional daily seal. Took me a while to realize I needed to document that clearly or people assumed it was broken.
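To make the upload / nightly-seal / verify flow concrete, here is an added example of the same shape of ledger. It is not Solymus code and assumes nothing about its internals beyond what the post states: the artifact digest is what gets signed, a daily Merkle root is chained to the previous day's seal, and the public verify result carries a `merkle_status` of `pending` until the attestation job runs and `linked` afterwards. The KMS call is replaced by an HMAC stand-in (`HmacSigner`) purely so the example runs offline; the leaf/node domain-separation bytes, the seal construction and the duplicate-last-node rule for odd leaf counts are my own assumptions, not the product's design.

```python
"""Daily Merkle seal over signed artifact digests (added example, not Solymus code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Domain separation: leaves and interior nodes hash differently so an interior
# node can never be passed off as a leaf (or vice versa) in an inclusion proof.
def leaf_hash(digest: bytes) -> bytes:
    return sha256(b"\x00" + digest)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[List[Tuple[bytes, str]]]]:
    """Return (root, proofs); proofs[i] is the sibling path for leaf i as (sibling, side)."""
    if not leaves:
        raise ValueError("no leaves to seal")
    level = list(leaves)
    proofs: List[List[Tuple[bytes, str]]] = [[] for _ in leaves]
    pos = list(range(len(leaves)))  # where each original leaf sits in the current level
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])  # assumption: duplicate last node on odd counts
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        for leaf_idx, p in enumerate(pos):
            if p % 2 == 0:
                proofs[leaf_idx].append((level[p + 1], "R"))
            else:
                proofs[leaf_idx].append((level[p - 1], "L"))
            pos[leaf_idx] = p // 2
        level = nxt
    return level[0], proofs


def root_from_proof(leaf: bytes, proof: List[Tuple[bytes, str]]) -> bytes:
    h = leaf
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h


class HmacSigner:
    """Offline stand-in for KMS. In production this would be kms.sign(..., MessageType='DIGEST',
    SigningAlgorithm='ECDSA_SHA_256') over the 32-byte digest, and kms.verify on the way back."""
    def __init__(self, key: bytes):
        self.key = key

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self.key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), sig)


@dataclass
class Artifact:
    artifact_id: str
    digest: bytes
    signature: bytes
    merkle_status: str = "pending"
    day: Optional[str] = None
    proof: List[Tuple[bytes, str]] = field(default_factory=list)


class Ledger:
    def __init__(self, signer: HmacSigner):
        self.signer = signer
        self.artifacts: Dict[str, Artifact] = {}
        self.pending: List[str] = []
        self.seals: Dict[str, Dict[str, bytes]] = {}
        self.prev_seal = b"\x00" * 32  # genesis link for the daily chain

    def upload(self, artifact_id: str, content: bytes) -> Artifact:
        digest = sha256(content)
        art = Artifact(artifact_id, digest, self.signer.sign(digest))  # signature valid immediately
        self.artifacts[artifact_id] = art
        self.pending.append(artifact_id)
        return art

    def run_attestation_job(self, day: str) -> Optional[bytes]:
        """The nightly job: seal every pending digest into one tree chained to yesterday's seal."""
        if not self.pending:
            return None
        ids, self.pending = self.pending, []
        root, proofs = build_tree([leaf_hash(self.artifacts[i].digest) for i in ids])
        seal = sha256(self.prev_seal + root + day.encode())  # assumption: chain rule
        self.seals[day] = {"root": root, "seal": seal, "prev": self.prev_seal}
        self.prev_seal = seal
        for i, p in zip(ids, proofs):
            art = self.artifacts[i]
            art.merkle_status, art.day, art.proof = "linked", day, p
        return seal

    def verify(self, artifact_id: str, content: Optional[bytes] = None) -> dict:
        """What an unauthenticated /verify/{id} endpoint would report."""
        art = self.artifacts.get(artifact_id)
        if art is None:
            return {"ok": False, "reason": "unknown id"}
        if content is not None and sha256(content) != art.digest:
            return {"ok": False, "reason": "digest mismatch"}
        if not self.signer.verify(art.digest, art.signature):
            return {"ok": False, "reason": "bad signature"}
        result = {"ok": True, "signature": "valid", "merkle_status": art.merkle_status}
        if art.merkle_status == "linked":
            s = self.seals[art.day]
            root_ok = root_from_proof(leaf_hash(art.digest), art.proof) == s["root"]
            chain_ok = sha256(s["prev"] + s["root"] + art.day.encode()) == s["seal"]
            result["ok"] = root_ok and chain_ok
            result["day"] = art.day
        return result
```

The point an assessor cares about is visible in `verify`: a `pending` record is still a fully signed receipt, it just has not been folded into a daily seal yet, while a `linked` record additionally proves membership in a root that is itself bound to the previous day's seal, so a later edit to one document would break both the inclusion proof and every seal after it.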
Free tier at prolixotech.com. Happy to go into the crypto implementation if anyone's curious.