Considering how many security controls my FISMA Moderate-classed SaaS inherits from my cloud vendor, I very much doubt it's easier to build any platform internally, if we're only considering regulatory compliance.
There’s paperwork compliance, and then there’s security and risk controls performance validated compliance.
It may be more difficult if “we signed a contrast, trust the compliance report” is not an acceptable answer for a particular risk management audit or regulator.
If we're in "we can't rely the 3PAO's assessment or the JAB's (or DISA's) review of this cloud vendor" territory, then we're probably dealing with workloads far more sensitive than FISMA High or Secret, in which case it absolutely makes sense to DIY.
It may be more difficult if “we signed a contrast, trust the compliance report” is not an acceptable answer for a particular risk management audit or regulator.