by Terretta 2079 days ago
There’s paperwork compliance, and then there’s security and risk controls performance validated compliance.

It may be more difficult if “we signed a contract, trust the compliance report” is not an acceptable answer for a particular risk management audit or regulator.


If we're in "we can't rely on the 3PAO's assessment or the JAB's (or DISA's) review of this cloud vendor" territory, then we're probably dealing with workloads far more sensitive than FISMA High or Secret, in which case it absolutely makes sense to DIY.

But most workloads aren't that special.