SY0-701 | Chapter 200 of 212 | Objective 5.4

SOC 2 and FedRAMP Compliance

This chapter covers SOC 2 and FedRAMP—two critical compliance frameworks for cloud service providers. SOC 2 governs how service organizations handle customer data based on five Trust Service Criteria, while FedRAMP provides a standardized approach to security assessment for cloud products used by U.S. federal agencies. For the SY0-701 exam, Objective 5.4 (Security Program Management) tests your understanding of these frameworks as part of third-party risk management and compliance requirements. By the end of this chapter, you'll be able to distinguish between SOC 2 Type I and Type II reports, explain FedRAMP's authorization levels, and identify common exam traps.

25 min read
Intermediate
Updated May 31, 2026

SOC 2 and FedRAMP: The Audit and the License

Imagine you're a restaurant owner who wants to prove to health inspectors and liability insurers that your kitchen meets strict safety standards. SOC 2 is like a private health inspection report: you hire a certified inspector to evaluate your processes—food storage temperatures (availability), hand-washing logs (integrity), and customer allergy protocols (confidentiality)—and issue a report (Type I or Type II) that you can share with insurers or corporate clients. The inspector doesn't certify you; they just report on your controls. FedRAMP is like a government-issued operating license: if you want to serve food on a federal military base, you must undergo a standardized, rigorous inspection by a joint team (the JAB) that follows a government-defined checklist (NIST SP 800-53). Once you get that license (an authorization), it's valid for three years, but you must submit monthly self-inspections and pass annual re-evaluations. The key mechanism difference: SOC 2 is a report—flexible, scoped by you, and used for commercial trust; FedRAMP is an authorization—rigid, government-scoped, and mandatory for federal cloud services. A common mistake is thinking SOC 2 is a certification (it's not—it's an attestation report) or that FedRAMP is optional for commercial clients (it's only for federal use).

How It Actually Works

What Are SOC 2 and FedRAMP?

SOC 2 (System and Organization Controls 2) is a reporting framework developed by the American Institute of CPAs (AICPA). It is not a certification but an attestation report issued by a CPA firm after evaluating a service organization's controls against five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 is voluntary but widely demanded by enterprise customers who want assurance that their cloud provider has adequate controls.

FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Unlike SOC 2, FedRAMP results in an authorization (ATO) that is mandatory for any cloud service handling federal data. FedRAMP uses NIST SP 800-53 as its baseline security controls.

How They Work Mechanically

SOC 2 Process:
1. The service organization defines the system boundaries and selects applicable TSCs (e.g., Security and Availability).
2. They design and implement controls to meet the TSCs.
3. A licensed CPA firm (the auditor) performs testing—either a point-in-time examination (Type I) or a period-of-time test (Type II, typically 6-12 months).
4. The auditor issues a report: Type I reports on control design at a specific date; Type II reports on control operating effectiveness over a period.
5. The report is distributed to customers under NDA; it cannot be used as a marketing certification.

FedRAMP Process:
1. A cloud service provider (CSP) selects a FedRAMP-authorized Third-Party Assessment Organization (3PAO) to perform a security assessment.
2. The CSP submits a System Security Plan (SSP) and supporting documentation.
3. The 3PAO tests controls against the FedRAMP baseline (Low, Moderate, or High impact).
4. The Joint Authorization Board (JAB) or an agency reviews the package and issues a Provisional ATO (P-ATO) or agency ATO.
5. The CSP must continuously monitor security controls and submit monthly vulnerability scans and annual assessments.

Key Components and Variants

SOC 2 Types:
- Type I: Design of controls at a specific point in time. Minimal assurance; exam often asks: "Which report shows control design but not operation?"
- Type II: Operating effectiveness over a period (minimum 6 months). More rigorous.

SOC 2 Trust Service Criteria (TSC):
- Security: The system is protected against unauthorized access (logical and physical).
- Availability: The system is available for operation and use as committed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the organization's privacy notice.

FedRAMP Impact Levels:
- Low: For systems where loss of confidentiality, integrity, or availability would have limited adverse effect (e.g., public-facing websites).
- Moderate: For systems where loss would have serious adverse effect (e.g., most federal enterprise apps).
- High: For systems where loss would have severe or catastrophic effect (e.g., law enforcement or emergency response).

Authorization Types:
- JAB P-ATO: Provisional authorization by the Joint Authorization Board (DoD, DHS, GSA). Reusable by any agency.
- Agency ATO: Authorization by a specific federal agency for its own use.

How Attackers Exploit or Defenders Deploy

SOC 2 in Practice: A defender uses a SOC 2 Type II report to validate a vendor's security posture during third-party risk assessment. An attacker might target gaps not covered by the report—for example, if the report only covers Security and Availability, the attacker could exploit weak Privacy controls (e.g., improper data disposal). The key is that SOC 2 is point-in-time or period-based; it does not guarantee current security.

FedRAMP in Practice: A defender uses FedRAMP authorization to ensure a cloud service meets federal baseline controls. An attacker might exploit misconfigurations in the CSP's environment that fall outside the FedRAMP boundary (e.g., a third-party plugin not in the SSP). Continuous monitoring helps but is only as good as the scanning tools used.

Real Command/Tool Examples

SOC 2 Control Testing Example: An auditor might test logical access controls by reviewing:

Password policy: grep -i 'minlen' /etc/pam.d/common-password

MFA enforcement: aws iam list-virtual-mfa-devices

Logging: auditctl -l | grep -E '^-w .*-p [rwxa]*[wa]' (lists file watches whose permission flags include write or attribute change, e.g. -w /etc/shadow -p wa -k identity)
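The password-policy and logging checks above as one evidence-collection script, added here as an example (not from the chapter): it parses a constructed /etc/pam.d/common-password and constructed auditctl -l output and records pass/fail per test. The 14-character minimum and the list of files that must be watched are this example's assumptions.

```python
# Added example (not from the chapter): automate two of the auditor's logical-access
# checks so the pass/fail result can be filed as SOC 2 evidence.
import re
from typing import Dict, Optional

# Constructed sample of /etc/pam.d/common-password (Debian/Ubuntu layout).
PAM_COMMON_PASSWORD = """\
# here are the per-package modules (the "Primary" block)
password    requisite    pam_pwquality.so retry=3 minlen=14 difok=3
password    [success=1 default=ignore]    pam_unix.so obscure use_authtok yescrypt
"""

# Constructed sample of `auditctl -l` output: /etc/sudoers is only watched for reads.
AUDIT_RULES = """\
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p r -k privilege
"""

def pam_minlen(pam_text: str) -> Optional[int]:
    """Return the minlen enforced by pam_pwquality or pam_cracklib, or None if unset."""
    for line in pam_text.splitlines():
        if not line.startswith("password"):      # skips comments and other PAM stacks
            continue
        if "pam_pwquality.so" in line or "pam_cracklib.so" in line:
            m = re.search(r"\bminlen=(\d+)", line)
            if m:
                return int(m.group(1))
    return None

def write_watches(auditctl_output: str) -> Dict[str, str]:
    """Map watched path -> permission flags for rules that record writes (w) or
    attribute changes (a); a read-only watch does not satisfy the control."""
    watches = {}
    for line in auditctl_output.splitlines():
        m = re.match(r"-w\s+(\S+)\s+-p\s+([rwxa]+)", line.strip())
        if m and set(m.group(2)) & {"w", "a"}:
            watches[m.group(1)] = m.group(2)
    return watches

def evidence_summary(pam_text: str, auditctl_output: str, min_length: int = 14,
                     required=("/etc/passwd", "/etc/shadow", "/etc/sudoers")) -> Dict[str, bool]:
    """Pass/fail per test; this dict is what gets attached to the control's evidence."""
    minlen = pam_minlen(pam_text)
    watches = write_watches(auditctl_output)
    return {
        "password_minlen": minlen is not None and minlen >= min_length,
        "audit_identity_files": all(p in watches for p in required),
    }

if __name__ == "__main__":
    print(evidence_summary(PAM_COMMON_PASSWORD, AUDIT_RULES))
```

On the sample data the password test passes and the audit test fails, because /etc/sudoers is only watched for reads; that failing row is exactly the kind of finding an auditor would raise.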

FedRAMP Continuous Monitoring: CSPs must run vulnerability scans monthly. Example using Nessus (illustrative syntax only; in practice Nessus scans are launched from the web console or its REST API rather than nessuscli):

nessuscli scan --target 192.168.1.0/24 --policy "FedRAMP Moderate" --output /var/reports/monthly_scan.nessus

They must also submit POA&M (Plan of Action and Milestones) for any findings.

Common Exam Commands:
- NIST SP 800-53 control catalog: nmap -sV --script vuln (not directly, but used for testing)
- FedRAMP requires CVSS score reporting: cvss-calc --vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (cvss-calc is an illustrative tool name)

Summary of Differences

| Feature | SOC 2 | FedRAMP |
|---------|-------|---------|
| Purpose | Commercial assurance | Federal compliance |
| Standard | AICPA TSC | NIST SP 800-53 |
| Type | Attestation report | Authorization (ATO) |
| Auditor | CPA firm | 3PAO |
| Reuse | Customer-specific | Reusable across agencies |
| Validity | Report date | 3 years (with continuous monitoring) |

Walk-Through

1. Define System Boundaries

For SOC 2, the service organization must clearly define the system boundaries—what infrastructure, software, people, and data are in scope. This includes physical locations, cloud environments, and third-party dependencies. For FedRAMP, the CSP defines the authorization boundary, which includes all components that process, store, or transmit federal data. Common mistake: including too much or too little—over-scoping leads to unnecessary controls; under-scoping risks non-compliance. Tools used: network diagrams, data flow diagrams, and asset inventories (e.g., ServiceNow CMDB).

2. Select Applicable Criteria

For SOC 2, the organization selects which Trust Service Criteria (TSC) to include. Most choose Security (mandatory in practice) plus one or more of Availability, Processing Integrity, Confidentiality, Privacy. For FedRAMP, the impact level (Low, Moderate, High) determines the baseline control set from NIST SP 800-53. Example: a Moderate baseline includes ~325 controls. The CSP must document which controls are applicable and how they are implemented. Exam trap: thinking SOC 2 requires all five TSCs—it does not.

3. Implement Controls

The organization designs and implements controls to meet the selected criteria. For SOC 2, common controls include access control policies, encryption (AES-256), intrusion detection (e.g., Snort), and backup procedures. For FedRAMP, controls are mapped to NIST 800-53 families (e.g., AC-1 for access control policy, IA-2 for identification and authentication). CSPs often use automation tools like Terraform to enforce configurations. Logs: Windows Event ID 4625 for failed logins; Linux /var/log/auth.log. A common mistake is implementing controls but not documenting evidence—auditors need proof.

4. Engage Auditor or 3PAO

For SOC 2, the organization hires a licensed CPA firm (e.g., Big Four) to perform the examination. The auditor reviews control descriptions and tests them. For FedRAMP, the CSP must use a FedRAMP-accredited 3PAO (e.g., Coalfire, A-LIGN). The 3PAO conducts a readiness assessment, then a full security assessment. The CSP provides evidence: policies, configuration screenshots, logs. Common mistake: choosing an uncertified auditor—SOC 2 requires CPA; FedRAMP requires accredited 3PAO. The exam may ask: 'Who performs a FedRAMP assessment?' Answer: 3PAO.

5. Report or Authorization Issuance

For SOC 2, the auditor issues a Type I or Type II report. Type I is a point-in-time opinion on control design; Type II covers operating effectiveness over a period (minimum 6 months). The report is confidential and distributed under NDA. For FedRAMP, the JAB or agency issues an ATO (Authorization to Operate). The ATO is valid for 3 years, with continuous monitoring requirements. The CSP receives a FedRAMP package including the SSP, SAR (Security Assessment Report), and POA&M. Common exam question: 'Which SOC report evaluates controls over time?' Answer: Type II.

What This Looks Like on the Job

Scenario 1: Cloud Vendor Selection

A healthcare company is evaluating a SaaS provider for patient scheduling. The provider claims to be 'SOC 2 certified.' The security analyst requests the SOC 2 Type II report and discovers it only covers Security and Availability, not Privacy. The analyst realizes that the provider's Privacy controls are untested, which is critical for HIPAA compliance. The correct response is to ask for a SOC 2 report that includes Privacy or conduct a separate assessment. Common mistake: accepting a Type I report as sufficient—it only tests design, not operation. Tools used: vendor risk management platform (e.g., OneTrust), SOC 2 report repository.

Scenario 2: FedRAMP Authorization for a Federal Agency

A federal agency wants to use a cloud-based email service. The CSP has a FedRAMP Moderate JAB P-ATO. The agency's security team reviews the FedRAMP package, including the SSP and POA&M. They find that the CSP has a critical vulnerability (CVSS 9.8) in a web application firewall, with a POA&M item stating remediation by next quarter. The agency must decide whether to accept the risk. The correct response is to evaluate the POA&M and possibly require a faster fix. Common mistake: assuming FedRAMP authorization means no vulnerabilities exist—it only means the CSP has a plan to address them.

Scenario 3: SOC 2 Type I vs Type II Confusion

A startup receives a SOC 2 Type I report and advertises it as proof of security. A potential enterprise customer asks for a Type II report. The startup cannot provide one because they haven't operated controls for a sufficient period. The customer walks away. The lesson: Type I is insufficient for high-assurance partners. The startup should have planned a Type II examination from the start. Tools: audit management software (e.g., Vanta, Drata) to track control evidence over time.

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests

Objective 5.4 (Security Program Management) expects you to:

Distinguish between SOC 2 Type I and Type II reports.

Identify the five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

Understand that SOC 2 is an attestation, not a certification.

Know that FedRAMP is for U.S. federal cloud services and uses NIST SP 800-53.

Recognize the roles: 3PAO, JAB, agency ATO vs. P-ATO.

Differentiate between SOC 2 (commercial) and FedRAMP (government).

Common Wrong Answers

1. 'SOC 2 is a certification.' Wrong—it's an attestation report issued by a CPA firm. Candidates confuse it with ISO 27001 certification.

2. 'FedRAMP is voluntary for commercial clients.' Wrong—it's mandatory only for federal use. Commercial clients may ask for it, but it's not required.

3. 'SOC 2 Type I tests controls over time.' Wrong—Type I is point-in-time; Type II tests over time.

4. 'FedRAMP uses ISO 27001 controls.' Wrong—it uses NIST SP 800-53.

Specific Terms and Values

Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy (remember acronym: SAPCP).

Type I vs Type II: Type I = design only; Type II = design + operating effectiveness over 6+ months.

FedRAMP impact levels: Low, Moderate, High.

3PAO: Third-Party Assessment Organization.

JAB: Joint Authorization Board (DoD, DHS, GSA).

ATO: Authorization to Operate; P-ATO: Provisional ATO.

NIST SP 800-53: The control catalog used by FedRAMP.

Trick Questions

'Which report shows that controls are operating effectively over time?' Answer: SOC 2 Type II.

'Which framework is required for cloud services used by federal agencies?' Answer: FedRAMP.

'Who performs the FedRAMP assessment?' Answer: 3PAO.

'What is the purpose of a SOC 2 report?' Answer: To provide assurance to customers, not to certify.

Decision Rule for Eliminating Wrong Answers

On scenario questions asking about third-party risk, ask: 'Is this about commercial or government?' If commercial, think SOC 2. If government, think FedRAMP. Then ask: 'What is the timeframe?' If point-in-time, Type I; if over a period, Type II. If the answer mentions 'certification,' eliminate it unless it's ISO 27001. If it mentions 'NIST 800-53,' it's likely FedRAMP.

Key Takeaways

SOC 2 is an attestation, not a certification; Type I = design, Type II = operating effectiveness over 6+ months.

The five Trust Service Criteria are Security, Availability, Processing Integrity, Confidentiality, Privacy (SAPCP).

FedRAMP is mandatory for U.S. federal cloud services; uses NIST SP 800-53 controls.

FedRAMP impact levels: Low, Moderate, High determine control baseline.

3PAO performs FedRAMP assessments; JAB issues P-ATO; agencies issue ATO.

SOC 2 reports are confidential and distributed under NDA; FedRAMP packages are shared with agencies.

Common exam trap: confusing SOC 2 Type I with Type II or thinking SOC 2 is a certification.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SOC 2

Commercial framework for service organizations

Based on AICPA Trust Service Criteria

Results in an attestation report (Type I or Type II)

Auditor is a licensed CPA firm

No continuous monitoring requirement (only period of examination)

FedRAMP

Government framework for cloud services used by federal agencies

Based on NIST SP 800-53 controls

Results in an authorization (ATO or P-ATO)

Assessor is a FedRAMP-accredited 3PAO

Requires continuous monitoring (monthly scans, annual assessments)

Watch Out for These

Mistake: SOC 2 is a certification like ISO 27001.

Correct: SOC 2 is an attestation report issued by a CPA firm. It does not certify an organization; it provides an opinion on controls. ISO 27001 is a certifiable standard.

Mistake: A SOC 2 Type I report proves controls are effective.

Correct: Type I only evaluates control design at a single point in time. It does not test whether controls actually operate effectively. Type II is needed for operational effectiveness.

Mistake: FedRAMP is voluntary for any cloud provider.

Correct: FedRAMP is mandatory for cloud services used by U.S. federal agencies. Commercial customers may request it, but it is not legally required outside government.

Mistake: SOC 2 covers all five Trust Service Criteria by default.

Correct: Organizations can choose which TSCs to include. Many only include Security and Availability. Privacy and Confidentiality are optional unless specifically requested.

Mistake: FedRAMP authorization means the system is completely secure.

Correct: FedRAMP authorization indicates that the system meets a baseline of controls and has a plan to address vulnerabilities (POA&M). It does not guarantee zero risk.

Frequently Asked Questions

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates the design of controls at a specific point in time. Type II evaluates both the design and operating effectiveness of controls over a period (minimum 6 months). For the exam, remember: Type I = snapshot; Type II = movie. Most customers require Type II for higher assurance.

Is SOC 2 required by law?

No, SOC 2 is voluntary. However, many enterprise customers require SOC 2 reports as part of vendor risk management. It is not a legal requirement like FedRAMP is for federal agencies.

What is the role of the Joint Authorization Board (JAB) in FedRAMP?

The JAB, consisting of DoD, DHS, and GSA, reviews FedRAMP packages and issues Provisional ATOs (P-ATOs) that can be reused by any federal agency. The JAB prioritizes CSPs based on demand.

Can a SOC 2 report be shared publicly?

No, SOC 2 reports are confidential and typically shared under a non-disclosure agreement (NDA). They are intended for customers and partners, not the general public. Marketing use is restricted.

What is the FedRAMP baseline for Moderate impact systems?

The Moderate baseline is derived from NIST SP 800-53 and includes approximately 325 controls across 18 families. It is the most common baseline for federal systems.

What happens if a FedRAMP-authorized CSP has a security breach?

The CSP must notify the agency and the FedRAMP PMO within a specified timeframe (usually 24-72 hours). They must also update the POA&M and may face re-assessment or revocation of authorization.

How long is a FedRAMP authorization valid?

A FedRAMP authorization (ATO) is valid for 3 years, provided the CSP maintains continuous monitoring and passes annual assessments. If the CSP fails to comply, the authorization can be revoked.
