SOC 2
Definition
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA in which an independent CPA firm evaluates a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report, covering a review period of operating effectiveness (typically 6 to 12 months), is increasingly required by enterprise buyers and is a de facto procurement requirement for B2B SaaS vendors.
SOC 2 is the trust evidence enterprise buyers ask for before signing a software contract. A SOC 2 Type I report attests that controls are suitably designed and implemented at a single point in time. A SOC 2 Type II report, the one buyers usually require, attests that those controls operated effectively over a sustained period (typically 6 or 12 months) and lists the auditor's test results and any exceptions found.
SOC 2 Trust Services Criteria
- Security (CC, the "common criteria") -- the only category required in every SOC 2 report; covers the control environment, risk assessment, monitoring, logical and physical access, system operations (including incident handling), and change management
- Availability (A) -- system uptime and performance commitments
- Processing Integrity (PI) -- data processed completely and accurately
- Confidentiality (C) -- data designated confidential is protected
- Privacy (P) -- personal information is collected, used, and disclosed per policy
SOC 2 vs. FedRAMP
SOC 2 is the commercial enterprise standard. FedRAMP is required for cloud services sold to U.S. federal agencies. The two overlap substantially (FedRAMP baselines are drawn from NIST SP 800-53, and the AICPA publishes mappings from the Trust Services Criteria to 800-53), but they are distinct programs: a SOC 2 report does not satisfy FedRAMP, and a FedRAMP authorization does not replace a SOC 2 report. Many federal-adjacent vendors pursue SOC 2 first (faster and cheaper) as a bridge while working toward FedRAMP authorization.
Related terms
FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies, with Low, Moderate, and High impact baselines. A FedRAMP Moderate authorization is commonly cited as covering about 80% of federal civilian use cases; it typically takes 12-24 months to achieve and costs on the order of $500,000-$2,000,000, but it unlocks a $100 billion+ federal cloud services market with a single authorization that other agencies can reuse.
CMMC (Cybersecurity Maturity Model Certification)
CMMC (Cybersecurity Maturity Model Certification) is the DoD's program for verifying cybersecurity practices on defense contracts. CMMC Level 2, which will be required on most DoD contracts handling Controlled Unclassified Information as the program phases in from 2025-2026, is assessed against all 110 NIST SP 800-171 practices; for most Level 2 contracts the assessment must be performed by a Certified Third-Party Assessment Organization (C3PAO), while a subset of contracts permits an annual self-assessment.
NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations: 110 requirements in Revision 2, which DoD contracts continue to reference (Revision 3, published in 2024, consolidates them to 97). Any company that handles CUI under a DoD contract must implement all 110 requirements (DFARS 252.204-7012) and submit a self-assessment score to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019/7020.
HIPAA Software
HIPAA software is any application that creates, receives, maintains, or transmits Protected Health Information (PHI) and must comply with the HIPAA Security Rule's administrative, physical, and technical safeguards. Software companies that handle PHI on behalf of covered entities are business associates and must sign a Business Associate Agreement (BAA) with each covered entity. Civil penalties are tiered by culpability, roughly $100-$50,000 per violation with an annual cap of about $1.9 million per provision; the exact figures are adjusted for inflation each year.