CMMC vs SOC 2: Why One Doesn't Replace the Other

SOC 2 and CMMC come from different standards bodies, serve different purposes, and carry different legal consequences. Here's what your SOC 2 report doesn't cover.

Deep Fathom

If your organization already holds a SOC 2 Type II report, you might assume CMMC compliance is mostly handled. You’ve invested in controls, passed an audit, and received a formal attestation from a CPA firm. That should count for something.

It does count for something. But it doesn’t count for CMMC.

SOC 2 and CMMC originate from different standards bodies, measure against different control sets, carry different legal weight, and produce different outcomes. Organizations that treat SOC 2 as a shortcut to CMMC discover the gap during assessment prep, when closing it costs the most.

This article breaks down where the two frameworks overlap, where they diverge, and what it takes to maintain both.

Different Standards, Different Purpose

SOC 2 is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates an organization’s controls against the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The output is a report: either Type I (point-in-time design) or Type II (operating effectiveness over a period, typically 6-12 months).

CMMC is a certification program administered by the Department of Defense; the Cyber AB (the CMMC Accreditation Body) accredits the assessment ecosystem on DoD's behalf. At Level 2, it evaluates an organization’s implementation of the 110 security requirements defined in NIST SP 800-171 Revision 2. For contracts that call for a third-party assessment, the output is a certification status (Conditional or Final) that determines contract eligibility.

The frameworks ask different questions:

  • SOC 2 asks: “Do you have reasonable controls for the Trust Services Criteria you selected?”
  • CMMC asks: “Did you implement these specific 110 controls, and can you prove each one?”

One is flexible. The other is prescriptive.

SOC 2 allows significant latitude in how you satisfy each criterion. Two organizations can have completely different control implementations and both receive clean SOC 2 Type II reports. That flexibility is a feature. It lets the framework adapt to different business models and technology stacks.

CMMC doesn’t offer that latitude. Each of the 110 security requirements maps to specific assessment objectives defined in NIST SP 800-171A, 320 objectives in total. Assessors score every objective MET, NOT MET, or NOT APPLICABLE, and a requirement counts as implemented only when every one of its objectives is met. A requirement with one unmet objective is an unmet requirement.

Voluntary vs Mandatory

SOC 2 is market-driven. No law requires it. Organizations pursue SOC 2 because their customers, partners, or investors expect it. Enterprise buyers often require SOC 2 Type II reports as a condition of doing business. The incentive is commercial: win deals, build trust, reduce vendor risk questionnaires.

CMMC is contractual and regulatory. When the DoD includes a CMMC requirement in a solicitation, the contractor must hold the required certification level at the time of award to be eligible. There’s no contractor-requested waiver and no “we’re working on it” exception: the only tolerance is a Conditional certification backed by a time-boxed POA&M, and that has to be earned in the assessment itself.

The legal consequences differ too.

SOC 2 noncompliance means losing a customer or failing a vendor assessment. By itself it doesn’t trigger statutory liability. If your SOC 2 report contains inaccuracies, the consequences are reputational and commercial.

CMMC noncompliance carries federal exposure. Defense contractors who misrepresent their compliance status face the False Claims Act. The Department of Justice’s Civil Cyber-Fraud Initiative specifically targets cybersecurity misrepresentations in government contracts, and it has already produced settlements with contractors over inaccurate NIST SP 800-171 self-assessment scores and DFARS 252.204-7012 compliance claims. That exposure exists today, before a CMMC certification is ever required, because SPRS scores and affirmations are representations to the government.

We see this gap in awareness regularly among companies entering the defense market from the commercial side. They’re accustomed to SOC 2, where the worst outcome of overstatement is a failed re-audit. In defense contracting, overstating your security posture is a legal risk that a named senior official signs for, personally and annually, through the CMMC affirmation requirement.

How the Assessments Work

SOC 2: CPA Firms and Attestation Reports

SOC 2 audits are conducted by CPA firms licensed to perform attestation engagements under AICPA standards. The auditor examines your controls against the Trust Services Criteria you’ve selected (most organizations choose Security and one or two additional categories).

A Type I report evaluates control design at a specific point in time. It answers: “Are these controls suitably designed?”

A Type II report evaluates operating effectiveness over a review period (usually 6-12 months). It answers: “Did these controls operate effectively throughout the period?”

The auditor issues an opinion. A clean opinion means your controls met the criteria. The report goes to your customers and prospects, who use it to evaluate your security posture as part of their vendor risk management.

SOC 2 is continuous by nature. Type II reports cover rolling periods, and most organizations maintain annual audit cycles. There’s no concept of “passing” or “failing.” You receive an opinion that describes your control environment.

CMMC: C3PAOs and Certification Status

CMMC Level 2 certification assessments are conducted by CMMC Third-Party Assessor Organizations (C3PAOs) authorized by the Cyber AB. Assessors evaluate your implementation of all 110 NIST 800-171 security requirements against the 320 assessment objectives.

The assessment produces a score. A perfect score is 110. Under the DoD Assessment Methodology each requirement is weighted 1, 3, or 5 points; any requirement not fully implemented receives a deficiency and its points are deducted, so the floor is -203, not zero. Organizations that score at or above the threshold (88 of 110, or 80%) and have no open deficiencies in requirements that are not POA&M-eligible can receive certification.

The certification status follows a defined path:

  1. Conditional: Issued when the only open deficiencies are limited, POA&M-eligible items documented in a Plan of Action and Milestones (POA&M). The contractor has 180 days to close them and have the closeout verified; if the POA&M is not closed in that window, the Conditional status lapses and contract eligibility with it.
  2. Final: Issued once all POA&M items are resolved and verified by a closeout assessment, or immediately when the initial assessment finds no deficiencies.

CMMC certification is point-in-time, valid for three years. Between assessments, the contractor submits an annual affirmation in SPRS, signed by a senior official, confirming that the organization continues to meet all requirements. That affirmation carries legal weight.
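To make the scoring and status rules above concrete, here is a small Python model, added for this article rather than taken from any DoD or Cyber AB tool. Point weights follow the DoD NIST SP 800-171 Assessment Methodology (1, 3 or 5 points per requirement), the 88-point threshold and the POA&M restriction follow the Level 2 conditions as described here, and the requirement subset, its statuses and the `close()` closeout helper are constructed for illustration. It deliberately omits the rule's special cases (partial credit for the MFA and FIPS-encryption requirements, the handful of requirements that can never sit on a POA&M), so treat it as a gap-planning aid, not an eligibility ruling; verify every weight against the published methodology table before relying on it.

```python
"""Score a CMMC Level 2 / NIST SP 800-171 assessment and decide what status it supports.

Added example, not from the article or any official tool. Weights (1/3/5), the
110-point ceiling and the 88-point conditional threshold follow the DoD Assessment
Methodology and CMMC Level 2 rules; the requirement subset below is constructed and
requirements not listed are treated as MET. Special cases in the rule are not modeled.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    NOT_APPLICABLE = "n/a"      # scored as no deduction, like MET


@dataclass(frozen=True)
class Requirement:
    req_id: str      # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    points: int      # 1, 3 or 5 per the DoD Assessment Methodology (assumed values below)
    status: Status


PERFECT_SCORE = 110
CONDITIONAL_THRESHOLD = 88   # 80% of 110
MAX_POAM_POINTS = 1          # simplified: only 1-point items may remain open on a POA&M

# Constructed assessment result. Weights are the methodology values as the author
# recalls them; confirm against the published table.
SAMPLE = [
    Requirement("3.1.1", 5, Status.MET),        # limit system access to authorized users
    Requirement("3.3.1", 5, Status.MET),        # create and retain audit logs
    Requirement("3.3.7", 1, Status.NOT_MET),    # synchronize system clocks
    Requirement("3.4.9", 1, Status.NOT_MET),    # control user-installed software
    Requirement("3.5.3", 5, Status.NOT_MET),    # multifactor authentication
    Requirement("3.7.1", 3, Status.NOT_MET),    # perform system maintenance
    Requirement("3.8.4", 1, Status.NOT_MET),    # mark media with CUI markings
    Requirement("3.13.11", 5, Status.NOT_MET),  # FIPS-validated cryptography
]

# Constructed worst case: five 5-point requirements open.
LOW = [Requirement(r, 5, Status.NOT_MET) for r in ("3.1.1", "3.1.2", "3.3.1", "3.5.3", "3.13.11")]


def open_items(reqs):
    return [r for r in reqs if r.status is Status.NOT_MET]


def score(reqs) -> int:
    """SPRS-style score: 110 minus the weight of every NOT MET requirement."""
    return PERFECT_SCORE - sum(r.points for r in open_items(reqs))


def certification_outcome(reqs) -> str:
    """'final', 'conditional' or 'not_certifiable' under the simplified rules."""
    gaps = open_items(reqs)
    if not gaps:
        return "final"
    if score(reqs) < CONDITIONAL_THRESHOLD:
        return "not_certifiable"          # below 80%: no POA&M allowed at all
    if any(r.points > MAX_POAM_POINTS for r in gaps):
        return "not_certifiable"          # a 3- or 5-point gap blocks conditional status
    return "conditional"


def gap_report(reqs) -> dict:
    """Points still open per 800-171 family (the '3.N' prefix), largest first."""
    by_family: dict = {}
    for r in open_items(reqs):
        fam = ".".join(r.req_id.split(".")[:2])
        by_family[fam] = by_family.get(fam, 0) + r.points
    return dict(sorted(by_family.items(), key=lambda kv: -kv[1]))


def close(reqs, closed_ids):
    """Return a copy with the named requirements marked MET (a POA&M closeout)."""
    closed = set(closed_ids)
    return [Requirement(r.req_id, r.points, Status.MET) if r.req_id in closed else r
            for r in reqs]


if __name__ == "__main__":
    print("initial:", score(SAMPLE), certification_outcome(SAMPLE), gap_report(SAMPLE))
    after_tech = close(SAMPLE, ["3.5.3", "3.7.1", "3.13.11"])
    print("after closing 3/5-point gaps:", score(after_tech), certification_outcome(after_tech))
    print("worst case:", score(LOW), certification_outcome(LOW))
```

The order the model enforces is the one that matters in practice: a 94 clears the 88 threshold, but the open MFA, maintenance and FIPS items still block even a Conditional certification, so those are the gaps to fund first; the 1-point items can ride a POA&M for up to 180 days.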

Control Overlap: Real but Limited

SOC 2 and CMMC do share common ground. Both frameworks address access control, logging, incident response, and change management. Organizations with mature SOC 2 programs have already built muscle in these areas.

But the overlap is narrower than most people expect.

SOC 2’s CC6 (Logical and Physical Access Controls) maps loosely to CMMC’s Access Control family. Both require that you control who accesses what. But SOC 2 lets you define “reasonable” access controls for your environment. CMMC specifies 22 discrete requirements, including specific controls for remote access, wireless access, mobile devices, CUI flow control, and session termination that SOC 2 simply doesn’t address at that level of detail.

SOC 2’s CC7 (System Operations) overlaps with CMMC’s Audit and Accountability and System and Information Integrity families. Both expect monitoring and logging. But CMMC requires specific log content, correlation analysis, response to audit processing failures, and protection of audit information from unauthorized access. SOC 2’s criteria leave those implementation details to the organization.

SOC 2’s CC8 (Change Management) connects to CMMC’s Configuration Management family. Both address change control processes. CMMC goes further with requirements for baseline configurations, configuration settings for IT products, software usage restrictions, and user-installed software policies.

The areas where SOC 2 provides little or no coverage of CMMC requirements include:

  • Media Protection: CUI marking, media sanitization, transport protection
  • Personnel Security: Screening during hiring, access revocation at termination
  • Physical Protection: Visitor management, alternate work sites, physical access logs
  • Maintenance: Controlled maintenance, remote maintenance sessions, equipment sanitization
  • CUI boundary scoping: SOC 2 has no concept of CUI enclaves or boundary definition

In our readiness reviews for organizations with active SOC 2 Type II reports, the typical coverage against CMMC Level 2 lands between 30% and 40% of the 110 requirements. The controls that are covered tend to be partially met. SOC 2 evidence proves the organization has a control, but not that it meets the specific CMMC implementation requirements. After accounting for partial credit, effective coverage drops closer to 25%.

That’s not close. That’s a starting point.

“We Already Have SOC 2. Aren’t We Close?”

This is the most common question we hear from commercial companies exploring defense contracts. The answer is honest but uncomfortable: your SOC 2 program gives you a head start on culture and process maturity, but it doesn’t give you a head start on most of the technical controls.

Here’s what SOC 2 Type II typically doesn’t cover that CMMC Level 2 requires:

Encryption specifics. CMMC requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI, at rest and in transit (NIST SP 800-171 3.13.11). SOC 2 requires “encryption where appropriate,” which usually means TLS for web traffic and disk encryption on laptops. FIPS 140-2/140-3 validated modules are a specific technical requirement that most commercial environments haven’t implemented, and “validated” has a narrow meaning: the module must hold an active certificate on NIST’s Cryptographic Module Validation Program list and be running in its validated configuration. “FIPS-compliant” or “uses AES” doesn’t meet the bar, and an assessor will ask for the certificate number.

Multi-factor authentication scope. SOC 2 environments commonly implement MFA for admin access and remote access. CMMC (3.5.3) requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts, which in practice means every user authenticating to a CUI system over the network, not just administrators and VPN users. The scope is wider.

Audit log specifics. SOC 2 expects logging. CMMC specifies what must be logged (user identity, event type, timestamp, access target, outcomes), how logs must be protected, how audit failures must be handled, and how log review must occur. Organizations need to verify their logging infrastructure meets each specific requirement.

CUI marking and handling. SOC 2 has no equivalent. CMMC requires that CUI be marked per NARA standards, stored within defined boundaries, and tracked through its lifecycle. This requires new processes, training, and potentially new tooling.

System Security Plan. CMMC requires a formal System Security Plan (SSP, 3.12.4) that documents how every control is implemented within your CUI boundary, and an assessor will not proceed without one. SOC 2 doesn’t require an equivalent document. Your SOC 2 control matrix isn’t an SSP.

Incident reporting timelines. DoD contractors must report cyber incidents to DoD within 72 hours of discovery per DFARS 252.204-7012, through the DIBNet portal, which requires a DoD-approved medium assurance certificate that takes time to obtain; get it before you need it. SOC 2 requires incident response capabilities but doesn’t prescribe reporting timelines to government entities.

When You Need Both

Many organizations serve both commercial clients and defense contractors. If you’re in that position, you likely maintain both programs, and that’s the right call.

SOC 2 satisfies your commercial customers’ security expectations. CMMC satisfies your defense contract requirements. Dropping either one creates risk on one side of your business.

The good news: the programs can share infrastructure. Where controls overlap, you can use common evidence. Your access management platform, your SIEM, your MFA deployment, your change management process: these serve both programs. You don’t need two separate security stacks.

What you do need is two separate assessment tracks:

  • SOC 2 continues with your CPA firm on an annual cycle
  • CMMC follows the C3PAO assessment timeline on a three-year cycle with annual affirmation

You also need documentation that serves both audiences. Your SSP covers CMMC. Your control descriptions cover SOC 2. Some artifacts serve both, but the formats, scope, and detail level differ.

Organizations we’ve worked with that run both programs typically find 30-40% of their evidence artifacts can serve dual duty. The remaining 60-70% is CMMC-specific documentation: the SSP, POA&M, CUI scoping documentation, FIPS validation evidence, and NIST 800-171A objective-by-objective assessment results. Building this documentation layer on top of an existing SOC 2 program is faster than building from scratch, but it’s still a material investment.

The Real Difference

SOC 2 is a trust signal. It tells the market that an independent auditor examined your controls and found them reasonable for the criteria you selected. The market decides whether that’s sufficient.

CMMC is a gate. It tells the DoD that an authorized assessor verified your implementation of 110 specific security controls against 320 defined objectives. Without it, you don’t get the contract.

SOC 2 asks: “Do you have reasonable controls?”

CMMC asks: “Did you implement these exact controls and can you prove it?”

The frameworks complement each other. They don’t replace each other. An organization with a clean SOC 2 Type II report still faces 60-75% of the CMMC compliance work ahead. An organization with CMMC certification still needs SOC 2 if commercial customers require it.

Closing the Gap

If you’re starting from SOC 2 and need to reach CMMC Level 2, here’s the realistic path:

1. Scope your CUI boundary. SOC 2 doesn’t require this. CMMC does. Identify where CUI will live, how it flows, and what systems touch it. This is the foundational step. Get scoping right first.

2. Run a gap assessment against NIST 800-171. Map your existing SOC 2 controls to the 110 CMMC requirements. Identify which requirements are fully met, partially met, or not addressed. Expect 60-70 requirements to need new or modified controls.

3. Build your SSP. Document every control implementation within your CUI boundary. This is a net-new artifact for SOC 2 organizations.

4. Close technical gaps. FIPS-validated encryption, expanded MFA, audit log enhancements, media protection, CUI marking. These are the controls that SOC 2 doesn’t cover.

5. Budget appropriately. SOC 2 organizations tend to underestimate CMMC costs because they anchor on their existing program spend. The CMMC-specific work (CUI scoping, SSP development, technical control implementation, and C3PAO assessment fees) is additional, not substitutional.

6. Engage a C3PAO early. Start the assessment timeline conversation before you need the certification. C3PAO capacity is limited relative to the number of contractors that need assessments, and scheduling lead times can be long.

Moving Forward

SOC 2 and CMMC serve different masters. SOC 2 serves the market. CMMC serves the mission. If your business spans both, you maintain both, using shared infrastructure where possible and dedicated documentation where required.

The organizations that navigate this well are the ones that understand the gap upfront, budget for it, and build compliance programs that serve both tracks without pretending one covers the other.

The organizations that start this process with clear visibility into their current state move faster and spend less. The first step is always the same: map what you have against what CMMC requires, control by control.