As a follow on to my previous article on what #CPAfirms need to know about #FedRAMP, this article is meant to demonstrate some of the main differentiators between #SOC2 engagements and FedRAMP engagements.
Who performs them
- SOC 2 - CPA firms or IT audit firms working with a CPA. SOC 2 reports must be issued by a licensed, registered CPA firm because a qualified CPA is the one that signs the report. Note, some CPA firms will work with, or be affiliated with, an IT audit firm which is not a CPA firm. The CPA firm will essentially use the IT audit firm as a specialist to help with certain portions (usually technical testing) of the SOC 2 engagement.
- FedRAMP - a 3PAO that is authorized on the FedRAMP Marketplace. 3PAOs will undergo annual A2LA assessments to keep up to date with their status to be able to perform FedRAMP engagements. FedRAMP packages can only be submitted by a qualified “senior assessor” at the 3PAO.
Deliverables
- SOC 2 - A single report that has different sections as prescribed by reporting requirements. Includes the independent auditor’s report, management’s assertion, system description, and criteria/controls/tests of controls.
- FedRAMP - during planning, a SAP that is agreed upon between client and 3PAO, and approved by a government official. After assessment, a SAR with embedded attachments including pen test report, manual control testing results, vulnerability scan results, list of POA&Ms, and risk exposure table.
Timing
- SOC 2 - a SOC 2 Type 1 report is a single point in time that audits control design to meet certain criteria. A SOC 2 Type 2 report covers a period of time and audits not only design suitability, but also the operational effectiveness of controls during that period. For this reason, SOC 2 Type 2 reports are “lookback” reports that audit a period of time that has already passed.
- Example - if the audit period is January 1, 2024 - December 31, 2024, parts of the audit may happen during the year, but the bulk of testing will happen in December, with reporting and final deliverable sometime in January or even February 2025 (or longer depending on how many open items there are).
- FedRAMP - the reporting package (SAR and all its components) is generated over the course of an engagement, then delivered to the authorizing agency/official for approval. After that, the package is sent to the JAB for their signoff, and then the system is authorized as of a specific date.
- Example - the FedRAMP audit kicks off in January 2024 with the development of the SAP. SAP approval happens, planning occurs over the winter, and testing starts in February 2024. The SRTM and RET are completed in March 2024. The client opts to remediate some findings in April 2024, and 3PAO re-testing takes place in May 2024. The FedRAMP package is finalized in June 2024 and sent to the agency. Approvals can take weeks or months, but for our example, we’ll say JAB approval happens in September 2024 and the system is authorized. With FedRAMP, timelines can be very dynamic depending on findings, remediation, and how long approvals take (both on the front and back ends).
Testing
- SOC 2 - testing for SOC 2 depends on which controls, and how many controls, the client has. SOC 2 also tends not to dive as “deep” as FedRAMP does, but instead casts a “wider net”. For example, SOC 2 has criteria for oversight, where we typically see controls related to the Board of Directors, which FedRAMP does not touch. SOC 2 also requires greater sample testing than FedRAMP, because the report covers a period of time (as opposed to an authorization date) and opines on the operational effectiveness of controls over that period. Sampling guidance for SOC auditors factors into the greater sample sizes as well.
- FedRAMP - FedRAMP tests a lot more controls (based on NIST 800-53 r5) during the initial (or even annual) assessment. Also, as mentioned above, FedRAMP will go “deeper” in testing because of all the required parameters of each control. For example, here is AC-2 (which relates to access/account management) for NIST 800-53 r5:
Remediation & re-testing
- SOC 2 - in a SOC 2 Type 1 report, the auditor is testing suitability of design (and implementation) as of a specific date. If the client is “not ready” or the environment/controls are in poor shape, the “as of” date can be pushed back until the client remediates the issues they are having. In a SOC 2 Type 2 report (which is a lookback report), if controls were failing (or exceptions were found), those findings will still go in the report regardless of whether they modify the opinion.
- FedRAMP - findings in FedRAMP testing have the ability to be fixed/remediated by the client before the final package is submitted for approval. Clients will often fix certain findings to present a better package for authorization (if they don’t, they run a greater risk of not getting approval). Findings are not required to be remediated though, and often not all of them are. In the final package, any open findings are listed as POA&Ms with a remediation plan.
Use
- SOC 2 - covers not just cloud service providers (CSPs), but really any type of service organization. Primary use is commercial B2B, including vendor management, due diligence, and management/board oversight.
- FedRAMP - is only for CSPs, and is required for those that do business with the Federal government. Typically organizations will get the system FedRAMP authorized via a Federal agency, called a “sponsor”. Some organizations choose to do a FedRAMP “like” audit, without formal authorization at the end (see my previous article). They may do this for more commercial B2B or internal use purposes.
LOE/Cost
- SOC 2 - Lower scope, lower cost. The LOE for a SOC 2 will depend on the trust service categories in scope, the complexity of the system, and the number of controls that need to be audited. Only the highest scope and complexity systems in SOC 2 begin to get into the cost ballpark we see for FedRAMP engagements. The only areas where we typically see greater LOE than FedRAMP are oversight (think board of directors) and sample sizes.
- FedRAMP - initial (first-year) FedRAMP assessments cover the entire NIST 800-53 set of controls and have a high cost associated with that (don’t forget pen testing, vulnerability scanning, and red teaming!). Annual FedRAMP assessments reduce the number of NIST 800-53 controls, but still typically include a large number of controls overall. And don’t forget that FedRAMP will go “deeper” into controls compared to SOC 2.
Process (external authorization)
- SOC 2 - requires an assertion from client management, then an independent external CPA to form the auditor’s opinion on that assertion.
- FedRAMP - the client develops a FedRAMP package, which the 3PAO reports on, then that final package is presented to the authorizing official (or JAB depending on authorization route the client is taking) for final signoff.
Fortreum
Fortreum can help you bridge any gaps if your firm is not a 3PAO. We are an industry-recognized and respected 3PAO, being led by individuals that have been involved in the program since its inception. If your firm has clients that are considering, or are committed to, undergoing the FedRAMP process, we can help. As a friend of CPA firms, we hold all our partnerships in the highest regard and treat clients with the utmost care. Give us a call (or reach out to me at [email protected]) to learn more about how we can help your firm with client needs.
- Business case discussions
- Scoping
- Roadmapping
- Assessment
- Federal agency or JAB interface
See the similarities of SOC 2 & FedRAMP article here!
Absolutely, discussing SOC2 vs. FedRAMP is crucial for clarity in compliance. Aristotle once suggested - excellence is not an act but a habit. Similarly, understanding these frameworks deeply can set a foundation for excellence in cybersecurity practices.
SOC 2 Female Wizard
12 months Fight, fight… oh I mean, let’s discuss. Absolutely great article Jeff!
Love the comparison here. SOC2s definitely have more sampling while FedRamp just has more specificity.
Director Risk and Security DevSecOps Manhattan
12 months Thanks Jeff, very timely and helpful.
Your Cyber CPA Expert. Turning chaotic internal controls into a protected, efficient and confident organization. SOC Expert
12 months Will be sending you an email today. Love this article.