A SOC 2 Type II report does not fully satisfy any of the 60 FedRAMP 20x Key Security Indicators. Based on Workstreet's control-by-control gap analysis, SOC 2 partially addresses 52 KSIs and leaves 8 unaddressed.
The gaps cluster in three places:
Authorization data sharing, continuous monitoring reporting, significant change notifications.
Persistent validation, immutable deployments, automated account management.
FIPS-validated cryptography, phishing-resistant MFA for all users.
Expand any KSI below to see the official requirement, your closest SOC 2 controls, and the scope of work — with effort and priority — to close the gap.
Reflects Workstreet's control-by-control gap analysis of a typical SOC 2 Type II report against the v0.9.0-beta KSIs. Not an assessment of your environment.
The requirement. Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization.
Gap from SOC 2. While a production inventory and service description exist, the FedRAMP MAS requires a precisely defined authorization boundary — every component, data flow, external connection, and service within scope documented in an OSCAL-formatted System Security Plan. This is substantially more prescriptive than SOC 2.
Develop the FedRAMP SSP: define precise authorization boundary, inventory all in-scope components, document data flows, interconnections, user types, data types, and information systems. Produce OSCAL-formatted SSP. This is the primary authorization artifact.
Dependencies & notes. Foundational document — all other authorization artifacts reference it. Engage 3PAO early.
The requirement. Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.
Gap from SOC 2. No SOC 2 control addresses how security authorization data is shared with government customers and agencies. An ADS process, machine-readable package, and data-sharing agreements with agency AOs must be developed from scratch.
Establish the ADS process: determine what authorization data is shared, with whom (agency AOs, FedRAMP PMO), in what format, and on what cadence. Develop machine-readable authorization package structure. Align with FedRAMP ADS reference process.
Dependencies & notes. Must be established early — it shapes all other authorization artifacts.
The requirement. Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process.
Gap from SOC 2. Vulnerability scanning and pen testing are in place (VPM-1, VPM-2, IAO-2, OPS-1). FedRAMP VDR requires a formal, documented VDR methodology with defined detection timelines, FedRAMP-specific remediation SLAs (Critical: 15 days, High: 30 days, Moderate: 90 days), and integration into the ConMon reporting process.
Document formal VDR methodology aligned with FedRAMP VDR reference process. Define FedRAMP remediation SLAs (Critical: 15 days, High: 30 days, Moderate: 90 days, Low: 180 days). Integrate with POA&M. Establish authenticated scanning program covering all in-scope components. Add VDR to ConMon reporting.
Dependencies & notes. Builds on VPM-1/VPM-2. Primary gap is FedRAMP-specific SLAs, authenticated scanning, and ConMon integration.
The requirement. Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process.
Gap from SOC 2. External change communication exists (GOV-6, GOV-13) and change management is enforced (CHG-1). FedRAMP SCN defines specific categories of 'significant changes' and requires advance notification to all agency AOs and the FedRAMP PMO — a formal Significant Change Request (SCR) process must be established.
Define FedRAMP significant change categories per FedRAMP guidance. Build SCR process: advance notification to agency AOs, FedRAMP PMO coordination, impact assessment, approval workflow. Embed in change management process. Develop customer notification templates.
Dependencies & notes. Builds on existing GOV-6/CHG-1. Primary effort is defining 'significant change' and establishing agency notification workflow.
The requirement. Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process.
Gap from SOC 2. FedRAMP's CCM program — quarterly reviews, ongoing authorization reports, and collaborative monitoring with agency AOs — has no SOC 2 equivalent. A full ConMon program must be built, including reporting cadence, templates, and agency engagement model.
Build the full FedRAMP ConMon program: define quarterly review process, ongoing authorization reporting cadence, agency AO engagement model, reporting templates (POA&M, scan results, deviation requests). Assign ConMon team ownership. This becomes an ongoing operational function post-authorization.
Dependencies & notes. Most significant ongoing operational burden. Must be resourced as a permanent function.
The requirement. Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process.
Gap from SOC 2. Internal configuration management exists (CFG-1, NET-5). FedRAMP SCG additionally requires publishing customer-facing secure configuration guidance and maintaining a secure-by-default configuration baseline — neither of which is required by SOC 2.
Develop secure-by-default configuration baselines and customer-facing secure configuration guidance. Document what customers need to do to securely configure the service for federal use. Publish and maintain as part of the authorization package.
Dependencies & notes. Requires collaboration between security, engineering, and customer success teams.
The requirement. Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements.
Gap from SOC 2. A dedicated, monitored security inbox for receiving FedRAMP and agency security communications is a FedRAMP-specific operational requirement with no SOC 2 equivalent. Must be established and staffed.
Establish and operate a monitored security inbox for FedRAMP/agency communications. Define SLAs for reading/responding to inbox messages. Staff appropriately. Register with FedRAMP PMO.
Dependencies & notes. Operationally straightforward but must be in place before authorization review.
The requirement. Persistently validate, assess, and report on the effectiveness and status of security decisions and policies implemented within the cloud service offering, in alignment with FedRAMP 20x Persistent Validation and Assessment (PVA) process.
Gap from SOC 2. SOC 2 requires annual control self-assessments (IAO-1). FedRAMP 20x PVA requires continuous, automated, machine-readable validation of KSI compliance — a fundamentally different paradigm. A compliance-as-code pipeline producing persistent, auditable evidence must be built.
Design and implement automated KSI validation pipeline: define automated evidence collection for each KSI, build machine-readable compliance reports, integrate with OSCAL. Target ≥70% automated validation. This is the core FedRAMP 20x innovation requiring the most technical investment.
Dependencies & notes. Most technically complex requirement. Requires dedicated engineering effort and compliance automation tooling (RegScale, Trestle, or custom OSCAL tooling).
The requirement. Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.
Gap from SOC 2. IR policies and procedures exist (IRO-2, IRO-3). FedRAMP ICP adds specific government notification timelines (e.g., 1-hour notification to US-CERT/CISA for major incidents), agency AO notification, and FedRAMP PMO reporting — none of which are required by SOC 2.
Update the Incident Response Plan to integrate FedRAMP ICP: add US-CERT/CISA 1-hour notification requirement for major incidents, agency AO notification timelines, FedRAMP PMO notification, FedRAMP incident categories and severity definitions. Develop notification templates. Test updated IRP.
Dependencies & notes. Builds on existing IRO-2/IRO-3. Primary effort is updating IRP with FedRAMP-specific content and testing.
The requirement. Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance.
Gap from SOC 2. Encryption controls exist for data at rest and in transit (CRY-3, CRY-4, NET-1). FedRAMP UCM specifically requires FIPS 140-2 or 140-3 validated cryptographic modules — a hard technical requirement not mandated by SOC 2. All crypto implementations must be audited against FIPS validation.
Audit all cryptographic implementations against FIPS 140-2/140-3 requirements. Enable FIPS mode on cloud-native encryption services. Replace or reconfigure any non-FIPS-validated modules. Verify TLS configurations use only FIPS-approved cipher suites. Document all crypto implementations with CMVP certificate numbers.
Dependencies & notes. Hard FedRAMP requirement with no exceptions. May require application code changes if non-FIPS crypto libraries are used directly.
The requirement. Log and monitor modifications to the cloud service offering.
Gap from SOC 2. Change logging processes and log management are in place (CHG-1, MON-2). FedRAMP 20x emphasizes persistent, automated logging of all changes with tamper-resistant, machine-readable audit trails. Completeness of logging across all cloud-native components must be validated.
Ensure all cloud-native change logging is centralized, tamper-resistant, and covers 100% of in-scope components. Integrate cloud provider audit logs (CloudTrail, Azure Activity Log, GCP Audit Logs) into SIEM. Validate completeness of logging coverage against inventory.
Dependencies & notes. Builds on existing MON-2/CHG-1. Primary gap is completeness of cloud-native log coverage.
The requirement. Execute changes to machine-based information resources through redeployment of version-controlled immutable resources rather than direct modification wherever reasonable.
Gap from SOC 2. SOC 2 requires change management processes but does not require immutable infrastructure or GitOps deployment models. This requires adopting IaC (Terraform, CloudFormation), container-based deployments, disabling direct production access (SSH/RDP), and enforcing all changes through version-controlled pipelines.
Adopt IaC (Terraform, CloudFormation, Pulumi) for all infrastructure. Containerize workloads or migrate to serverless. Disable direct production access (SSH/RDP). Enforce all changes through version-controlled CI/CD pipelines. Prohibit manual configuration changes to production.
Dependencies & notes. Largest architectural change if not already cloud-native. Requires engineering investment and operational process changes.
The requirement. Automate persistent testing and validation of changes throughout deployment.
Gap from SOC 2. CHG-1 requires changes be tested prior to production. FedRAMP 20x requires automated, persistent testing integrated throughout the entire deployment pipeline (SAST, DAST, IaC scanning, automated regression tests as mandatory pipeline gates) — not just pre-deployment manual testing.
Implement or formalize automated testing as mandatory CI/CD gates: unit tests, integration tests, SAST, DAST, dependency scanning, secret scanning. Define break-the-build thresholds. Ensure 100% of code changes to in-scope components pass through automated testing before production.
Dependencies & notes. Extends CHG-1/CHG-3. Tooling: SonarQube/Semgrep (SAST), OWASP ZAP (DAST), Snyk (SCA), GitGuardian (secrets).
The requirement. Persistently review the effectiveness of documented change management procedures.
Gap from SOC 2. Change procedures exist and are assessed annually (CHG-1, IAO-1). FedRAMP adds the requirement for persistent (continuous or frequent automated) review of change procedure effectiveness — beyond the annual cadence typical in SOC 2.
Establish a continuous or frequent review cadence for change management procedure effectiveness. Implement automated metrics (change failure rate, mean time to deploy, unauthorized change detection). Document review outcomes and evidence of continuous improvement.
Dependencies & notes. Extends existing IAO-1 annual self-assessment cadence to more frequent, automated monitoring.
The requirement. Persistently ensure all machine-based information resources are configured to limit inbound and outbound network traffic.
Gap from SOC 2. Firewall controls are in place (IAC-4, NET-3, NET-4). FedRAMP requires persistent, automated enforcement and validation that every cloud resource (not just network-level firewalls) is configured to deny traffic by default, with machine-readable evidence of continuous compliance.
Implement automated, continuous validation that every cloud resource denies traffic by default (zero-trust network defaults). Deploy cloud-native policy enforcement (AWS Service Control Policies, Azure Policy, GCP Org Policy). Produce machine-readable evidence of ongoing compliance.
Dependencies & notes. Extends IAC-4/NET-3/NET-4 to persistent, automated enforcement beyond periodic firewall reviews.
The requirement. Persistently ensure machine-based information resources have a minimal attack surface and that lateral movement is minimized if compromised.
Gap from SOC 2. Network segmentation and firewalls are addressed (NET-2 through NET-5). FedRAMP extends this to require micro-service architecture, east-west traffic controls, and automated, persistent validation that lateral movement paths are blocked — not just periodic firewall reviews.
Document micro-services architecture with segmentation diagrams. Implement east-west traffic controls (service mesh or network policies). Validate microsegmentation prevents unauthorized lateral movement. Produce automated evidence of network policy enforcement.
Dependencies & notes. May require service mesh (Istio, Linkerd) or cloud-native network policies (Kubernetes NetworkPolicy, AWS Security Groups).
The requirement. Use logical networking and related capabilities to enforce traffic flow controls.
Gap from SOC 2. Network segmentation and access controls are in place (NET-2, IAC-6, NET-4). FedRAMP requires cloud-native logical networking (VPCs, subnets, route tables, security groups) to be formally documented, and traffic flow controls to be continuously validated with automated tooling.
Document all VPC/VNet configurations, subnets, route tables, peering connections, and traffic flow controls. Implement automated validation of network topology (Cloud Mapper, Cartography, or native tooling). Produce architecture diagrams for SSP.
Dependencies & notes. Primarily a documentation and tooling effort for existing network controls.
The requirement. Strictly define the functionality and privileges for infrastructure and services.
Gap from SOC 2. Access restrictions for key systems are in place (IAC-1, IAC-3, IAC-4, IAC-5). FedRAMP requires this be implemented at the infrastructure level — containers and serverless functions with strictly defined, minimal functionality and privileges enforced via code, validated automatically.
Define and document minimum-necessary functionality and privileges for all cloud infrastructure components (containers, serverless functions, VMs). Enforce via IAM policies, security groups, and container security contexts. Validate automatically in CI/CD.
Dependencies & notes. Closely related to KSI-IAM-ELP. Cloud-native IAM boundary definition is the primary new work.
The requirement. Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity.
Gap from SOC 2. Intrusion detection and firewalls are in place (MON-1, NET-4). FedRAMP requires persistent review of DDoS protection effectiveness — documented evidence of cloud-native DDoS protection (e.g., AWS Shield, Azure DDoS Protection) with testing and review on an ongoing basis.
Deploy cloud-native DDoS protection (AWS Shield Standard/Advanced, Azure DDoS Protection, GCP Cloud Armor). Configure rate limiting and WAF rules. Establish persistent review of DDoS protection effectiveness. Document detection and response procedures.
Dependencies & notes. Cloud-native DDoS tooling is readily available. Primary effort is configuration, testing, and documentation.
The requirement. Appropriately optimize machine-based information resources for high availability and rapid recovery.
Gap from SOC 2. BC/DR plans exist (BCD-1, BCD-2). FedRAMP requires cloud-native HA architecture (multi-AZ, auto-scaling, load balancing, automated failover) to be formally documented with architecture diagrams and linked to authorization boundary documentation.
Formally document HA architecture: multi-AZ/multi-region deployment, auto-scaling, load balancers, failover mechanisms. Produce architecture diagrams linked to SSP authorization boundary. Establish automated monitoring of HA component health.
Dependencies & notes. Likely already in place for a cloud-native SaaS — primary effort is documentation and integration into SSP.
The requirement. Persistently ensure cloud-native machine-based information resources are implemented based on the host provider's best practices and documented guidance.
Gap from SOC 2. Hardening standards exist (NET-5, CFG-1). FedRAMP requires persistent, automated validation that all cloud resources comply with the cloud provider's Well-Architected Framework and security best practices — with machine-readable evidence of ongoing compliance.
Validate all cloud resources against the cloud provider's Well-Architected Framework security pillar. Implement automated compliance checks (AWS Security Hub, Azure Security Center, GCP Security Command Center). Document ongoing compliance with persistent automated evidence.
Dependencies & notes. Cloud-native tooling makes this largely a configuration and documentation effort.
The requirement. Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state.
Gap from SOC 2. Configuration management and self-assessments exist. FedRAMP requires automated Cloud Security Posture Management (CSPM) tooling that continuously detects and automatically remediates configuration drift — beyond what SOC 2 requires.
Deploy CSPM tooling (Wiz, Orca, Prisma Cloud, or cloud-native equivalent) to continuously assess security posture and automatically remediate drift. Configure automated enforcement of intended resource state. Integrate with SIEM for alerting.
Dependencies & notes. Optional for Moderate. Recommended — CSPM significantly accelerates automated KSI evidence collection.
The requirement. Persistently review the effectiveness of training given to all employees on policies, procedures, and security-related topics.
Gap from SOC 2. Annual security awareness training is required (SAT-1). FedRAMP adds persistent review of training effectiveness — including phishing simulations, knowledge assessments, and documented review of outcomes — beyond the annual completion tracking typical in SOC 2.
Enhance the existing awareness training program (SAT-1) with persistent effectiveness review: phishing simulations with documented pass/fail rates, knowledge assessments, and evidence of training improvement based on outcomes. Document review cadence and findings.
Dependencies & notes. Builds directly on SAT-1. Primary gap is adding metrics, simulations, and documented effectiveness reviews.
The requirement. Persistently review the effectiveness of role-specific training given to employees in high-risk roles, including at least roles with privileged access.
Gap from SOC 2. General awareness training exists (SAT-1). FedRAMP requires a distinct role-based training program for privileged users, system administrators, and security staff — with persistent review of effectiveness beyond annual completion metrics.
Develop and deliver role-specific training for privileged users, system administrators, and security staff. Document training completion. Implement persistent review of effectiveness (e.g., quarterly security briefings, privileged access misuse metrics). Maintain training records.
Dependencies & notes. Distinct track from general SAT-1. Focus on privileged access risks, insider threat, and FedRAMP-specific responsibilities.
The requirement. Persistently review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.
Gap from SOC 2. General security awareness training exists (SAT-1). FedRAMP requires dedicated, persistent review of developer-specific training effectiveness — covering secure coding, OWASP Top 10, Secure by Design, and secrets management. This is a distinct track from general awareness training.
Develop and deliver role-specific security training for development and engineering staff: secure coding, OWASP Top 10, secrets management, Secure by Design principles. Implement persistent effectiveness review (knowledge assessments, code review metrics). Document training completion and outcomes.
Dependencies & notes. Distinct from general SAT-1 training. Requires curriculum development and an LMS or equivalent tracking.
The requirement. Persistently review the effectiveness of role-specific training given to staff involved with incident response or disaster recovery.
Gap from SOC 2. IR plan testing exists (IRO-1) and IR policies are established (IRO-2). FedRAMP requires persistent review of training effectiveness for IR/DR staff specifically — including tabletop exercises with documented after-action reports and evidence that lessons learned are incorporated.
Establish dedicated training track for IR and DR staff. Conduct tabletop exercises (at minimum annually) with documented scenarios, participants, results, and after-action reports. Provide evidence that lessons learned are incorporated into updated plans.
Dependencies & notes. Builds on IRO-1. Must include FedRAMP-specific incident scenarios (e.g., federal data breach notification).
The requirement. Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.
Gap from SOC 2. MFA is enforced for remote access (IAC-12). FedRAMP specifically requires phishing-resistant MFA (FIDO2/WebAuthn hardware keys, or PIV/CAC) for ALL user authentication — not just remote access, and not just TOTP-based MFA. Current MFA methods must be evaluated against this standard.
Extend phishing-resistant MFA from remote access (IAC-12) to ALL user access to in-scope systems. Configure IdP to enforce FIDO2/WebAuthn or equivalent for all authentication flows. Audit and remediate any authentication paths that allow weaker factors.
Dependencies & notes. Closely related to KSI-IAM-APM. Scope extends beyond remote access to all system access.
The requirement. Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA for authentication.
Gap from SOC 2. Password policies and MFA for remote access exist (IAC-11, IAC-12). FedRAMP prefers passwordless methods (FIDO2/WebAuthn, PIV/CAC) and requires phishing-resistant MFA where passwordless is not feasible — a higher bar than standard MFA required by SOC 2.
Evaluate current MFA against phishing-resistant standards (FIDO2/WebAuthn, PIV/CAC). Deploy hardware security keys or platform authenticators for all in-scope users. Restrict or eliminate TOTP/SMS-based MFA as sole factor for federal system access. Document and validate rollout.
Dependencies & notes. May require IdP configuration changes and hardware key procurement. Prioritize privileged users first.
The requirement. Enforce appropriately secure authentication methods for non-user accounts and services.
Gap from SOC 2. Unique authentication for production systems exists (CRY-1, CRY-5, IAC-3). FedRAMP extends this to all service accounts, API keys, and machine identities — requiring automated secret management, certificate-based auth, and prohibition of long-lived static credentials.
Inventory all service accounts, API keys, and machine identities. Enforce certificate-based or short-lived credential authentication. Deploy automated secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) for all service credentials. Eliminate long-lived static secrets.
Dependencies & notes. Closely related to KSI-SVC-ASM. Service account hardening requires systematic inventory and tooling deployment.
The requirement. Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.
Gap from SOC 2. Access request and review processes exist (IAC-2, IAC-7, IAC-9). JIT access — time-limited, approval-gated, automatically expiring access grants — is not required by SOC 2. PAM tooling with JIT workflows must be implemented for all privileged and sensitive access.
Implement JIT access for all privileged and sensitive system access: time-limited access grants, approval workflows, automated expiry. Deploy PAM tooling (HashiCorp Vault, AWS IAM Identity Center, CyberArk, Teleport). Eliminate standing privileged access where feasible.
Dependencies & notes. PAM tooling is the primary investment. Coordinate with KSI-IAM-ELP and KSI-MLA-ALA.
The requirement. Persistently ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.
Gap from SOC 2. Least privilege controls and access restrictions exist (IAC-1, IAC-2, IAC-3, IAC-5). FedRAMP requires persistent, automated validation of least privilege across all resources — including non-user service accounts, cloud roles, and API keys — with continuous evidence collection.
Implement automated least privilege analysis across all cloud resources, service accounts, and APIs (AWS IAM Access Analyzer, Azure AD Access Reviews, GCP IAM Recommender). Generate continuous findings. Remediate overly permissive policies. Produce machine-readable evidence.
Dependencies & notes. Cloud-native tooling supports automated analysis. Scope must include all service accounts, API keys, and cloud roles.
The requirement. Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity.
Gap from SOC 2. Intrusion detection and incident response procedures exist (MON-1, IRO-3). FedRAMP requires automated response — accounts must be automatically locked or suspended upon suspicious activity detection without manual intervention. UEBA or SIEM-driven automated remediation must be implemented.
Implement automated account response to suspicious activity: configure SIEM/UEBA rules to automatically lock or suspend accounts exhibiting anomalous behavior. Define response playbooks. Test automated response with simulated events. Document and validate.
Dependencies & notes. Requires SIEM integration with IdP (SOAR or native IdP automation). Must cover privileged accounts at minimum.
The requirement. Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation.
Gap from SOC 2. Access management processes exist (IAC-2, IAC-7, IAC-8, IAC-9). FedRAMP requires these be automated — SCIM-based provisioning/de-provisioning, automated access reviews, automated disablement upon termination — with persistent evidence of automated lifecycle management.
Integrate IdP with HR system via SCIM for automated provisioning/de-provisioning. Implement automated disabling within 24 hours of termination. Automate access reviews with documented completion evidence. Cover all in-scope applications. Provide machine-readable evidence of lifecycle automation.
Dependencies & notes. SCIM integration well-supported in Okta, Azure AD, Google Workspace. Must cover 100% of in-scope applications.
The requirement. Persistently review the effectiveness of documented incident response procedures.
Gap from SOC 2. IR policies are established and the plan is tested (IRO-1, IRO-2, IRO-3). SOC 2 typically requires annual testing. FedRAMP requires persistent review of IR procedure effectiveness with more frequent exercises and documented continuous improvement — plus FedRAMP-specific ICP integration.
Increase IR procedure review cadence beyond annual. Implement metrics-driven review: mean time to detect, mean time to respond, false positive rate. Document persistent review evidence. Include FedRAMP ICP integration in review scope.
Dependencies & notes. Extends IRO-1/IRO-2 to more frequent, metrics-driven review with documented evidence.
The requirement. Persistently review past incidents for patterns or vulnerabilities.
Gap from SOC 2. Incident management procedures and log management exist (IRO-3, MON-2). A formal process for periodically reviewing past incident history to identify patterns, systemic vulnerabilities, and security trends — with documented findings fed back into risk assessment — must be formalized.
Establish a formal process for reviewing past incidents to identify patterns and systemic vulnerabilities. Define review cadence (quarterly minimum). Document findings and integrate into risk assessment and security improvement processes.
Dependencies & notes. Formalizes a review process that leverages existing IRO-3 incident records and MON-2 log data.
The requirement. Generate incident after action reports and persistently incorporate lessons learned.
Gap from SOC 2. Incident management procedures exist (IRO-3). Formal after action reports (AARs) with documented lessons learned are not explicitly required by SOC 2. FedRAMP requires AARs for significant incidents and evidence that lessons are incorporated into updated procedures and controls.
Formalize the AAR process: define what incidents require an AAR, establish AAR template, assign ownership, document process for incorporating lessons learned into IR procedures and controls. Conduct and document AARs for all significant incidents.
Dependencies & notes. Formalizes what may be done informally today. Requires AAR template, ownership, and documentation process.
The requirement. Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes.
Gap from SOC 2. Log management is in place (MON-2). SOC 2 does not require a SIEM specifically. FedRAMP requires a centralized SIEM with tamper-resistant log storage, defined retention periods (minimum 90 days hot / 1 year cold), integration of all in-scope log sources, and automated alerting on security events.
Deploy or formalize a centralized SIEM (Splunk, Microsoft Sentinel, Sumo Logic, AWS Security Lake). Integrate ALL in-scope log sources. Configure tamper-resistant log storage with minimum 90-day hot and 1-year cold retention. Define and implement automated alerting rules. Document log source coverage.
Dependencies & notes. Foundational FedRAMP requirement. Must achieve 100% in-scope log source coverage.
The requirement. Persistently review and audit logs.
Gap from SOC 2. Log management and periodic assessments exist (MON-2, IAO-1). FedRAMP requires persistent, documented log review with automated alerting on anomalies, evidence of regular review activity (tickets, dispositions), and defined escalation procedures — not just annual assessment coverage.
Establish formal, documented log review procedures with defined cadence. Implement automated alerting for high-priority events. Create evidence of regular review activity (tickets, alert dispositions, review meeting records). Define escalation procedures.
Dependencies & notes. Builds directly on SIEM deployment. Alert rules, procedures, and evidence cadence must be documented.
The requirement. Persistently evaluate and test the configuration of machine-based information resources, especially infrastructure as code.
Gap from SOC 2. Configuration management exists (CFG-1) and periodic assessments are conducted (IAO-1). FedRAMP requires persistent, automated IaC security scanning (e.g., Checkov, tfsec, KICS) integrated into CI/CD pipelines — which is not required by SOC 2.
Integrate IaC security scanning tools (Checkov, tfsec, KICS, Terrascan) as mandatory CI/CD pipeline gates for all infrastructure code. Define NIST/FedRAMP-aligned policy ruleset. Automate evidence collection of scan results. Address findings within defined SLAs.
Dependencies & notes. Net-new requirement for SOC 2-certified companies. Must cover all IaC in scope.
The requirement. Maintain a list of information resources and event types that will be logged, monitored, and audited, then do so.
Gap from SOC 2. Log management and monitoring procedures exist (MON-2, OPS-1). FedRAMP requires a formally documented, maintained list of all information resources and the specific event types logged for each — providing traceability between assets and their logging coverage.
Develop and maintain a formal inventory of all information resources and the specific event types logged for each. Map log coverage against authorization boundary. Identify and remediate gaps. Include in SSP documentation.
Dependencies & notes. Primarily a documentation effort — creates the log coverage traceability required by FedRAMP.
The requirement. Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity.
Gap from SOC 2. General access controls and reviews exist (IAC-2, IAC-7). JIT access specifically scoped to log/audit data is not required by SOC 2. Must implement separate JIT access controls for SIEM and log data with automated approval workflows.
Implement JIT access specifically for SIEM and log/audit data, separate from general system access. Define approval workflow, time-bounded access grants, and automated expiry. Audit log access regularly. Document based on data sensitivity classification.
Dependencies & notes. Optional for Moderate. Recommended as part of the broader JIT access implementation (KSI-IAM-JIT).
The requirement. Use authoritative sources to automatically generate real-time inventories of all information resources when needed.
Gap from SOC 2. A production inventory exists (AST-3). FedRAMP requires real-time, automatically generated inventories from authoritative cloud sources (cloud provider APIs, CSPM tools) — not static spreadsheets — covering 100% of in-scope resources within the authorization boundary.
Implement automated cloud asset discovery using cloud provider APIs or CSPM (AWS Config, Azure Resource Graph, GCP Asset Inventory). Ensure real-time, 100% coverage of all in-scope resources. Link to SSP authorization boundary. Eliminate static spreadsheet inventories.
Dependencies & notes. Cloud-native tooling makes this achievable quickly. Must be continuously updated and linked to boundary definition.
The requirement. Persistently review the effectiveness of the provider's vulnerability disclosure program.
Gap from SOC 2. Vulnerability scanning exists (VPM-2) but a public-facing vulnerability disclosure program (VDP) — allowing external researchers to report vulnerabilities — is not required by SOC 2. FedRAMP requires a VDP and persistent review of its effectiveness.
Establish a public-facing vulnerability disclosure program: define scope, safe harbor policy, intake process, response SLAs, and researcher communication procedures. Publish VDP policy page. Implement persistent review of VDP effectiveness (submission volume, time-to-response, time-to-fix).
Dependencies & notes. Net-new requirement. CISA provides a VDP platform that can be used. Also required for CISA Secure by Design alignment.
The requirement. Persistently review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.
Gap from SOC 2. An SDLC methodology exists (CHG-3). FedRAMP requires persistent review of SDLC security effectiveness and explicit alignment with CISA Secure by Design principles — including threat modeling, SAST/DAST integration, and documented developer security training outcomes.
Formalize Secure by Design alignment: implement threat modeling for new features, integrate SAST/DAST in CI/CD (see KSI-CMT-VTD), deliver developer security training (KSI-CED-DET), document security requirements in development standards. Conduct persistent review of SDLC security effectiveness.
Dependencies & notes. Coordinates with KSI-CMT-VTD and KSI-CED-DET. CISA Secure by Design is the reference framework.
The requirement. Persistently review the effectiveness of the organization's investments in achieving security objectives.
Gap from SOC 2. Risk management program and self-assessments exist (RSK-3, IAO-1). FedRAMP requires persistent review of security investment effectiveness — including whether security tooling, staffing, and processes are achieving KSI outcomes — with documented evidence feeding back into the authorization package.
Develop a framework for evaluating security investment effectiveness against KSI outcomes. Define metrics for each investment area. Conduct persistent reviews (quarterly) with documented findings. Feed results into the authorization package and improvement planning.
Dependencies & notes. Leverages existing RSK-3 risk program. Adds investment-effectiveness measurement cadence.
The requirement. Persistently review executive support for achieving the organization's security objectives.
Gap from SOC 2. Board oversight and governance structures exist (GOV-1 through GOV-4). FedRAMP extends this to require persistent review of executive support specifically for security objectives and FedRAMP program resources — not just annual board meetings.
Establish a formal, documented process for persistently reviewing executive support for security objectives. Define metrics (security investment levels, KSI achievement rates, resource allocation). Schedule quarterly executive security reviews with documented outcomes.
Dependencies & notes. Extends existing GOV-1/GOV-2 governance. Primarily a process and documentation effort.
The requirement. Persistently review desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Gap from SOC 2. RTO/RPO are typically defined within BC/DR plans (BCD-1, BCD-2). FedRAMP requires these be formally documented in the SSP, persistently reviewed for relevance, and validated through functional tests — with documented evidence that actual recovery meets defined objectives.
Formally document RTO and RPO for all in-scope systems and include in the SSP. Conduct functional tests validating actual recovery against defined objectives. Document test results as evidence. Review and update RTO/RPO at least annually or after significant architectural changes.
Dependencies & notes. Primarily a documentation and evidence collection effort. Values likely already defined — need SSP integration.
The requirement. Persistently review the alignment of recovery plans with defined recovery objectives.
Gap from SOC 2. BC/DR plans exist and are tested (BCD-1, BCD-2). FedRAMP requires persistent review that recovery plans remain aligned with current system architecture and defined RTO/RPO — including government-specific recovery priorities and agency customer notification procedures during disruptions.
Update BC/DR plans to include: government data recovery priorities, agency customer notification procedures during disruptions, FedRAMP-aligned RTO/RPO targets, and procedures for maintaining federal data integrity during recovery. Document and test updated plans.
Dependencies & notes. Extends BCD-1/BCD-2. Adds government-specific content to existing plans.
The requirement. Persistently review the alignment of machine-based information resource backups with defined recovery objectives.
Gap from SOC 2. Backup processes are documented (GOV-5). FedRAMP requires persistent review that backup configurations (frequency, retention, geographic distribution) actually align with defined RPO — with automated monitoring and evidence of regular alignment validation.
Audit backup configurations (frequency, retention, geographic distribution) against defined RPO for all in-scope systems. Implement automated monitoring of backup job success/failure. Conduct periodic restoration tests and document results. Update SSP with backup architecture.
Dependencies & notes. Builds on GOV-5. Primary gap is automated monitoring and documented alignment validation.
The requirement. Persistently test the capability to recover from incidents and contingencies, including alignment with defined recovery objectives.
Gap from SOC 2. BC/DR and IR plans are tested (BCD-2, IRO-1). FedRAMP requires persistent functional testing — actual failover exercises, not just tabletop — with documented evidence that recovery met defined RTO/RPO targets. Annual testing minimum, with lessons learned incorporated.
Conduct functional (not just tabletop) recovery tests at defined intervals: actual failover exercises, database restoration tests, full-environment recovery simulations. Document outcomes, measure actual vs. target RTO/RPO, capture lessons learned, and update plans.
Dependencies & notes. Extends BCD-2/IRO-1. Must include actual failover, not just documentation review.
The requirement. Manage configuration of machine-based information resources using automation.
Gap from SOC 2. A configuration management system exists (CFG-1). FedRAMP requires configuration management to be fully automated — all resource configurations defined as code, deployed via automated pipelines, with drift detection and automated remediation. Manual configuration changes to production must be eliminated.
Migrate all configuration management to automation: define all resource configurations as code, deploy via automated pipelines, implement continuous drift detection and automated remediation. Eliminate all manual configuration changes to production. Document the automated configuration management architecture.
Dependencies & notes. Closely related to KSI-CMT-RMV. Configuration-as-code is the primary investment.
The requirement. Automate management, protection, and regular rotation of digital keys, certificates, and other secrets.
Gap from SOC 2. Encryption key access is restricted (CRY-2). Automated secret rotation — short-lived credentials, automated certificate renewal, secrets vault with automated rotation policies — is not required by SOC 2. Long-lived static secrets and manually rotated credentials must be eliminated.
Deploy a secrets management solution (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Automate rotation of all keys, certificates, and secrets on defined schedules. Eliminate long-lived static secrets. Implement automated alerting on rotation failures. Document coverage.
Dependencies & notes. Closely related to KSI-IAM-SNU. Secret management tooling is well-established. Primarily a deployment and migration effort.
The requirement. Implement improvements based on persistent evaluation of information resources for opportunities to improve security.
Gap from SOC 2. Self-assessments and vulnerability scanning provide improvement inputs (IAO-1, VPM-2). FedRAMP requires a persistent, systematic process for evaluating all information resources for security improvement opportunities — with automated tooling generating continuous findings that feed into an improvement backlog.
Establish a continuous security improvement pipeline: automated tools generate findings (CSPM, SAST, vulnerability scanners), findings are triaged and prioritized, improvements tracked to completion, metrics reviewed persistently. Document the improvement cycle as evidence.
Dependencies & notes. Integrates outputs from multiple other KSIs (MLA, CMT, CNA). Primarily a process and workflow effort.
The requirement. Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data.
Gap from SOC 2. Change management procedures exist (CHG-1). Post-change residual risk review — specifically checking for orphaned resources, unintended data exposures, or configuration remnants after changes — is more specific than SOC 2 requirements. Must be formalized as a post-deployment verification step.
Formalize a post-deployment review step in the change management process: verify no orphaned resources, unintended data exposures, or configuration remnants after changes. Automate residual resource detection. Document as part of change closure criteria.
Dependencies & notes. Optional for Moderate. Extends CHG-1 with a post-deployment verification gate.
The requirement. Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate.
Gap from SOC 2. Customer data deletion and retention procedures exist (DCH-1, AST-2). FedRAMP adds agency-directed data removal — including from backups — within defined timeframes and with documented evidence of removal completion. Processes must be enhanced to cover backup purging and provide agency notification of completion.
Formalize process for removing federal customer data upon agency request: define SLAs, include backup purging procedures, implement verification of removal completion, provide agencies with documented confirmation. Test and document the removal process.
Dependencies & notes. Optional for Moderate. Builds on DCH-1/AST-2 with federal-specific data removal procedures.
The requirement. Encrypt or otherwise secure network traffic.
Gap from SOC 2. Network traffic encryption is in place (NET-1, IAC-13). FedRAMP requires FIPS-approved TLS (TLS 1.2+ with approved cipher suites) for all traffic carrying federal data, and disabling non-compliant protocols. All endpoints must be audited for TLS compliance and weak ciphers must be disabled.
Audit all TLS configurations for FIPS compliance: enforce TLS 1.2+ with FIPS-approved cipher suites, disable TLS 1.0/1.1 and non-compliant ciphers, test all external and internal endpoints. Configure load balancers and API gateways to enforce compliant TLS. Document configuration baseline.
Dependencies & notes. Coordinates with KSI-AFR-UCM. May require reconfiguration of load balancers, CDN, and API gateways.
The requirement. Persistently validate the authenticity and integrity of communications between machine-based information resources using automation.
Gap from SOC 2. Encryption of transmissions exists (NET-1). Persistent, automated validation of communication authenticity and integrity (mutual TLS, certificate validation, signed API responses) between internal services is not required by SOC 2 and requires additional implementation.
Implement mutual TLS (mTLS) for service-to-service communications within the authorization boundary. Automate certificate rotation. Validate communication authenticity persistently. Consider service mesh (Istio, Linkerd) for enforcement.
Dependencies & notes. Optional for Moderate. Recommended as a defense-in-depth measure for cloud-native micro-services.
The requirement. Use cryptographic methods to validate the integrity of machine-based information resources.
Gap from SOC 2. Configuration management and assessments exist (CFG-1, IAO-1). Cryptographic integrity validation — container image signing, binary signing, IaC artifact verification using tools like Sigstore/Cosign — is not required by SOC 2 and must be implemented.
Implement container image signing (Sigstore/Cosign, Docker Content Trust). Sign build artifacts and IaC templates. Enforce signature verification at deployment. Deploy file integrity monitoring for critical system files. Integrate alerts into SIEM.
Dependencies & notes. Tooling: Sigstore/Cosign for containers, AIDE or cloud-native FIM for system files. Must integrate into CI/CD pipeline.
The requirement. Persistently identify, review, and mitigate potential supply chain risks.
Gap from SOC 2. Vendor management and third-party agreements exist (TPM-1, TPM-2). FedRAMP adds persistent supply chain risk identification — SBOM maintenance, CISA Secure Software Development Attestation requirements, and formal supply chain risk assessment for all critical suppliers — beyond what SOC 2 requires.
Enhance vendor management program (TPM-2) to meet FedRAMP supply chain requirements: implement SBOM tooling (Syft, CycloneDX) in CI/CD pipeline, collect CISA Secure Software Development Attestations from critical vendors, conduct formal supply chain risk assessments, verify FedRAMP authorization of all external services handling federal data.
Dependencies & notes. Multiple sub-workstreams: SBOM tooling, CISA attestation collection, FedRAMP marketplace verification of all external services.
The requirement. Automatically monitor third-party software information resources for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.
Gap from SOC 2. Vendor management and vulnerability scanning exist (TPM-2, VPM-2). Automated monitoring of upstream third-party software for vulnerabilities (SCA tooling, dependency scanning, contractual vulnerability notification clauses) is not explicitly required by SOC 2 and must be implemented.
Implement automated monitoring of third-party dependencies and upstream software for newly disclosed vulnerabilities: deploy SCA tooling (Snyk, OWASP Dependency-Check, Dependabot) in CI/CD, establish contractual vulnerability notification requirements with critical vendors, subscribe to vendor security advisories.
Dependencies & notes. Extends TPM-2/VPM-2. SCA tooling is well-established and integrates natively into CI/CD.
No. SOC 2 fully satisfies none of the 60 Key Security Indicators — but it is a strong head start. A typical SOC 2 Type II control set partially addresses 52 of 60 KSIs; the remaining 8 have no SOC 2 equivalent at all. The difference is FedRAMP 20x's bar: persistent, automated, machine-readable validation rather than an annual point-in-time audit.
Eight KSIs have no meaningful SOC 2 coverage: Authorization Data Sharing (KSI-AFR-ADS), Collaborative Continuous Monitoring (KSI-AFR-CCM), the FedRAMP Security Inbox (KSI-AFR-FSI), Minimum Assessment Scope (KSI-AFR-MAS), Persistent Validation and Assessment (KSI-AFR-PVA), the customer-facing Secure Configuration Guide (KSI-AFR-SCG), immutable redeployment (KSI-CMT-RMV), and a public vulnerability disclosure program (KSI-PIY-RVD).
Per-KSI work items range from one to twenty-four weeks of effort, and many run in parallel. The largest items are the OSCAL-formatted System Security Plan and authorization boundary (12–20 weeks), the compliance-as-code validation pipeline (16–24 weeks), and the continuous monitoring program (10–16 weeks). See how long FedRAMP 20x takes for the full timeline picture.
Yes — substantially. Incident response, change management, security training, vendor management, logging, and access control processes from SOC 2 all carry forward as the foundation. FedRAMP 20x then asks you to make them persistent and automated, extend them to federal-specific procedures, and prove them with machine-readable evidence instead of an auditor's annual report.
Yes. KSI-AFR-UCM requires cryptographic modules validated under FIPS 140-2 or 140-3 for federal data — a hard requirement with no SOC 2 equivalent. Encryption that satisfies a SOC 2 auditor does not automatically satisfy FedRAMP; every TLS endpoint and crypto library must be audited against CMVP validation.
Workstreet's Trust Engineers validate your real coverage, prioritize the gaps, and build the automated evidence FedRAMP 20x expects — from wherever you're starting.
Talk to a Trust EngineerAll 60 KSIs with the official requirement, your closest SOC 2 controls, and the full scope of work — effort estimates, priorities, and dependencies — as a spreadsheet-ready CSV.
We'll occasionally send FedRAMP 20x updates from Workstreet. Unsubscribe anytime.
Downloading now. Want the gaps turned into a plan?
Talk to a Trust Engineer