Free Assessment

Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

Request a Demo

Home

  / ,

  / SOC 2 Compliance Checklist for EOR Providers

SOC 2 Compliance Checklist for EOR Providers

Picture of Pedro Dias
Copy Link

EORs are often the leaders in data security compliance. As the responsible party for payroll and HR data, the burden of SOC 2 compliance is greater for them than for other companies. But SOC 2 compliance doesn’t have to be complicated. In this article, we’ll guide EOR firms through the process with an easy, step-by-step approach.

What Is SOC 2 Compliance and Why Does It Matter for EOR Providers?

Understanding SOC 2 and Its Role in Employer of Record Services

An Employer of Record processes payroll data, national identification numbers, bank account details, tax filings, and employment records for workers across dozens of countries. In a single month, a mid-sized EOR platform may handle more sensitive personal data than many healthcare organisations. That concentration of risk is precisely why SOC 2 compliance has moved from a nice-to-have to a procurement prerequisite for clients who take data security seriously.

SOC 2 is a security auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates service organisations against a set of Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. Unlike prescriptive frameworks such as PCI DSS, SOC 2 does not mandate a specific list of controls. Instead, it requires organisations to demonstrate that the controls they have designed and implemented actually work.

For EOR providers, this flexibility is both useful and demanding. Useful because it allows controls to be tailored to the specific realities of multi-country payroll operations. Demanding because evidence of effective control operation must be documented and sustained continuously — not assembled in the weeks before an audit.

Why EOR Providers Are High-Value Targets for Data Security Risks

EOR platforms sit at a uniquely dangerous intersection of data sensitivity, operational scale, and third-party dependency. They act as the legal employer in multiple jurisdictions, which means they hold the kind of data that attracts two distinct threats: financially motivated attackers looking for payroll and banking credentials, and regulatory enforcement bodies scrutinising how personal data crosses borders.

The attack surface is broad. EOR providers connect client company HR systems to local payroll engines, tax authorities, benefits administrators, and banking rails. Each integration is a potential entry point. A misconfigured API between an EOR platform and a client HRIS can expose employee records without any external attacker involved at all.

The regulatory exposure compounds the security risk. Under the GDPR alone, penalties for serious data breaches can reach €20 million or 4% of global annual turnover, whichever is higher. For an EOR operating in Europe, Southeast Asia, and Latin America simultaneously, the regulatory surface is enormous.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Schedule

The Business Case for SOC 2 Compliance in the EOR Industry

Enterprise clients and their procurement teams increasingly require SOC 2 Type II certification before signing EOR contracts. A successful audit signals that an EOR provider has implemented and sustained effective security controls over time — not just designed them on paper. That distinction matters enormously in a market where a single data breach can destroy client relationships overnight.

SOC 2 compliance also de-risks the EOR provider itself. Organisations that have gone through the audit process typically discover and remediate control gaps they did not know existed. The internal discipline required to sustain a Type II audit programme produces a more operationally mature organisation, regardless of what any individual client requires.

Pro Tip: Type 1 vs Type 2

In the EOR market, SOC 2 Type II has become the de facto security signal that enterprise procurement teams look for when vetting providers. Type I is no longer sufficient for most Fortune 1000 clients. If an EOR is starting the compliance journey today, the goal should be Type II from the outset.

Which Trust Services Criteria Apply to EOR Providers?

Security (Common Criteria)

Security is the only mandatory Trust Services Criterion in a SOC 2 audit. It covers nine areas of control (CC1 through CC9) grounded in the COSO framework, spanning governance, risk management, access controls, system operations, change management, and incident response. For EOR providers, the security criterion is the foundation on which everything else sits.

Access control is particularly critical. EOR platforms grant dozens or hundreds of internal staff access to employee PII and payroll data, often differentiated by country and client. Multi-factor authentication, role-based access, and rigorous user provisioning and deprovisioning processes are baseline expectations for any SOC 2 auditor.

Availability

Availability assesses whether systems perform as expected and are accessible to users when required. For EOR providers, payroll processing is time-critical. A system outage on a payroll run date does not just affect internal operations — it directly impacts employees’ ability to receive pay on time, which creates legal exposure in many jurisdictions.

Availability controls for EOR providers should address capacity planning, disaster recovery, and system resilience. Demonstrable recovery time objectives and tested business continuity plans are the evidence auditors will want to see.

Confidentiality

Confidentiality applies to any information designated as confidential within the system, including client business information, employment contracts, salary benchmarking data, and any other data the EOR has committed to protect beyond basic legal requirements. It requires both clear data classification processes and active controls to prevent unauthorised disclosure.

EOR providers often hold confidential commercial information on behalf of multiple clients who may be competitors of one another. Logical segregation of client data is therefore not only a security best practice but a direct requirement under the confidentiality criterion.

Processing Integrity

Processing integrity evaluates whether systems process data completely, accurately, in a timely fashion, and without unauthorised modification. This criterion is particularly relevant to payroll operations, where a calculation error can result in incorrect tax remittances, underpaid employees, or regulatory violations.

Input validation controls, reconciliation procedures, and audit trails that confirm payroll data moved accurately from source to payment are the core of a processing integrity programme for EOR platforms.

Privacy

Privacy goes beyond confidentiality to address how personal data is collected, stored, used, retained, and disclosed in line with the AICPA’s Generally Accepted Privacy Principles. It applies when an organisation collects and processes PII — which every EOR provider does by definition.

For EOR providers operating globally, the privacy criterion intersects directly with GDPR, the CCPA, and a growing number of regional data protection regimes. A SOC 2 audit covering Privacy does not substitute for GDPR compliance, but the controls required to meet the privacy criterion are largely the same ones needed to demonstrate regulatory compliance.

Pro Tip: AICPA Trust Service Criteria

The AICPA updated its Trust Services Criteria points of focus in 2022 to reflect evolving cybersecurity threats and technology environments. The underlying five criteria remain unchanged, but the 2022 revision added specific focus areas around vendor risk, software supply chain security, and breach response, areas that are especially relevant to EOR platforms with complex third-party integration ecosystems.

SOC 2 Type I vs. SOC 2 Type II: What EOR Providers Need to Know

SOC 2 Type I: Point-in-Time Design Assessment

A Type I report evaluates whether the controls an organisation has designed are appropriate and in place as of a specific date. It does not assess whether those controls have been operating effectively over time. The auditor is confirming that the controls are correctly designed and that they existed on the date of the assessment.

Type I is faster and less expensive to obtain. For an EOR provider building a compliance programme from scratch, Type I can serve as a milestone that confirms the foundation is solid before moving to the sustained operational evidence required for Type II. It can also be a useful signal to early-stage clients who want assurance that a formal security programme exists.

SOC 2 Type II: Ongoing Operational Effectiveness

A Type II report covers a defined observation period, typically six to twelve months. Auditors assess not just whether controls exist and are well-designed, but whether they operated effectively throughout that period. This requires continuous evidence: access review logs, training completion records, incident response tests, vendor assessments, and so on.

Type II is the standard that enterprise buyers expect. It is a fundamentally different kind of commitment from Type I, requiring that the organisation maintain audit-ready evidence on an ongoing basis rather than preparing for a single point-in-time assessment. For a deeper look at building and sustaining that readiness, see what to expect from a SOC 2 compliance solution.

Which SOC 2 Report Type Should EOR Providers Pursue First?

EOR providers with no existing compliance programme should plan for Type II from the start, treating a Type I as a waypoint rather than a destination. The disciplines required to sustain a Type II audit,  including continuous monitoring for SOC 2, systematic evidence collection, and regular control testing,  take time to establish. Starting that clock earlier reduces the total time to a mature Type II report.

Providers that already have strong security controls in place but lack a formal audit trail are typically better positioned to move directly toward a Type II observation period, using a gap analysis to identify what evidence collection needs to be formalised before the observation window opens.

SOC 2 Compliance Checklist for EOR Providers

The following steps represent the full operational journey from programme initiation to audit-ready posture. This SOC 2 compliance checklist is designed specifically for EOR providers navigating the complexity of multi-country data operations.

Step 1: Define Your Audit Scope

Scope definition is the most consequential decision in the SOC 2 process. The scope determines which systems, processes, and data flows are included in the audit,  and therefore which controls must be evidenced. For an EOR provider, this typically includes the core payroll platform, client onboarding systems, HR data integrations, and any systems that store or transmit employee PII.

Resist the instinct to scope narrowly to reduce cost. Auditors and clients will notice if material systems or data flows have been excluded, and a narrow scope undermines the trust the audit is meant to build.

Step 2: Select Your Trust Services Criteria

Security is mandatory. Given the nature of EOR services, most providers should also include Availability, Processing Integrity, and Privacy. Confidentiality is appropriate for providers that have contractual confidentiality commitments to clients regarding business information beyond standard data protection requirements. See the full breakdown of the Trust Services Criteria to determine the right scope for your organisation.

Step 3: Conduct a Gap Analysis and Readiness Assessment

A readiness assessment and gap analysis compares current controls against the requirements of the selected Trust Services Criteria and identifies what is missing, underdocumented, or not operating as intended. For most EOR providers, gaps surface in vendor risk management, formal access review processes, and evidence collection practices rather than in the underlying security controls themselves.

Step 4: Design and Implement Required Security Controls

Controls must be designed to address the specific risks identified in the gap analysis. For EOR providers, this includes encryption of data in transit and at rest across all environments where employee PII is stored, multi-factor authentication across all in-scope systems, and network segmentation to limit lateral movement in the event of a breach.

Step 5: Develop and Document Policies and Procedures

Every control must be backed by a documented policy that explains what the control does, who is responsible for it, and how compliance is verified. An auditor who cannot locate the policy for a control they are testing will treat it as a gap,  regardless of whether the control is functioning correctly in practice. Required documentation includes an information security policy, an access control policy, a change management policy, a data retention and disposal policy, and a vendor management policy.

Step 6: Implement Employee Security Awareness Training

SOC 2 requires documented, recurring security awareness training for all staff, with role-specific training for employees with elevated access or security responsibilities. Training records must include dates, participants, and topics covered. These records will be requested during the audit, and incomplete records are one of the most common findings in first-time SOC 2 engagements.

Step 7: Establish Access Controls and System Configuration Standards

Access to in-scope systems should be granted on a least-privilege basis, reviewed at regular intervals,  quarterly is the most common expectation,  and immediately revoked upon employee departure. Configuration baselines for all in-scope systems should be documented and enforced, with any deviations logged and reviewed.

Step 8: Set Up Incident Response and Disaster Recovery Procedures

An incident response plan should cover detection, containment, eradication, recovery, and post-incident review, and must be tested at least annually. Disaster recovery procedures should include defined recovery time objectives and recovery point objectives, tested through tabletop exercises or simulations. For EOR providers, GDPR’s 72-hour breach notification requirement makes a well-rehearsed incident response plan not just an audit requirement but a legal one.

Step 9: Perform Ongoing Risk Assessments

SOC 2 requires a documented, repeatable risk assessment process. The assessment should inventory all systems and data flows in scope, identify threats and their likelihood and impact, and document the controls in place to mitigate each risk. For EOR providers, country-specific regulatory changes and new third-party integrations should trigger a risk assessment update.

Pro Tip: Integrate risk assessment reviews into the EOR’s standard product release and vendor onboarding processes. This ensures that new systems and integrations are evaluated before they go live, rather than discovered as gaps during audit evidence collection.

Step 10: Build and Maintain an Audit Log and Evidence Repository

Continuous evidence collection is the operational backbone of a Type II programme. Audit logs should capture access events, configuration changes, and security incidents across all in-scope systems. Evidence of control operation,  completed access reviews, training records, vendor assessments,  should be organised in a central repository accessible to the audit team. Disorganised evidence is one of the common SOC 2 compliance mistakes that delays audits and inflates costs.

Step 11: Implement a Vendor and Third-Party Risk Management Process

EOR providers rely heavily on third parties: local payroll processors, benefits administrators, banking partners, and HR technology integrations. A formal vendor risk management programme should assess vendors before engagement, review their security posture periodically,  including reviewing their own SOC 2 reports where available,  and document the outcomes. This is an area where EOR providers are disproportionately exposed relative to non-EOR technology companies.

Step 12: Engage a Licensed SOC 2 Audit Firm

SOC 2 audits must be performed by a licensed CPA firm. An auditor with experience in HR and payroll technology platforms will better understand the specific risks and control requirements relevant to EOR operations, ask more targeted questions, and complete the audit more efficiently than a generalist firm encountering payroll infrastructure for the first time.

Key Documentation Required for SOC 2 Compliance as an EOR Provider

Control Policies and Procedures Documentation

Every in-scope control must be supported by a written policy. Policies must be current, approved by management, and accessible to employees. Auditors distinguish clearly between a policy that exists and a policy that is actively maintained,  version histories, approval dates, and evidence of annual reviews all support the latter.

Employee Training Records

Training records must document who was trained, when, on what topics, and with what outcome. For EOR providers, role-specific training for payroll staff, HR administrators, and engineers with privileged access is an additional requirement beyond general security awareness training. General awareness training records and role-specific records should be maintained separately and be producible on request.

System Configurations and Access Controls

Auditors will request evidence of system configuration baselines, access control lists, and user access review records. For EOR platforms operating across multiple environments, maintaining consistent, documented configuration standards is a significant operational effort that must begin well before the audit window opens,  not in the weeks preceding it.

Incident Response Plans

A documented, tested incident response plan is a core audit requirement. The plan must define roles and responsibilities, escalation procedures, notification timelines,  particularly relevant for GDPR breach notification obligations, which require notification within 72 hours,  and post-incident review processes. Evidence of annual testing is required; a plan that has never been tested provides much weaker assurance than one with documented tabletop exercise outcomes.

Monitoring and Logging Mechanisms

Evidence that monitoring and logging are operational,  not merely configured,  is a standard audit request. Log retention periods, alerting thresholds, and the results of periodic log reviews should all be documented and producible on request. Auditors will look for evidence of actual review activity, not just system configuration screenshots.

Vendor and Subprocessor Management Records

Records of vendor due diligence,  including the basis for approving each vendor, the results of periodic reviews, and any corrective actions taken,  form a critical part of the audit evidence package. For EOR providers with global operations, this list can be extensive and requires systematic management rather than ad hoc documentation.

EOR-Specific Security Controls to Prioritise

Protecting Employee Personally Identifiable Information (PII) Across Borders

EOR platforms hold some of the most sensitive PII imaginable: national identification numbers, passport details, bank account information, and tax identifiers for employees in dozens of countries. Controls must ensure that this data is encrypted at rest and in transit, that access is restricted to personnel with a legitimate need, and that data is retained only for as long as legally required.

Cross-border data transfers add further complexity. The GDPR restricts transfers of personal data to countries not deemed to provide adequate data protection. China’s data protection framework imposes localisation requirements that prevent certain categories of data from leaving Chinese jurisdiction. These requirements must be mapped into the EOR’s access control and data residency architecture before the audit scope is finalised.

Payroll Data Integrity and Processing Controls

Payroll errors have direct legal consequences. A failure to process correct tax deductions can trigger audits and penalties from tax authorities, potentially implicating both the EOR and the client company. Processing integrity controls,  input validation, reconciliation procedures, and exception reporting,  should be documented and tested as part of the SOC 2 programme, with evidence of regular reconciliation runs available for auditor review.

Multi-Country Data Residency and Access Management

Many EOR platforms use cloud infrastructure to serve global operations, which creates default data flows that may not comply with local data residency requirements. Role-based and geography-based access controls, enforced at the data layer rather than just the application layer, are a meaningful differentiator. A support engineer in one jurisdiction should not have default access to employee data held in another,  and demonstrating that this restriction is actively enforced is a strong audit signal.

Third-Party Integrations and Client System Access Controls

EOR providers often have privileged access to client HR and finance systems. The controls governing this access,  how credentials are stored, how access is granted and revoked, and how activity is logged,  are high-priority audit considerations. Any client system access not governed by a formal access management process represents both a security risk and an audit finding waiting to happen.

Pro Tip: Multi-country EORs

Multi-country EOR operations present a complication that non-specialist auditors may underestimate. The Privacy criterion in a SOC 2 audit does not substitute for GDPR, CCPA, or any other jurisdiction-specific data protection regulation. An EOR provider can pass a SOC 2 audit and still be non-compliant with GDPR if cross-border data transfer mechanisms are not properly implemented. These are parallel requirements, not alternatives.

Preparing for the SOC 2 Audit: Practical Steps for EOR Providers

Conduct a Mock Audit or Internal Readiness Review

A readiness review performed six to eight weeks before the audit begins is the single most effective way to reduce audit surprises. It should test whether evidence can be produced for each in-scope control, identify any controls that have lapsed, and confirm that the audit evidence repository is organised and complete. Think of it as a rehearsal where fixing mistakes still costs nothing.

Resolve Control Gaps Before the Audit Begins

Gaps identified in the readiness review should be remediated before the audit starts, not during it. Remediating a gap after the auditor has identified it results in a qualified or adverse finding in the report. Remediating it beforehand means it simply does not appear as a gap. This requires enough lead time to implement and evidence the corrective control before the audit window closes,  which is another reason why preparation timelines of six months or more are not conservative but realistic.

Maintain Continuous Monitoring to Sustain Audit Readiness

For a Type II audit, the observation period is the audit. Evidence collected during that period must demonstrate consistent control operation, not a burst of activity in the weeks before the assessment. Continuous monitoring for SOC 2,  whether through purpose-built compliance platforms or security information and event management systems,  is a practical necessity for organisations managing large evidence volumes across complex, multi-country environments.

SOC 2 and Related Frameworks: What EOR Providers Should Know

SOC 2 is not the only framework EOR providers will encounter. Understanding how it relates to other standards helps organisations make smarter decisions about where to invest compliance resources. ISO 27001 vs SOC 2 is one of the most common comparisons, and for good reason: both address information security management, but they differ significantly in scope, evidence requirements, and market recognition across geographies.

ISO 27001 is an international standard that requires organisations to establish, implement, maintain, and continually improve an information security management system. It is more widely recognised outside North America and is often the preferred certification for EOR providers operating primarily in European or Asia-Pacific markets. SOC 2, by contrast, is deeply embedded in the North American enterprise procurement process. Many mature EOR providers pursue both, using the overlapping control requirements to build a single evidence base that serves multiple audit programmes simultaneously.

For organisations considering ISO 27001 alongside SOC 2, a structured gap analysis covering both frameworks can identify where controls satisfy requirements for one standard but fall short for the other,  and where a single well-designed control can serve both.

Can EOR providers use compliance automation software for SOC 2?

Compliance automation platforms can meaningfully reduce the effort required to collect and organise audit evidence, monitor controls continuously, and manage the evidence repository. They are particularly useful for EOR providers managing high evidence volumes across multiple systems and geographies. These tools do not replace the need for an accredited SOC 2 auditor, but they can substantially reduce preparation costs and ongoing compliance burden.

SOC 2 and GDPR compliance are parallel requirements that overlap significantly in practice but are not substitutes for one another. Achieving SOC 2 compliance, including the Privacy criterion, demonstrates that robust data protection controls are in place. However, a SOC 2 report does not provide a GDPR compliance certification, and GDPR requirements around data subject rights, cross-border transfer mechanisms, and data processor agreements must be addressed separately. EOR providers should treat both frameworks as independently necessary and jointly beneficial.

Security is mandatory for all SOC 2 audits. For EOR providers specifically, Availability is critical because of payroll processing deadlines, Processing Integrity is essential given the legal consequences of payroll errors, and Privacy is required because EOR platforms collect and process substantial volumes of employee PII. Most EOR providers pursuing a full SOC 2 programme should address all five criteria.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
Copy Link

Blog Highlights

Explore More Articles

Read More Blogs

The EU AI Act in 2026: What It Means for Businesses

The world’s first comprehensive AI law is not a single switch that flips on in August 2026. It is a layered regulation that has been activating in stages since February 2025. As of May 2026, it is already being rewritten to give companies more time on the hardest parts. Anyone trying to plan around a single deadline is working from a map that no longer matches the territory. The law’s reach is also global. Just as GDPR exported European privacy norms worldwide, the EU AI Act is producing a Brussels Effect for artificial intelligence: a regulation drafted in Europe that becomes the de facto global standard. Companies in the US, the UK, Bahrain, and anywhere else with EU customers or EU-facing outputs are already in scope, whether or not they have a European office. This guide cuts through the noise. It explains what the EU AI Act actually requires, who it applies to, which rules are already live, which were just pushed back by the EU’s recent simplification deal, and what the penalties really look like for companies of different sizes. What Is the EU AI Act? The EU AI Act (Regulation (EU) 2024/1689) is a horizontal law that sets harmonised rules for developing, placing on the market, and using artificial intelligence systems across the European Union. It is the first comprehensive AI law passed by any major regulator anywhere in the world, and it entered into force on 1 August 2024. The Act takes a risk-based approach. Rather than regulating AI as a single category, it sorts AI systems into tiers based on the harm they could cause to health, safety, or fundamental rights. The higher the risk, the stricter the obligations. Prohibited uses are banned outright. High-risk uses are heavily regulated. Most everyday AI — like spam filters and product recommenders — is left alone. The law also creates a separate, parallel regime for general-purpose AI (GPAI) models, the foundation models behind systems like ChatGPT, Claude, and Gemini. That regime is enforced at the EU level rather than at the national level. Why Was the EU AI Act Created? The official answer is to foster trustworthy AI in Europe. The real answer is broader: the EU watched generative AI go mainstream in late 2022 and concluded that existing law — particularly GDPR — was not enough to address the specific risks AI systems pose. Opacity in decision-making, bias in hiring tools, biometric surveillance, and the manipulation potential of generative models all sat uneasily in the regulatory gap between data protection law and product safety law. The EU’s stated goals are to protect health, safety, and fundamental rights, while preserving innovation and the single market. The political subtext is the Brussels Effect: do for AI what GDPR did for privacy, and let European rules become the global default by virtue of market access. Brazil, Canada, the UK, several US states, and Gulf jurisdictions, including Bahrain, are already drafting AI rules that borrow heavily from the EU framework. For a broader view of how AI governance is likely to evolve through the end of the decade, the trajectory is already becoming clear. Who Does the EU AI Act Apply To? The Act does not apply to AI itself. It applies to people and organisations that build, sell, or use AI systems. Article 3 defines those roles without reference to company size, so a two-person startup is in scope on the same legal basis as a Fortune 500 enterprise. Providers and Developers A provider is anyone who develops an AI system — or has one developed — and places it on the EU market or puts it into service under their own name or trademark. Providers carry the heaviest load of obligations, particularly for high-risk systems: risk management, technical documentation, conformity assessment, post-market monitoring, and incident reporting. A provider is distinct from a downstream developer who simply integrates a third-party AI component. But the line moves: if you take a general-purpose model and put your name on the resulting product, you can become a provider yourself. Deployers and Operators A deployer is anyone using an AI system in a professional capacity. If you are a bank running a credit-scoring model you bought from a vendor, you are a deployer. Deployers have lighter obligations than providers but still carry real ones: ensuring human oversight, monitoring system behaviour, informing affected individuals, and conducting fundamental rights impact assessments where required. The term operator in the Act is an umbrella that covers providers, deployers, importers, distributors, and authorised representatives. Application Outside the EU This is where many non-EU companies get caught. The AI Act applies extraterritorially. A US LLC training a model in Texas, a UK firm running an AI hiring tool, or a Bahrain-based fintech using AI for credit scoring is in scope the moment the output affects someone in the EU. If a US company develops an AI hiring tool and a German employer uses it on German candidates, the US provider is in scope — even with no EU office. The trigger is whether the system’s output is used in the Union, not where the company sits. Pro Tip: Selling AI tools to EU customers outside the EU. If you sell AI tools to EU customers from outside the EU, you must appoint an authorised representative established in a Member State before placing high-risk systems on the market. This is not optional and is one of the most commonly missed obligations for non-EU providers. The Risk-Based Approach: How the EU AI Act Classifies AI Systems The framework sorts AI systems into four tiers. The obligations scale with the tier. Unacceptable Risk: Prohibited AI Practices Article 5 prohibits eight categories of AI practice outright. These prohibitions became enforceable on 2 February 2025, well before the rest of the Act. The banned practices are: Subliminal or manipulative techniques are designed to distort behaviour and cause significant harm. Exploitation of vulnerabilities related to age or disability. Social scoring by public or private actors —

Read more

CMMC Level 1 Requirements: A Complete Guide

Phase 1 of the Cybersecurity Maturity Model Certification program went live on November 10, 2025. From that date, the Department of Defense can write CMMC requirements directly into new solicitations, and contractors who handle even basic government data cannot win awards without a current CMMC status in the Supplier Performance Risk System (SPRS). For roughly 63 percent of the Defense Industrial Base, that means Level 1: 15 foundational safeguards, an annual self-assessment, and a signed affirmation from a senior official. Level 1 is the smallest version of CMMC. It is also the one most contractors are about to encounter first, and the one with the highest false-confidence rate. This guide covers every requirement, every assessment objective, and every step from scoping to SPRS submission. What Is CMMC Level 1? CMMC Level 1 (Foundational) is the entry tier of the Cybersecurity Maturity Model Certification program, codified in 32 CFR Part 170. It requires defense contractors who handle Federal Contract Information (FCI) to implement 15 basic safeguarding practices and to confirm that implementation through an annual self-assessment. The 15 practices come directly from FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, a clause that has technically applied to federal contractors since 2016. What CMMC added is an assessment methodology and a verification mechanism. Until CMMC, no one was checking whether contractors actually did the 15 things they were contractually obligated to do. Under the final CMMC Program Rule, effective December 16, 2024, that gap is closed. Earlier CMMC drafts described Level 1 as a 17-practice framework because three physical-protection requirements were listed separately. The final rule consolidates them, and the official count now sits at 15 practices with 17 underlying assessment objectives drawn from NIST SP 800-171A. Both numbers are correct, depending on which level of granularity you are working at. What Is the Purpose of CMMC Level 1? The purpose is narrow and specific: to protect FCI from unauthorized disclosure.  FCI is information the federal government either generates or receives during contract performance that is not intended for public release. Think proposal correspondence, delivery schedules, performance reports, and routine contract communications. None of it is classified. None of it is even particularly sensitive in the traditional sense. But aggregated across thousands of contractors and exposed to adversaries, it gives a meaningful picture of what the U.S. government is buying, from whom, and on what timeline. Level 1 exists because too much of the Defense Industrial Base was failing to apply even basic hygiene to that data. CMMC Level 1 turns inconsistent expectations into a yearly verification cycle. CMMC Level 1 Scope The CMMC Assessment Scope for Level 1 is defined in the official DoD CMMC Level 1 Scoping Guide. It covers every information system that processes, stores, or transmits FCI, along with the people, processes, and physical facilities that interact with those systems. In practical terms, scope includes workstations and servers that handle FCI, cloud services used to store or transmit FCI, email systems used to send or receive FCI, file-sharing platforms holding FCI documents, network infrastructure carrying FCI traffic, physical facilities where any of the above are located, and personnel with access to any of the above. Anything that does not touch FCI is out of scope. This is the simplest scoping model in CMMC, and it is also where most contractors trip up. The temptation is to declare a narrow scope (“just the one folder on the file server”) and ignore the email, the laptops, and the backups. Auditors and primes will not accept it. CMMC Level 1 Requirements: All 15 Practices Explained The 15 practices fall across six domains. Each is mapped to a NIST SP 800-171 control identifier, but Level 1 only assesses the subset of objectives relevant to FCI. Access Control (AC) AC.L1-B.1.I – Authorized Access Control Practice: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices. Maintain a current list of users, processes, and devices authorized to access systems holding FCI. This means active user-account management: unique identifiers for each user, accounts disabled promptly when employment ends, and a documented process for reviewing who has access and why. Shared credentials are not acceptable. This is the foundation every other access control practice is built on, and it is where many contractors have their first reckoning with how loosely their environments have actually been managed. AC.L1-B.1.II – Transaction and Function Control Practice: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Apply the principle of least privilege. A user with access to read FCI does not automatically get access to delete it, share it externally, or modify system configurations. Role-based access controls (RBAC) satisfy this requirement. In practice, this means auditing what each role can actually do in your systems and trimming permissions down to what is genuinely necessary for the job function. AC.L1-B.1.III – External Connections Practice: Verify and control or limit connections to and use of external information systems. Know what external systems your in-scope environment connects to — cloud storage, partner networks, contractor laptops on home Wi-Fi — and apply controls to those connections. Acceptable Use Policies, VPN requirements, and explicit allow-lists for external sharing all map here. The key word is verify: you need documented evidence that external connections are inventoried and controlled, not just assumed to be fine. AC.L1-B.1.IV – Control Public Information Practice: Control information posted or processed on publicly accessible information systems. Make sure FCI does not end up on your public website, your company blog, or any other publicly accessible system. This is mostly a process control: establish who is allowed to publish to public-facing systems and what review happens before anything goes live. It sounds obvious, but incidents involving inadvertent FCI disclosure through company websites and public repositories are more common than the industry likes to admit. Identification and Authentication (IA) IA.L1-B.1.V – Identification Practice: Identify information system users, processes acting on behalf of users, or devices. Every user,

Read more

Drata HIPAA Compliance: PHI Safeguards in 2026

Risk analysis failures sit behind 76% of HIPAA enforcement actions in 2025, according to The HIPAA Journal’s annual breach report. That single statistic explains why healthcare organizations and their business associates are rethinking how they manage HIPAA. Its no longer enough to conduct an annual policy review, it is now a continuous control problem. Drata fits that shift. It is a security and compliance automation platform that connects to the systems where PHI lives, maps controls to the HIPAA Privacy, Security, and Breach Notification Rules, and keeps evidence current between formal assessments. This guide covers what Drata actually does for HIPAA: which rules it addresses, how the automation works in practice, what it leaves to humans, and how readiness compares to running parallel frameworks like SOC 2. What Is HIPAA and Why Does Compliance Matter? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the U.S. federal law governing the protection of protected health information (PHI). It applies to two categories of organizations: covered entities (health plans, healthcare clearinghouses, and most providers) and business associates, a category that captures any vendor, SaaS company, or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Enforcement is led by the HHS Office for Civil Rights (OCR). Penalties scale with culpability, capped at roughly $2.1 million per violation category per year after inflation adjustments. OCR’s 2025 enforcement priorities were almost entirely focused on the Security Rule, particularly the requirement to conduct a thorough, organization-wide risk analysis. The agency has confirmed that 2026 will follow the same playbook, with risk management evidence (proof that identified risks are being actively reduced) becoming a separate focus area in its own right. Healthcare also remains the most expensive sector for breaches. IBM’s 2024 Cost of a Data Breach Report put the average healthcare breach at $9.48 million, more than double the cross-industry average. The cost is not abstract: in 2025, OCR penalties for risk analysis failures ranged from $25,000 against small practices up to $3 million against a national medical supplier following a phishing-driven breach. What Is Drata and How Does It Support HIPAA Compliance? Drata is a GRC automation platform that integrates with cloud infrastructure, identity providers, HRIS systems, ticketing tools, and endpoint management to continuously collect evidence and test controls against more than 30 compliance frameworks. HIPAA was added in late 2021 as Drata’s third framework, joining SOC 2 and ISO 27001. For HIPAA specifically, Drata does not certify anyone; there is no formal HIPAA certification anyway, but it operationalizes the work that OCR expects to see when an investigation lands. That includes mapped controls for administrative, physical, and technical safeguards; policy templates for HIPAA-specific requirements like the Business Associate Agreement; embedded workforce training; an integrated risk management module; and an evidence library that auditors and counsel can access during a review. Worth Knowing: There is no government-issued HIPAA certification. Any vendor claiming to make you “HIPAA certified” is using marketing language. What auditors and OCR investigators actually look for is documented, ongoing compliance with the three HIPAA Rules. Drata’s value sits in producing that documentation continuously rather than retroactively. For a deeper look at what formal certification actually involves in adjacent frameworks, see our guide to HIPAA certification. Key HIPAA Requirements Drata Helps You Address HIPAA consists of three operative rules, each with distinct compliance obligations. Drata’s control library maps to all three. HIPAA Privacy Rule The Privacy Rule governs the use and disclosure of PHI in any form: electronic, paper, or verbal. It defines 18 specific identifiers that constitute PHI, sets the minimum necessary standard, and gives patients rights of access, amendment, and accounting of disclosures. Drata supports this through policy templates (notice of privacy practices, minimum necessary use, patient rights procedures), access tracking through integrations with identity providers, and workforce training that covers permissible uses and disclosures. HIPAA Security Rule The Security Rule is where most enforcement activity happens. It applies specifically to electronic PHI (ePHI) and requires three categories of safeguards: administrative, physical, and technical. According to HHS, the Security Rule “requires implementation of appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.” Drata’s control library maps directly to the 45 CFR Part 164 implementation specifications, both required and addressable. HIPAA Breach Notification Rule The Breach Notification Rule requires notification to affected individuals, HHS, and, for breaches affecting 500 or more residents of a state, the media, no later than 60 days after discovery. Drata supports breach response through incident management workflows, policy templates that codify the four-factor risk assessment, and audit trails for breach documentation. The platform does not file your OCR breach report for you; that remains a human task, but it keeps the underlying evidence organized. Important: OCR has explicitly stated that breach notification failures were the second most common reason for a financial penalty in 2025. More than one-fifth of enforcement actions included a breach notification violation. The 60-day clock starts at discovery, not at confirmation, so detection latency directly increases legal exposure. How Drata Automates HIPAA Compliance Automation in Drata operates on four layers: evidence collection, control monitoring, gap detection, and integration with healthcare-relevant tools. The combination is what produces the continuous compliance posture that OCR is now effectively demanding through its risk management initiative. Automated Evidence Collection for HIPAA Audits Drata reports that its platform automates roughly 80% of evidence collection across frameworks. For HIPAA, that means pulling configuration data from AWS, Azure, or GCP; enrollment status from MDM tools like Jamf or Intune; SSO and MFA enforcement from Okta or Entra ID; and onboarding/offboarding records from HRIS platforms. Instead of screenshotting these on demand for an auditor, the platform timestamps and stores them on a continuous basis. Real-Time HIPAA Compliance Monitoring The platform runs automated tests against connected systems daily. If MFA is disabled on an administrator account that has access to a system holding ePHI, the relevant control flips to failing status and the owner

Read more