This table shows the 22 compliance areas where CMMC 2.0 and SOC 2 controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.

| Compliance Area | CMMC 2.0 | SOC 2 |
|---|---|---|
| Access Control | AC.L2-3.1.1, AC.L2-3.1.2 | CC6.1 |
| Least Privilege | AC.L2-3.1.5, AC.L2-3.1.6 | CC6.3 |
| Remote Access | AC.L2-3.1.12, AC.L2-3.1.14 | CC6.1, CC6.6 |
| Session Controls | AC.L2-3.1.10, AC.L2-3.1.11 | CC6.1 |
| Authentication & MFA | IA.L2-3.5.3, IA.L2-3.5.4 | CC6.1, CC6.3 |
| Identifier Management | IA.L2-3.5.1, IA.L2-3.5.2 | CC6.2 |
| Security Awareness & Training | AT.L2-3.2.1, AT.L2-3.2.2 | CC1.4 |
| Audit Logging | AU.L2-3.3.1, AU.L2-3.3.2 | CC7.1, CC7.2 |
| Audit Review & Reporting | AU.L2-3.3.5, AU.L2-3.3.6 | CC7.2, CC4.1 |
| Configuration Management | CM.L2-3.4.1, CM.L2-3.4.2 | CC6.1 |
| Change Control | CM.L2-3.4.3, CM.L2-3.4.4 | CC8.1 |
| Incident Response | IR.L2-3.6.1, IR.L2-3.6.2 | CC7.3, CC7.4 |
| Incident Reporting | IR.L2-3.6.3 | CC7.5 |
| Maintenance Controls | MA.L2-3.7.1, MA.L2-3.7.2 | CC6.1, CC8.1 |
| Media Protection | MP.L2-3.8.1, MP.L2-3.8.2 | CC6.5, C1.1 |
| Media Sanitization | MP.L2-3.8.3 | CC6.5 |
| Physical Protection | PE.L2-3.10.1, PE.L2-3.10.2 | CC6.4 |
| Risk Assessment | RA.L2-3.11.1, RA.L2-3.11.2 | CC3.2 |
| Vulnerability Management | RA.L2-3.11.2, RA.L2-3.11.3 | CC7.1 |
| Security Assessment | CA.L2-3.12.1, CA.L2-3.12.3 | CC4.1 |
| Boundary Protection | SC.L2-3.13.1, SC.L2-3.13.5 | CC6.6 |
| Encryption | SC.L2-3.13.8, SC.L2-3.13.11 | CC6.1, CC6.7 |

For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.