SOC 2 · Trust Services Criteria CC6

Your SOC 2 auditor is sampling logical-access controls. Can you show MFA on the infrastructure behind the app — not just the SSO?

SOC 2 doesn't prescribe MFA by name, but the Common Criteria for logical access — CC6.1, CC6.6, and CC6.7 — are where auditors look for it, and Type II means they test operating effectiveness across the whole period, not a point in time. The SSO login is easy to evidence. What gets sampled and flagged is the production infrastructure behind it: the servers engineers SSH into, the AD that backs internal tools, and the VPN into the environment. Authnull enforces a factor on those paths for the full window and produces the per-login evidence the auditor will request.

At a glance
Framework: SOC 2 Type II
Key controls: CC6.1 · CC6.6 · CC6.7
Applies to: SaaS & service orgs under audit
Timing: Across your audit window
You walk away with: Sampling evidence for the auditor
Mapped to specific controls — not a generic MFA checklist.
The line that put you here
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
— AICPA Trust Services Criteria, CC6.1
Type II is about operating effectiveness over time. A control you turned on the week before fieldwork won't have the evidence trail across the period — which is why coverage gaps surface as exceptions in the report.
Requirement mapping

Requirement → Authnull

Control | What it requires | How Authnull covers it | Status
CC6.1 | Logical access controls over protected information assets and infrastructure. | MFA on AD logon, server RDP, and Linux SSH across the production estate. | Covered
CC6.6 | Protect against threats from sources outside the system boundary. | RADIUS MFA on VPN and remote-access entry points into the environment. | Covered
CC6.7 | Restrict the movement and access of information to authorized users. | Privileged-access MFA on the admin paths that can move or expose data. | Covered
CC7.2 | Monitor system components for anomalies and security events. | Per-login records of every challenge feed your monitoring and the auditor's sample. | Covered
Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies:
- App SSO (Okta / Entra)
- Cloud console federation

What it leaves for the audit:
- AD-backed internal tools
- Production servers (SSH / RDP)
- VPN into prod
- Bastion / jump hosts

Authnull enforces MFA on every path in the second group — at the directory, OS, and RADIUS layer — so the set of paths that fails the audit becomes the set that passes it.

Evidence

What you hand the assessor.

Control-mapped coverage

Enforcement mapped to CC6.1 / CC6.6 / CC6.7 so each criterion ties to evidence.

Full-window logs

Per-authentication records across the audit period — what Type II operating-effectiveness testing samples.

Enforced for the period

Stand up early in the window so coverage spans the whole observation period.

Give the auditor a clean sample across CC6.

Enforce MFA on the infrastructure behind your app for the full audit window, with logs to match. Start free, or align scope with a compliance engineer.
