SOC 2, CMMC, and AI Training for Technology Teams.

Yes. SOC 2 Trust Services Criteria CC9.2 requires organizations to implement controls to prevent and detect unauthorized access — which includes training staff on security policies and procedures. SOC 2 Type II auditors increasingly look for evidence of ongoing training activity throughout the audit period, not just an annual completion record. Blended training is the most defensible SOC 2 format because it creates documented touchpoints across the full audit window that auditors can map directly to CC9.2 and related criteria.

CMMC 2.0 Level 1 and Level 2 both require security awareness training aligned to NIST 800-171 Practices 3.2.1 and 3.2.2. Practice 3.2.1 requires organizations to ensure that personnel are aware of the security risks associated with their activities. Practice 3.2.2 requires ensuring that personnel are trained to carry out their assigned information security responsibilities. Both practices require documented training records showing who was trained, what content was covered, and when training occurred — formatted for C3PAO assessors and DIBCAC reviews.

SOC 2 security awareness training is scoped to your Trust Services Criteria and maps to CC9.2 and related controls. CMMC cybersecurity training maps to specific NIST 800-171 practices — 3.2.1 and 3.2.2 at minimum — and must cover the specific threats relevant to your CUI and FCI systems. Many technology companies need both simultaneously — particularly IT services firms and SaaS vendors that hold DoD contracts and also undergo SOC 2 audits for commercial customers. Relatones can deploy a single program that produces documentation satisfying both auditors concurrently.

Yes — they are separate obligations. SOC 2 addresses security controls for customer data. CCPA requires documented training for employees who handle California residents' personal data on their rights under the California Consumer Privacy Act — including data subject access requests, deletion rights, opt-out of sale, and breach notification obligations. SOC 2 auditors are increasingly asking for CCPA training records as evidence of privacy controls, but CCPA compliance and SOC 2 compliance are distinct requirements with different documentation standards.

Most Relatones technology company programs are live within two to three weeks of first contact. If your SOC 2 audit window is already open or your audit date is within six weeks, contact us immediately — we have an accelerated deployment process specifically for companies facing imminent audit deadlines. For SOC 2 Type II, we can also help you understand what historical training evidence your auditor will expect to see for the audit period already elapsed.

Yes. MSPs and IT services firms in the DoD supply chain face CMMC obligations based on the CUI and FCI they handle in client environments — regardless of whether they develop software themselves. Our CMMC programs are built for IT services firms and MSPs specifically, covering the NIST 800-171 practices relevant to managed service environments and the documentation format that C3PAO assessors and DIBCAC reviews require for IT service providers.

Yes — and early-stage implementation is the best time to start. Technology companies building toward SOC 2 Type I for the first time need to establish a documented security awareness program before their audit window opens. Starting with blended training from the beginning means your audit period will contain ongoing training evidence from day one — rather than a compressed effort in the weeks before the audit. We deploy first-time SOC 2 security awareness programs for technology startups with 10–500 employees at pricing that reflects growth-stage budgets.