[REVIEW] soc2-gap: add subservice organization and CUEC evidence gates

[NiXouuuu]

Skill Being Reviewed

Skill name: soc2-gap
Skill path: skills/compliance/soc2-gap/

False Positive Analysis

Benign readiness packet that can be incorrectly scored as audit-ready:

system_description:
  hosting_provider: AWS
  payment_processor: Stripe
  identity_provider: Okta
  vendors:
    - name: AWS
      soc2_report_collected: true
      report_period: "2025-01-01 to 2025-12-31"
      subservice_method: "not documented"
      complementary_subservice_controls: []
      cuecs_mapped_to_internal_controls: false
    - name: Stripe
      soc2_report_collected: true
      report_period: "2025-01-01 to 2025-12-31"
      subservice_method: "not documented"
      complementary_subservice_controls: []
      cuecs_mapped_to_internal_controls: false
controls:
  cc9_2_vendor_reviews: "Vendor SOC 2 reports collected annually"

Why this is a false positive:

The skill can score CC9.2/vendor management as substantially complete because it asks whether vendor SOC 2 reports are collected and reviewed. That is necessary, but not sufficient for a SOC 2 Type II readiness conclusion.

For a real SOC 2 system description, critical service providers may be subservice organizations. The service organization needs to decide and document whether each relevant subservice organization is handled through the carve-out or inclusive method, identify the controls it relies on, and map complementary controls/CUECs back to internal control owners. A folder of vendor SOC 2 PDFs without that mapping can look "green" in the current skill while still leaving the system description and control design incomplete.

The AICPA SOC reporting materials discuss service organization system descriptions, subservice organizations, and complementary user entity/subservice organization controls as report-level considerations:

• https://us.aicpa.org/content/dam/aicpa/interestareas/frc/auditattest/downloadabledocuments/info-for-mgmt-of-serv-org-in-soc-engagement.pdf
• https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/soc-2-faq-on-transition-guidance.pdf

Coverage Gaps

Missed variant 1: Carve-out vs inclusive subservice organization scope

subservice_organization:
  name: "AWS"
  supports_system_objectives:
    - physical_security
    - infrastructure_availability
    - environmental_controls
  reporting_method: "unset"

Why it should be caught:

The skill has a vendor inventory requirement and tells the reviewer to collect vendor SOC 2 reports, but it does not require a subservice organization scope matrix. For SOC 2 readiness, a reviewer needs to know whether the vendor is merely a vendor, a carved-out subservice organization, or an included subservice organization. Those choices affect the system description, evidence expectations, and whether the service auditor must test the subservice organization's controls directly.

Missed variant 2: CUEC and complementary subservice control mapping

vendor_report_review:
  vendor: "Cloud provider"
  cuecs_from_vendor_report:
    - "Customer configures logical access to cloud consoles."
    - "Customer reviews privileged users periodically."
    - "Customer enables logging for in-scope workloads."
  mapped_internal_controls: []

Why it should be caught:

The skill currently says to collect vendor SOC 2 reports and vendor risk assessments. It does not require extracting Complementary User Entity Controls (CUECs) or Complementary Subservice Organization Controls (CSOCs) from those reports and mapping each one to an internal control, owner, frequency, and evidence artifact. This is a common readiness failure: the vendor report is present, but the organization has not implemented the controls the vendor assumes customers will operate.

Missed variant 3: Vendor report period gaps and bridge letters

audit_period: "2026-01-01 to 2026-12-31"
vendor_soc2:
  report_period: "2025-01-01 to 2025-12-31"
  bridge_letter: null

Why it should be caught:

For Type II readiness, evidence timing matters. If a vendor SOC 2 report period does not cover the organization's observation period, reviewers often need a bridge letter or other current assurance evidence. The current skill asks for annual vendor SOC 2 reports, but it does not ask whether the vendor report period overlaps the audit period or whether gap coverage exists.

Edge Cases

• Cloud shared responsibility: A cloud provider SOC 2 report can cover provider-operated data center and platform controls while customer-operated IAM, logging, encryption, backup, and network controls remain the customer's responsibility.
• Nested subservice providers: A vendor can rely on its own subservice organizations. The readiness review should capture whether the vendor report carves those out and whether that creates additional CUECs or residual risk.
• NDA-limited reports: Some vendors provide SOC reports under NDA or only summaries. The skill should capture report availability, reviewer, date reviewed, exceptions, and whether a qualified alternative assurance package is acceptable.
• New vendor during audit period: A vendor onboarded mid-period needs change-risk approval and evidence from the effective use date, not just an annual collection checkbox.
• Current raw-source readability issue: SKILL.md and the issue template contain visible mojibake such as — in the raw text. That is minor compared with the scoping gap, but cleaning it would improve professional readability.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: The fix should expand the SOC 2 readiness workflow without changing the core CC1-CC9 structure:
  • add a Subservice Organization Scope Matrix;
  • classify each provider as vendor, carved-out subservice organization, or included subservice organization;
  • extract CUECs/CSOCs from vendor SOC reports;
  • map every CUEC/CSOC to internal controls, owners, frequencies, and evidence;
  • verify report periods, bridge letters, report opinion, exceptions, and relevant criteria coverage.

Comparison to Other Tools

Tool	Catches this?	Notes
Vanta / Drata / Sprinto-style GRC tools	Partial	Usually track vendor report collection and vendor risk reviews, but still require manual CUEC/control mapping and auditor judgment.
Tugboat / AuditBoard-style GRC tools	Partial	Can store vendor evidence and control mappings; they do not automatically decide carve-out vs inclusive scope.
AICPA SOC 2 report guidance	Yes	The report/system-description model accounts for subservice organizations and complementary controls.
Generic security scanners	No	Scanner output can support CC6/CC7 evidence, but it cannot validate SOC 2 system-description completeness.

Overall Assessment

Strengths:

The skill is useful for early SOC 2 readiness. It covers CC1-CC9, optional Trust Services Categories, evidence collection, maturity scoring, and a practical 90-day remediation plan. It also correctly states that only a licensed CPA firm can issue the formal report.

Needs improvement:

The skill under-specifies SOC 2 scoping mechanics around subservice organizations. That can produce an overly optimistic readiness assessment for SaaS companies that rely heavily on cloud, identity, payment, support, analytics, and monitoring providers. In practice, collecting vendor reports is only the first step; the reviewer must prove that relied-upon complementary controls are implemented by the correct party.

Priority recommendations:

1. Add a subservice organization matrix to the scope step with provider role, system dependency, data touched, reporting method, and control reliance.
2. Add a CUEC/CSOC extraction worksheet for every in-scope vendor SOC report.
3. Require report-period coverage checks and bridge-letter evidence when the vendor period does not align with the audit period.
4. Upgrade CC9.2 evidence from "vendor SOC 2 review records" to "vendor SOC 2 review records including opinion, exceptions, period, criteria, subservice method, CUECs/CSOCs, and mapped internal controls."
5. Mark vendor-management readiness as provisional when subservice method or complementary-control mapping is missing.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: PayPal or crypto; I can provide payout details privately after acceptance.

[ASUKAAAAA1204]

/attempt #1124

[ASUKAAAAA1204]

Implemented in PR #1618: #1618

Scope:

• Adds a Subservice Organization Scope Matrix to the SOC 2 scope step.
• Requires provider classification as vendor, carved-out subservice organization, or included subservice organization.
• Adds CC9.2 questions and evidence gates for CUEC/CSOC extraction, internal-control mapping, report-period coverage, bridge letters/current assurance evidence, report opinion, exceptions, relevant criteria, and nested subservice carve-outs.
• Updates CC9.2 common gaps for vendor SOC 2 PDFs without subservice treatment, unmapped CUECs/CSOCs, report-period gaps, and cloud shared-responsibility assumptions.
• Adds output deliverables for the subservice matrix and CUEC/CSOC mapping worksheet.
• Updates CC9.2 evidence artifact mapping.

Validation:

• git diff --check -> no whitespace errors; Windows Git emitted only the existing LF/CRLF warning.
• Marker grep confirmed Subservice Organization Scope Matrix, CUEC, CSOC, bridge letter, carved-out, included subservice, report period coverage, and provisional are present.
• Markdown fence balance check -> SKILL.md fence_count=2, tsc-criteria.md fence_count=2, both even.
• Frontmatter smoke check confirmed name, version, allowed-tools, and injection-hardened remain present.
• git diff --stat -> two files changed, 35 insertions, 3 deletions.

Requested as an Improver Moderate / $100 bounty submission. Preferred payment method: crypto; details can be provided privately after maintainer acceptance.