A facilities director at a state university told me recently that her procurement office had just blocked the renewal of a longstanding key management vendor because the vendor "did not have a SOC 2." The vendor in question had been on campus for nine years. They were not breached. They had not done anything wrong. The rule had changed underneath them, and they did not have the artifact procurement now required.
I have heard variants of this story four times in the last six months. It is not a pattern that is going away. So I want to use this post to lay out what SOC 2 actually is, why higher ed procurement is starting to require it, and what facilities directors should be asking their vendors right now. That means not just KeyDog, but any vendor whose operational software lives on campus systems.
What SOC 2 actually is
SOC 2 stands for System and Organization Controls, Type 2. It is an audit framework administered through the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit examines a vendor's controls against five "trust service criteria": security, availability, processing integrity, confidentiality, and privacy.
A vendor undergoing a SOC 2 audit goes through six to twelve months of evidence collection — documented policies, control implementations, observed behaviors — and then a CPA firm certifies whether the controls are designed appropriately and operating effectively. The output is a SOC 2 Type 2 report, typically 60 to 150 pages.
Type 1 vs. Type 2 is worth knowing. Type 1 says the controls exist at a point in time. Type 2 says the controls have been operating for a period (usually six or twelve months). When procurement asks for "a SOC 2," they almost always mean Type 2. Type 1 is treated as a step toward Type 2, not a substitute.
The report is not public. Vendors share it under NDA with prospective customers and renewing customers. The procurement office reads the report, looks at the auditor's opinion, scans the list of identified deficiencies, and either accepts the vendor or asks for remediation.
Why higher ed procurement started requiring it
Three things converged over the last three years.
First, a wave of breaches involving education-sector vendors. The 2023 incident affecting student information systems at multiple universities, the 2024 ransomware attacks on regional community college consortia, and the 2025 incident at a payroll provider all hardened procurement's stance. Public institutions in particular are now under direct pressure from state CIOs and legislative bodies to tighten vendor security requirements.
Second, cyber insurance. Premiums for educational institutions have risen sharply, and underwriters are increasingly asking for documentation of vendor security postures as a condition of coverage. The simplest documentation an underwriter recognises is a SOC 2 Type 2 report. An institution that cannot produce a SOC 2 for a critical vendor is now an institution with a coverage gap.
Third, federal funding conditions. Several recent federal grant programs in the educational and infrastructure space carry cybersecurity clauses that require any vendor handling specified data types to meet defined control standards. SOC 2 is the most commonly accepted evidence of meeting those standards.
The result is that procurement offices that used to wave through small-dollar operational vendors are now applying the same security checklist to a $200-a-month facilities tool as they apply to a $200,000 ERP.
What this means for facilities directors
You are not the one who has to produce a SOC 2. The vendor is. But you are the one whose procurement will block the purchase if the vendor cannot produce one, and you are the one who has to explain to the cabinet why the facilities operation is stalled while you find a replacement.
Some practical things to do.
Inventory your current operational vendors and ask each one for their SOC 2 status. Vendors that have a current Type 2 will share it under NDA in a week or two. Vendors that have a Type 1 and are working toward Type 2 will tell you their target audit window. Vendors that have neither will get evasive. The evasive ones are the ones to start replacing.
For vendors who do not have a SOC 2 and are not on a path to one, find out why. The honest answers are usually "we are too small to afford the audit" or "we have not prioritised it." The first is understandable for a five-person shop. The second is a red flag for any vendor of consequence. SOC 2 is not cheap — a small SaaS company should expect to spend $50,000 to $150,000 on the first Type 2 — but it has become table stakes for operational vendors who want to keep selling into education.
Build the SOC 2 question into your renewal cycle. When a vendor comes up for renewal, the conversation should include their current SOC 2 status, when their next audit cycle closes, and whether any control deficiencies were identified in the last report. If the procurement office is not asking these questions yet, they will be soon.
For vendors you cannot replace and that do not have a SOC 2, document the compensating controls. Sometimes a vendor is irreplaceable in the short term. The procurement office will usually accept this if you can document why the vendor is critical and what additional controls you have in place to mitigate the risk — limited network access, regular access reviews, contractual data handling clauses. Get this in writing.
Where KeyDog is
I want to be straightforward about our position. We are not yet SOC 2 Type 2 certified. We are SOC 2 Type 1 attested as of January 2026 and have engaged an auditor for the Type 2 window that closes in late 2026. We expect to share the Type 2 report with customers under NDA in early 2027.
In the meantime, we have published a security overview that documents our controls in detail — encryption at rest and in transit, role-based access controls, audit logging, vulnerability management, incident response. It is available on request and is the document we share with procurement offices that need evidence ahead of the formal Type 2 report. Several of our customers' procurement offices have accepted it as sufficient interim evidence, with the commitment that we will share the Type 2 when it is available.
If your procurement office is asking for more, please reach out and we will work directly with them. We have done this for half a dozen institutional customers and the process is straightforward.
What to do next
If you have not had the SOC 2 conversation with your facilities vendors yet, this is the year to start. Even if your institution's procurement office has not yet adopted the requirement, it almost certainly will within the next 18 months. The vendors who are not prepared will be the ones causing renewal cycle scrambles in 2027.
For our part, we will keep publishing updates here as our own Type 2 progresses. If you want to talk through what to ask your other vendors, or you want to see our current Type 1 attestation, we are happy to share.