FAQ.
Common questions across the three engagement tracks: leadership and advisory engagements, federal subcontracting and partnerships, and the assessment-prep platform. If you need depth beyond what's here, a discovery call is the right next step.
Leadership & advisory engagements
What does a fractional vCISO engagement look like in practice?
A typical fractional engagement is a recurring monthly commitment of one-half to one full day per week of direct involvement, plus async availability for incident response and executive escalations. The work cadence is set in the first 30 days: board reporting cadence, security committee participation, vendor and customer-security touchpoints, policy ownership, and the program-level roadmap. The engagement is sized to the program, not billed as a project; the right scope is decided in the discovery call.
Are advisory engagements scoped by hours or by outcome?
Both models are available. For strategy, maturity, or regulatory-readiness assessments, the engagement is outcome-scoped: a fixed deliverable (gap analysis report, program roadmap, board-presentation pack) at a fixed price. For ongoing advisory or fractional leadership, the engagement is time-scoped (per-week or per-month commitment) so you can plan around it. Hourly billing is the exception, not the rule.
Do you carry the credentials your enterprise prospects expect?
CISA · CISM · CCNP · Microsoft. CMMC Registered Practitioner: in process. The credential basis is real and verifiable; the engagement-level capability is grounded in 17+ years across tier-1 financial services (SOX · GLBA · PCI DSS), government and defense cyber (NIST 800-53 · CSF), and enterprise security transformation. The Leadership page details the track record by domain.
Federal subcontracting & partnerships
Is Key 102 Solutions LLC SAM.gov-registered and ready to subcontract today?
Yes. SAM.gov status: Active. UEI: TXQFV5FJX797. CAGE: 1EWP2. Veteran-Owned Small Business designation. NAICS 541519 primary (Other Computer Related Services) plus 541512, 541690, 611420 additional. The capabilities statement is downloadable as a PDF and updated when credentials change.
What does Key 102's CMMC posture look like as a sub?
Key 102 Solutions LLC publishes its own CMMC Level 1 self-attestation through the same platform we use to deliver client work: SPRS-L1-2026-CXH6GR, signed 2026-05-24, RFC 3161 TSA-anchored, publicly verifiable at portal.key102consulting.com/verify/sprs/SPRS-L1-2026-CXH6GR. A prime evaluating us as a sub can verify the attestation independently without relying on our claim or any link we send.
Can Key 102 provide a teaming letter for our proposal?
Yes, for engagements with clear scope and a credible RFP or proposal timeline. The fastest path is a 30-minute discovery call to confirm fit and scope, then a teaming letter follows within 2 business days. Bring the solicitation number or a draft scope statement to the call if available.
Getting started
What is the Mission Brief?
A $674 diagnostic engagement with Tammie and a practitioner. The session defines your scope, identifies control gaps, and delivers your regulator-ready artifact (HIPAA Security Risk Assessment, PCI SAQ-D, CMMC Level 1 SPRS affirmation, or Logistics SD-1580 alignment, depending on your framework). The $674 credit converts 1:1 into any annual subscription within 14 days, so the Mission Brief is effectively free if you proceed with an ongoing engagement. For CMMC Level 1 contractors, the Mission Brief is itself the L1 package; repeat it annually for re-affirmation.
How do I know which framework I need?
The Mission Brief includes framework scoping. For self-identification: HIPAA applies to covered entities and business associates handling PHI; PCI-DSS applies to anyone storing, processing, or transmitting cardholder data; CMMC applies to DoD contractors and subcontractors in the Defense Industrial Base; Logistics (Nexus) applies to surface transportation operators under TSA SD-1580/82, FMCSA, or PHMSA Pipeline Safety jurisdiction.
How fast can I get started?
Mission Brief account provisioning is immediate. A practitioner is assigned within one business day. Subscription onboarding (Self-Service, Guided, or Managed) is typically complete within 3 business days, including tenant initialization, evidence schema setup, and integration connector configuration.
Do I need to pick a tier upfront?
No. Begin with a Mission Brief. The diagnostic identifies the right tier for your scope, audit horizon, and internal capacity. The Mission Brief credit applies to any tier you subsequently select.
Engagement tiers
What is the difference between Self-Service, Guided, and Managed?
Self-Service is "You drive, you review": your team operates the framework end-to-end, with portal access and the Global Review Queue available. Guided is "You drive, we review": your team executes, and a practitioner validates with 2 Consultant Review hours per month plus quarterly readiness reports. Managed is "We drive, you review": a concierge engagement with monthly assessments, direct regulator liaison, and a priority 24-hour Global Review Queue SLA.
Why does Fortress not have a Self-Service tier?
CMMC 2.0 Level 2 requires a System Security Plan, a Plan of Action and Milestones, and SPRS score submission, all of which carry assessor-facing artifacts. The Self-Service tier was retired for Fortress because the risk of a self-authored SSP failing C3PAO review is materially higher than for other frameworks. Fortress begins at Guided.
Why does Nexus not have a Self-Service tier?
Surface transportation cybersecurity under TSA SD-1580/82 and FMCSA involves incident reporting obligations with regulator-facing timelines (24-hour for cybersecurity incidents under SD-1580). Nexus begins at Guided to ensure practitioner support during reportable events.
Can I upgrade or downgrade?
Yes. Tier changes take effect at the next billing cycle. Annual subscriptions can convert to a higher tier mid-cycle with prorated billing; downgrades take effect at renewal.
What is Audit Co-Pilot?
A managed-grade tier with recipient-verifiable deliverables. Every PDF report (Master Audit Report, Quarterly Report, Mission Brief, Policy Pack) carries a SHA-256 and Report ID that the audit recipient can resolve against a public verify endpoint to return a structured attestation (practitioner of record, signing date, integrity status) independent of any link or email the report was delivered through. Master Audit Reports issued at this tier render a dedicated verification page with step-by-step instructions for the auditor. Available as a contracted SOW add-on; not on the public price list.
Trust & verification
What is the Trust Center?
A public, auditor-facing dashboard that exposes the cryptographic state of your tenant: audit chain integrity, evidence vault freshness, RFC 3161 anchor status, and the current Capability Readiness Score. Public surfaces redact tier, dollar exposure, executive summary findings, and control IDs by default.
What does "Grade-1 Cryptographic Vault" mean?
The vault uses a three-grade trust model. Grade 1 (server-mediated) means the file is streamed through the server, hashed at ingest, and anchored before the response; the client never holds the canonical hash. Grade 2 (cron-anchored) means a recompute happens on the next cron sweep within 4 hours. Grade 3 (client-claimed) means the hash is what the uploader submitted, recorded but not yet recomputed. Every artifact is tagged with its grade.
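The three-grade model above, as an added illustrative example (not the platform's own code). It assumes the canonical hash is SHA-256 over the file bytes, that a Grade 3 record whose claim survives the cron recompute is promoted to Grade 2, and that a mismatch is flagged rather than overwritten; the page states the grades but not the record schema or the promotion rule, so those are assumptions.

```python
"""Three-grade evidence trust model (added example, not the platform's code).

Assumptions: canonical hash = SHA-256 of file bytes; in-memory VaultRecord
stands in for the vault table; a matching recompute promotes Grade 3 -> 2.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable

GRADE_SERVER_MEDIATED = 1   # hashed at ingest while streaming through the server
GRADE_CRON_ANCHORED = 2     # client-claimed hash later confirmed by a recompute
GRADE_CLIENT_CLAIMED = 3    # hash is whatever the uploader submitted, unverified


@dataclass
class VaultRecord:
    artifact_id: str
    sha256: str
    grade: int
    mismatch: bool = False   # set when a recompute contradicts the stored hash


def stream_hash(chunks: Iterable[bytes]) -> str:
    """Hash a file as it streams through the server, chunk by chunk: the whole
    file never needs to be in memory, and no client-supplied hash is consulted."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def ingest_server_mediated(artifact_id: str, chunks: Iterable[bytes]) -> VaultRecord:
    """Grade 1: the canonical hash is computed by the server at ingest."""
    return VaultRecord(artifact_id, stream_hash(chunks), GRADE_SERVER_MEDIATED)


def ingest_client_claimed(artifact_id: str, claimed_sha256: str) -> VaultRecord:
    """Grade 3: record the uploader's claim, explicitly tagged as unverified."""
    return VaultRecord(artifact_id, claimed_sha256.strip().lower(), GRADE_CLIENT_CLAIMED)


def cron_recompute(record: VaultRecord, stored_bytes: bytes) -> VaultRecord:
    """The periodic sweep: recompute over the bytes actually stored.
    A Grade 3 claim that matches is promoted to Grade 2; a claim that does not
    match is flagged, never silently replaced, because the discrepancy is itself
    evidence worth keeping (assumed policy, not stated on the page)."""
    if record.grade != GRADE_CLIENT_CLAIMED:
        return record                       # Grades 1 and 2 are already server-verified
    actual = hashlib.sha256(stored_bytes).hexdigest()
    if actual == record.sha256:
        record.grade = GRADE_CRON_ANCHORED
    else:
        record.mismatch = True
    return record
```

The point to notice is that only `stream_hash` ever feeds a hash into a Grade 1 record; the uploader's claim is an input to `ingest_client_claimed` alone, and it cannot become anything better than Grade 2 until the server has recomputed it.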
What is the hash-chained audit log?
Every state change writes a row into audit_events with prev_hash and row_hash columns, forming an append-only cryptographic chain. UPDATE, DELETE, and TRUNCATE are blocked at the trigger level. A verify_audit_chain function walks the chain end-to-end and rejects any break. The chain tail is timestamped hourly to an RFC 3161 trusted timestamp authority for external proof.
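An added example of the chain described above (not the platform's code). It assumes row_hash is SHA-256 over the previous row's hash concatenated with a canonical JSON encoding of the event, and a genesis prev_hash of 64 zero digits; the page names the prev_hash and row_hash columns but not the hashing recipe. The verifier detects an edited row, a deleted row, and a reordered row, which is what the append-only trigger protection is meant to make visible.

```python
"""Append-only hash-chained audit log with an end-to-end verifier.

Added example, not the platform's code. Assumed recipe:
row_hash = SHA-256(prev_hash || canonical JSON(payload)); genesis prev_hash = 64 zeros.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _row_hash(prev_hash: str, payload: Dict[str, Any]) -> str:
    # Canonical encoding: sorted keys, no whitespace, so the same event always
    # hashes the same way regardless of dict ordering at write time.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    """In-memory stand-in for the audit_events table. Append is the only
    mutation offered, mirroring triggers that block UPDATE, DELETE and TRUNCATE."""

    def __init__(self) -> None:
        self._rows: List[Dict[str, Any]] = []

    def append(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        prev = self._rows[-1]["row_hash"] if self._rows else GENESIS
        row = {"prev_hash": prev, "row_hash": _row_hash(prev, payload), "payload": payload}
        self._rows.append(row)
        return row

    def rows(self) -> List[Dict[str, Any]]:
        return list(self._rows)

    def tail_hash(self) -> str:
        """The chain tip: what an hourly job would submit to the RFC 3161 TSA."""
        return self._rows[-1]["row_hash"] if self._rows else GENESIS


def verify_audit_chain(rows: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Walk the chain end to end. Returns (True, None) when every link holds,
    else (False, index) of the first row whose linkage or content hash fails."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if row["prev_hash"] != prev:            # broken linkage: deletion or reorder
            return False, i
        if _row_hash(prev, row["payload"]) != row["row_hash"]:   # edited content
            return False, i
        prev = row["row_hash"]
    return True, None
```

Because each row commits to the hash of the row before it, removing row N changes what row N+1 must have pointed at, so deletions are caught at the row after the gap; an external timestamp over `tail_hash()` then fixes the whole history at that moment.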
What is RFC 3161 trusted timestamping?
RFC 3161 is the IETF standard for trusted timestamps. We use SSL.com's Time-Stamping Authority. Every published quarterly report PDF is submitted to the TSA, and the response (a cryptographic signature binding the PDF hash to a specific moment) is stored immutably with the report. The result is independent third-party proof that the report existed in its exact form at that time.
What does "continuous monitoring" actually deliver?
Native plugin connectors for Okta, Microsoft Entra ID, and Google Workspace (identity), GitHub (SDLC), and AWS CloudTrail (infrastructure audit log) run on cron. Failed connectors auto-pause after three strikes to prevent silent data drift. Evidence pulled by a plugin is hashed at collection and linked directly to a named control via the Evidence Collector m2m link table. No manual screenshot drives at audit time.
Which identity providers are supported for MFA + access-review evidence?
Three are first-class: Okta (API token), Microsoft Entra ID (OAuth 2.0 app registration with Graph permissions Policy.Read.All / Policy.Read.ConditionalAccess / Directory.Read.All / AuditLog.Read.All), and Google Workspace (GCP service account with domain-wide delegation across Admin SDK, Reports, and Cloud Identity Policy APIs). All three pull password policy, MFA / 2-step-verification enforcement, and a user access review on a schedule. The Entra connector degrades gracefully if AuditLog.Read.All is not admin-consented. Google Workspace Reports API audit-log retention requires Business Plus, Enterprise, or Education editions for full coverage; lower tiers degrade with a tier hint surfaced in the install detail.
Which vulnerability scanners can I upload?
Four vendors are parsed at upload time: Qualys (PDF ASV Compliance Reports), Nessus / Tenable (.nessus v2 XML), Trustwave / TrustKeeper (PCI ASV PDFs, with the pre-computed PASS/FAIL verdict surfaced separately), and Rapid7 InsightVM / Nexpose (XML). Findings auto-link to framework controls (PCI Req 11.3, CMMC RA.L2-3.11.x, HIPAA Security Rule technical safeguards). Severity uses CVSS-derived scores; Rapid7's proprietary "Real Risk" rating is recorded but not used for compliance grading. Multi-port findings on the same CVE are deduped into one row with a port count.
How often do I need to re-upload a scan?
Cadence is per-framework. PCI = 90 days (Req 11.3.2.1). CMMC = 90 days. NIST = 90 days. HIPAA = 365 days (annual evaluation under §164.308(a)(8)). Logistics = 365 days. A daily cron at 07:00 UTC sweeps every active engagement and emits an in-app notification when a scan goes stale. Notifications dedupe over a 7-day window so you won't get re-notified daily once you're aware.
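The sweep logic above, as an added example rather than the platform's cron job. The cadences are the ones listed; the engagement record shape, the notification store, the rule that an engagement with no scan on file counts as stale, and the sample dates are assumptions constructed for illustration.

```python
"""Daily stale-scan sweep with per-framework cadence and a 7-day notification dedupe.

Added example, not the platform's cron. Cadences from the FAQ; everything else
(record shape, never-scanned-is-stale rule, sample data) is assumed/constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

CADENCE_DAYS: Dict[str, int] = {"PCI": 90, "CMMC": 90, "NIST": 90, "HIPAA": 365, "LOGISTICS": 365}
DEDUPE_WINDOW = timedelta(days=7)


@dataclass
class Engagement:
    engagement_id: str
    framework: str
    active: bool
    last_scan_date: Optional[date]   # None: no scan has ever been uploaded


@dataclass
class NotificationStore:
    last_sent: Dict[str, date] = field(default_factory=dict)   # engagement_id -> last notify date
    sent: List[str] = field(default_factory=list)              # constructed in-app messages


def is_stale(eng: Engagement, today: date) -> bool:
    if eng.framework not in CADENCE_DAYS:
        raise ValueError(f"no cadence configured for framework {eng.framework!r}")
    if eng.last_scan_date is None:
        return True                        # assumed: never scanned is stale by definition
    return (today - eng.last_scan_date).days > CADENCE_DAYS[eng.framework]


def sweep(engagements: List[Engagement], today: date, store: NotificationStore) -> List[str]:
    """One run of the daily job. Returns the engagement_ids notified this run."""
    notified: List[str] = []
    for eng in engagements:
        if not eng.active or not is_stale(eng, today):
            continue
        last = store.last_sent.get(eng.engagement_id)
        if last is not None and today - last < DEDUPE_WINDOW:
            continue                       # already notified within the 7-day window
        store.last_sent[eng.engagement_id] = today
        store.sent.append(f"{today.isoformat()} {eng.engagement_id}: {eng.framework} scan is stale")
        notified.append(eng.engagement_id)
    return notified


def demo() -> Dict[str, List[str]]:
    """Constructed sample data run through three sweeps, to show staleness
    detection, the inactive-engagement skip, and the dedupe window expiring."""
    engagements = [
        Engagement("e-pci", "PCI", True, date(2026, 2, 15)),      # 106 days old: stale at 90
        Engagement("e-hipaa", "HIPAA", True, date(2025, 9, 1)),   # about nine months old: fresh at 365
        Engagement("e-cmmc", "CMMC", True, None),                 # never scanned: stale
        Engagement("e-closed", "PCI", False, None),               # inactive: never notified
    ]
    store = NotificationStore()
    return {
        "day1": sweep(engagements, date(2026, 6, 1), store),
        "day2": sweep(engagements, date(2026, 6, 2), store),   # suppressed by dedupe
        "day8": sweep(engagements, date(2026, 6, 8), store),   # window elapsed: notify again
    }
```

The dedupe compares against the date of the last notification rather than against the scan date, so a client who stays stale is reminded once a week, not once and then never again.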
What is the Capability Readiness Score?
A 0 to 100 score and A/B/C tier label computed daily. Weights: coverage (40%), evidence freshness (25%), audit-chain integrity (20%), velocity (10%), hygiene (5%). The tier label uses words ("Compliance Ready" / "Material Gaps" / "Significant Work"), never raw numbers, in client-facing surfaces. Daily snapshots build 30- and 90-day trend lines.
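The weighted composite above, worked as an added example (not the platform's scoring code). The weights are the FAQ's; the A/B/C cut-offs (80 and 60), the rule that a missing component scores zero rather than being skipped, and the trend helper are assumptions made for illustration.

```python
"""Capability Readiness Score: weighted composite, tier label, trailing trend.

Added example. Weights from the FAQ; the tier thresholds (>=80 A, >=60 B, else C)
and the missing-component-scores-zero rule are assumptions for illustration.
"""
from typing import Dict, List, Tuple

WEIGHTS: Dict[str, float] = {
    "coverage": 0.40,
    "evidence_freshness": 0.25,
    "audit_chain_integrity": 0.20,
    "velocity": 0.10,
    "hygiene": 0.05,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9   # weights must partition 100%

# (floor, letter, client-facing words). Floors are assumed, not the page's values.
TIER_LABELS: List[Tuple[int, str, str]] = [
    (80, "A", "Compliance Ready"),
    (60, "B", "Material Gaps"),
    (0, "C", "Significant Work"),
]


def readiness_score(components: Dict[str, float]) -> int:
    """Each component is a 0..100 sub-score. Unknown components are rejected;
    missing ones count as 0 so an unmeasured area cannot inflate the score."""
    for name, value in components.items():
        if name not in WEIGHTS:
            raise ValueError(f"unknown component {name!r}")
        if not 0 <= value <= 100:
            raise ValueError(f"{name} out of range: {value}")
    total = sum(WEIGHTS[name] * components.get(name, 0.0) for name in WEIGHTS)
    return int(round(total))


def tier_label(score: int) -> Tuple[str, str]:
    """Map a score to (letter, words) using the assumed floors."""
    for floor, letter, words in TIER_LABELS:
        if score >= floor:
            return letter, words
    raise ValueError(f"score out of range: {score}")


def client_facing(score: int) -> str:
    """Client surfaces get the words only; the raw number stays internal."""
    return tier_label(score)[1]


def trend_delta(daily_snapshots: List[int], window_days: int) -> int:
    """Change in score across a trailing window of daily snapshots (oldest first)."""
    if not daily_snapshots:
        raise ValueError("no snapshots")
    window = daily_snapshots[-window_days:]
    return window[-1] - window[0]
```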
Who signs the quarterly reports?
Every quarterly readiness report is signed by a named, accountable practitioner. No anonymous AI-generated reports. Specialty-credentialed sign-offs (Cyber AB RP for CMMC, HIPAA Security Officer for HIPAA, PCI QSA for PCI) restore as those credentials and 1099 network members activate.
How is tenant isolation enforced?
Postgres Row-Level Security on every tenant-scoped table, keyed to engagement_id. A 65-assertion SQL regression suite (supabase/tests/) verifies isolation on every change to RLS policies or destructive operations. The suite has caught real holes before deploy and is part of the gating criteria for any RLS-touching change.
What is the Tier 2 PCI Deliverable?
A signed PDF package for PCI-DSS v4.0.1 Level 2 merchant self-assessment. The bundle contains a 9-section Key 102 body (executive summary, scope narrative, adjudicated findings, evidence appendix, sign-off block) plus the full PCI SSC SAQ-D Merchant questionnaire and the Attestation of Compliance (AoC) with Part 1a pre-filled from your engagement intake. Two render variants are produced from every draft: an internal canonical copy (what gets signed) and an external-share twin with evidence excerpts, file SHAs, and uploader identities redacted, so you can hand a QSA or acquirer the AoC without spilling internal evidence detail.
How does two-party attestation work?
The Tier 2 PCI Deliverable requires both your practitioner and you to sign before the package locks. The practitioner attests first, which transitions the deliverable to "awaiting customer attestation." You then sign by typing "SIGN AND LOCK" into a step-up confirmation modal, which records the formal attestation language you agreed to. Both attestations land in an append-only table (UPDATE and DELETE blocked at the trigger level), so neither party can revise history after the fact. If new evidence comes in, your practitioner can request a resubmission, which reopens the deliverable; a new version is then rendered and the original attestations remain forensically intact.
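The attestation sequence above as a small state machine, added here as an example and not the platform's implementation. The ordering (practitioner first, then the customer typing the exact phrase), the append-only attestation record, and a resubmission opening a new version while keeping earlier attestations are as the FAQ describes; the state names, the version counter, the error types and the attestation wording are assumptions.

```python
"""Two-party attestation lock with append-only history (added example).

Assumed: state names, version counter, exception types, attestation wording.
From the FAQ: practitioner attests first; customer types the exact phrase;
attestations are never edited; resubmission reopens as a new version.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LOCK_PHRASE = "SIGN AND LOCK"
# Constructed stand-in for the formal attestation language the modal records.
ATTESTATION_TEXT = "I attest that this deliverable is accurate and complete (constructed wording)."


@dataclass(frozen=True)
class Attestation:            # frozen: an attestation row is never modified once written
    version: int
    party: str                # "practitioner" or "customer"
    actor: str
    text: str


@dataclass
class Deliverable:
    version: int = 1
    state: str = "draft"      # draft -> awaiting_customer -> locked; reopen -> draft
    attestations: List[Attestation] = field(default_factory=list)   # append-only

    def practitioner_attest(self, actor: str) -> None:
        if self.state != "draft":
            raise PermissionError(f"practitioner cannot attest in state {self.state!r}")
        self.attestations.append(Attestation(self.version, "practitioner", actor, ATTESTATION_TEXT))
        self.state = "awaiting_customer"

    def customer_attest(self, actor: str, typed_phrase: str) -> None:
        if self.state != "awaiting_customer":
            raise PermissionError("practitioner must attest before the customer")
        if typed_phrase != LOCK_PHRASE:      # exact match: no trimming or case-folding
            raise ValueError("step-up confirmation phrase did not match")
        self.attestations.append(Attestation(self.version, "customer", actor, ATTESTATION_TEXT))
        self.state = "locked"

    def request_resubmission(self, actor: str) -> int:
        """Practitioner reopens after new evidence. Earlier attestations are kept;
        the new version collects its own pair. Returns the new version number."""
        if self.state != "locked":
            raise PermissionError("only a locked deliverable can be reopened")
        self.version += 1
        self.state = "draft"
        return self.version

    def history(self) -> List[Tuple[int, str, str]]:
        """Read-only view: (version, party, actor) for every attestation ever recorded."""
        return [(a.version, a.party, a.actor) for a in self.attestations]
```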
Can my QSA verify a deliverable independently?
Yes. Every Tier 2 PCI Deliverable PDF carries three SHA-256 values in its footer: the cover-stamped hash (printed on the cover page), the byte hash (computed from the merged PDF bytes), and the external-share variant hash (different bytes, distinct hash). Any of the three resolves at the public /verify endpoint, which returns the framework, version number, locked status, both attestation states with practitioner name + credentials snapshot, and the variant the auditor is holding. The endpoint never leaks the readiness tier, findings, control IDs, dollar exposure, or evidence detail; it returns only the metadata an auditor needs to confirm authenticity.
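An added example of the public verify behaviour described here and in the Audit Co-Pilot answer above (not the platform's endpoint). The internal record, its field names, the response keys and the three sample hashes are constructed; the security point it shows is an explicit allowlist of response fields, so that tier, findings, control IDs and dollar exposure cannot reach the caller regardless of what the internal record holds.

```python
"""Public /verify lookup: resolve any of three SHA-256 values, return allowlisted
metadata only. Added example; record fields, response keys and hashes are constructed.
"""
import hashlib
from typing import Any, Dict, List, Optional, Tuple

# Fields an auditor may see. Anything not listed never leaves the server.
PUBLIC_FIELDS = (
    "framework", "version", "locked",
    "practitioner_attested", "customer_attested",
    "practitioner_name", "credentials_snapshot",
)


def _h(label: str) -> str:
    """Constructed stand-in for a real PDF hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed internal record. It deliberately contains the sensitive fields
# the endpoint must never echo (readiness tier, findings, control IDs, dollars).
INTERNAL_RECORD: Dict[str, Any] = {
    "framework": "PCI-DSS v4.0.1",
    "version": 3,
    "locked": True,
    "practitioner_attested": True,
    "customer_attested": True,
    "practitioner_name": "J. Example (constructed)",
    "credentials_snapshot": ["PCI QSA (constructed)"],
    "readiness_tier": "Material Gaps",
    "findings": ["constructed finding"],
    "control_ids": ["11.3.2.1"],
    "dollar_exposure": 125000,
    "hashes": {
        "cover_stamped": _h("cover-stamped-variant"),
        "byte": _h("merged-pdf-bytes"),
        "external_share": _h("external-share-variant"),
    },
}


def _index(records: List[Dict[str, Any]]) -> Dict[str, Tuple[Dict[str, Any], str]]:
    """Map every known hash (all three variants) back to (record, variant name)."""
    idx: Dict[str, Tuple[Dict[str, Any], str]] = {}
    for rec in records:
        for variant, digest in rec["hashes"].items():
            idx[digest] = (rec, variant)
    return idx


HASH_INDEX = _index([INTERNAL_RECORD])


def verify(sha256_hex: str) -> Optional[Dict[str, Any]]:
    """Malformed and unknown hashes both return None. A hit returns only the
    allowlisted fields plus which variant the caller is holding."""
    key = sha256_hex.strip().lower()
    if len(key) != 64 or any(c not in "0123456789abcdef" for c in key):
        return None
    hit = HASH_INDEX.get(key)
    if hit is None:
        return None
    rec, variant = hit
    response = {k: rec[k] for k in PUBLIC_FIELDS}   # allowlist, not a denylist
    response["variant"] = variant
    return response
```

Building the response from an allowlist rather than deleting known-sensitive keys means a new internal column added later is private by default; the reverse design leaks it until someone remembers to add it to the denylist.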
Billing & portal
How does billing work?
Monthly or annual via Stripe. Annual billing carries an effective discount of 5 to 15% per tier. The annual savings are displayed on every tier card. Cancellation and refund policy is governed by our Refund Policy.
What happens when an engagement ends?
Sentinel-Rewriting offboarding: PII is rewritten to a deleted-token, auth is banned indefinitely, but the audit chain remains intact. Foreign keys to audit_events, documents, and evidence_items continue to point at the rewritten profile. No hard deletes, ever: destroying audit history is not a recoverable operation.
Is there an idle session timeout?
Yes. 15-minute client-side idle timeout on every authenticated portal session, with a 2-minute warning modal and cross-tab synchronization. The timeout satisfies HIPAA Technical Safeguard §164.312(a)(2)(iii) and CMMC AC.L1-3.1.11.
Can my consultant see other clients' data?
No. Consultant access is scoped via the consultant_assignments table. Postgres RLS policies enforce that a consultant can only query rows belonging to engagements they are explicitly assigned to. The 65-assertion test suite includes consultant cross-tenant negative tests.
