Pricing
Every tier includes the Grade-1 cryptographic vault, hash-chained audit log, and continuous monitoring infrastructure. Tier selection determines the level of practitioner involvement.
Fractional vCISO, strategic advisory, and federal subcontracting are custom-scoped, not priced on this page. Engagements are sized to the program – start with a discovery call to confirm fit, scope, and the right commitment shape.
Aegis
PHI security under HIPAA Security Rule (§164.308–.312) and the Privacy Rule.
Your HIPAA starting block – full Security Rule + Privacy Rule policy library and evidence vault with hash-chained audit log. Same regulator-ready foundation that Audit Co-Pilot signs at the top of the ladder.
- Full HIPAA policy library (Security Rule + Privacy Rule)
- Risk assessment workbook (annual)
- Evidence vault with hash-chained audit log
- Accounting-of-Disclosures register (§164.528)
- Up to 5 user seats
Aegis Self-Service + 2 monthly Consultant Review hours and Tammie AI advisor (HIPAA-tuned). Quarterly readiness reports with practitioner sign-off – Mission Brief's regulator-grade artifact, now on a recurring cadence.
- Everything in Aegis Self-Service
- 2 Consultant Review hours per month
- Tammie AI compliance advisor (HIPAA-tuned)
- Quarterly readiness reports with practitioner sign-off
- Global Review Queue (4-day SLA)
Concierge HIPAA. Quarterly risk assessments, BAA reviews, incident response retainer (§164.308(a)(6)), and direct OCR audit response support. Priority Global Review Queue with next-business-day SLA – your practitioner sits inside the engagement, not on a ticket queue.
- Everything in Aegis Guided
- Quarterly risk assessments and BAA reviews
- Incident response retainer (§164.308(a)(6))
- Direct OCR audit response support
- Priority Global Review Queue (next-business-day SLA)
Built for the moment OCR shows up. Every HIPAA artifact signed by a named practitioner, hashed at server-side ingest, anchored to an RFC 3161 timestamp, and verifiable independently of Key 102.
- Everything in Aegis Managed
- Recipient-verifiable Master Audit Report (SHA-256 + Report ID)
- Public verify endpoint independent of Key 102 clock/database
- RFC 3161 TSA anchor on every report
- Practitioner Sign & Seal embedded in tier
Vault
PCI-DSS v4.0.1 evidence collection, SAQ assistance, and AoC readiness.
PCI v4.0.1 task library + evidence vault, calibrated for all 51 future-dated requirements now mandatory under v4.0.1. SAQ-A through SAQ-D applicable. Foundation tier – upgrade path delivers QSA-grade recipient-verifiable AoC.
- Full PCI v4.0.1 task library (Requirements 1–12, all future-dated controls in scope)
- SAQ-A / SAQ-D guidance and templates
- Evidence vault with hash-chained audit log
- ASV scan tracking and reminders
- Up to 5 user seats
Vault Self-Service + SAQ-D walkthrough, quarterly ASV scan review, annual penetration test scoping, and Cardholder Data Environment mapping. Your practitioner walks Req 1–12 with you before submission.
- Everything in Vault Self-Service
- SAQ-D walkthrough and submission assistance
- Quarterly ASV scan review with consultant
- Annual penetration test scoping
- Cardholder Data Environment (CDE) mapping support
Year-round PCI v4.0.1 evidence collection with practitioner + customer two-party AoC attestation. QSA gets a redacted external-share variant with byte-level hash; auditor gets the full canonical bundle. Both verify themselves against the same source of truth.
- Everything in Vault Guided
- Year-round evidence auditing
- Tier 2 PCI Deliverable – signed PDF bundle of SAQ-D + AoC with practitioner + customer two-party attestation
- External-share redacted variant for QSA/acquirer handoff (evidence excerpts kept internal)
- QSA-handoff-ready bundle and pre-audit dry-runs
- Grade-1 server-mediated upload for in-scope evidence
Built for the moment your QSA reviews the submission. Tier 2 PCI Deliverable cover-stamped + byte-hashed, with an external-share redacted variant the QSA hits via independent verify endpoint. Acquirer sees the same canonical hash. No vendor-trust required.
- Everything in Vault Managed
- Tier 2 PCI Deliverable – cover-stamped + byte-hashed + external-share variant, each independently verifiable
- Recipient-verifiable AoC + Master Audit Report (SHA-256 + Report ID)
- Public verify endpoint independent of Key 102 clock/database
- RFC 3161 TSA anchor on every report and AoC
- QSA-direct verification page on every audit-facing PDF
Fortress
CMMC 2.0 Level 2 (Advanced) on NIST SP 800-171 Rev. 2.
CMMC 2.0 Level 2 starting block – NIST 800-171 Rev. 2 task library (110 controls, 14 families), SPRS calculator + submission, SSP template, POA&M tracker. Foundation tier – upgrade path delivers full RP-signed deliverables.
- NIST 800-171 Rev. 2 task library (110 controls, 14 families)
- SPRS score calculator and submission guidance
- System Security Plan (SSP) template and drafting support
- Plan of Action and Milestones (POA&M) tracker
- Quarterly readiness reports
Full CMMC L2 SSP management with practitioner sign-off. C3PAO pre-audit readiness assessment, POA&M management, C3PAO-handoff-ready bundle. Your practitioner owns the SSP – not a template.
- Everything in Fortress Guided
- Full System Security Plan management (drafting, review, updates)
- C3PAO pre-audit readiness assessment
- Practitioner review and sign-off
- C3PAO-handoff-ready bundle
DoD-assessor-grade CMMC deliverables. Practitioner sign-off, RFC 3161 TSA anchor on every SSP / POA&M / SPRS revision, public C3PAO verification page on every assessor-facing PDF. The assessor verifies you without asking us anything.
- Everything in Fortress Managed
- Recipient-verifiable SSP, POA&M, and Master Audit Report
- SHA-256 + Report ID on every PDF; public verify endpoint
- RFC 3161 TSA anchor on every report – DoD assessor-grade proof
- Practitioner Sign & Seal embedded in tier
- C3PAO-direct verification page on every assessor-facing PDF
Nexus
TSA Security Directive 1580/82, FMCSA, and Pipeline Safety cybersecurity.
TSA SD-1580/82 + FMCSA + PHMSA task libraries, Tammie AI advisor (Logistics-tuned), and 2 monthly Consultant Review hours. Mission Brief's TSA-aligned artifact on a recurring cadence – incident playbook stays current with the 72-hour clock.
- TSA SD-1580/82 incident reporting templates
- FMCSA cybersecurity baseline checklists
- PHMSA Pipeline Safety control library
- Tammie AI advisor (Logistics-tuned)
- 2 Consultant Review hours per month
Outsourced Cybersecurity Coordinator embedded in your TSA / FMCSA / PHMSA operations. Priority Global Review Queue (next-business-day SLA), TSA incident response coordination, quarterly regulator-ready summary reports. When the 72-hour clock starts, your coordinator's already on the line.
- Everything in Nexus Guided
- Outsourced Cybersecurity Coordinator
- Priority Global Review Queue (next-business-day SLA)
- TSA incident response coordination
- Quarterly regulator-ready summary reports
TSA / FMCSA / PHMSA-grade regulator deliverables. Practitioner sign-off on every incident summary, RFC 3161 TSA anchor on every report, public verify endpoint on every regulator-facing PDF. When the 72-hour clock ends, your submission is already verified.
- Everything in Nexus Managed
- Recipient-verifiable incident summaries + Master Audit Report
- SHA-256 + Report ID on every PDF; public verify endpoint
- RFC 3161 TSA anchor on every report – regulator-grade proof
- TSA-aware practitioner Sign & Seal embedded in tier
- Direct verification page on every regulator-facing PDF
Start with a Mission Brief – $674
Diagnostic engagement with Tammie and a practitioner. We map your scope, identify control gaps, and deliver your regulator-ready artifact – HIPAA SRA, PCI SAQ-D, CMMC Level 1 SPRS affirmation, or Logistics SD-1580 alignment. Credit converts 1:1 into any annual subscription within 14 days.
Four levels of practitioner involvement.
Portal access, full task library, evidence vault, and audit log. Your team operates the framework end-to-end. Practitioner support is available via the Global Review Queue when needed.
2 Consultant Review hours per month, Tammie AI advisor tuned to your framework, and quarterly readiness reports with practitioner sign-off. Your team executes; we validate.
Concierge engagement with monthly assessments, direct regulator liaison, and priority Global Review Queue (24-hour SLA). We operate the framework on your behalf; you attest.
Managed-grade delivery plus recipient-verifiable PDFs. Every Master Audit Report, AoC, and SSP carries a SHA-256 and Report ID resolvable against Key 102's public verify endpoint – independent of any link, email, or trust in our clock or database. The auditor self-services attestation. See it on our own: portal.key102consulting.com/verify/sprs/SPRS-L1-2026-CXH6GR.
