Use code LIVING102 for a free 30-minute consultation
About Key 102 Consulting

Compliance, engineered.

Compliance isn’t something we do to you, or hand off to you — we carry it with you. When the assessor asks the question that decides the engagement, Key 102 is in the room: named on the work, accountable for the answer, on the hook alongside you. That partnership is the product. Everything else on this page is how we keep the promise.

The firm is founded and led by Edward Williams II. The background — deployed US Army cyber operations in Afghanistan and Kuwait, then tier-1 financial-services security (SOX, GLBA, PCI DSS) and enterprise security transformation at scale — is what earns a seat at your table, but it isn’t the pitch. It taught the two things every Key 102 engagement is built on: controls only matter if they hold when challenged, and every team member’s failure is the team’s failure. On a Key 102 engagement, you are on the team — and your audit is our audit.

Compliance has two broken markets. SaaS platforms ship PDFs with your vendor’s logo on them and hope OCR doesn’t ask questions. Big-firm engagements scope you for budgets a 20-person company can’t justify. Key 102 sits in the middle — practitioner-signed, cryptographically verifiable deliverables at SaaS pricing. Registered for federal subcontracting; full capabilities statement for primes and partners.

Phoenix, Arizona — Key 102 headquarters
Capabilities & Credentials
Key 102 Solutions LLC, dba Key 102 Consulting · Phoenix, AZ
SAM.gov UEI
TXQFV5FJX797
Verify on SAM.gov →
CAGE Code
1EWP2
Commercial & Government Entity
CMMC L1 Self-Attestation
✓ Meets Level 1
Verify SPRS-L1-2026-512PCZ →
Signed by Edward Williams, Founder, on 2026-05-24 · TSA-anchored · Publicly verifiable independent of any link or database trust.

What we ship

Two active framework verticals — Fortress (CMMC) and Vault (PCI-DSS) — operating on a single underlying compliance infrastructure: a Grade-1 cryptographic vault, hash-chained audit log, tenant-isolated database, continuous-monitoring integrations, and a daily-snapshotted capability readiness score.

Who we serve

Defense industrial base contractors and subcontractors under CMMC, and Level 1 and Level 2 merchants under PCI-DSS. Organizations that need to pass a real assessment, not just track tasks.

The honest middle

We do not replace human expertise with shallow automated API polling. The platform streamlines the consultant workflow, helping fractional CISOs operate more efficiently while generating tamper-evident evidence chains that make third-party assessments unassailable.

Vanta’s model: Automated, continuous background API polling designed for engineering-led, SaaS-native startups seeking SOC 2/ISO certifications.

Key 102’s model: An "honest-middle," practitioner-multiplier GRC platform designed specifically for the defense supply chain (CMMC) and high-stakes payment ecosystems (PCI-DSS v4.0.1).

Vanta automates the evidence collection layer; Key 102 authors the practitioner-signed, recipient-verifiable deliverable. Vanta plus a practitioner is the right stack — that practitioner can be us.— The 30-second answer when a buyer says they already use Vanta or Drata.

Where we fit

Most regulated SMBs get handed two options, and neither quite fits. Key 102 is built for the space between them — not to win an argument with either side, but because that’s where the work actually needs a partner.

Automation platforms are good at gathering evidence and keeping it tidy. What they can’t do is stand behind it — put a named human signature and an independent cryptographic anchor on the record — so when an OCR investigator or QSA asks how the timestamp on page 3 got there, someone has to answer. We’re who answers.

Big-firm engagements produce genuinely audit-grade work, at scoping fees built for budgets a 20-person SaaS shop or a single-location merchant doesn’t have. We deliver to that same evidentiary bar on economics sized to you.

And one practitioner, however good, can’t carry a CMMC engagement, an SSP refresh, a quarterly report, and an audit response all at once without a gap opening somewhere — and gaps surface as findings. The platform plus the practitioner network is how the coverage holds when more than one thing comes due.

That’s the fit: practitioner-signed, cryptographically anchored, recipient-verifiable deliverables on a platform that scales with you — SaaS economics, regulator-grade output. And if your environment genuinely needs more than this model supports, we’ll tell you, and help you scope what it does. The honest answer is part of the partnership.

Read the full thesis: the missing middle of compliance →

Why we built it this way

Audits succeed or fail on the strength of the evidence chain. We built the platform that auditors deserve: every artifact server-hashed at ingest, every event tied into an append-only chain, every quarterly report timestamped by an RFC 3161 trusted timestamp authority, and every destructive operation gated behind a Type-To-Confirm modal with a structured audit row. No hidden state. No reversible-only-by-support black boxes.

The discipline comes from somewhere specific. The controls catalog underneath every framework Key 102 ships is NIST SP 800-53— the DoD’s federal security baseline. NIST SP 800-171 derives from it; CMMC derives from 800-171; PCI DSS maps cleanly onto it. When military operators talk about “military-grade,” this is the catalog they mean. Key 102’s deliverables are engineered to that lineage, then verified independently of any vendor trust through cryptographic anchoring.

Why your compliance vendor’s PDF is not assessment evidence →

How we work — Army values in practice

Six values from the Army’s operating doctrine map directly onto how compliance work gets delivered. They’re not slogans on a slide. They’re the audit-grade habits that distinguish work that holds from work that doesn’t.

  • Duty

    Practitioner-signed deliverables. Every quarterly report and framework affirmation carries a named, accountable signature — never an anonymous AI summary, never a vendor stamp. The person who signs takes the call when the auditor follows up.

  • Respect

    Respect for the auditor’s role. Every artifact is built so a QSA, OCR investigator, or C3PAO can resolve it independently — recompute the hash, walk the chain, verify the RFC 3161 timestamp. The auditor never has to take our word for anything.

  • Selfless Service

    Built for the SMB that can’t justify Big-4 fees. The customer owns their evidence vault and can export the whole package on demand — manifest, hashes, signed deliverables — regardless of their engagement status. Their compliance, their data.

  • Honor

    Cryptographic anchoring at every layer. The audit chain is append-only by Postgres trigger; deliverables are TSA-timestamped outside our infrastructure. No hidden state, no reversible-only-by-support black boxes. What we ship is what we can defend.

  • Integrity

    Hash-chained audit log. Every artifact server-hashed at ingest; every event linked to the prior row. Tamper-evident by design — corruption surfaces in the chain before it ever reaches a deliverable. The math is the proof, not the marketing copy.

  • Personal Courage

    Take the named-signature accountability that AI-only vendors avoid. The founder signs the work. The practitioner network signs theirs. The customer signs theirs. No one hides behind a model. That’s the discipline that makes the audit hold.

Engagement philosophy

Compliance is a team effort. The practitioner who signs the work, the customer who owns the evidence, the AI advisor (Tammie) who accelerates collection and gap analysis, the agency partner who brokers the engagement, the auditor who validates — each carries their part. The Key 102 platform is engineered for that operating model. Every artifact is named-attributable, but the work belongs to the team.

Every quarterly report is signed by a named, accountable practitioner. Never an anonymous AI summary. Specialty-credentialed sign-offs (PCI QSA for PCI) carry through to the network of 1099 practitioners as those credentials activate. The attestation is always practitioner-attributable.

We eat our own dog food

Key 102 Solutions LLC walks its own CMMC Level 1 self-attestation through the same portal we sell. The signed, TSA-anchored affirmation is publicly verifiable — no email link, no PDF download, no trust in our database required. Anyone can hit the verify URL and resolve it independently.

See Key 102’s own CMMC L1 attestation →

Report ID SPRS-L1-2026-512PCZ · UEI TXQFV5FJX797 · CAGE 1EWP2. Signed by Edward Williams, Founder, on 2026-05-24.

Begin your engagement

Start with a Mission Brief.

Diagnostic engagement with Tammie and a practitioner. We map your scope, identify control gaps, and deliver your regulator-ready artifact — HIPAA SRA, PCI SAQ-D, CMMC Level 1 SPRS affirmation, or Logistics SD-1580 alignment. Credit converts 1:1 into any annual subscription within 14 days.