Compliance, engineered.
Founded and led by Edward Williams II — a US Army IT Specialist who served on deployed cyber teams in Afghanistan and Kuwait before applying the same operating discipline across tier-1 financial services (SOX, GLBA, PCI DSS) and enterprise security transformation at scale. The military teaches that every team member’s failure is the team’s failure. Cyber operations under deployed conditions taught that controls only matter if they hold when challenged. Key 102 was built on both lessons.
Compliance has two broken markets. SaaS platforms ship PDFs with your vendor’s logo on them and hope OCR doesn’t ask questions. Big-firm engagements scope you for budgets a 20-person company can’t justify. Key 102 sits in the middle — practitioner-signed, cryptographically verifiable deliverables at SaaS pricing. Registered for federal subcontracting; full capabilities statement for primes and partners.
What we ship
Two active framework verticals — Fortress (CMMC) and Vault (PCI-DSS) — operating on a single underlying compliance infrastructure: a Grade-1 cryptographic vault, hash-chained audit log, tenant-isolated database, continuous-monitoring integrations, and a daily-snapshotted capability readiness score.
Who we serve
Defense industrial base contractors and subcontractors under CMMC, and Level 1 and Level 2 merchants under PCI-DSS. Organizations that need to pass a real assessment, not just track tasks.
The honest middle
We do not replace human expertise with shallow automated API polling. The platform streamlines the consultant workflow, helping fractional CISOs operate more efficiently while generating tamper-evident evidence chains that make third-party assessments unassailable.
Vanta’s model: Automated, continuous background API polling designed for engineering-led, SaaS-native startups seeking SOC 2/ISO certifications.
Key 102’s model: An "honest-middle," practitioner-multiplier GRC platform designed specifically for the defense supply chain (CMMC) and high-stakes payment ecosystems (PCI-DSS v4.0.1).
“Vanta automates the evidence collection layer; Key 102 authors the practitioner-signed, recipient-verifiable deliverable. Vanta plus a practitioner is the right stack — that practitioner can be us.” — The 30-second answer when a buyer says they already use Vanta or Drata.
What we’re not
We’re not a SaaS automation platform. Those tools collect evidence into PDFs that look professional — until an OCR investigator or QSA asks how the timestamp on page 3 got there. Without a named human signature and an independent cryptographic anchor, the PDF is a formatting exercise.
We’re not a Big-4 consultancy. Those firms produce real audit-grade deliverables — by quoting scoping fees that exceed an SMB’s annual compliance budget, with engagement costs that follow. The math doesn’t work for a 20-employee SaaS or a single-truck trucking operator.
We’re not a solo Registered Practitioner. RPs can be excellent — but a single person can’t carry a CMMC engagement, an SSP refresh, a Q3 quarterly report, and an OCR audit response simultaneously. Coverage gaps surface as audit failures.
Key 102 fills the gap. Practitioner-signed, cryptographically anchored, recipient-verifiable deliverables on a platform that scales with you. SaaS economics, regulator-grade output.
Why we built it this way
Audits succeed or fail on the strength of the evidence chain. We built the platform that auditors deserve: every artifact server-hashed at ingest, every event tied into an append-only chain, every quarterly report timestamped by an RFC 3161 trusted timestamp authority, and every destructive operation gated behind a Type-To-Confirm modal with a structured audit row. No hidden state. No reversible-only-by-support black boxes.
The discipline comes from somewhere specific. The controls catalog underneath every framework Key 102 ships is NIST SP 800-53 — the DoD’s federal security baseline. NIST SP 800-171 derives from it; CMMC derives from 800-171; PCI DSS maps cleanly onto it. When military operators talk about “military-grade,” this is the catalog they mean. Key 102’s deliverables are engineered to that lineage, then verified independently of any vendor trust through cryptographic anchoring.
Why your compliance vendor’s PDF is not assessment evidence →
How we work — Army values in practice
Six values from the Army’s operating doctrine map directly onto how compliance work gets delivered. They’re not slogans on a slide. They’re the audit-grade habits that distinguish work that holds from work that doesn’t.
- Duty
Practitioner-signed deliverables. Every quarterly report and framework affirmation carries a named, accountable signature — never an anonymous AI summary, never a vendor stamp. The person who signs takes the call when the auditor follows up.
- Respect
Respect for the auditor’s role. Every artifact is built so a QSA, OCR investigator, or C3PAO can resolve it independently — recompute the hash, walk the chain, verify the RFC 3161 timestamp. The auditor never has to take our word for anything.
- Selfless Service
Built for the SMB that can’t justify Big-4 fees. The customer owns their evidence vault and can export the whole package on demand — manifest, hashes, signed deliverables — regardless of their engagement status. Their compliance, their data.
- Honor
Cryptographic anchoring at every layer. The audit chain is append-only by Postgres trigger; deliverables are TSA-timestamped outside our infrastructure. No hidden state, no reversible-only-by-support black boxes. What we ship is what we can defend.
- Integrity
Hash-chained audit log. Every artifact server-hashed at ingest; every event linked to the prior row. Tamper-evident by design — corruption surfaces in the chain before it ever reaches a deliverable. The math is the proof, not the marketing copy.
- Personal Courage
Take the named-signature accountability that AI-only vendors avoid. The founder signs the work. The practitioner network signs theirs. The customer signs theirs. No one hides behind a model. That’s the discipline that makes the audit hold.
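What "recompute the hash, walk the chain" under Respect and Integrity involves, as an added example that is not Key 102's code: a verifier for a hash-chained log, showing that an in-place edit breaks the chain while a full rewrite by someone with write access is caught only by a head hash held outside the database. The row layout, SHA-256 over canonical JSON, the sample events and the `anchored_head` value (standing in for an externally timestamped head; RFC 3161 itself is not implemented) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed prev_hash for the first row (assumption)

def row_hash(prev_hash, event):
    """Hash a row over its predecessor's hash plus a canonical event encoding."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, event):
    """Link a new event to the current head of the chain."""
    prev = chain[-1]["row_hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev,
                  "row_hash": row_hash(prev, event)})

def verify(chain, anchored_head=None):
    """Walk every link; then, if given, compare the head with a copy of the
    head hash stored outside the database. Returns (ok, detail)."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            return False, f"row {i}: broken link"
        if row["row_hash"] != row_hash(prev, row["event"]):
            return False, f"row {i}: content does not match hash"
        prev = row["row_hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head differs from external anchor"
    return True, "intact"

def build_sample():
    """Constructed sample log: an artifact hashed at ingest, then two events."""
    chain = []
    digest = hashlib.sha256(b"constructed policy document v1").hexdigest()
    append(chain, {"type": "artifact_ingest", "sha256": digest})
    append(chain, {"type": "control_review", "control": "CONTROL-PLACEHOLDER"})
    append(chain, {"type": "report_signed", "signer": "practitioner-placeholder"})
    return chain

def rewrite_from(chain, index, new_event):
    """Model a writer who replaces one event and recomputes every later hash."""
    forged = []
    for i, row in enumerate(chain):
        append(forged, new_event if i == index else row["event"])
    return forged
```

A rewritten or truncated chain is internally consistent, so the walk alone passes it; only the comparison against the externally held head exposes the change.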
Engagement philosophy
Compliance is a team effort. The practitioner who signs the work, the customer who owns the evidence, the AI advisor (Tammie) who accelerates collection and gap analysis, the agency partner who brokers the engagement, the auditor who validates — each carries their part. The Key 102 platform is engineered for that operating model. Every artifact is named-attributable, but the work belongs to the team.
Every quarterly report is signed by a named, accountable practitioner. Never an anonymous AI summary. Specialty-credentialed sign-offs (PCI QSA for PCI) carry through to the network of 1099 practitioners as those credentials activate. The attestation is always practitioner-attributable.
We eat our own dog food
Key 102 Consulting LLC walks its own CMMC Level 1 self-attestation through the same portal we sell. The signed, TSA-anchored affirmation is publicly verifiable — no email link, no PDF download, no trust in our database required. Anyone can hit the verify URL and resolve it independently.
See Key 102’s own CMMC L1 attestation →
Report ID SPRS-L1-2026-CXH6GR · UEI TXQFV5FJX797 · CAGE 1EWP2. Signed by Edward Williams, Founder, on 2026-05-24.
Start with a Mission Brief.
Diagnostic engagement with Tammie and a practitioner. We map your scope, identify control gaps, and deliver your regulator-ready artifact — HIPAA SRA, PCI SAQ-D, CMMC Level 1 SPRS affirmation, or Logistics SD-1580 alignment. Credit converts 1:1 into any annual subscription within 14 days.
