Pricing built to survive audit day.
Every tier ships the Grade-1 cryptographic vault, hash-chained audit log, and continuous monitoring. The tier sets how much we drive.
Fractional vCISO, strategic advisory, and federal subcontracting are custom-scoped, not priced here. Start with a discovery call to confirm fit and scope.
Fortress
CMMC 2.0 Level 2 (Advanced) on NIST SP 800-171 Rev. 2.
CMMC 2.0 Level 2 starting block โ NIST 800-171 Rev. 2 task library (110 controls, 14 families), SPRS calculator + submission, SSP template, POA&M tracker. Foundation tier โ upgrade path delivers full practitioner-signed deliverables.
- โNIST 800-171 Rev. 2 task library (110 controls, 14 families)
- โSPRS score calculator and submission guidance
- โSystem Security Plan (SSP) template and drafting support
- โPlan of Action and Milestones (POA&M) tracker
- โQuarterly readiness reports
Full CMMC L2 SSP management with practitioner sign-off. C3PAO pre-audit readiness assessment, POA&M management, C3PAO-handoff-ready bundle. Your practitioner owns the SSP โ not a template.
- โEverything in Fortress Guided
- โFull System Security Plan management (drafting, review, updates)
- โC3PAO pre-audit readiness assessment
- โPractitioner review and sign-off
- โC3PAO-handoff-ready bundle
DoD-assessor-grade CMMC deliverables. Practitioner sign-off, RFC 3161 TSA anchor on every SSP / POA&M / SPRS revision, public C3PAO verification page on every assessor-facing PDF. The assessor verifies you without asking us anything.
- โEverything in Fortress Managed
- โRecipient-verifiable SSP, POA&M, and Master Audit Report
- โSHA-256 + Report ID on every PDF; public verify endpoint
- โRFC 3161 TSA anchor on every report โ DoD assessor-grade proof
- โPractitioner Sign & Seal embedded in tier
- โC3PAO-direct verification page on every assessor-facing PDF
Vault
PCI-DSS v4.0.1 evidence collection, SAQ assistance, and AoC readiness.
PCI v4.0.1 task library + evidence vault, calibrated for all 51 future-dated requirements now mandatory under v4.0.1. SAQ-A through SAQ-D applicable. Foundation tier โ upgrade path delivers QSA-grade recipient-verifiable AoC.
- โFull PCI v4.0.1 task library (Requirements 1โ12, all future-dated controls in scope)
- โSAQ-A / SAQ-D guidance and templates
- โEvidence vault with hash-chained audit log
- โASV scan tracking and reminders
- โUp to 5 user seats
Vault Self-Service + SAQ-D walkthrough, quarterly ASV scan review, annual penetration test scoping, and Cardholder Data Environment mapping. Your practitioner walks Req 1โ12 with you before submission.
- โEverything in Vault Self-Service
- โSAQ-D walkthrough and submission assistance
- โQuarterly ASV scan review with consultant
- โAnnual penetration test scoping
- โCardholder Data Environment (CDE) mapping support
Year-round PCI v4.0.1 evidence collection with practitioner + customer two-party AoC attestation. QSA gets a redacted external-share variant with byte-level hash; auditor gets the full canonical bundle. Both verify themselves against the same source of truth.
- โEverything in Vault Guided
- โYear-round evidence auditing
- โTier 2 PCI Deliverable โ signed PDF bundle of SAQ-D + AoC with practitioner + customer two-party attestation
- โExternal-share redacted variant for QSA/acquirer handoff (evidence excerpts kept internal)
- โQSA-handoff-ready bundle and pre-audit dry-runs
- โGrade-1 server-mediated upload for in-scope evidence
Built for the moment your QSA reviews the submission. Tier 2 PCI Deliverable cover-stamped + byte-hashed, with an external-share redacted variant the QSA hits via independent verify endpoint. Acquirer sees the same canonical hash. No vendor-trust required.
- โEverything in Vault Managed
- โTier 2 PCI Deliverable โ cover-stamped + byte-hashed + external-share variant, each independently verifiable
- โRecipient-verifiable AoC + Master Audit Report (SHA-256 + Report ID)
- โPublic verify endpoint independent of Key 102 clock/database
- โRFC 3161 TSA anchor on every report and AoC
- โQSA-direct verification page on every audit-facing PDF
Start with a Mission Brief โ $674
Diagnostic engagement with Tammie and a practitioner. We map your scope, identify control gaps, and deliver your regulator-ready artifact โ HIPAA SRA, PCI SAQ-D, CMMC Level 1 SPRS affirmation, or Logistics SD-1580 alignment. Credit converts 1:1 into any annual subscription within 14 days.
Four levels of practitioner involvement.
Portal, full task library, evidence vault, audit log. Your team runs the framework; practitioner support on call via the Global Review Queue.
2 Consultant Review hours/month, Tammie AI advisor tuned to your framework, quarterly readiness reports with practitioner sign-off. You execute; we validate.
Concierge engagement: monthly assessments, direct regulator liaison, priority queue (24-hour SLA). We operate the framework; you attest.
Managed delivery plus recipient-verifiable PDFs. Every Master Audit Report, AoC, and SSP carries a SHA-256 + Report ID resolvable at Key 102's public verify endpoint โ no link, email, or trust in our database required. See it live at portal.key102consulting.com/verify/sprs/SPRS-L1-2026-512PCZ.
