01. We Self-Attest on the Same Portal
CMMC L1 · Public verify URL
Key 102 Solutions LLC publishes its own CMMC Level 1 self-attestation through the portal — auditor-verifiable independent of any link or database trust.
Key 102 Consulting LLC walks the same SPRS L1 path our customers do. The signed, TSA-anchored affirmation lives at portal.key102consulting.com/verify/sprs/SPRS-L1-2026-CXH6GR (UEI TXQFV5FJX797, CAGE 1EWP2, signed 2026-05-24 by Edward Williams as Founder). Anyone can hit the URL, resolve the Report ID against the anchored chain, and confirm the PDF SHA-256 — no vendor trust required. If we wouldn't bet our own posture on this proof model, we wouldn't ask you to.
02. Grade-1 Cryptographic Vault
AES-256 + SHA-256
Server-mediated uploads with cryptographic ground truth, not client-claimed integrity.
Every document gets a SHA-256 hash recomputed server-side at ingest. The server-anchored hash is immutable after anchor and becomes the auditor-facing source of truth — not the client-claimed value the browser sent. Three-grade trust model: client-claimed → cron-anchored → server-mediated.
Append-only, tamper-evident
Every state change links to the previous event via a cryptographic chain.
Audit events form an append-only chain with prev_hash and row_hash on every row. UPDATE, DELETE, and TRUNCATE are blocked at the trigger level. A verify_audit_chain function walks the chain end-to-end and rejects any break. Chain tails are anchored to RFC 3161 trusted timestamps hourly via SSL.com.
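As an added illustration of the prev_hash / row_hash walk described above (example code written for this page, not the portal's own implementation): a small Python model of the append-only chain, its end-to-end verifier, and the tail-anchor check that catches truncation the walk alone cannot see. The hash layout, the genesis value, and the sample events are assumptions made for this example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first row (a convention assumed for this example)
LINK_FIELDS = ("prev_hash", "row_hash")

def canonical_payload(event: dict) -> str:
    # Deterministic serialisation so the hash does not depend on key order or whitespace.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def compute_row_hash(prev_hash: str, event: dict) -> str:
    # row_hash binds the event to its predecessor: SHA-256(prev_hash || canonical payload).
    return hashlib.sha256((prev_hash + canonical_payload(event)).encode("utf-8")).hexdigest()

def append_event(chain: List[dict], event: dict) -> dict:
    # Append-only write path: the new row links to the current chain tail.
    prev_hash = chain[-1]["row_hash"] if chain else GENESIS
    row = dict(event, prev_hash=prev_hash, row_hash=compute_row_hash(prev_hash, event))
    chain.append(row)
    return row

def verify_audit_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    # Walk the chain end to end: (True, None) or (False, index of the first broken row).
    expected_prev = GENESIS
    for i, row in enumerate(chain):
        event = {k: v for k, v in row.items() if k not in LINK_FIELDS}
        if row["prev_hash"] != expected_prev:
            return False, i  # link broken: a row was removed, reordered or inserted
        if compute_row_hash(row["prev_hash"], event) != row["row_hash"]:
            return False, i  # payload edited after the fact
        expected_prev = row["row_hash"]
    return True, None

def tail_matches_anchor(chain: List[dict], anchored_tail_hash: str) -> bool:
    # The walk cannot see rows dropped from the END of the chain; comparing the current tail
    # with an externally anchored tail hash (the page anchors tails via RFC 3161) closes that gap.
    return bool(chain) and chain[-1]["row_hash"] == anchored_tail_hash

def build_sample_chain() -> List[dict]:
    # Constructed sample events, not data from the portal.
    events = [
        {"seq": 1, "action": "document.ingest", "actor": "alice", "object": "doc-42"},
        {"seq": 2, "action": "document.anchor", "actor": "cron", "object": "doc-42"},
        {"seq": 3, "action": "report.publish", "actor": "edward", "object": "report-2026q1"},
    ]
    chain: List[dict] = []
    for event in events:
        append_event(chain, event)
    return chain
```

Editing a row, deleting a middle row, or reordering rows breaks the walk; silently dropping the newest rows does not, which is why the tail must also be compared against an anchor held outside the database.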
04. RFC 3161 Trusted Timestamps
SSL.com TSA
Every published quarterly report PDF is timestamped by an independent TSA.
When a quarterly report is published, the PDF hash is submitted to SSL.com's RFC 3161 Time-Stamping Authority. The TSA response (tsa_response_der) is stored immutably with the report and re-validated on demand. Independent third-party proof that the report existed at a specific moment.
Hard Postgres RLS isolation tested by a 65-assertion regression suite.
Every tenant-scoped table enforces Row-Level Security tied to engagement_id. The supabase/tests/ directory holds 65 hard SQL assertions covering tenant isolation, consultant scoping, and destructive op authorization. The suite has caught real holes pre-deploy. Re-run on every RLS or destructive op change.
06. Practitioner-Signed Reports
CMMC RP / HIPAA / PCI
Quarterly readiness reports carry a named, accountable practitioner.
No anonymous AI-generated reports. Every quarterly readiness report includes the name of the practitioner who reviewed it. Specialty-credentialed sign-offs (Cyber AB RP for CMMC, HIPAA Security Officer for HIPAA, PCI QSA for PCI) restore as those credentials and 1099 network members activate.
Practitioner + customer signed
Tier 2 PCI Deliverables require both your practitioner and you to sign before the package is final.
The Tier 2 PCI Deliverable bundles SAQ-D and the Attestation of Compliance into a single signed PDF. The practitioner attests first; the customer then types "SIGN AND LOCK" through a step-up confirmation to formally accept the language. Both attestations land in an append-only table — UPDATE and DELETE blocked at trigger — so neither party can revise history after the fact. The PDF is rendered in two variants: an internal canonical copy (what gets signed) and an external-share twin with evidence excerpts redacted for handoff to QSAs or acquirers. Each variant has its own SHA-256, and the public verify endpoint reports which one a recipient is holding.
08. Capability Readiness Score
A / B / C tier
Daily-snapshotted 0–100 score and tier label — auditor-comprehensible, not vanity metrics.
Every engagement gets a 0–100 readiness score broken into coverage (40%), evidence freshness (25%), audit chain integrity (20%), velocity (10%), and hygiene (5%). The score maps to an A / B / C tier with words ("Compliance Ready" / "Material Gaps" / "Significant Work"), not raw numbers. Daily snapshots build 30 / 90-day trend lines.
Okta / GitHub / AWS CloudTrail
Live evidence collection from integrated plugins, not annual screenshot drives.
Plugin marketplace ships with Okta (identity), GitHub (SDLC), and AWS CloudTrail (infra audit) connectors. Evidence pulls run on cron with three-strike auto-pause for failed connectors. Evidence is hashed at collection and linked directly to controls via the Evidence Collector m2m link table.
10. Sentinel-Rewriting Offboarding
Preserves audit chain
No hard deletes — PII is rewritten while audit history remains intact.
When a user is offboarded, email becomes deleted-<uuid>@deleted.invalid, auth is banned indefinitely, and PII fields are nulled. Foreign keys to audit_events, documents, evidence_items remain pointed at the rewritten profile so the audit chain stays unbroken. Reversible only by the same admin process.
11. Tammie assists; the practitioner signs
AI-assisted, human-attested
Tammie reads your evidence and surfaces gaps. She does not sign deliverables — a named Key 102 practitioner reviews every AI suggestion before it lands on anything an assessor reads.
Tammie runs the Mission Brief interview, reads uploaded documents and CSVs, suggests evidence variants per control, and explains your obligations in plain language. Her output is input to a human, never a final authority. Every Tammie interaction is logged alongside the practitioner's review action — the assessor can trace what was AI-assisted and what was practitioner-original. The 32 CFR Part 170 separation between prep and assessment is preserved by design: Tammie helps you prepare, an independent assessor evaluates the result, and the two roles never collapse into one.