Bastion documentation

Everything you need to take your shop from "where do we even start?" to a documented, scored, defensible CMMC Level 2 posture — entirely in your browser.

Bastion is a self-assessment and preparation aid, not an official CMMC assessment. Official CMMC Level 2 certification is performed by an accredited C3PAO. Bastion gets you accurately scored, documented, and audit-ready so that assessment goes smoothly.

On this page: Getting started / Setup · Frequently asked questions · Support. For deeper reference, browse the detailed guides: Getting started, Assessment guide, SPRS explained, SSP & POA&M, Integrations, and the Glossary.

Getting started / Setup

Bastion runs entirely in your browser — there is nothing to install and no account to create. Your assessment data, evidence, and CUI live only on your own machine. Here's the path from opening the app to a scored, documented, audit-ready posture.

1. Open the app and create a system profile. From the app, create a profile for the system that handles Controlled Unclassified Information (CUI) — your CMMC "assessment scope." Give it a name and a short description of the boundary (which networks, devices, and people are in scope). You can keep multiple profiles on the Team and Enterprise plans.
2. Work through the 110 controls. Bastion presents all 110 NIST SP 800-171 Rev 2 controls, grouped into the 14 control families (Access Control, Audit & Accountability, Configuration Management, and so on). Each control is written in plain language with practical guidance on what it means for a small shop. For each one, set a status — typically Met, Not Met, Partially Met, Inherited (satisfied by a provider such as your cloud or MSP), or Not Applicable — and add a short note describing how you implement it. Answer honestly: the score and artifacts are only as defensible as your inputs.
3. Read your DoD SPRS score. As you answer, Bastion calculates your Supplier Performance Risk System score live, using the official DoD weighted methodology. You start at 110 and lose points for each control that isn't met — 5, 3, or 1 point depending on the control's weight. The gap dashboard breaks your standing down by control family so you can see where the biggest point losses are and fix the highest-impact gaps first. (See SPRS explained for the full methodology.)
4. Track evidence. For each control, record the proof behind your answer in the evidence vault — the policy, configuration, screenshot, log, or procedure that demonstrates the control is in place. Doing this as you go means you're ready the day an assessor asks "show me." On the Team and Enterprise plans you can auto-evidence technical and documentation controls from Sightline and Cairn.
5. Generate your SSP and POA&M. Once your controls are answered, Bastion turns them into a complete System Security Plan (SSP) — the document that describes how each of the 110 controls is implemented — and a Plan of Action & Milestones (POA&M) — where every open or partial control becomes a tracked item with an owner and a target date. These are the two artifacts every assessor expects. (See SSP & POA&M.)
6. Export and share. Export your assessment, SSP, POA&M, and evidence summary to Markdown and CSV to hand your prime, your assessor, or your team clean, portable artifacts. Everything is generated locally — nothing is uploaded.

Working tip: Don't try to mark everything "Met" on the first pass. Set honest statuses, let the SPRS score and POA&M show you the real gaps, then use the POA&M to drive remediation. Re-open the assessment as you close items and watch your score climb.

Frequently asked questions

What is CMMC Level 2?
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense program that verifies contractors protect sensitive defense information. Level 2 applies to companies that handle Controlled Unclassified Information (CUI) and requires implementing the 110 security controls in NIST SP 800-171. With DoD CMMC enforcement live as of November 2025, primes such as Boeing now make CMMC Level 2 a condition of contract award across their supply chains.
What is NIST SP 800-171?
NIST Special Publication 800-171 is the federal standard defining how non-government systems must protect CUI. It specifies 110 security requirements ("controls") across 14 families — things like access control, multi-factor authentication, audit logging, configuration management, and incident response. CMMC Level 2 is essentially an assessment against these 110 controls. Bastion walks you through all of them in plain language.
How is the SPRS score calculated?
The Supplier Performance Risk System (SPRS) score uses the DoD's official weighted methodology. You begin with a perfect score of 110 and subtract points for each of the 110 controls you do not fully meet. Controls are weighted by risk: most cost 1 point, some cost 3, and the highest-impact controls cost 5. Partially implemented controls generally earn no partial credit — a control is either met or it isn't (with limited exceptions). Because the deductions can exceed 110, scores can be negative. Bastion computes this for you in real time as you answer; see SPRS explained for the full breakdown.
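A worked version of this scoring, covering the live score in step 3 above and this answer, as an added example that is not Bastion's own code: the control IDs, families and weights below are constructed sample data (the real 110 controls and their DoD weights are not reproduced), the partial-credit exceptions are modelled as an optional per-control deduction, and an unanswered control is counted as Not Met so a half-finished assessment never inflates the score.

```python
from collections import defaultdict

MAX_SCORE = 110
NO_DEDUCTION = {"Met", "Inherited", "Not Applicable"}

# Constructed catalog: (control id, family, weight, partial-credit deduction).
# The last field is None for the usual case (no partial credit) and a smaller
# deduction for the few controls where the methodology allows partial credit.
CATALOG = [
    ("S-AC-1", "Access Control", 5, None),
    ("S-AC-2", "Access Control", 3, None),
    ("S-IA-1", "Identification & Authentication", 5, 3),
    ("S-AU-1", "Audit & Accountability", 5, None),
    ("S-AU-2", "Audit & Accountability", 1, None),
    ("S-CM-1", "Configuration Management", 5, None),
    ("S-CM-2", "Configuration Management", 1, None),
    ("S-IR-1", "Incident Response", 1, None),
]

def deduction(weight, status, partial_deduction=None):
    # Points lost for one control; status None means "not yet answered".
    if status in NO_DEDUCTION:
        return 0
    if status == "Partially Met" and partial_deduction is not None:
        return partial_deduction
    return weight  # Not Met, Partially Met without an exception, or unanswered

def sprs_score(catalog, statuses):
    # 110 minus every deduction; on the full catalog this can go below zero.
    total = sum(deduction(w, statuses.get(cid), p) for cid, _, w, p in catalog)
    return MAX_SCORE - total

def gaps_by_family(catalog, statuses):
    # Points lost per family, largest first: the order to remediate in.
    lost = defaultdict(int)
    for cid, family, weight, partial in catalog:
        lost[family] += deduction(weight, statuses.get(cid), partial)
    return sorted(((f, p) for f, p in lost.items() if p), key=lambda x: -x[1])

# Constructed sample answers; S-CM-2 is deliberately left unanswered.
SAMPLE_STATUSES = {
    "S-AC-1": "Met", "S-AC-2": "Partially Met", "S-IA-1": "Partially Met",
    "S-AU-1": "Not Met", "S-AU-2": "Inherited", "S-CM-1": "Not Applicable",
    "S-IR-1": "Met",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(CATALOG, SAMPLE_STATUSES))
    for family, points in gaps_by_family(CATALOG, SAMPLE_STATUSES):
        print(f"  {family}: -{points}")
```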
Is my data uploaded anywhere? Where is it stored?
No. Bastion executes entirely in your browser on your own machine. Your assessment answers, evidence, notes, and any CUI you enter are stored locally in that browser and are never transmitted to a server — there is nothing on the other end to leak. This is by design: sensitive defense information should never leave the contractor's control.
Who is Bastion for?
Small and mid-size defense contractors and suppliers that need to reach CMMC Level 2 — often without dedicated GRC staff or the budget for a six-figure consulting engagement. It's also built for large suppliers, primes, MSPs, and other organizations that manage compliance across many entities (see the Enterprise plan on the pricing page).
Does Bastion certify me for CMMC?
No. Bastion is a self-assessment and preparation tool. Official CMMC Level 2 certification is performed by an accredited C3PAO. Bastion gets you accurately scored, fully documented, and audit-ready so that the official assessment goes smoothly — it does not replace it.
What are the SSP and POA&M, and does Bastion generate them?
Yes. The System Security Plan (SSP) documents how each of the 110 controls is implemented in your environment; the Plan of Action & Milestones (POA&M) lists every control that isn't yet met, with an owner and a target remediation date. Both are mandatory artifacts assessors expect. Bastion builds them directly from your assessment answers, so they stay in sync with your real posture. See SSP & POA&M.
How do the Sightline and Cairn integrations work?
Bastion can auto-evidence controls from tools you already run. Sightline supplies live endpoint posture — encryption, patching, MFA, EDR, logging — to evidence your technical controls. Cairn links your policies, procedures, and training records to the documentation controls they satisfy. The result is that your score reflects real, current data instead of stale screenshots. These integrations are available on the Team and Enterprise plans; see Integrations.
Can I export my data?
Yes. You can export your assessment, SSP, POA&M, and evidence summary to Markdown and CSV at any time, so you can share portable artifacts with your prime, assessor, or team. Exports are generated locally.
Can more than one person work on an assessment?
The Team and Enterprise plans support multiple users and a shared evidence vault so several people can split the work. Enterprise adds multi-entity management for primes, MSPs, and other organizations that handle compliance across many entities. See the pricing page for details.
How much does Bastion cost?
Bastion is a commercial product with three plans, priced per organization by size and billed annually — Solo ($79/mo, small suppliers up to ~25 employees), Team ($299/mo, growing suppliers of ~26–250 employees with multiple users), and Enterprise (custom, for 250+ employee suppliers, primes, MSPs, and multi-entity organizations). Full details are on the pricing page. For a quote tailored to your organization, get in touch through the contact form.
What browser do I need?
Any modern, up-to-date browser — Chrome, Edge, Firefox, or Safari. Because Bastion stores your work in the browser, use the same browser and profile to return to an assessment, and use your browser/OS backup practices to protect that data just as you would any other CUI.

Support

Need a hand, found a problem, or have a question this page didn't answer? Get in touch through the contact form and you'll hear back from a human. For sales and pricing questions, see the pricing page or use the same form.

New to all this? Start with the step-by-step Getting started guide, keep the Glossary open in a second tab, and read the Assessment guide as you work through your controls.