Docs / Getting started

Getting started

Bastion runs entirely in your browser. Nothing to install, no account, no server. This page takes you from a blank slate to a scored, documented posture in five steps.

Before you start: know your CUI scope

The single most important thing to settle before you touch a single control is scope: where does Controlled Unclassified Information (CUI) live, flow, and get processed in your business? Your assessment only needs to cover the people, systems, and facilities that store, process, or transmit CUI — your "in-scope" environment, sometimes carved out into a dedicated enclave.

Before you create a profile, sketch out:

• What CUI you handle — drawings, specs, technical data, ITAR/EAR material, contract deliverables.
• Where it lives — which laptops, servers, file shares, cloud tenants (e.g. Microsoft 365 GCC High), and email accounts.
• Who touches it — which employees, contractors, and managed service providers.
• What you inherit — controls satisfied by a provider like a FedRAMP-authorized cloud or GCC High tenant. (See Inherited controls.)

Step 1 — Create a system profile

A profile in Bastion represents one system or environment you're assessing — for example "GCC High enclave" or "Engineering CAD network." You can keep multiple profiles side by side, each with its own answers, evidence, score, and artifacts. That's useful when you want to assess separate enclaves, model a target state, or keep a clean baseline.

Open the app, create a profile, and give it a clear name. If you only handle Federal Contract Information (FCI) and not CUI, switch on CMMC Level 1 mode, which narrows the assessment to the 17 FCI safeguarding controls instead of all 110.

Step 2 — Work through the assessment

The assessment walks you through all 110 NIST SP 800-171 Rev 2 controls, grouped into 14 families (Access Control, Audit & Accountability, Configuration Management, and so on). Each control is written in plain language with practical guidance on what it means for a small shop.

For every control you'll set one of five statuses:

For each control you can attach evidence in the per-control evidence vault and write notes describing exactly how the control is implemented. Do this as you go — those notes become the body of your SSP. The full method is in the Assessment guide.

Step 3 — Read your SPRS score

As you answer, Bastion calculates your DoD SPRS score live using the official weighted methodology. The score starts at 110 (a perfect posture) and subtracts weighted points for each control that isn't Met — 5, 3, or 1 points depending on the control's risk weight. The floor is −203.

Your gap dashboard breaks the score down by control family and surfaces your top remediation priorities — the highest-weight gaps to fix first. Don't panic at a low or negative number on day one; that's normal, and it's exactly what the remediation planner is for. See SPRS explained for the full methodology.

Step 4 — Plan your remediation

Use the remediation planner to sequence your open controls. As you mark controls as planned-to-fix, Bastion shows a what-if projected SPRS score so you can see the payoff of each chunk of work before you do it. Take score-history snapshots over time to show your trajectory — useful evidence that you're actively closing gaps.

Step 5 — Generate your artifacts

When you're ready, Bastion generates three documents directly from your assessment:

• System Security Plan (SSP) — documents how each control is implemented. The artifact every assessor expects.
• Plan of Action & Milestones (POA&M) — every open control becomes a tracked entry with an owner and target date.
• Executive readiness report — a one-page summary of score, gaps, and trajectory for leadership.

Everything exports to portable formats, and the whole assessment can be exported to JSON for backup or to move between machines. See SSP & POA&M for details.