Bastion is a self-assessment and preparation aid, not an official CMMC assessment. Official CMMC Level 2 certification is performed by an accredited C3PAO. Bastion is not a C3PAO and does not issue certifications. It gets you accurately scored, documented, and audit-ready so that assessment goes smoothly.
Browse the docs
Read top to bottom the first time, or jump straight to what you need.
Quick setup (5 min)
The fastest path: open the app, create a profile, run the assessment, and export your SPRS score, SSP, and POA&M — nothing to install, no upload.
Getting started
What to know before you begin, creating a system profile, and the five-step path from first answer to audit-ready artifacts.
How Bastion works
The full picture: the 110-control model, the five statuses, DoD SPRS scoring, profiles, the evidence vault, the generators, and local-only storage.
Assessment guide
How to set each of the 110 controls honestly — the five statuses, what "Inherited" really means, the evidence vault, and best practices for notes.
SPRS score explained
The 110 → weighted (5/3/1) methodology, why partial earns no credit, what a negative score means, and how to report to SPRS.
Sightline & Cairn integrations
Automatically supply evidence for technical and documentation controls. The exact JSON shape Bastion imports, with examples for both sources.
Automation & connectors
Pull evidence from MDM, identity, EDR, cloud, and scanners. The import contract, what maps from where, and the local-collector roadmap.
SSP & POA&M
What each artifact is, what assessors expect to see, and how Bastion builds them directly from your assessment.
Glossary
Plain-language definitions of CMMC and NIST terms: CUI, FCI, SPRS, SSP, POA&M, C3PAO, DFARS, enclave, inheritance, and more.
New to all this? Begin with Getting started, then read the Assessment guide as you work through your controls. Keep the Glossary open in a second tab.