Quick setup (5 minutes)
Bastion runs entirely in your browser — there is nothing to install, no account, and no upload. Here's the fastest path from zero to a scored, exportable assessment.
What you get: the guided 110-control assessment, your live DoD SPRS score, the gap dashboard, the SSP and POA&M generators, the evidence vault, and Markdown/CSV/JSON export. Your data lives only in this browser.
Before you start (5-minute prep)
- Know your CUI scope. Identify where Controlled Unclassified Information lives in your business — which laptops, servers, file shares, email, and cloud apps touch it. That set of systems is your "assessment boundary."
- Pull your basics together. Your CAGE code, a one-line system description, and the name of whoever owns IT/security. You'll drop these into the SSP later.
- Use a browser you'll come back to. Your progress is saved in that browser's local storage. Same machine + same browser = your data is there next time. Export a backup if you switch machines.
Step by step
1. Open the app. Go to the Bastion app. It loads all 110 NIST 800-171 controls instantly. Nothing to download.
2. Name your system profile. Up top, the default profile is "My System." Rename it to your enclave (e.g., "Engineering CUI enclave"), or add separate profiles if you have more than one boundary.
3. Work the Assessment tab. For each control, read the plain-language guidance, then set a status: Met, Partially Met, Not Met, Inherited (provided by something like a GCC High tenant), or N/A. Add a note on how you meet it. Be honest — the score only helps if it's real.
4. Watch your SPRS score. The Dashboard shows your live DoD SPRS score (max 110), readiness by control family, and your CMMC Level 1 status. Hit Save snapshot to start a score-history trend.
5. Plan your fixes. The Remediation tab sorts your gaps by point value and shows your projected score as you check off what you'll fix — so you target the biggest wins first.
6. Export your artifacts. Generate your SSP and POA&M, or a full/executive report, from the SSP, POA&M, and Data tabs (Markdown/CSV). Hand them to your prime, your team, or your assessor.
Tips
- Filter to CMMC Level 1 first (Assessment → family filter → "CMMC Level 1") if you only handle FCI, or to get an early win — it's just 17 controls.
- Speed it up with integrations. If you run Sightline or Cairn, export from them and import on the Integrations tab to auto-evidence ~72 technical and ~74 documentation controls. (See Integrations.)
- Back up often. Data → "Export assessment (JSON)" gives you a file you can re-import on any machine or browser.
Bastion is a self-assessment and preparation aid — not an official CMMC assessment, which is performed by an accredited C3PAO. It gets you accurately scored, documented, and audit-ready.