CMMC Level 2 · NIST SP 800-171

CMMC Level 2, without the consultant.

Bastion walks defense suppliers through all 110 NIST 800-171 controls, calculates your live DoD SPRS score, and generates an audit-ready SSP and POA&M — entirely in your browser.

DoD CMMC enforcement went live in November 2025, and primes like Boeing now make CMMC Level 2 a condition of contract award. For small and mid-size suppliers, that means proving compliance against 110 NIST 800-171 controls — often with no GRC staff and no budget for a six-figure consulting engagement. Miss it, and the contracts you depend on go to a supplier who didn't.

Everything you need to get audit-ready

One tool takes you from "where do we even start?" to a documented, scored, defensible posture.

Guided 110-control assessment

Step through every NIST 800-171 control in plain language, with practical guidance on what each one means for your shop.

Live DoD SPRS score

Your Supplier Performance Risk System score updates in real time using the official DoD weighted methodology — no spreadsheet math.

Gap analysis by family

See exactly where you stand across all 14 control families so you fix the highest-impact gaps first.

Auto-generated SSP

Turn your answers into a complete System Security Plan documenting how each control is implemented — the artifact every assessor expects.

POA&M with owners & dates

Every open control becomes a Plan of Action & Milestones entry with an owner and target date, so remediation is tracked, not forgotten.

Evidence tracking

Organize the proof behind each control — policies, configs, logs — so you're ready the day an assessor asks.

Export to Markdown & CSV

Hand your prime, assessor, or team clean, portable artifacts in the format they need.

Runs in your browser

Bastion executes locally. Your CUI, evidence, and assessment never leave your device — there's no server to trust.

Fits the rest of your stack

Bastion auto-evidences controls from the tools you already run — so your score reflects real, current data, not stale screenshots.

Sightline · 72 controls

Pulls live endpoint posture — encryption, patching, MFA, EDR, and logging — to auto-evidence your technical controls with real, current data.

Cairn · 74 controls

Links your policies, procedures, and training records to the controls they satisfy, auto-evidencing the documentation controls assessors scrutinize most.

How it works

Answer the guided self-assessment across all 110 NIST 800-171 controls, in plain language.
Watch your DoD SPRS score and family-by-family gap analysis update live as you go.
Connect Sightline and Cairn (optional) to auto-evidence technical and documentation controls.
Generate and export your SSP and POA&M — audit-ready and entirely on your machine.

Why Bastion

Accurate by design. SPRS scoring follows the official DoD weighted methodology — the number you see is the number that counts.

Artifacts in minutes. Audit-ready SSP and POA&M generated in minutes, not the weeks a consultant would bill for.

Your CUI stays put. Fully local execution — no cloud upload, no third party holding your sensitive data.

Priced for your shop. A straightforward licence — see your SPRS score and get audit-ready without a six-figure consulting engagement.

FAQ

Is this an official CMMC assessment or certification?

No. Bastion is a self-assessment and preparation aid. Official CMMC Level 2 certification is performed by an accredited C3PAO. Bastion gets you accurately scored, documented, and audit-ready so that assessment goes smoothly.

Does my CUI leave my computer?

No. Bastion runs entirely in your browser on your own machine. Your assessment data, evidence, and CUI are never uploaded to a server — there's nothing on the other end to leak.

What is SPRS?

The Supplier Performance Risk System is the DoD system where your NIST 800-171 assessment score is reported. The score uses a weighted methodology with a maximum of 110. Bastion calculates it for you using that official methodology.

How does this relate to Boeing's mandate?

With DoD CMMC enforcement live as of November 2025, Boeing has made CMMC Level 2 a condition of contract award across its supply chain. Bastion helps you assess against the 110 controls, document compliance, and produce the artifacts you need to demonstrate readiness.

We have no GRC staff. Can we actually use this?

Yes — that's exactly who Bastion is built for. The guided assessment explains each control in plain language, the scoring and artifacts are generated for you, and no consultant is required to get started.

Know your SPRS score today. Keep your contracts tomorrow.

No six-figure consultant, no CUI leaving your machine. Just an accurate score and audit-ready artifacts.