Assessment guide
How to work through all 110 NIST SP 800-171 Rev 2 controls honestly. An assessment is only worth as much as its accuracy: inflating a status doesn't fool a C3PAO; it just means you fail the real assessment later.
Score honestly — it's the whole point
Your self-assessment score gets reported to SPRS, and your eventual CMMC Level 2 certification is verified by an independent C3PAO. If your self-assessed status doesn't match reality, the gap surfaces during the real assessment — and a falsely high self-assessment can carry serious consequences under the False Claims Act. The goal of Bastion is an accurate, defensible picture, so you fix what's broken before an assessor finds it.
Rule of thumb: if you couldn't hand an assessor evidence for a control today, it isn't Met.
Setting each status
| Status | Set it when | SPRS effect |
|---|---|---|
| Met | Every part of the control's requirement is fully implemented and you have evidence to prove it. A control with five sub-requirements is only Met when all five are. | No points deducted. |
| Partially Met | You've implemented some of the control but not all of it. Be honest here — partial progress is real and worth tracking, but it isn't done. | Full point value deducted (no partial credit — see why). |
| Not Met | The control isn't implemented at all, or you haven't started it. | Full point value deducted. |
| N/A | The control genuinely cannot apply to your scoped environment. Document why. | Removed from the denominator; no deduction. |
| Inherited | An external provider fully implements the control on your behalf. Document who and how. | Counts as Met, provided the inheritance is real and documented. |
What "Inherited" means
Some controls aren't implemented by you at all; they're provided by a service you rely on. The classic example is a FedRAMP-authorized cloud service, such as a Microsoft 365 GCC High tenant, that handles physical security of the data center, certain audit logging, boundary protection, and FIPS-validated encryption of the platform on your behalf. When a provider fully satisfies a control, mark it Inherited.
Inheritance is real and legitimate, but it comes with responsibilities:
- Confirm the provider actually covers it. Read their Customer Responsibility Matrix (CRM) or shared-responsibility documentation — not every control you'd like to inherit is fully inherited.
- Capture the proof. In the evidence vault, note the provider, the document, and the specific control they satisfy. Assessors will ask you to show the inheritance.
- Mind the shared controls. Many controls are shared — the provider does part, you do part (e.g. they secure the platform, you configure MFA). A shared control is only Inherited for the provider's portion; your portion still needs to be Met.
See inheritance in the glossary for the formal definition.
Using "N/A" responsibly
N/A is for controls that genuinely cannot apply to your scoped environment — for example, wireless-access controls when you have no wireless networks in scope, or VoIP controls when you run no VoIP. Use it sparingly and always write a justification. An unexplained N/A is a red flag to an assessor; a well-justified one is fine. If there's any doubt about whether a control applies, treat it as in-scope rather than N/A.
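The status table, the inheritance rules and the N/A guidance above together describe a scoring procedure. The following is an added worked example of that procedure, not Bastion's own code: it starts at 110, deducts the full point value for every Partially Met or Not Met control, leaves a justified N/A out of the applicable set, and treats an Inherited control as Met only when a provider and a document are recorded. Downgrading an unjustified N/A or an undocumented Inherited claim to Not Met is this example's conservative choice, in the spirit of "if in doubt, treat it as in scope". The control sample, its evidence strings and the 1/3/5 point values are constructed for illustration and should be checked against the DoD NIST SP 800-171 Assessment Methodology before use.

```python
from dataclasses import dataclass
from typing import Optional

MET, PARTIAL, NOT_MET, NA, INHERITED = "Met", "Partially Met", "Not Met", "N/A", "Inherited"
STATUSES = {MET, PARTIAL, NOT_MET, NA, INHERITED}
STARTING_SCORE = 110  # one point per control before any deduction


@dataclass
class Control:
    cid: str
    points: int               # 1, 3 or 5 per the DoD methodology (assumed here; verify each)
    status: str
    justification: str = ""   # required for N/A
    provider: str = ""        # required for Inherited
    provider_doc: str = ""    # CRM / shared-responsibility reference, required for Inherited
    notes: str = ""           # what is missing; this text becomes the POA&M entry


def effective_status(c: Control) -> tuple[str, Optional[str]]:
    """Return the status used for scoring and a warning if it had to be downgraded.

    An N/A with no justification or an Inherited claim with no provider document
    would not survive an assessor, so this example scores it as Not Met.
    """
    if c.status not in STATUSES:
        raise ValueError(f"{c.cid}: unknown status {c.status!r}")
    if c.status == NA and not c.justification.strip():
        return NOT_MET, f"{c.cid}: N/A without justification, scored as Not Met"
    if c.status == INHERITED and not (c.provider.strip() and c.provider_doc.strip()):
        return NOT_MET, f"{c.cid}: Inherited without provider/document, scored as Not Met"
    return c.status, None


def score(controls: list[Control]) -> dict:
    """SPRS-style score plus the POA&M list and data-quality warnings."""
    result = {"score": STARTING_SCORE, "applicable": 0, "met": 0, "poam": [], "warnings": []}
    seen = set()
    for c in controls:
        if c.cid in seen:
            raise ValueError(f"duplicate control {c.cid}")
        seen.add(c.cid)
        if c.points not in (1, 3, 5):
            raise ValueError(f"{c.cid}: point value must be 1, 3 or 5")
        status, warning = effective_status(c)
        if warning:
            result["warnings"].append(warning)
        if status == NA:
            continue  # justified N/A leaves the applicable set; nothing deducted
        result["applicable"] += 1
        if status in (MET, INHERITED):
            result["met"] += 1
            continue
        # Partially Met and Not Met both lose the full point value (no partial credit)
        result["score"] -= c.points
        result["poam"].append((c.cid, status, c.notes))
        if not c.notes.strip():
            result["warnings"].append(f"{c.cid}: {status} with no note on what is missing")
    return result


def sample_assessment() -> list[Control]:
    """Constructed sample; a real assessment lists all 110 controls."""
    return [
        Control("3.1.1", 5, MET, notes="Access Control Policy v3 s4.2; AD group gates CUI shares"),
        Control("3.5.3", 5, PARTIAL, notes="MFA via Entra ID Conditional Access for admins and remote; general users pending"),
        Control("3.10.1", 5, INHERITED, provider="Microsoft 365 GCC High",
                provider_doc="GCC High shared-responsibility matrix (constructed reference)"),
        Control("3.3.1", 5, INHERITED, provider="Microsoft 365 GCC High",
                notes="Platform audit logs covered; CRM reference not captured yet"),
        Control("3.1.16", 5, NA, justification="No wireless networks in the CUI enclave"),
        Control("3.13.14", 1, NA),      # N/A with no justification: downgraded
        Control("3.1.10", 1, NOT_MET),  # Not Met with no note: POA&M entry is empty
    ]


if __name__ == "__main__":
    r = score(sample_assessment())
    print(f"score {r['score']}  met {r['met']}/{r['applicable']} applicable")
    for cid, status, notes in r["poam"]:
        print(f"POA&M  {cid:8} {status:14} {notes or '(no note)'}")
    for w in r["warnings"]:
        print("WARN  ", w)
```

For the sample above the score is 98: the Partially Met MFA control and the undocumented Inherited logging control each cost 5, and the unjustified N/A and the Not Met session-lock control cost 1 each, while the justified wireless N/A costs nothing. Since every control carries a 1, 3 or 5 point deduction, a full 110-control assessment can run as low as -203, which is why an honest score in the 70s is ordinary and a claimed 110 with thin evidence is what draws attention.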
The evidence vault
Every control has its own evidence vault where you record the proof behind your status — policy documents, configuration screenshots, log samples, ticket references, or provider attestations. Good evidence is what turns a claim of "Met" into something defensible.
- Be specific. "Access Control Policy v3, section 4.2, approved 2026-01-15" beats "we have a policy."
- Point to where it lives. Bastion keeps everything local; reference the document name and location rather than relying on memory.
- Cover both policy and practice. Assessors want to see that a control is documented and actually operating — a policy plus evidence it's followed.
- Let integrations help. Sightline and Cairn can pre-fill evidence for technical and documentation controls; review and confirm each one.
Notes best practices
The notes you write on each control become the implementation narrative in your SSP. Write them as if explaining to an assessor exactly how the control works in your shop:
- Describe what is in place, how it's configured, and who owns it.
- Name the actual tools and settings (e.g. "MFA enforced via Entra ID Conditional Access for all CUI access").
- For Partially Met / Not Met, note what's missing — that text feeds your POA&M.
- Keep it current. Re-snapshot your score after meaningful changes so your history reflects real progress.