How Bastion works
Bastion is a guided self-assessment engine for NIST SP 800-171 Rev 2, the 110 controls behind CMMC Level 2. It turns your answers into a defensible DoD SPRS score and the documents an assessor expects, and it runs entirely in your browser, on your own machine.
1. The 110-control model
CMMC Level 2 is assessed against the 110 security requirements in NIST SP 800-171 Rev 2, organized into 14 control families (Access Control, Audit & Accountability, Configuration Management, and so on). Bastion loads all 110, each with plain-language guidance on what it means and what evidence demonstrates it.
2. The five statuses
| Status | What it means and how SPRS scores it |
|---|---|
| Met | You fully implement the control. Full SPRS credit. |
| Partially Met | Some of the requirement is in place. No SPRS credit: the DoD methodology deducts the control's full weight, so this still counts as a gap. (The methodology's only partial-credit cases are 3.5.3, multifactor authentication, and 3.13.11, FIPS-validated cryptography, which can drop to a 3-point rather than a 5-point deduction.) |
| Not Met | Not implemented. Deducts the control's full point value. |
| Inherited | Provided by an external provider (e.g., a GCC High tenant or managed service) under a shared-responsibility model / customer responsibility matrix (CRM). Counts as Met, but record the provider and keep the CRM as evidence: an assessor verifies inherited controls against it. |
| N/A | Genuinely does not apply to your environment. Excluded from deductions. Use sparingly and document why; the assessor has to agree with the rationale. |
3. The DoD SPRS score
Your score follows the official DoD Assessment Methodology: start at 110, and subtract each unmet control's weight — 5, 3, or 1 point depending on its security impact. The result can range from 110 down to a floor of −203. Bastion calculates it live as you assess, so you always see exactly where you stand and which gaps cost you the most. (See SPRS explained for the full methodology.)
4. System profiles
Each profile is one assessment of one system boundary (enclave). Many suppliers have more than one — e.g., a CUI enclave and a separate corporate network. Create a profile per boundary; each keeps its own assessment, evidence, history, and SSP.
5. The evidence vault
For every control you can attach evidence records — the policy, screenshot, config, log, or training record that proves it. Assessors live on evidence, so capturing it as you go means you're ready the day they ask, and it flows straight into your SSP.
6. The generators
- System Security Plan (SSP) — compiles your system details + every control's status, notes, and evidence into the foundational document every assessment reviews.
- POA&M — turns each open gap into a Plan of Action & Milestones row with an owner and target date (CSV or Markdown).
- Remediation planner — sorts gaps by point value and shows your projected SPRS score as you choose what to fix, so you target the biggest wins first.
- Executive & full reports — a leadership-ready summary and a complete control-by-control report.
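The scoring in section 3, the status vocabulary in section 2 and the POA&M and remediation-planner generators above are the same arithmetic seen from three sides. The following is an added example written for this page, not Bastion's own code: it validates a control inventory, computes the SPRS score, orders gaps by point value, projects the score as gaps are chosen for remediation, and emits POA&M rows as CSV. The `Control` class, function names and the sample inventory are constructed for illustration, and the sample weights should be checked against Annex A of the DoD Assessment Methodology before reuse.

```python
"""Added example, not Bastion's own code: SPRS arithmetic, gap ordering,
projected-score remediation planning and POA&M export, worked on a
constructed handful of controls."""
import csv
import io
from dataclasses import dataclass

PERFECT_SCORE = 110   # every control Met or Inherited
FLOOR_SCORE = -203    # lowest score cited on this page

# Status vocabulary from section 2 and its SPRS effect.
CREDIT = {"Met", "Inherited"}          # full credit
EXCLUDED = {"N/A"}                     # neither credit nor deduction
DEDUCT = {"Not Met", "Partially Met"}  # full deduction: no partial credit
STATUSES = CREDIT | EXCLUDED | DEDUCT


@dataclass(frozen=True)
class Control:
    id: str          # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int      # 5, 3 or 1 per the DoD Assessment Methodology
    status: str
    provider: str = ""   # who provides it, required when Inherited
    rationale: str = ""  # why it does not apply, required when N/A


def control_key(control_id):
    """Sort key so '3.13.11' orders after '3.5.3' (numeric, not string)."""
    return tuple(int(part) for part in control_id.split("."))


def validate(controls):
    """Return the problems an assessor would flag before scoring."""
    problems, seen = [], set()
    for c in controls:
        if c.id in seen:
            problems.append(f"{c.id}: listed twice")
        seen.add(c.id)
        if c.weight not in (5, 3, 1):
            problems.append(f"{c.id}: weight {c.weight} is not 5, 3 or 1")
        if c.status not in STATUSES:
            problems.append(f"{c.id}: unknown status {c.status!r}")
        if c.status == "Inherited" and not c.provider:
            problems.append(f"{c.id}: Inherited without a named provider")
        if c.status == "N/A" and not c.rationale:
            problems.append(f"{c.id}: N/A without a documented reason")
    return problems


def sprs_score(controls):
    """110 minus the weight of every control in a deducting status."""
    score = PERFECT_SCORE - sum(c.weight for c in controls if c.status in DEDUCT)
    if not FLOOR_SCORE <= score <= PERFECT_SCORE:
        raise ValueError(f"score {score} outside {FLOOR_SCORE}..{PERFECT_SCORE}")
    return score


def gaps(controls):
    """Open gaps, most expensive first; ties broken by requirement number."""
    return sorted((c for c in controls if c.status in DEDUCT),
                  key=lambda c: (-c.weight, control_key(c.id)))


def projected_scores(controls, chosen_ids):
    """Remediation planner: running score after each chosen gap is closed,
    walked in gap order. Returns [(control_id, weight, score), ...]."""
    score, plan = sprs_score(controls), []
    for c in gaps(controls):
        if c.id in chosen_ids:
            score += c.weight
            plan.append((c.id, c.weight, score))
    return plan


def poam_csv(controls, owner, target_date):
    """One POA&M row per open gap; owner and target date are caller-supplied."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Control", "Status", "SPRS points", "Owner", "Target date"])
    for c in gaps(controls):
        writer.writerow([c.id, c.status, c.weight, owner, target_date])
    return buf.getvalue()


# Constructed sample assessment for this example. A real run holds all 110
# controls; the weights here are illustrative, so check them against Annex A.
SAMPLE = [
    Control("3.1.1", 5, "Met"),
    Control("3.1.2", 5, "Inherited", provider="GCC High tenant"),
    Control("3.1.3", 1, "Not Met"),
    Control("3.1.22", 1, "Met"),
    Control("3.3.1", 5, "Partially Met"),   # logging on some systems only: full deduction
    Control("3.5.3", 5, "Not Met"),
    Control("3.8.4", 1, "N/A", rationale="no removable media in the enclave"),
    Control("3.13.11", 5, "Not Met"),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    print("score:", sprs_score(SAMPLE))
    print("gap order:", [c.id for c in gaps(SAMPLE)])
    print("plan:", projected_scores(SAMPLE, {"3.13.11", "3.1.3"}))
    print(poam_csv(SAMPLE, "IT lead", "2025-09-30"))
```

The sample scores 94 (16 points deducted across four gaps), and choosing 3.13.11 and 3.1.3 for remediation projects 99 and then 100. Note that the planner walks gaps in descending weight, which is why a 5-point control always appears before a 1-point one regardless of the order in which you picked them.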
7. Where your data lives
Everything you enter is stored only in your browser's local storage, on your machine. Nothing is uploaded: there is no Bastion server holding your data. That's deliberate: your assessment touches CUI-adjacent information, and the safest place for it is your own device. Two practical consequences follow. Browser local storage is not encrypted by the browser, is not shared between browsers or browser profiles, and is deleted when you clear site data, so keep the device under full-disk encryption and use Data → Export to back the assessment up or move it between machines. Treat the export file as you would the SSP itself and store it only where your CUI handling rules allow.
8. Integrations & automation
Bastion can ingest evidence from the tools you already run — endpoint posture from Sightline, documentation from Cairn — to auto-fill control statuses. It can also pull from other systems (MDM, identity, EDR, cloud) via a local collector. See Automation & connectors.
Bastion is a self-assessment and preparation aid, not an official CMMC assessment (that is performed by an accredited C3PAO). It gets you accurately scored, documented, and audit-ready.