Sightline & Cairn integrations
Bastion auto-evidences controls from tools you already run, so your score reflects real, current data instead of stale screenshots. Both integrations work by importing a small JSON file — entirely local, no API keys, no cloud.
How importing works
Each integration exports a JSON file describing what it found. You import that file into Bastion, which maps every entry to a NIST 800-171 control and suggests a status with pre-filled evidence. You then review each suggestion and accept or adjust it — nothing is applied silently. Because import is just a file, no credentials ever leave your machine and your CUI stays local.
The two sources cover complementary halves of the assessment:
Sightline (~72 controls): live endpoint and infrastructure posture (encryption, patching, MFA, EDR, logging) auto-evidences your technical controls.
Cairn (~74 controls): policies, procedures, and training records linked to the controls they satisfy auto-evidence the documentation controls.
Many controls have both a technical and a documentation dimension, so the two sets overlap rather than splitting the 110 cleanly in half — together they touch most of the assessment.
Sightline — technical controls (~72)
Sightline pulls real-time technical posture and emits a list of signals. Each signal maps to one control via its control ID, suggests a status, and carries an evidence string.
{
  "source": "Sightline",
  "signals": [
    {
      "control": "3.13.16",
      "suggest": "met",
      "evidence": "CUI at rest encrypted with BitLocker (XTS-AES-256, FIPS mode) on all 42 in-scope endpoints; verified 2026-06-09."
    },
    {
      "control": "3.5.3",
      "suggest": "met",
      "evidence": "MFA enforced via Entra ID Conditional Access for all users accessing CUI systems; 0 exemptions."
    },
    {
      "control": "3.14.1",
      "suggest": "partial",
      "evidence": "Patching current on 38/42 endpoints; 4 hosts >30 days behind on OS updates."
    }
  ]
}
Cairn — documentation controls (~74)
Cairn links your governing documents to the controls they satisfy and emits a list of documents. Each entry carries the same control, suggest, and evidence fields as a Sightline signal, plus a title naming the document.
{
  "source": "Cairn",
  "documents": [
    {
      "control": "3.1.1",
      "suggest": "met",
      "title": "Access Control Policy",
      "evidence": "Access Control Policy v3.2, approved 2026-01-15; defines authorized users, processes, and devices for CUI systems. Sec. 4.2 covers account provisioning."
    },
    {
      "control": "3.2.1",
      "suggest": "met",
      "title": "Security Awareness Training Plan",
      "evidence": "Annual CUI-handling training; 100% completion for in-scope staff, last cycle 2026-03."
    },
    {
      "control": "3.6.1",
      "suggest": "partial",
      "title": "Incident Response Plan",
      "evidence": "IR plan drafted; tabletop exercise not yet conducted."
    }
  ]
}
Field reference
| Field | Where | Description |
|---|---|---|
| source | Top level | Identifies the integration: "Sightline" or "Cairn". |
| signals / documents | Top level | Array of entries. Sightline uses signals; Cairn uses documents. |
| control | Entry | The NIST 800-171 control ID in dotted form, e.g. "3.13.16". Must match a real control. |
| suggest | Entry | Suggested status: "met", "partial", "notmet", or "na". Bastion still asks you to confirm. |
| evidence | Entry | Free-text evidence string, written into that control's evidence vault. |
| title | Entry (Cairn only) | The document's name, recorded alongside the evidence. |
Status strings use the app's internal codes: met, partial, notmet, na. There is no inherited suggestion — mark inheritance yourself (see Inherited controls), since it depends on your provider relationship, not on tool data.
Tips & troubleshooting
- Review, don't rubber-stamp. A tool can show MFA is on; only you know whether it's on for every in-scope user. Confirm each suggestion against your real scope.
- Control IDs must match. An entry whose control doesn't correspond to a real 800-171 control is skipped. Use the dotted format (3.1.1, not AC.L2-3.1.1).
- Re-import to refresh. Posture drifts: patches lapse, policies get revised. Re-export and re-import periodically so your score stays current, then take a new score-history snapshot.
- Both at once. Import Sightline and Cairn into the same profile; together they pre-seed most of the assessment, leaving you to handle inheritance, N/A justifications, and the gaps the tools can't see.
- Still 100% local. Import reads a file you already have. Nothing is uploaded; your CUI and evidence never leave the browser.
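The import flow described above (parse the file, validate each entry against the field reference, skip entries with a bad control ID or status, queue the rest as suggestions the reviewer must accept, and merge Sightline and Cairn into one profile) as an added, stand-alone example. This is illustrative code, not Bastion's own importer: the list of known control IDs is a constructed subset of 800-171 (the real set has 110), the sample files are constructed rather than real tool output, and the rule that re-importing a source replaces that source's earlier pending suggestions is an assumption made to model "re-import to refresh".

```javascript
// Added example: client-side validator and merger for Sightline/Cairn import
// files. Not Bastion's code. Runs entirely offline on a parsed JSON object.

const STATUSES = new Set(["met", "partial", "notmet", "na"]); // "inherited" is not a suggestion

// Constructed subset of valid 800-171 control IDs, for illustration only.
const KNOWN_CONTROLS = new Set(["3.1.1", "3.1.2", "3.2.1", "3.5.3", "3.6.1", "3.13.16", "3.14.1"]);

// Dotted form only: 3.<family>.<number>. CMMC-style "AC.L2-3.1.1" fails this.
const CONTROL_RE = /^3\.\d{1,2}\.\d{1,2}$/;

// Per-source shape from the field reference; title is Cairn-only.
const SOURCES = {
  Sightline: { array: "signals", titleAllowed: false },
  Cairn: { array: "documents", titleAllowed: true },
};

// Return a reason string if an entry is invalid, otherwise null.
function entryProblem(e, spec) {
  if (typeof e.control !== "string" || !CONTROL_RE.test(e.control))
    return `control must be dotted form like 3.1.1, got ${JSON.stringify(e.control)}`;
  if (!KNOWN_CONTROLS.has(e.control)) return `${e.control} is not a known 800-171 control`;
  if (!STATUSES.has(e.suggest))
    return `suggest must be met/partial/notmet/na, got ${JSON.stringify(e.suggest)}`;
  if (typeof e.evidence !== "string" || e.evidence.trim() === "") return "evidence must be non-empty";
  if (!spec.titleAllowed && "title" in e) return "title is only valid for Cairn documents";
  return null;
}

// Validate one import file. Invalid entries are skipped, not fatal, and the
// reason is reported so the reviewer can see what was dropped.
function parseImport(doc) {
  const spec = SOURCES[doc.source];
  if (!spec) throw new Error(`unknown source: ${doc.source}`);
  const entries = doc[spec.array];
  if (!Array.isArray(entries)) throw new Error(`missing "${spec.array}" array`);
  const accepted = [], skipped = [];
  entries.forEach((e, index) => {
    const reason = entryProblem(e, spec);
    if (reason) { skipped.push({ index, reason }); return; }
    const entry = { source: doc.source, control: e.control, suggest: e.suggest, evidence: e.evidence };
    if (spec.titleAllowed && e.title) entry.title = e.title;
    accepted.push(entry);
  });
  return { source: doc.source, accepted, skipped };
}

// Merge accepted entries into a profile as *pending* suggestions keyed by
// control. Nothing changes a control's status until the reviewer accepts it.
// Assumption: re-importing a source replaces its earlier pending suggestions.
function mergeIntoProfile(profile, parsed) {
  for (const ctl of Object.values(profile.controls))
    ctl.pending = ctl.pending.filter(p => p.source !== parsed.source);
  for (const entry of parsed.accepted) {
    if (!profile.controls[entry.control])
      profile.controls[entry.control] = { status: null, evidence: [], pending: [] };
    profile.controls[entry.control].pending.push(entry);
  }
  return profile;
}

// Reviewer accepts one pending suggestion: status is applied and the evidence
// string (prefixed with the document title for Cairn) goes into the vault.
function acceptSuggestion(profile, control, source) {
  const ctl = profile.controls[control];
  const idx = ctl ? ctl.pending.findIndex(p => p.source === source) : -1;
  if (idx < 0) throw new Error(`no pending ${source} suggestion for ${control}`);
  const [s] = ctl.pending.splice(idx, 1);
  ctl.status = s.suggest;
  ctl.evidence.push(s.title ? `${s.title}: ${s.evidence}` : s.evidence);
  return ctl;
}

// Constructed sample files (not real Sightline/Cairn output).
const SAMPLE_SIGHTLINE = {
  source: "Sightline",
  signals: [
    { control: "3.13.16", suggest: "met", evidence: "CUI at rest encrypted on all 42 endpoints; verified 2026-06-09." },
    { control: "3.1.1", suggest: "met", evidence: "42 authorized accounts; no shared or orphaned accounts found." },
    { control: "3.14.1", suggest: "partial", evidence: "Patching current on 38/42 endpoints." },
    { control: "AC.L2-3.1.1", suggest: "met", evidence: "Wrong ID format; skipped." },
    { control: "3.5.3", suggest: "inherited", evidence: "Unsupported status; skipped." },
  ],
};
const SAMPLE_CAIRN = {
  source: "Cairn",
  documents: [
    { control: "3.1.1", suggest: "met", title: "Access Control Policy", evidence: "ACP v3.2, approved 2026-01-15." },
    { control: "3.6.1", suggest: "partial", title: "Incident Response Plan", evidence: "Drafted; tabletop not yet run." },
  ],
};

// Typical flow: both sources into one profile, then the reviewer accepts.
function demo() {
  const profile = { controls: {} };
  mergeIntoProfile(profile, parseImport(SAMPLE_SIGHTLINE));
  mergeIntoProfile(profile, parseImport(SAMPLE_CAIRN));
  acceptSuggestion(profile, "3.1.1", "Cairn");
  return profile;
}
```

Note that 3.1.1 ends up with two pending suggestions, one technical and one documentary, which is the overlap the page describes; accepting the Cairn one leaves the Sightline one queued for separate review rather than silently collapsing the two.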