CMMC isn't a paperwork drill — it's now the price of admission to the defense supply chain. Here's the regulatory reality, what's actually at stake, and how Bastion gets you there without a six-figure consultant.
DoD CMMC enforcement went live in November 2025. The clause that triggers it — DFARS 252.204-7021 — is now appearing in solicitations and contracts, and it flows down to subcontractors. If you handle Controlled Unclassified Information (CUI) and you can't demonstrate CMMC Level 2, you are no longer eligible to win or keep that work.
Three things changed at once, and together they make compliance non-optional for anyone in the defense supply chain.
CMMC moved from "coming someday" to contractually enforced as of November 2025. The DFARS 252.204-7021 clause makes your CMMC status a condition of award — and it flows down to every sub that touches CUI.
Primes like Boeing have made CMMC Level 2 a condition of contract award across their supply chains. Your customer's compliance obligation becomes your compliance obligation — and they will ask for proof.
CMMC Level 2 maps to all 110 NIST SP 800-171 controls. Your implementation is scored using the DoD weighted methodology and reported in SPRS — the Supplier Performance Risk System the government checks before award.
What SPRS actually is. SPRS is the official DoD repository where your NIST 800-171 self-assessment score lives. The score starts at 110 and points are deducted per unmet control by weight (some controls cost you 5 points, some 3, some 1). A perfect posture is 110; a low or negative score is a visible red flag to every contracting officer who looks you up.
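The deduction arithmetic above is simple enough to check by hand, and worth checking, since the number ends up in SPRS. The following is an added example (not Bastion's code, and not the DoD's reference implementation) that applies the weighted methodology the paragraph describes to a constructed sample: start at 110, subtract each unmet control's weight, and rank the gaps by points lost so the most expensive ones surface first. The control IDs are real NIST SP 800-171 identifiers, but the weights attached to them here are a constructed sample (take the real values from the DoD assessment methodology's control table), and any of the 110 controls not listed in the sample is assumed implemented for the demonstration. The partial-credit handling mirrors the methodology's two exceptions (3.5.3 and 3.13.11 can lose 3 points instead of 5 when partly implemented); the status strings and function names are this example's own.

```python
"""Weighted NIST SP 800-171 self-assessment scoring, as reported to SPRS.

Added example: not Bastion's code. Applies the DoD weighted methodology
(start at 110, deduct each unmet control's 1/3/5-point weight) to a
constructed sample of controls.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_SCORE = 110            # every one of the 110 controls implemented
MIN_SCORE = -203           # every control unmet (the weights sum to 313)
VALID_WEIGHTS = (1, 3, 5)

# The methodology allows partial credit on exactly two controls: deduct 3
# rather than 5 when 3.5.3 (MFA) or 3.13.11 (FIPS-validated crypto) is
# partly implemented. Every other control is all-or-nothing.
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}
PARTIAL_DEDUCTION = 3

IMPLEMENTED = "implemented"
NOT_IMPLEMENTED = "not_implemented"
PARTIAL = "partial"


@dataclass(frozen=True)
class Control:
    control_id: str   # NIST SP 800-171 identifier, e.g. "3.1.1"
    weight: int       # points lost if the control is not implemented

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5")


def deduction(control: Control, status: str) -> int:
    """Points lost for one control given its recorded status."""
    if status == IMPLEMENTED:
        return 0
    if status == NOT_IMPLEMENTED:
        return control.weight
    if status == PARTIAL:
        if control.control_id in PARTIAL_CREDIT_IDS:
            return PARTIAL_DEDUCTION
        # Claiming partial credit anywhere else would misstate the score.
        raise ValueError(f"{control.control_id}: partial credit not permitted")
    raise ValueError(f"{control.control_id}: unknown status {status!r}")


def score_assessment(controls: Iterable[Control],
                     answers: Dict[str, str]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, gaps). gaps lists (control_id, points_lost), costliest first.

    Every control passed in must have an answer; a missing answer is an
    error rather than a silent pass, because an unanswered control is not
    evidence that it is implemented.
    """
    total = MAX_SCORE
    gaps: List[Tuple[str, int]] = []
    for control in controls:
        if control.control_id not in answers:
            raise ValueError(f"no answer recorded for {control.control_id}")
        lost = deduction(control, answers[control.control_id])
        if lost:
            gaps.append((control.control_id, lost))
            total -= lost
    gaps.sort(key=lambda g: (-g[1], g[0]))   # highest point impact first
    return total, gaps


def projected_score(current: int, gaps: List[Tuple[str, int]],
                    fixed_ids: Iterable[str]) -> int:
    """Score you would report after fully remediating the given controls."""
    fixed = set(fixed_ids)
    return current + sum(points for cid, points in gaps if cid in fixed)


# Constructed sample: six of the 110 controls. Weights are illustrative,
# not taken from the DoD table; unlisted controls are treated as implemented.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5),     # limit system access to authorized users
    Control("3.1.22", 1),    # control publicly accessible content
    Control("3.3.3", 1),     # review and update logged events
    Control("3.5.3", 5),     # multifactor authentication
    Control("3.13.11", 5),   # FIPS-validated cryptography
    Control("3.14.4", 3),    # update malicious code protection
]

SAMPLE_ANSWERS = {
    "3.1.1": IMPLEMENTED,
    "3.1.22": NOT_IMPLEMENTED,
    "3.3.3": NOT_IMPLEMENTED,
    "3.5.3": PARTIAL,            # MFA for some users, not all: -3 not -5
    "3.13.11": NOT_IMPLEMENTED,
    "3.14.4": IMPLEMENTED,
}

if __name__ == "__main__":
    current, gaps = score_assessment(SAMPLE_CONTROLS, SAMPLE_ANSWERS)
    print(f"SPRS score: {current}")                       # 100
    for cid, points in gaps:
        print(f"  {cid}: -{points}")
    print("after fixing 3.13.11:",
          projected_score(current, gaps, ["3.13.11"]))    # 105
```

Two design points carry over to any real implementation: refuse to score a control with no recorded answer, and refuse partial credit outside the two controls the methodology names. Both are the places where a self-assessment quietly drifts from the actual posture, and the score only has to be real.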
This is no longer just an IT problem. It's a revenue, contract, and legal-exposure problem.
No acceptable CMMC status, no award. The contracts you depend on go to a supplier who did the work — and once you're out of a supply chain, getting back in is far harder than staying in.
Primes must flow CMMC requirements down to subs. If you can't satisfy the flow-down, you become the weak link that jeopardizes your customer's own compliance — and they will route around you.
An inaccurate SPRS score isn't a clerical error. Misrepresenting your assessment to win or keep federal work can trigger False Claims Act exposure. DoJ's Civil Cyber-Fraud Initiative has already pursued contractors for exactly this. The score has to be real.
The requirement is clear. The path most suppliers are sold is not affordable.
- Consultants charge five to six figures. A full readiness engagement — gap assessment, SSP authoring, POA&M, remediation advisory — routinely runs from the high four figures into six figures, before you've fixed a single control.
- Most small suppliers have no GRC staff. A machine shop or 30-person manufacturer rarely has a governance, risk, and compliance team. The expertise simply isn't in-house, so the whole thing feels like a wall.
- The clock is already running. Enforcement is live now. Waiting for budget approval on a consulting engagement can cost you a window in which a competitor gets compliant and wins the work you were counting on.
- It's not one-and-done. Your posture drifts. New controls slip, evidence goes stale, contracts re-compete. A one-time consultant report is a snapshot; you need something you can re-run.
Bastion gives a supplier with no GRC team a credible, defensible path to CMMC Level 2 — without the consultant invoice.
All 110 controls, scored live with the official DoD weighted methodology. The number you see is the number that gets reported — no spreadsheet math, no guesswork.
Your answers become a complete System Security Plan and a Plan of Action & Milestones with owners and dates — the exact artifacts an assessor expects, generated in minutes.
Bastion shows you which gaps cost you the most points so you fix the highest-impact controls first, and watch your projected SPRS score climb as you go.
Connect Sightline and Cairn to pull real, current technical and documentation evidence — so your score reflects live posture, not stale screenshots.
Bastion runs entirely in your browser. Your CUI, evidence, and assessment never leave your machine — there's no server to trust and nothing on the other end to leak.
Every control is explained in terms that make sense for your shop, so a team with no GRC staff can answer honestly and accurately.
Run the full 110-control assessment and get audit-ready for a straightforward licence fee — not the five-to-six figures a consulting engagement would cost.
Posture changes; so does your score. Re-assess whenever something shifts and keep your artifacts current for the next re-compete.
| | The hard way | With Bastion |
|---|---|---|
| Getting started | Decode 110 controls from the raw NIST publication, or wait on a consultant's calendar. | Open the app and start answering guided, plain-language questions today. |
| SPRS score | Hand-build a weighted spreadsheet and hope the math is right. | Live, official DoD weighted score that updates as you answer. |
| SSP & POA&M | Author from scratch or pay five-to-six figures for someone to write them. | Generated from your answers in minutes, audit-ready. |
| Knowing what to fix first | Guess, or pay for advisory hours. | Gaps ranked by point impact, with projected score as you remediate. |
| Your CUI | Uploaded to a consultant's portal or a SaaS server you have to trust. | Never leaves your browser. Fully local. |
| Cost to know where you stand | Tens of thousands of dollars and weeks of calendar time. | A straightforward licence, and minutes. |
| Staying current | A one-time report that goes stale. | Re-run anytime; optional integrations keep evidence live. |
A bastion is the reinforced strong point built out from a fortification's wall — the position that protects everything behind it. For a defense supplier, your CMMC posture is exactly that: the strong point that protects your contracts, your CUI, and your place in the supply chain. We named the tool Bastion because its job is to help you build and hold that strong point — accurately and on your own terms, without a six-figure consulting engagement.
See your accurate SPRS score and get audit-ready artifacts — without a six-figure consultant and without your CUI leaving your machine.