CMMC Level 2 · NIST SP 800-171

CMMC Level 2, without the consultant.

Bastion walks defense suppliers through all 110 NIST 800-171 controls, calculates your live DoD SPRS score, and assembles a C3PAO-ready handoff package — entirely in your browser. Self-assessment and prep, not certification.

Start your assessment See how it works

The CMMC rule is final. The 48 CFR acquisition rule was published Sept 10, 2025, and CMMC Phase 1 began Nov 10, 2025: Level 2 self-assessment, plus C3PAO certification at DoD's discretion, flowed down through DFARS 252.204-7021. Mandatory Level 2 C3PAO certifications phase in starting around Nov 10, 2026. Primes like Boeing already make CMMC Level 2 a condition of award. For small and mid-size suppliers, often with no GRC staff and no budget for a six-figure engagement, that means proving compliance against all 110 controls now and being ready to hand off to an assessor when your turn comes.

Everything you need to get audit-ready

One tool takes you from "where do we even start?" to a documented, scored, defensible posture.

Level selector & triage

Pick your scope — L1 (FCI), L2 self-assessment, or L2 C3PAO — or answer three questions and let the built-in triage tell you whether you self-attest or need a third-party assessor.

Guided 110-control assessment

Step through every NIST 800-171 control in plain language, with practical guidance on what each one means for your shop.

Live DoD SPRS score

Your Supplier Performance Risk System score updates in real time using the official DoD weighted methodology — no spreadsheet math.

Gap analysis by family

See exactly where you stand across all 14 control families so you fix the highest-impact gaps first.
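The scoring arithmetic behind the live score and the family gap view, as an added example (this is not Bastion's code). It follows the DoD NIST SP 800-171 Assessment Methodology as the page describes it: start at 110 and subtract each unimplemented requirement's weight of 5, 3 or 1, with partial credit for 3.5.3 and 3.13.11. The WEIGHTS table is an illustrative subset quoted from memory, not the full 110-row table, the treatment of "not applicable" as a zero deduction is an assumption, and the sample assessment is constructed.

```javascript
// Added example, not Bastion's code. Scores an assessment the way the DoD
// NIST SP 800-171 Assessment Methodology does: 110 minus the weight (5, 3 or 1)
// of every requirement that is not fully implemented. 3.5.3 (MFA) and 3.13.11
// (FIPS-validated crypto) carry partial credit: partially met loses 3, not 5.
// WEIGHTS is a small subset quoted from memory of the published table; check
// it against the current DoD methodology before relying on any number.

const MAX_SCORE = 110;

const WEIGHTS = {
  '3.1.1': 5, '3.1.2': 5, '3.1.3': 1, '3.1.5': 3,
  '3.5.1': 5, '3.5.2': 5, '3.5.3': 5,
  '3.13.11': 5, '3.14.1': 5, '3.14.2': 5,
};

// Requirements where a partial implementation reduces the deduction to 3.
const PARTIAL = { '3.5.3': 3, '3.13.11': 3 };

// The 14 NIST SP 800-171 rev 2 families, keyed by the first two ID segments.
const FAMILIES = {
  '3.1': 'Access Control', '3.2': 'Awareness and Training',
  '3.3': 'Audit and Accountability', '3.4': 'Configuration Management',
  '3.5': 'Identification and Authentication', '3.6': 'Incident Response',
  '3.7': 'Maintenance', '3.8': 'Media Protection', '3.9': 'Personnel Security',
  '3.10': 'Physical Protection', '3.11': 'Risk Assessment',
  '3.12': 'Security Assessment', '3.13': 'System and Communications Protection',
  '3.14': 'System and Information Integrity',
};

function familyOf(id) {
  const name = FAMILIES[id.split('.').slice(0, 2).join('.')];
  if (!name) throw new Error(`unknown family for ${id}`);
  return name;
}

// status: 'met' | 'not-met' | 'partial' | 'na'
function deduction(id, status) {
  const weight = WEIGHTS[id];
  if (weight === undefined) throw new Error(`not in weight table: ${id}`);
  switch (status) {
    case 'met': return 0;
    case 'na': return 0; // assumption: an inapplicable requirement costs nothing
    case 'partial':
      if (!(id in PARTIAL)) throw new Error(`${id} has no partial-credit rule`);
      return PARTIAL[id];
    case 'not-met': return weight; // an open POA&M item is still not met
    default: throw new Error(`bad status '${status}' for ${id}`);
  }
}

// Every requirement in the table must be answered; unknown IDs are rejected.
function sprsScore(assessment) {
  for (const id of Object.keys(assessment)) {
    if (!(id in WEIGHTS)) throw new Error(`unknown requirement ${id}`);
  }
  const deductions = {};
  let lost = 0;
  for (const id of Object.keys(WEIGHTS)) {
    if (!(id in assessment)) throw new Error(`requirement ${id} not assessed`);
    const d = deduction(id, assessment[id]);
    if (d > 0) { deductions[id] = d; lost += d; }
  }
  return { score: MAX_SCORE - lost, deductions };
}

// Points lost per family, largest first: the order to work the POA&M in.
function gapsByFamily(deductions) {
  const totals = {};
  for (const [id, d] of Object.entries(deductions)) {
    const fam = familyOf(id);
    totals[fam] = (totals[fam] || 0) + d;
  }
  return Object.entries(totals)
    .sort((a, b) => b[1] - a[1])
    .map(([family, lost]) => ({ family, lost }));
}

// Constructed sample assessment, not real data.
const SAMPLE = {
  '3.1.1': 'met', '3.1.2': 'met', '3.1.3': 'not-met', '3.1.5': 'not-met',
  '3.5.1': 'met', '3.5.2': 'met', '3.5.3': 'partial',
  '3.13.11': 'not-met', '3.14.1': 'met', '3.14.2': 'met',
};

const result = sprsScore(SAMPLE);
console.log(result.score, gapsByFamily(result.deductions));
```

With the sample above the four unmet rows cost 1 + 3 + 3 + 5 points, so the score is 98 and the family view puts System and Communications Protection (5 points) ahead of Access Control (4) and Identification and Authentication (3). Because the table is a subset, that number only reflects those rows; against the full table every unanswered requirement would be an error, not a free pass.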

Auto-generated SSP

Turn your answers into a complete System Security Plan documenting how each control is implemented — the artifact every assessor expects.

POA&M with owners & dates

Every open control becomes a Plan of Action & Milestones entry with an owner and target date, so remediation is tracked, not forgotten.

Local evidence vault

Attach a file and Bastion computes a SHA-256 hash in your browser, then discards the bytes — only the filename, size, and hash are kept. Your CUI never leaves the machine.

Versioning & diff

Snapshot your assessment over time and see exactly what moved — score change, newly satisfied controls, and any regressions — as proof of an upward trajectory.

C3PAO-ready handoff package

One bundle: SPRS Basic-assessment worksheet, validated SSP, POA&M, evidence index, and the annual Affirming-Official affirmation — assembled locally to cut your assessment bill. Prep, not certification.

Runs in your browser

Bastion executes locally. Your CUI, evidence, and assessment never leave your device — there's no server to trust.

Fits the rest of your stack

Bastion auto-evidences controls from the tools you already run — so your score reflects real, current data, not stale screenshots.

Sightline · 72 controls

Pulls live endpoint posture — encryption, patching, MFA, EDR, and logging — to auto-evidence your technical controls with real, current data.

Cairn · 74 controls

Links your policies, procedures, and training records to the controls they satisfy, auto-evidencing the documentation controls assessors scrutinize most.

One package an assessor can actually use

When it's time to face a C3PAO, you hand off a single bundle instead of starting from a blank page — which is where the assessment bill comes down.

📋 SPRS Basic-assessment worksheet. The exact fields you transcribe into SPRS via PIEE — score, requirements implemented, open items, and the 180-day plan-of-action date. You post it yourself; Bastion never touches a DoD system.

📄 Validated SSP + POA&M. A completeness review flags the gaps an assessor challenges first — Met controls with no evidence, unattributed inheritances — so your SSP and POA&M go in clean.

🔎 Evidence index. A flat table of every evidence item across all controls, with locally computed SHA-256 hashes for attached files: the integrity facts an assessor needs, with no CUI in the document. The index does carry filenames, so keep CUI out of evidence file names.

✍️ Annual Affirming-Official affirmation. A ready-to-sign affirmation per 32 CFR 170.22, with a cadence reminder so the required annual re-affirmation doesn't slip.

The bundle is assembled locally and stamped with a SHA-256 integrity hash; a recipient who receives that hash through a separate channel (not only inside the bundle itself) can recompute it and confirm the package wasn't altered after handoff. An optional redacted export strips notes and evidence locations while keeping status, scores, ownership, and dates, so it is safe to share outside your CUI boundary. It's labeled as preparation, not a CMMC certification.

How it works

Pick your level — L1, L2 self-assessment, or L2 C3PAO — or run the triage if you're not sure.
Answer the guided self-assessment across all 110 NIST 800-171 controls, in plain language.
Watch your DoD SPRS score and family-by-family gap analysis update live as you go.
Attach evidence — hashed locally, never uploaded — and snapshot your assessment to track progress.
Connect Sightline and Cairn (optional) to auto-evidence technical and documentation controls.
Export the full C3PAO-ready handoff package — SSP, POA&M, SPRS worksheet, evidence index, and affirmation — entirely on your machine.

Why Bastion

Accurate by design. SPRS scoring follows the official DoD weighted methodology — the number you see is the number that counts.

Artifacts in minutes. Audit-ready SSP and POA&M generated in minutes, not the weeks a consultant would bill for.

Your CUI stays put. Fully local execution — no cloud upload, no third party holding your sensitive data.

Priced for your shop. A straightforward license: see your SPRS score and get audit-ready without a six-figure consulting engagement.

FAQ

Is this an official CMMC assessment or certification?
No. Bastion is a self-assessment and preparation aid. Official CMMC Level 2 certification is performed by an accredited C3PAO. Bastion gets you accurately scored, documented, and audit-ready so that assessment goes smoothly.
What's in the C3PAO handoff package?
One bundle: an SPRS Basic-assessment worksheet, a validated SSP, a POA&M, an evidence index (with locally computed hashes for attached files), and the annual Affirming-Official affirmation. It's assembled in your browser and stamped with a SHA-256 integrity hash. Handing an assessor a complete, organized package is how you cut the assessment bill — but it's preparation, not certification.
Do I assess at Level 1 or Level 2?
Bastion's level selector covers L1 (the 15 FCI requirements from FAR 52.204-21, pass/fail self-assessment), L2 self-assessment (all 110 controls, self-attested), and L2 C3PAO (all 110, prepared for a third-party assessor). If you're not sure, the built-in triage asks three questions about your contracts and data and suggests a level; confirm it against your actual DFARS/FAR clauses.
Does my CUI leave my computer?
No. Bastion runs entirely in your browser on your own machine. Your assessment data, evidence, and CUI are never uploaded to a server — there's nothing on the other end to leak. When you attach an evidence file, Bastion hashes it locally with SHA-256 and discards the bytes; only the filename, size, and hash are kept.
What is SPRS?
The Supplier Performance Risk System is the DoD system where your NIST 800-171 assessment score is reported. Under the DoD assessment methodology each of the 110 requirements carries a weight of 5, 3 or 1 point; you start at 110 and subtract the weight of every requirement that is not implemented, so a weak posture scores below zero. Bastion calculates it for you using that official methodology.
How does this relate to Boeing's mandate and the 2026 timeline?
The 48 CFR final rule published Sept 10, 2025, and CMMC Phase 1 began Nov 10, 2025 — Level 2 self-assessment plus discretionary C3PAO. Mandatory L2 C3PAO certifications phase in starting around Nov 10, 2026. Boeing already makes CMMC Level 2 a condition of award across its supply chain. Bastion helps you assess against the 110 controls now, document compliance, and assemble the handoff package you'll need when a C3PAO assessment is required.
We have no GRC staff. Can we actually use this?
Yes — that's exactly who Bastion is built for. The guided assessment explains each control in plain language, the scoring and artifacts are generated for you, and no consultant is required to get started.

Know your SPRS score today. Keep your contracts tomorrow.

No six-figure consultant, no CUI leaving your machine. Just an accurate score and audit-ready artifacts.

Start your assessment · Talk to us