
Getting started

Bastion runs entirely in your browser — nothing to install, no account, no server. This page covers what it is, the local-first promise, how to choose your level, and your first run.

On this page

  1. What Bastion is (and isn't)
  2. The local-first promise
  3. Choosing your level: L1, L2-self, L2-C3PAO
  4. Not sure? Use the triage
  5. Your first run, step by step
  6. A quick tour of the tabs

1. What Bastion is (and isn't)

Bastion is a guided, browser-based tool that walks defense suppliers through a NIST SP 800-171 Rev 2 self-assessment — the standard that underpins CMMC Level 2. As you mark each control, it calculates a live DoD SPRS score, finds your gaps, and generates the documents an assessor expects: a System Security Plan (SSP), a Plan of Action & Milestones (POA&M), an SPRS worksheet, an affirmation, and a complete C3PAO handoff bundle.

| Bastion is | Bastion is not |
| --- | --- |
| A self-assessment and preparation aid that mirrors the official DoD Assessment Methodology. | An official CMMC assessment or certification. |
| A way to get accurately scored, documented, and audit-ready before an assessor arrives. | A C3PAO. It cannot issue, grant, or guarantee a CMMC certification. |
| Fully local — your data stays on your machine. | Connected to SPRS, PIEE, or any DoD system. You transcribe your results into SPRS yourself. |
| A practical, plain-English guide for small shops. | Legal advice. Confirm scope and obligations against your contract clauses and an authorized assessor. |

2026 context. The 48 CFR final rule was published Sept 10, 2025; CMMC Phase 1 began Nov 10, 2025 (self-assessment plus discretionary C3PAO via DFARS 252.204-7021). Mandatory Level 2 C3PAO certifications phase in starting ~Nov 10, 2026. Bastion reflects these facts in its copy and is positioned as preparation, not certification.

2. The local-first promise

This is the heart of Bastion. Your CUI never leaves your machine.

Because everything is local, the flip side is on you: clearing your browser data or switching devices loses your work unless you've exported a JSON backup first. See Backup & restore. The full security model is in Security & privacy.

3. Choosing your level: L1, L2-self, L2-C3PAO

The first real decision is your scope. Open the app and go to the Scope tab. Bastion offers three levels — picking one scopes the control set and tells you whether you self-attest or need a third-party (C3PAO) assessment.

| Level | Who it's for | Controls in scope | How it's assessed | SPRS score? |
| --- | --- | --- | --- | --- |
| CMMC Level 1 (FCI) | You handle Federal Contract Information (FCI) but no CUI. | 17 FCI safeguarding requirements (FAR 52.204-21) | Annual self-assessment | No — pass/fail at L1 |
| CMMC Level 2 — self-assessment | You handle CUI, and no contract has (yet) invoked a C3PAO requirement. | All 110 NIST SP 800-171 Rev 2 requirements | Self-attested (Phase 1) | Yes — scored 0…110 (floor −203) |
| CMMC Level 2 — C3PAO certification | A contract requires a third-party assessment, or your CUI work is on a sensitive/prioritized acquisition. | All 110 requirements | Third-party (C3PAO) | Yes — prepared for handoff |

On the Scope tab, click any of the three cards to select it. The selected level is highlighted and a Current scope strip confirms the standard and assessment type. Selecting L1 narrows the assessment to the 17 FCI controls and hides SPRS-specific features (there is no SPRS score at Level 1). Selecting either L2 level loads all 110 controls.

The difference between the two L2 levels is intent, not controls. Both assess the same 110 requirements. "L2-self" frames the output as an annual self-attestation; "L2-C3PAO" frames the handoff bundle for a third-party assessor (and labels the bundle accordingly). A Contracting Officer can still require a C3PAO at their discretion even when you've chosen L2-self — re-triage when a new solicitation lands.

4. Not sure? Use the triage

If you don't know which level applies, use the Quick triage at the bottom of the Scope tab. It asks three yes/no questions about your contracts and data and suggests a level. Confirm the suggestion against your actual DFARS/FAR clauses.

| Triage question | If checked… |
| --- | --- |
| We store, process, or transmit CUI. | You're at least Level 2. If unchecked, Bastion suggests Level 1 (FCI only). |
| A contract/solicitation already requires a CMMC L2 C3PAO assessment (DFARS 252.204-7021). | Bastion suggests L2 — C3PAO. A CO has invoked a third-party requirement, so prepare and hand off. |
| Our CUI work is on a sensitive / prioritized DoD acquisition. | Bastion suggests L2 — C3PAO (plan for it). These programs are most likely to require a C3PAO as phasing rolls out. |

How the suggestion resolves, in order of priority:

Click Apply this scope to set the suggested level. Your triage answers are saved per profile, so you can revisit them later.

5. Your first run, step by step

  1. Open the app over HTTP. Click Open the app. If you're running the files locally, serve them over HTTP (e.g. python3 -m http.server 8000, then visit http://localhost:8000/) — browsers block the control-data fetch on file://. If you see "Couldn't load the control set," that's the cause; see Troubleshooting.
  2. Name your system profile. Bastion starts with a "My System" profile. Use the System profile bar at the top to Rename it (e.g. "GCC High enclave") or add a + New profile for a separate enclave. Each profile keeps its own answers, evidence, score, and artifacts.
  3. Set your scope. On the Scope tab, pick L1 / L2-self / L2-C3PAO, or run the triage.
  4. Work the assessment. On the Assessment tab, set a status for each control and add notes/evidence as you go. See The assessment.
  5. Read your score and plan. The Dashboard shows your live SPRS score and gaps; the Remediation tab projects what-if scores so you can target the biggest wins. See Scoring.
  6. Generate artifacts and the bundle. Use the SSP, POA&M, and Handoff tabs to produce your documents and the C3PAO-ready package. See SSP & POA&M and the handoff bundle.
  7. Back up. On the Data tab, export a JSON backup. Do this regularly. See Backup & restore.
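The "0…110 (floor −203)" range in the level table and the what-if projection in step 5 both come from the DoD Assessment Methodology, where every unmet NIST SP 800-171 requirement subtracts its weight (1, 3 or 5 points) from 110. The Python below is an added illustration of that arithmetic, not Bastion's own code; the control weights and statuses in SAMPLE are constructed sample values, not the official weight table.

```python
"""SPRS score arithmetic and what-if projection (added illustration, not Bastion code).

DoD Assessment Methodology: start at 110, subtract each unmet requirement's weight
(1, 3 or 5 points); all 110 weights sum to 313, hence the -203 floor. The control
weights below are constructed sample values, not the official table.
"""
from dataclasses import dataclass, replace

MAX_SCORE, MIN_SCORE = 110, -203
VALID_WEIGHTS = {1, 3, 5}

@dataclass(frozen=True)
class Control:
    control_id: str   # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # points deducted when unmet: 1, 3 or 5
    met: bool         # True once marked implemented in the assessment

def sprs_score(controls):
    """110 minus the weights of every unmet control, never below -203."""
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
    deduction = sum(c.weight for c in controls if not c.met)
    return max(MIN_SCORE, MAX_SCORE - deduction)

def rank_gaps(controls):
    """Open gaps as (id, points recovered), biggest wins first."""
    gaps = sorted((c for c in controls if not c.met),
                  key=lambda c: (-c.weight, c.control_id))
    return [(c.control_id, c.weight) for c in gaps]

def what_if(controls, close_ids):
    """Projected score if the controls in close_ids were remediated."""
    projected = [replace(c, met=True) if c.control_id in close_ids else c
                 for c in controls]
    return sprs_score(projected)

SAMPLE = [  # constructed sample assessment state (weights illustrative)
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, False),
    Control("3.1.20", 1, False),
    Control("3.5.3", 5, False),
    Control("3.12.1", 3, False),
    Control("3.13.11", 5, True),
    Control("3.14.1", 5, False),
]

if __name__ == "__main__":
    print("current:", sprs_score(SAMPLE), "gaps:", rank_gaps(SAMPLE))
    print("close 3.1.2 + 3.5.3:", what_if(SAMPLE, {"3.1.2", "3.5.3"}))
```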

6. A quick tour of the tabs

| Tab | What it's for | Learn more |
| --- | --- | --- |
| Dashboard | Live score, assessed %, open gaps, family progress, and score-history snapshots + diff. | Scoring, Versioning |
| Scope | Level selector (L1 / L2-self / L2-C3PAO) and the assessment-type triage. | Above |
| Assessment | The control list — set status, notes, evidence, and POA&M fields per control. | The assessment |
| Remediation | What-if planner: check gaps to close and see the projected SPRS score; export a roadmap. | Scoring |
| SSP | Enter system details and generate the System Security Plan. | SSP & POA&M |
| POA&M | Every open gap as a tracked entry; export CSV or Markdown. | SSP & POA&M |
| Handoff | Conditional-status readiness, SSP lint, the affirmation, and the assembled C3PAO bundle. | Handoff bundle, Affirmation |
| Integrations | Import endpoint posture from Sightline and documentation evidence from Cairn to auto-evidence controls. | Integrations (docs) |
| Data | Export/import JSON, executive & full reports, and reset the profile. | Backup & restore |