Bastion is a self-assessment and preparation aid; it is not a CMMC certification, and it is not legal advice. Official CMMC Level 2 certification is performed only by an accredited C3PAO. Bastion is not a C3PAO and does not issue certifications. It gets you accurately scored, documented, and audit-ready. Always confirm your results against your actual contract clauses and an authorized assessor. See the full disclaimer.
Local-first, always. Bastion runs entirely in your browser. There is no backend, no sign-up, and no telemetry. Your CUI, notes, and evidence never leave your machine. Read how the local-first promise is enforced.
Browse the Help Center
Read top to bottom the first time, or jump straight to a topic. Every page is cross-linked.
Getting started
What Bastion is, the local-first promise, choosing your level (L1 FCI / L2 self / L2 C3PAO) with the triage, and your first run.
The assessment
The 14 control families, marking controls Met / Partial / Not Met / N/A / Inherited, and writing evidence notes that become your SSP.
Scoring, conditional status & POA&M eligibility
The SPRS math (110 − 5/3/1 weights, floor −203), the 80% conditional threshold, the 180-day clock, and which controls can't be POA&M'd.
SSP & POA&M + completeness lint
Generating your System Security Plan and Plan of Action & Milestones, and the SSP completeness lint that flags fragile claims.
The annual affirmation
The Affirming-Official workflow per 32 CFR 170.22, recording an affirmation, the cadence reminder, and exporting the statement.
The C3PAO handoff bundle
One bundle: SPRS worksheet, eligibility summary, SSP, POA&M, evidence index, affirmation, plus export redaction and a SHA-256 integrity hash.
The local evidence vault
Attaching and hashing evidence files in your browser: what's stored, what's discarded, and how the SHA-256 hash proves integrity.
Assessment versioning
Score-history snapshots, the SPRS diff between any snapshot and now, and the exportable remediation progress narrative.
Security & privacy
The local-first architecture, zero CUI egress, redaction, integrity hashing, and how to back up and move your data safely.
Troubleshooting & FAQ
Which level am I? Score & POA&M questions, conditional status, evidence re-verify, export/import, reset, plus the "not a certification" disclaimer.
"How do I…" recipe index
Jump straight to the exact steps for a common task.
| I want to… | Go to |
|---|---|
| Open Bastion for the first time | Getting started → First run |
| Figure out whether I'm L1, L2-self, or L2-C3PAO | Getting started → The triage |
| Set a control's status | The assessment → Marking controls |
| Understand why "Partial" earns no points | Scoring → Partial earns no credit |
| Know if I'm eligible for conditional status | Scoring → Conditional status |
| See which gaps I can put on a POA&M | Scoring → POA&M eligibility |
| Generate my SSP | SSP & POA&M → Generate the SSP |
| Generate my POA&M (CSV or Markdown) | SSP & POA&M → Generate the POA&M |
| Fix SSP completeness lint findings | SSP & POA&M → Completeness lint |
| Record the annual affirmation | Affirmation → Record it |
| Attach & hash an evidence file | Evidence vault → Attach & hash |
| Build the C3PAO handoff bundle | Handoff bundle → Build it |
| Export a redacted bundle (no CUI free text) | Handoff bundle → Redaction |
| Verify a bundle wasn't tampered with | Handoff bundle → Integrity hash |
| Save a score snapshot and see my trend | Versioning → Snapshots |
| Export a remediation progress narrative | Versioning → Progress narrative |
| Back up my whole assessment | Security → Backup & restore |
| Move my work to another computer | Security → Backup & restore |
| Reset / wipe a profile | Troubleshooting → Reset |
| Fix "Couldn't load the control set" | Troubleshooting → Load error |
New to all this? Read Getting started first, then The assessment as you work through your controls. Keep the project Glossary open in a second tab for any term you don't recognize.