
SSP & POA&M + completeness lint

Your System Security Plan and Plan of Action & Milestones are built directly from the assessment you've already done — no separate data entry. The completeness lint catches the weak spots before an assessor does.

On this page

  1. Generate the SSP
  2. What's in the generated SSP
  3. Generate the POA&M
  4. POA&M fields and eligibility
  5. The SSP completeness lint
  6. Executive & full reports

1. Generate the SSP

The System Security Plan (SSP) documents how each requirement is implemented. It's the artifact every assessor expects to see. Bastion assembles it from your control statuses, notes, and named evidence.

  1. Open the SSP tab.
  2. Fill in your system details — Company / organization, CAGE code, System name, System description, CUI scope / boundary, and Assessor name. These populate the SSP header. They save automatically.
  3. Click "⬇ Generate SSP (Markdown)." A Markdown file downloads to your machine.

Because the SSP is built from your assessment, the better your implementation notes and evidence, the more complete the SSP. Write notes as you assess and the SSP largely writes itself.

2. What's in the generated SSP

Section | Source
Header table (profile, company, CAGE, system name, CUI scope, assessor, date, current SPRS score) | SSP-tab fields + live score
System Description | The "System description" field
Boilerplate sections (from the SSP template) | ssp-template.json
Security Requirement Implementation — every in-scope control, grouped by family, with its status, inheritance provider, notes, and named evidence | Your assessment

Each control line reads like: "3.1.1 Limit System Access to Authorized Users — Met: [your notes] Evidence: [evidence names]." Inherited controls note the provider. The SSP can also be generated in a redacted form (notes and evidence stripped) as part of the handoff bundle.

3. Generate the POA&M

The Plan of Action & Milestones (POA&M) lists every open gap (Partially Met or Not Met) as a tracked remediation item. Open the POA&M tab to see them sorted by point weight.

  1. Review the open gaps. If there are none, Bastion tells you there's nothing to put on a POA&M — a good sign.
  2. Fill in Milestone, Owner, and Target date for each gap (these stay in sync with the Assessment and Remediation tabs).
  3. Export. Click ⬇ Export CSV (for spreadsheets/trackers) or ⬇ Export Markdown (human-readable, with eligibility column).

4. POA&M fields and eligibility

Column | Meaning
Control / Weakness | The control ID, title, and its current status.
SPRS points | How many points the gap is costing you (−5 / −3 / −1).
POA&M-eligible (Markdown export) | Yes, or "No — must fully meet" for 3-/5-point or explicitly ineligible controls. See eligibility rules.
Milestone | What you'll do to close the gap.
Owner | Who's accountable.
Target date | When it'll be done (mind the 180-day clock).

A POA&M is not a place to park hard controls forever. Only 1-point, non-ineligible requirements may ride on a POA&M, and they're subject to a 180-day closeout. The Markdown export flags any gap that must be fully met so you don't mistakenly defer a blocking control.

5. The SSP completeness lint

On the Handoff tab, Bastion runs an automatic SSP completeness review ("lint"). It scans every control and flags claims that an assessor is likely to challenge — typically a status asserted with no supporting notes or evidence. Fix these before handoff to keep your SSP defensible.

Finding | Severity | Why it matters
Met with no implementation notes and no named evidence | High | An unsupported "Met" is the first thing a C3PAO probes. There's nothing to verify.
Met with notes but no named evidence in the vault | Medium | You've described it but can't point to proof. Attach or reference evidence.
Inherited with no provider / CRM source named | Medium | An unattributed inheritance can't be verified. Name the provider.
N/A with no justification | Low | Assessors expect a documented rationale for why a control doesn't apply.

The Handoff tab shows a count of findings (and how many are high severity) plus a table. Zero findings means every Met / Inherited / N/A control carries a justification or named evidence — the goal before you assemble the bundle. To clear findings, go back to the Assessment tab and add the missing notes, evidence, or provider.
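An added example, not Bastion's own code, that applies the four lint rules from the table above to a constructed set of control records and produces the same headline counts the Handoff tab shows (the Control field names and status strings are assumptions):

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    status: str          # "Met", "Partially Met", "Not Met", "Inherited", "N/A"
    notes: str = ""      # implementation notes, or the N/A justification
    evidence: list = field(default_factory=list)  # names of items in the evidence vault
    provider: str = ""   # inheritance provider / CRM source

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

def lint_control(c):
    """Return (severity, finding) when the control's claim is unsupported, else None."""
    has_notes = bool(c.notes.strip())
    has_evidence = len(c.evidence) > 0
    if c.status == "Met":
        if not has_notes and not has_evidence:
            return ("High", "Met with no implementation notes and no named evidence")
        if not has_evidence:
            return ("Medium", "Met with notes but no named evidence in the vault")
    elif c.status == "Inherited" and not c.provider.strip():
        return ("Medium", "Inherited with no provider / CRM source named")
    elif c.status == "N/A" and not has_notes:
        return ("Low", "N/A with no justification")
    return None   # open gaps (Partially / Not Met) belong on the POA&M, not in the lint

def lint_ssp(controls):
    """Run every control through the lint; findings sorted High -> Low, then by control ID."""
    findings = []
    for c in controls:
        hit = lint_control(c)
        if hit:
            findings.append({"control": c.control_id, "severity": hit[0], "finding": hit[1]})
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["control"]))
    return findings

def summarize(findings):
    """Headline numbers for the Handoff tab: total findings and how many are High."""
    return {"total": len(findings),
            "high": sum(1 for f in findings if f["severity"] == "High")}

# Constructed sample assessment (not real data)
SAMPLE = [
    Control("3.1.1", "Met", notes="AD security groups gate CUI shares", evidence=["ad-groups.csv"]),
    Control("3.1.2", "Met"),                                    # asserted, nothing to verify
    Control("3.1.3", "Met", notes="Firewall policy restricts CUI flows"),
    Control("3.1.20", "Inherited"),                             # no provider named
    Control("3.10.6", "N/A"),                                   # no justification recorded
    Control("3.13.11", "Not Met"),                              # POA&M item, not a lint finding
]
```

Running `lint_ssp(SAMPLE)` yields one High, two Medium and one Low finding; the fully supported 3.1.1 and the open gap 3.13.11 produce none.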

6. Executive & full reports

Beyond the SSP and POA&M, the Data tab generates two narrative reports:
