The assessment
The Assessment tab is where you do the work: set a status for every in-scope control, capture notes, and attach evidence. Those notes and evidence become the body of your SSP and the support for your SPRS score.
1. The 14 control families
NIST SP 800-171 Rev 2 organizes its 110 requirements into 14 families. At Level 2 all 110 are in scope; at Level 1 only the 17 FCI controls appear. Each control ID looks like 3.family.number (e.g. 3.1.1 is the first Access Control requirement).
| Prefix | Family |
|---|---|
| 3.1 | Access Control |
| 3.2 | Awareness & Training |
| 3.3 | Audit & Accountability |
| 3.4 | Configuration Management |
| 3.5 | Identification & Authentication |
| 3.6 | Incident Response |
| 3.7 | Maintenance |
| 3.8 | Media Protection |
| 3.9 | Personnel Security |
| 3.10 | Physical Protection |
| 3.11 | Risk Assessment |
| 3.12 | Security Assessment |
| 3.13 | System & Communications Protection |
| 3.14 | System & Information Integrity |
The Dashboard shows a progress bar per family so you can see at a glance which families are strong and which need work. There's no required order — work the families in whatever sequence suits your team.
2. Anatomy of a control card
Each control appears as a card with:
- Control ID and title (e.g. 3.1.1 — Limit System Access to Authorized Users).
- Badges: the SPRS point weight (5 pts / 3 pts / 1 pt), a CMMC L1 badge if the control is one of the 17 FCI controls, and Sightline / Cairn badges if an integration can auto-evidence it.
- The requirement text in plain language.
- "What this means & how to meet it" — an expandable section with a discussion of the control and the kind of evidence assessors expect.
- Status buttons — Met / Partial / Not Met / Inherited / N/A.
- A detail area that appears below: notes, the evidence vault, and (for gaps) POA&M fields.
3. Marking controls: the five statuses
For every control, click exactly one status button. Be honest — the score is only as useful as the inputs. Status drives both your SPRS score (Scoring) and your SSP/POA&M.
| Status | Use it when… | SPRS effect | Counts as… |
|---|---|---|---|
| Met | The control is fully implemented today and you can prove it with evidence. | No deduction | Implemented / satisfied |
| Partially Met | Some but not all of the control's requirements are in place. | Full deduction — no partial credit (see the note below the table) | Open gap |
| Not Met | The control is not implemented. | Full deduction | Open gap |
| N/A | The control genuinely does not apply to your environment — document a justification. | No deduction | Implemented / satisfied |
| Inherited | An external provider (e.g. FedRAMP / GCC High) supplies the control. | No deduction | Implemented / satisfied |
Both Partially Met and Not Met deduct the full point weight from your SPRS score and become open gaps eligible for the POA&M and remediation planner. The DoD methodology gives no partial credit. Read why partial earns no credit before you decide it's "close enough."
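The arithmetic behind that table, as an added example written for this page (it is not Bastion's own scoring code): the score starts at 110, every control marked Partially Met or Not Met deducts its full point weight, and Met, N/A and Inherited deduct nothing and count as implemented. The page does not say how an unmarked control is scored, so the example leaves "Not assessed" out of the deduction and reports the count separately. The control IDs in the sample are real 800-171 IDs, but their weights, L1 flags and statuses are constructed for the example.

```javascript
// Added example, not Bastion's own code. Scores a list of control records the
// way the status table above describes.
const MAX_SCORE = 110;
const GAP_STATUSES = new Set(["Partially Met", "Not Met"]);
const SATISFIED_STATUSES = new Set(["Met", "N/A", "Inherited"]);

// Returns the SPRS score plus the bookkeeping the score chip shows.
function scoreSummary(controls) {
  let score = MAX_SCORE;
  let implemented = 0;
  let notAssessed = 0; // assumption: unmarked controls are reported, not deducted
  const gaps = []; // IDs eligible for the POA&M / remediation planner
  for (const c of controls) {
    if (GAP_STATUSES.has(c.status)) {
      score -= c.weight; // full weight, even for Partially Met
      gaps.push(c.id);
    } else if (SATISFIED_STATUSES.has(c.status)) {
      implemented += 1;
    } else if (c.status === "Not assessed") {
      notAssessed += 1;
    } else {
      throw new Error(`unknown status "${c.status}" on ${c.id}`);
    }
  }
  return { score, implemented, gaps, notAssessed };
}

// Level 1 view: how many of the FCI controls are satisfied (a count, not points).
function fciMetCount(controls) {
  const fci = controls.filter((c) => c.l1);
  const met = fci.filter((c) => SATISFIED_STATUSES.has(c.status)).length;
  return { met, total: fci.length };
}

// Constructed sample data: real control IDs, made-up weights, L1 flags and statuses.
const SAMPLE = [
  { id: "3.1.1", weight: 5, l1: true, status: "Met" },
  { id: "3.1.2", weight: 5, l1: true, status: "Partially Met" },
  { id: "3.3.1", weight: 5, l1: false, status: "Not Met" },
  { id: "3.10.1", weight: 5, l1: true, status: "Inherited" },
  { id: "3.1.16", weight: 5, l1: false, status: "N/A" },
  { id: "3.4.8", weight: 1, l1: false, status: "Not Met" },
  { id: "3.9.1", weight: 3, l1: false, status: "Not assessed" },
];

console.log(scoreSummary(SAMPLE)); // score 99: 110 - 5 - 5 - 1
console.log(fciMetCount(SAMPLE)); // { met: 2, total: 3 }
```

Note that 3.1.2 costs the same 5 points as the fully missing 3.3.1; moving it from Partially Met to Met recovers all 5, which is the whole point of the "no partial credit" rule.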
4. A closer look at "Inherited"
Mark a control Inherited when an external provider implements it for you under a shared-responsibility / Customer Responsibility Matrix (CRM) — for example, physical security of a FedRAMP-authorized data center, or platform controls in a GCC High tenant.
When you select Inherited, an "Inherited from (provider / CRM)" field appears. Always name the provider or CRM source. An Inherited control with no provider named is flagged by the SSP completeness lint (medium severity) because an assessor can't verify an unattributed inheritance claim.
5. A closer look at "N/A"
Use N/A only when a control genuinely doesn't apply to your environment (for example, a wireless-access control when you operate no wireless). Write the justification in the notes. N/A with no rationale is flagged by the completeness lint (low severity) — assessors expect a documented reason, not a silent skip.
6. Implementation notes
Every control has a free-text notes box. Write, in your own words, exactly how the control is implemented (or, for a gap, why it isn't and what's planned). These notes flow directly into your SSP, so good notes save you rework later.
- Be specific. Name the tool, policy, or process ("Enforced via Entra ID Conditional Access requiring MFA for all CUI-enclave sign-ins").
- Point to proof. Reference the evidence you've attached so an assessor can connect claim to artifact.
- Notes are CUI-sensitive. They stay local, but when you share a bundle you can redact them. Don't paste actual CUI into a note.
Notes save automatically (debounced) as you type — there is no save button.
7. The evidence vault on a control
Each control has its own evidence vault. Click + Evidence to add an item with a Name, a Type (policy, procedure, plan, screenshot, config, log, record, other), and a Location / link. You can optionally 📎 Attach & hash the actual file — Bastion computes a SHA-256 hash in your browser and stores only the filename, size, and hash; the file's bytes are never stored or transmitted. The full mechanics are in The local evidence vault.
Naming evidence matters for scoring readiness: a control marked Met with no notes and no named evidence is a high-severity lint finding — exactly what a C3PAO challenges first.
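The three completeness-lint findings mentioned on this page (Inherited with no provider, N/A with no rationale, and Met with no notes and no named evidence), implemented as an added example that is not Bastion's own lint. The severities follow the page; the control records are constructed sample data and the field names (`notes`, `evidence`, `inheritedFrom`) are assumptions for the example.

```javascript
// Added example, not Bastion's own lint. Runs the three completeness checks the
// help page describes over a list of control records.
const SEVERITY_RANK = { high: 0, medium: 1, low: 2 };

function nonEmpty(s) {
  return typeof s === "string" && s.trim().length > 0;
}

function lintControl(c) {
  const findings = [];
  const hasNotes = nonEmpty(c.notes);
  const hasNamedEvidence = (c.evidence || []).some((e) => nonEmpty(e.name));
  const flag = (severity, message) => findings.push({ id: c.id, severity, message });

  // High: a Met claim with nothing an assessor can check is what a C3PAO challenges first.
  if (c.status === "Met" && !hasNotes && !hasNamedEvidence) {
    flag("high", "Met with no notes and no named evidence");
  }
  // Medium: an inheritance claim with no provider / CRM cannot be verified.
  if (c.status === "Inherited" && !nonEmpty(c.inheritedFrom)) {
    flag("medium", "Inherited with no provider or CRM source named");
  }
  // Low: N/A needs a documented reason, not a silent skip.
  if (c.status === "N/A" && !hasNotes) {
    flag("low", "N/A with no justification in the notes");
  }
  return findings;
}

// Lints every control and lists the most severe findings first.
function lintAssessment(controls) {
  return controls
    .flatMap(lintControl)
    .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed sample records: real control IDs, made-up contents.
const SAMPLE_CONTROLS = [
  { id: "3.1.1", status: "Met", notes: "Enforced via Entra ID Conditional Access requiring MFA for all CUI-enclave sign-ins.", evidence: [{ name: "CA policy export", type: "config" }] },
  { id: "3.1.2", status: "Met", notes: "", evidence: [] },
  { id: "3.10.1", status: "Inherited", inheritedFrom: "", notes: "" },
  { id: "3.10.2", status: "Inherited", inheritedFrom: "FedRAMP data-center provider CRM", notes: "" },
  { id: "3.1.16", status: "N/A", notes: "" },
  { id: "3.3.1", status: "Not Met", notes: "" },
];

console.log(lintAssessment(SAMPLE_CONTROLS)); // 3.1.2 high, 3.10.1 medium, 3.1.16 low
```

Open gaps (3.3.1 here) produce no completeness finding; they are handled by the POA&M fields instead.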
8. POA&M fields on a gap
When a control is Partially Met or Not Met, the detail area adds three POA&M fields: Remediation milestone, Owner, and Target date. Fill these in here and they stay in sync with the POA&M and Remediation tabs — edit in any one place and it updates everywhere. See SSP & POA&M.
9. Filtering, searching, and the score chip
The Assessment toolbar helps you navigate 110 controls:
- Family filter — show all families, a single family, or the special ★ CMMC Level 1 (17 controls) view to focus on the FCI subset.
- Status filter — show all, or only Not assessed / Met / Partial / Not Met / Inherited / N/A. Filtering to Not assessed is the fast way to find what's left.
- Search — type to match a control ID, title, or requirement text.
- Score chip — a live readout in the corner showing your SPRS score (or FCI met count at L1) and the number implemented, updating as you mark controls.