
The C3PAO handoff bundle

One Markdown file that pulls together everything a C3PAO or prime needs to review your readiness — assembled locally, optionally redacted, and stamped with a SHA-256 integrity hash. This is preparation material, not a certification.

On this page

  1. What's in the bundle
  2. Build the bundle
  3. The SPRS worksheet
  4. The evidence index
  5. Export redaction
  6. The integrity hash
  7. Level 1 and the bundle

1. What's in the bundle

The bundle is a single Markdown document with a header (company, CAGE, system, date, scope, and a "CUI never left the machine" note) followed by these sections in order:

| # | Section | What it contains |
|---|---------|------------------|
| 1 | SPRS self-assessment worksheet | The fields you'd transcribe into SPRS (see below). |
| 2 | Conditional-status & POA&M eligibility summary | Status (final / conditional / not-eligible), score vs. threshold, the 180-day closeout date, blocking controls that must be fully met, and POA&M-eligible open items. See Scoring. |
| 3 | SSP completeness review | The lint findings table. |
| 4 | Evidence index | Every attached/referenced evidence item across all controls (see below). |
| 5 | Remediation progress (if a prior snapshot exists) | The SPRS diff + narrative since your last snapshot. See Versioning. |
| 6 | System Security Plan (SSP) | The full generated SSP. |
| 7 | Plan of Action & Milestones (POA&M) | Open gaps with eligibility, owners, targets. |
| 8 | Affirmation of continuous compliance | The affirmation statement. |

The bundle header labels the scope (e.g. "CMMC Level 2 — self-assessment" vs. "C3PAO certification") and reminds the reader that mandatory L2 C3PAO certifications phase in starting ~Nov 10, 2026, and that the package is preparation, not certification.

2. Build the bundle

  1. Finish your assessment and clear as many lint findings as you can.
  2. Fill in system details on the SSP tab and record an affirmation on the Handoff tab.
  3. Open the Handoff tab and review the readiness strip and SSP completeness review.
  4. Click "⬇ Export handoff package." Bastion assembles the full bundle, computes its SHA-256 integrity hash, and downloads it as a single Markdown file.

Or export pieces: "⬇ Export redacted" for a sanitized copy, or "⬇ SPRS worksheet only" for just the worksheet.

3. The SPRS worksheet

The SPRS self-assessment worksheet mirrors the fields you enter when posting a Basic self-assessment to SPRS via PIEE. Bastion does not connect to any DoD system — you transcribe these values yourself.

| Field | Source |
|-------|--------|
| Company / OSA, CAGE code, System / scope name | Your SSP-tab org fields + profile name |
| Assessment type | Basic (self-assessment) |
| Assessment standard | NIST SP 800-171 Rev 2 (110 requirements) |
| Assessment date | Today (export date) |
| Score | Your live SPRS score / 110 |
| Requirements implemented | Count satisfied (Met / N-A / Inherited) |
| Open requirements (on POA&M) | Count of open gaps |
| Plan-of-action completion date | Assessment date + 180 days (or N/A if no open gaps) |
| Conditional-status threshold (≥80%) | Met / not met against the 88-point score floor |

If any open requirement is not POA&M-eligible, the worksheet adds a warning that those must be fully met before award.

4. The evidence index

The bundle includes a true evidence index — a flat table an assessor can walk through, listing every evidence item across all controls. Each row shows the control, evidence name (or filename), type, kind (attached file vs. reference), location, and — for attached files — the first 16 characters of the SHA-256 hash.

Hashes are computed locally in your browser (via SubtleCrypto) before they ever reach the index. The index notes how many items are attached files (hashed) vs. references, and reminds the reader that files are hashed in-browser and never transmitted — you share the actual files inside your CUI boundary. See the evidence vault.

5. Export redaction

Click "⬇ Export redacted (no notes/evidence text)" to produce a sanitized bundle safe to share outside your CUI boundary. Redaction is about keeping operator-entered free text (which may contain CUI) out of a document that leaves your control.

| Redacted (removed/masked) | Retained (structural facts) |
|---------------------------|-----------------------------|
| Implementation notes (shown as [REDACTED]) | Control status for every requirement |
| Evidence locations / links | SPRS score and conditional-status picture |
| Free-text evidence reference names | Ownership, dates, milestones |
| CUI scope / system description free text | Attached-file filenames + SHA-256 hashes (integrity facts an assessor needs) |

The redacted bundle carries a banner stating that notes and evidence locations were removed but status, scores, ownership, and dates are retained — and that the unredacted package should be shared only inside your assessment boundary. The downloaded filename is tagged -redacted.

6. The integrity hash

Every exported bundle ends with a SHA-256 integrity hash of its own content, computed locally in your browser. This lets a recipient confirm the file wasn't altered after you handed it off.

  1. Find the hash line at the very bottom of the exported bundle: "Package integrity (SHA-256): ."
  2. To verify later, remove that final hash line from the file, then re-hash the remaining content (e.g. shasum -a 256) and compare it to the recorded hash. A match means the bundle is unchanged.

If SubtleCrypto isn't available in your browser (rare; can happen on insecure non-localhost http:// origins), the hash line is omitted and the bundle still exports normally. Use http://localhost or https:// to get the integrity hash. See Security & privacy.
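The two verification steps above, plus the missing-hash-line case, as an added POSIX shell script (example code, not Bastion's own). It assumes the hash line is the file's last line in the exact form "Package integrity (SHA-256): <hex>" and that the hash covers every byte before that line; the page does not pin down either detail.

```shell
#!/bin/sh
# Verify the "Package integrity (SHA-256)" line at the bottom of an exported bundle.
# Assumption (not stated on the page): that line is the file's last line, formatted exactly
# as "Package integrity (SHA-256): <64 lowercase hex chars>", and the hash covers every
# byte of the file before it.

sha256_of_stdin() {  # lowercase hex digest of stdin, whichever tool is installed
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.*= //'
  fi
}

# Hash recorded on the bundle's final line; prints nothing if the line is absent.
recorded_hash() {
  tail -n 1 "$1" | sed -n 's/^Package integrity (SHA-256): \([0-9a-f]\{64\}\)[[:space:]]*$/\1/p'
}

# The page's "remove that final hash line, then re-hash the remaining content" step.
content_hash() {
  sed '$d' "$1" | sha256_of_stdin
}

# verify_bundle FILE: returns 0 on match, 1 on mismatch, 2 when there is no hash line
# (the page notes the line is omitted when SubtleCrypto was unavailable at export time).
verify_bundle() {
  rec=$(recorded_hash "$1")
  if [ -z "$rec" ]; then
    echo "NO-HASH-LINE: $1"
    return 2
  fi
  act=$(content_hash "$1")
  if [ "$rec" = "$act" ]; then
    echo "OK: $1"
    return 0
  fi
  echo "MISMATCH: $1 (recorded $rec, computed $act)"
  return 1
}

# Constructed sample bundle (not a real export): a short body, then a hash line
# appended the way the export is assumed to do it.
make_sample_bundle() {
  printf '# C3PAO handoff bundle\n\nScope: CMMC Level 2 (self-assessment)\n' > "$1"
  printf 'Package integrity (SHA-256): %s\n' "$(sha256_of_stdin < "$1")" >> "$1"
}
```

Run it as `verify_bundle handoff.md`; keep the file byte-for-byte as downloaded, since any editor that rewrites line endings will change the computed hash.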

7. Level 1 and the bundle

SPRS scoring, conditional status, and the C3PAO handoff are Level 2 concepts. If you've selected a Level 1 scope, the Handoff tab shows a notice: CMMC L1 is a pass/fail annual self-assessment of 17 FCI requirements with no SPRS score. Switch to a Level 2 scope on the Scope tab for the full handoff package.

Roadmap. A dedicated L1 attestation export (an FCI-specific affirmation/attestation artifact analogous to the L2 bundle) is on the roadmap and not yet available. Today, L1 users can still use the assessment, the executive/full reports, and the JSON export.
