
Troubleshooting & FAQ

Self-serve answers to the most common problems and questions. If something isn't working, start here — most issues have a one-line fix.

On this page

  1. Troubleshooting
  2. FAQ — Which level am I?
  3. FAQ — Score & POA&M
  4. FAQ — Conditional status
  5. FAQ — Evidence & integrity
  6. FAQ — Export, import & reset
  7. FAQ — What Bastion is
  8. Not a certification / not legal advice

Troubleshooting

"Couldn't load the control set" / app stuck on "Loading…"

Bastion loads its control data with fetch, and browsers block fetch on the file:// protocol. Serve the files over HTTP instead.

From the project folder, run a local server: python3 -m http.server 8000 (or any static server).
Open http://localhost:8000/ and navigate to the app — not the file:// path.

If it's hosted (e.g. GitHub Pages) and still fails, confirm the assets/data/*.json files are present and that a .nojekyll file exists so paths resolve under a project sub-path.

My SPRS score isn't showing / says "Not started"

The score appears once you've assessed at least one control. If you're on a Level 1 scope, there is no SPRS score by design — L1 shows "X / 17 FCI met." Switch to a Level 2 scope on the Scope tab for SPRS scoring.

My score is "provisional"

That label means some controls are still Not assessed. The score reflects only what you've marked so far. Filter the Assessment to Not assessed to find and finish the rest.

My data disappeared

Bastion stores everything in this browser's localStorage (see where data lives). Data is lost if you cleared site data, switched browsers or devices, used private/incognito mode, or are on a different profile. Causes and fixes:

| Symptom | Cause | Fix |
| --- | --- | --- |
| Everything's blank after clearing browsing data | localStorage was wiped | Re-import your last JSON backup (Data tab). Export regularly going forward. |
| Work missing in a different browser/computer | Storage is per-browser, per-device | Move via JSON export → import. See Backup & restore. |
| Different answers than expected | You're on a different system profile | Switch profiles in the top bar. |
| Nothing persists between sessions | Private/incognito window | Use a normal window. |

The integrity hash is missing from my export

SHA-256 hashing needs a secure context. Over plain http:// on a non-localhost address, crypto.subtle may be unavailable, so the hash line is omitted (the bundle still exports). Use http://localhost or https://. See Hashing & integrity.

An evidence file attached but shows no hash

Same secure-context cause. The attach still records the filename and size; serve over localhost/HTTPS to get the SHA-256.

Imported Sightline/Cairn JSON skipped some controls

Import maps each signal to a control ID. Any item whose control ID isn't in the set is skipped, and Bastion reports the skipped count. Check the JSON's control values against the 110 IDs. Review every auto-applied status before trusting it.

FAQ — Which level am I?

How do I know if I'm L1, L2-self, or L2-C3PAO?

Short version: handle no CUI (FCI only) → Level 1. Handle CUI → Level 2; if a contract/solicitation has invoked a C3PAO requirement (DFARS 252.204-7021) or your work is on a sensitive/prioritized acquisition → L2-C3PAO, otherwise L2-self for now. Run the triage on the Scope tab and confirm against your contract clauses.

What's the difference between L2-self and L2-C3PAO in the app?

The same 110 controls and the same scoring. The difference is framing: L2-self frames output as an annual self-attestation; L2-C3PAO frames the handoff bundle for a third-party assessor. A Contracting Officer can still require a C3PAO even under L2-self.

When do mandatory C3PAO assessments start?

The 48 CFR final rule was published Sept 10, 2025; Phase 1 began Nov 10, 2025 (self-assessment + discretionary C3PAO). Mandatory Level 2 C3PAO certifications phase in starting ~Nov 10, 2026. Confirm specifics against your solicitations.

FAQ — Score & POA&M

Why didn't my score go up when I marked something "Partial"?

By design. The DoD methodology gives no partial credit — Partially Met deducts the full weight, the same as Not Met. You get the points only when it's fully Met. See why partial earns no credit.

Why is my score negative?

Deductions can sum past 110, so a mostly-unmet posture scores below zero, floored at −203. It's normal early on. Use the remediation planner to climb. See negative scores.

Which gaps can I put on a POA&M?

Only 1-point requirements that aren't on the explicit ineligible list. All 3-point and 5-point gaps must be fully met, as must six specific controls (3.1.20, 3.1.22, 3.12.4, 3.10.3, 3.10.4, 3.10.5). Control 3.13.11 is a special FIPS case. Full rules and the ineligible list: POA&M eligibility.

How long do I have to close POA&M items?

180 days from the conditional-status date. Bastion computes the completion date as assessment date + 180 days. See the 180-day clock.

How do I report my score to the DoD?

Bastion doesn't connect to any DoD system. Transcribe the values from the SPRS worksheet into SPRS via PIEE yourself.

FAQ — Conditional status

Am I eligible for conditional status?

You need a score of ≥ 88 (80% of 110) and zero open gaps that aren't POA&M-eligible. The Handoff tab reports your state as Final, Conditional eligible, or Not yet eligible. See conditional status.

It says "Not yet eligible" but my score is above 88 — why?

You have one or more open gaps that can't be POA&M'd (a 3-/5-point control or one of the explicitly ineligible controls). Those block conditional status until fully met. Check the "Must be fully met before award" list on the Handoff tab.
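
The POA&M and conditional-status rules from the two FAQ sections above, combined into one check. This is an added example, not Bastion's code: the control weights in SAMPLE are constructed values, and treating unassessed controls as "Not yet eligible" and "Final" as every control Met are assumptions.

```javascript
// Added example, not Bastion's code. Rules come from this page; the weights in
// SAMPLE are constructed, and "Final" is assumed to mean every control is Met.
const MUST_BE_MET = new Set(['3.1.20', '3.1.22', '3.12.4', '3.10.3', '3.10.4', '3.10.5']);
const DAY_MS = 24 * 60 * 60 * 1000;

function evaluate(controls, assessmentDate) {
  let score = 110;
  let unassessed = 0;
  const poam = [];
  const blocking = [];
  for (const c of controls) {
    if (c.status === 'not-assessed') { unassessed += 1; continue; }
    if (c.status === 'met') continue;
    // 'partial' and 'not-met' both deduct the full weight (no partial credit).
    score -= c.weight;
    // Only 1-point gaps that are off the ineligible list may go on a POA&M.
    // Control 3.13.11 (the FIPS special case) is not modelled here.
    const eligible = c.weight === 1 && !MUST_BE_MET.has(c.id);
    (eligible ? poam : blocking).push(c.id);
  }
  let state = 'Not yet eligible';
  if (unassessed === 0 && blocking.length === 0) {
    if (poam.length === 0) state = 'Final';
    else if (score >= 88) state = 'Conditional eligible';
  }
  // POA&M items must close within 180 days of the assessment date.
  const closeBy = new Date(assessmentDate.getTime() + 180 * DAY_MS)
    .toISOString().slice(0, 10);
  return { score, provisional: unassessed > 0, state, poam, blocking, closeBy };
}

// Constructed sample: score stays above 88, yet 3.1.20 blocks conditional status.
const SAMPLE = [
  { id: '3.1.1', weight: 5, status: 'met' },
  { id: '3.1.3', weight: 1, status: 'partial' },
  { id: '3.1.20', weight: 1, status: 'not-met' },
];
```

With SAMPLE the score is 108 but the state is "Not yet eligible", because 3.1.20 is on the must-be-met list; once it is Met, the remaining 1-point gap moves the state to "Conditional eligible".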

FAQ — Evidence & integrity

Does attaching a file upload it anywhere?

No. The file is hashed in your browser and the bytes are discarded; only filename, size, and SHA-256 are kept. Nothing is transmitted. See the evidence vault.

How do I re-verify a file's hash later?

A one-click re-verify is on the roadmap. For now, re-hash the file with shasum -a 256 yourfile and compare it to the hash shown on the evidence item or in the evidence index. A match means it's unchanged.

How does a recipient verify a handoff bundle wasn't altered?

Remove the final "Package integrity (SHA-256)" line, re-hash the remaining content, and compare to the recorded hash. See the integrity hash.

FAQ — Export, import & reset

How do I back up my assessment?

Data tab → Export assessment (JSON). That file is your save. Import it later via Import assessment (JSON). See Backup & restore.

How do I move my work to another computer?

Export the JSON, copy it across your secure channel, then import it into a profile on the other machine.

How do I reset or wipe a profile?

Data tab → Reset this profile (confirm the prompt). This erases that profile's assessment, org, history, planned items, affirmation, level, and triage. Export first if you might want it back. To remove a whole profile, use Delete in the profile bar (you must keep at least one profile).

Can I assess more than one system?

Yes. Create multiple profiles (profile bar → + New). Each has its own independent assessment, score, evidence, and artifacts.

FAQ — What Bastion is

Does using Bastion make me CMMC certified?

No. Bastion is a self-assessment and preparation aid. Official Level 2 certification comes only from an accredited C3PAO. See the disclaimer.

Is my data sent to Bastion or anyone else?

No. There is no backend, no account, and no telemetry. Everything stays in your browser. See Security & privacy.

Is there an L1 attestation export?

Not yet — a dedicated L1 attestation export is on the roadmap. L1 users can still run the assessment and export the executive/full reports and JSON.

Not a certification / not legal advice

Bastion is an independent self-assessment and preparation aid. It is not an official CMMC assessment, it does not issue or guarantee any CMMC certification, and it is not legal advice.

Official CMMC Level 2 certification is performed only by an accredited C3PAO. Bastion is not a C3PAO and is not affiliated with, endorsed by, or sponsored by Boeing, the U.S. Department of Defense, the Cyber AB, or any C3PAO. The scoring, conditional-status, POA&M-eligibility, and affirmation behavior summarized in this Help Center paraphrase the DoD Assessment Methodology, 32 CFR 170.21, and 32 CFR 170.22 — always confirm against the source regulations, your actual contract clauses (DFARS/FAR), and an authorized assessor. The 48 CFR final rule was published Sept 10, 2025; CMMC Phase 1 began Nov 10, 2025; mandatory Level 2 C3PAO certifications phase in starting ~Nov 10, 2026.
