NIST 800-171: Protect CUI, Prove It, Score It
Fintra maps the 110 practices that protect Controlled Unclassified Information onto real controls, helps you build the SSP and POA&M, and organizes the evidence behind your SPRS self-assessment.
What NIST 800-171 is
NIST SP 800-171 specifies 110 security practices, across 14 control families, that non-federal organizations must implement to protect Controlled Unclassified Information (CUI). It is required by DFARS 252.204-7012 for many DoD contractors and underpins CMMC Level 2. Contractors self-assess and post a score to the Supplier Performance Risk System (SPRS), with a Plan of Action & Milestones for gaps.
Who needs NIST 800-171
- DoD contractors and subs handling CUI under DFARS 7012
- Suppliers building toward CMMC Level 2, which is based on 800-171
- Organizations receiving CUI from federal civilian agencies
- Companies that must post and defend an SPRS self-assessment score
The 14 families
| Family (sample) | Focus | Fintra domain |
|---|---|---|
| Access Control | Least privilege, remote access | Access Control, Identity & MFA |
| Audit & Accountability | Logging and review | Logging & Monitoring |
| Configuration Management | Baselines and change control | Change Management |
| Incident Response | Detect, report, respond | Incident Response |
| System & Comms Protection | Encryption, boundary defense | Encryption, Network Security |
How Fintra helps you prepare
- Map all 110 practices across the 14 families to the canonical control library
- Reuse SOC 2 and ISO 27001 evidence for overlapping practices
- Draft the SSP and maintain a live POA&M for open gaps
- Track evidence freshness so your SPRS score reflects the real, current state
The AI angle: governed actions become NIST 800-171 evidence
Vanta and Drata watch your cloud config; Fintra also governs the AI agents and automations acting inside your business. For every action, the Policy Decision Point returns a verdict - allow, allow-with-logging, step-up, human-review, or recommend-block - with an Action Trust Score and reason, and writes it to a tamper-evident evidence ledger. The decision layer is what produces the NIST 800-171 evidence proving your controls operated; actual gating happens where you wire a Policy Enforcement Point (for example, the Fintra MCP tool-call boundary).
- Policy decisions (allow / step-up / human-review / recommend-block) recorded as evidence, not just logs
- An Action Trust Score per actor, so an agent that drifts loses standing before it causes a finding
- Decision Intelligence: an auditor-grade explanation of why any single action got the verdict it did
- Hash-chained ledger you can verify, so evidence can be shown to be untampered
Frequently asked questions
Does Fintra calculate my SPRS score?
Fintra organizes the practice-by-practice status and evidence that your SPRS self-assessment is based on, so the score you post is defensible and current. You submit the score to SPRS; Fintra keeps the underlying assessment honest and up to date.
How does 800-171 relate to CMMC?
CMMC Level 2 is an assessed implementation of NIST 800-171’s 110 practices. Building 800-171 readiness in Fintra directly advances your CMMC Level 2 position.
Is 800-171 seeded?
It is framed as prepare-for. Fintra maps the practices and reuses seeded SOC 2 / ISO 27001 controls for the overlap, but the full 800-171 catalog is not seeded like our core frameworks, and no certification is implied.
Does Fintra replace my auditor or assessor?
No. Fintra is the control, policy, and evidence layer - it makes your program continuously audit-ready and cuts preparation from weeks to days. The audit, certification, or attestation itself is still performed by an independent, qualified auditor, assessor, or authorizing body.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.