Compliance Frameworks

NIST 800-171: Protect CUI, Prove It, Score It

Fintra maps the 110 practices that protect Controlled Unclassified Information onto real controls, helps you build the SSP and POA&M, and organizes the evidence behind your SPRS self-assessment.

Talk to usFree to start - no card required.

What NIST 800-171 is

NIST SP 800-171 specifies 110 security practices, across 14 control families, that non-federal organizations must implement to protect Controlled Unclassified Information (CUI). It is required by DFARS 252.204-7012 for many DoD contractors and underpins CMMC Level 2. Contractors self-assess and post a score to the Supplier Performance Risk System (SPRS), with a Plan of Action & Milestones for gaps.

Who needs NIST 800-171

  • DoD contractors and subs handling CUI under DFARS 7012
  • Suppliers building toward CMMC Level 2, which is based on 800-171
  • Organizations receiving CUI from federal civilian agencies
  • Companies that must post and defend an SPRS self-assessment score

The 14 families

Family (sample)FocusFintra domain
Access ControlLeast privilege, remote accessAccess Control, Identity & MFA
Audit & AccountabilityLogging and reviewLogging & Monitoring
Configuration ManagementBaselines and change controlChange Management
Incident ResponseDetect, report, respondIncident Response
System & Comms ProtectionEncryption, boundary defenseEncryption, Network Security
NIST 800-171 families and Fintra mapping

How Fintra helps you prepare

  • Map all 110 practices across the 14 families to the canonical control library
  • Reuse SOC 2 and ISO 27001 evidence for overlapping practices
  • Draft the SSP and maintain a live POA&M for open gaps
  • Track evidence freshness so your SPRS score reflects the real, current state

The AI angle: governed actions become NIST 800-171 evidence

Vanta and Drata watch your cloud config; Fintra also governs the AI agents and automations acting inside your business. For every action, the Policy Decision Point returns a verdict - allow, allow-with-logging, step-up, human-review, or recommend-block - with an Action Trust Score and reason, and writes it to a tamper-evident evidence ledger. The decision layer is what produces the NIST 800-171 evidence proving your controls operated; actual gating happens where you wire a Policy Enforcement Point (for example, the Fintra MCP tool-call boundary).

  • Policy decisions (allow / step-up / human-review / recommend-block) recorded as evidence, not just logs
  • An Action Trust Score per actor, so an agent that drifts loses standing before it causes a finding
  • Decision Intelligence: an auditor-grade explanation of why any single action got the verdict it did
  • Hash-chained ledger you can verify, so evidence can be shown to be untampered

Frequently asked questions

Does Fintra calculate my SPRS score?

Fintra organizes the practice-by-practice status and evidence that your SPRS self-assessment is based on, so the score you post is defensible and current. You submit the score to SPRS; Fintra keeps the underlying assessment honest and up to date.

How does 800-171 relate to CMMC?

CMMC Level 2 is an assessed implementation of NIST 800-171’s 110 practices. Building 800-171 readiness in Fintra directly advances your CMMC Level 2 position.

Is 800-171 seeded?

It is framed as prepare-for. Fintra maps the practices and reuses seeded SOC 2 / ISO 27001 controls for the overlap, but the full 800-171 catalog is not seeded like our core frameworks, and no certification is implied.

Does Fintra replace my auditor or assessor?

No. Fintra is the control, policy, and evidence layer - it makes your program continuously audit-ready and cuts preparation from weeks to days. The audit, certification, or attestation itself is still performed by an independent, qualified auditor, assessor, or authorizing body.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Defend your SPRS score

Map the 110 practices, draft the SSP, and keep evidence current.

Talk to us