Federal security managers expect that most federally run systems are actively engaged in FISMA compliance to protect federal data and systems. However, as we all know, federal information does not remain only in federally operated systems. Data and IT systems connect via the internet and other networks for business, operations and research. Information about citizens, banking and finance, research and development, and many other federally connected systems transmit data outside the federal networks, and outside their security compliance standards. So it makes sense that FISMA would adapt to address more than the original scope of perceived threats and specifically address the systems and data that inter-agency networks, vendors, contracts and supply chains put at risk.
In plain English, any company or organization that contracts with the federal government and handles, processes or stores sensitive types of government information must comply with the security controls described in NIST SP 800-171. This requirement affects a range of "external service providers," including state and local governments, non-profits, materials vendors and systems integrators. The effective date was 2017.
"Controlled Unclassified Information" (CUI) is a category of information that covers anything the government considers non-public or sensitive but not classified. This information used to be known as "Sensitive but Unclassified" (SBU). SBU became CUI as part of government-wide efforts to better mark, manage and address risks to this information.