DOD REMINDS CO’S/INDUSTRY ON SECURITY STANDARDS ALREADY IN PLACE

Waiting for CMMC implementation to secure your network?  The Department of Defense recently reminded its contracting officers, and by extension contractors, that there are already requirements in place mandating secure standards for covered contractor information systems.  The memo was meant as a “reminder” to contracting officers, meaning that contractors can expect to see increased oversight in this area very soon.

One existing clause, DFARS 252.204-70, requires contractors to provide adequate security on covered contractor information systems and has been in place since October 2016.  Additional rules that have since been implemented have put more teeth into those requirements.  Among those was a November 2020 interim rule that requires DOD agencies to include DFARS 252.204-7020 in most contracts and task orders.  This clause requires contractors to post self-assessment scores regarding compliance with the National Institute of Standards and Technology (NIST) SP 800-171.  Even if the relevant clause is not in the contract or task order, the DOD memo states that contractors are still required to implement all NIST SP 800-171 requirements, or to have a plan of action and milestones for each requirement not yet implemented.  It is contractor failure to take steps to ensure compliance with this standard that led to the creation of CMMC.

Contractors absolutely do need to pay attention to security requirements in their contracts, whether selling to DOD or any other agency.  Similarly, they should remember that the government has the ability to check for compliance with these standards, just as with any contract provision.  Contractors found to not be in compliance will likely face adverse action.  This could include contract or task order termination.  Make sure your company understands its security compliance responsibilities.