Defense contractors unsure how to comply with DoD cyber regs, says report


Photo Credit: Airbus

A requirement for contractors with Department of Defense facility security clearances to create a written insider threat program plan has left those affected with unanswered questions, according to a report by international law firm Crowell & Moring LLP.

In the firm’s third annual regulatory outlook, “Regulatory Forecast 2017: What Trump Means for Business,” Crowell & Moring touch on the opportunities, challenges, risks and reforms in nine focus areas.

A key takeaway in cybersecurity regulation is contractors must proactively engage with the DoD’s Defense Security Service to avoid compliance issues with the amended National Industrial Security Operating Manual.

The five minimum requirements for the insider threat program are that a senior official be designated to establish and execute it; a written implementation plan be developed; “relevant and credible information” regarding potential insider threats be reported; managers and all cleared employees must go through training with annual refreshers; and information security controls must be on classified information systems to monitor activity.

However, questions linger about plan logistics, content and training and how to implement a program consistent with legal, civil liberties and privacy policies. Therefore, privacy experts should be key advisors early and often when crafting a program, says Crowell & Moring partner Adelicia Cliffe.

Additionally, interdisciplinary teams could assist collaboration across management, legal and technical groups. Resources to comply and monitor compliance could be significant, so should be planned for in advance. Subcontractors, vendors and other business partners could also provide an avenue to sensitive material, so contractors should consider extending training programs to third parties. And contractors should use the program as a reason to review and upgrade their current IT, security policies and security procedures.

Because of the developing regulations and standards being imposed by governments, as well as the fear of increasingly sophisticated cyberattacks and litigation, Crowell & Moring sees cybersecurity shifting to a team focus that includes risk managers, lawyers and CEOs alongside IT professionals. 

The entire report, which looks at how the new administration, Congress and the federal courts are reshaping the regulatory state and impacting businesses, can be downloaded on

The firm will also be hosting an ongoing webinar and podcast series to discuss the impact on business of the Trump administration’s first year, focusing on developments in four topics:

  • Defending America — Borders, Homeland & National Security;
  • Deconstructing the “Administrative State;”
  • The Nation’s Health Care; and
  • Restoring American Jobs & Infrastructure.

It will launch May 24 and be hosted at