Skip navigation

Sié Chéou-Kang CenterPrivate Security Monitor

A press briefing by the Commission on Wartime Contracting in Iraq and Afghanistan


Laws and Regulations

This section contains U.S. federal laws and administrative regulations that regulate private military and security activity, control the government's procurement and use of private military and security services, and subject companies to potential legal liability in U.S. courts. It also contains an explanation of U.S. federal agency use and oversight of private security providers.

Jump to: Federal Laws and Regulations | Agency Regulations | SOFAs | Contracts

Federal Laws and Regulations

This section contains federal statutes and acquisition regulations applicable to private military and security service providers. Even before the industry's rise, the U.S. had laws in place that provided some regulation of contractors providing military and security services, including the Federal Acquisition Regulations (FAR) and additional agency rules to govern contracts with private security firms. The U.S. also had tools for regulating the export of military services through the International Transfer of Arms Regulations (ITAR) of the Arms Export Control Act. This provided a convenient, if cursory, regulatory structure as the industry took off in the 1990s.

However, the explosive growth in the role of military and security contractors in Iraq and Afghanistan revealed that the U.S. lacked the capacity to effectively control the industry—the U.S. government did not have adequate personnel to oversee contracts with various U.S. agencies or export licenses for contracts between PMSCs and foreign governments. In response to several well publicized incidents in Iraq and Afghanistan involving PMSC personnel, the U.S. took note of failures in its regulatory process and proposed a variety of steps to correct them. Congress used its appropriations powers to demand more information about, and affect the legal status of, contractors on the battlefield. Congress also amended various statutes to extend the jurisdiction of U.S. law (and potential legal liability) over persons serving with or accompanying armed forces in the field. A variety of other legislation has been proposed but not yet passed, including some that would limit the kinds of jobs that private contractors can perform. 

Jurisdictional Statutes

There was a problem returning the records.

Procurement Regulations

There was a problem returning the records.

National Defense Authorization Acts

There was a problem returning the records.

Proposed Legislation

There was a problem returning the records.

Agency Regulations

In addition to U.S. and host nation laws, private military and security contractors hired by U.S. government agencies are subject to agency-specific regulations and policy. U.S. federal agencies are endowed with broad policy-making powers and promulgate rules and procedures related to their substantive missions. There are three executive departments that issue rules, policy and regulations concerning PMSCs: the Departments of Defense, Justice, and State. One federal agency created by Congress—USAID—has implementing partners that utilize PMSCs and thus USAID also issues regulations related to the use of private security services. One of the most important agency rules is 32 C.F.R. 159, "Private Security Contractors Operating in Contingency Operations" which implements the statutory requirements of Section 832 of NDAA 2011. In July 2012, the DOD proposed an amendment to the FAR to implement these requirements government-wide and establish minimum processes and requirements for the selection, accountability, training, equipping, and conduct of personnel performing private security functions outside the U.S. 

To supplement departmental rules, U.S. government agencies have attempted to coordinate their use of PMSCs through Memorandums of Understanding in 2007, 2008, and 2010. Those MOUs can be found below. Other federal agencies tasked with oversight of agency activity have weighed in too, issuing audits, reports, and recommendations about PMSCs to assist government decision-makers. The output of oversight agencies can be found in the section U.S. Research and Oversight Bodies.  

Department of Defense

The U.S. Department of Defense (DOD) has employed more private military and security contractors than any other U.S. government agency. Publicly available instructions, policy and initiatives to manage PMSCs in support of DOD operations appear on the dedicated Department of Defense page of the Private Security Monitor site. 

Department of Justice

The International Criminal Investigative Training Assistance Program (ICITAP) is an office within the Criminal Division of the Department of Justice (DOJ) that provides training for foreign law enforcement agencies in new and emerging democracies and assists in the development of police forces relating to international peacekeeping operations.
Since its creation in 1986, ICITAP has conducted training programs in numerous countries throughout the world, including Haiti, Bosnia, Kosovo and Iraq. Because ICITAP performs the majority of its work in foreign countries, it utilizes a combination of federal employees and contractor support.

On March 28, 2011, the DOJ awarded an ICITAP program support contract to the private security company MPRI. MPRI previously held a contract with the DOJ to perform similar services. Under the new contract, MPRI contractor personnel will furnish administrative, logistical, professional, and technical labor. The contract includes a base period of performance of one year with six additional option periods of one year each for a total period of performance of seven years. Although the contract is not public, the government-issued Statement of Work is available, and it provides insight into the security sector training and capacity-building work MPRI will perform.

The contract with MPRI likely includes terms to control and constrain MPRI's operations. This is known by reference to the publically-available Request for Proposals that was issued by the DOJ when it was seeking contractors to carry out ICITAP training. The DOJ will monitor contract compliance and MPRI's compliance with applicable U.S. laws.

As an additional precaution, ICITAP's contractor personnel are also vetted by the DOJ Criminal Division's security program staff before they are authorized to participate in any program activity. However, this has not always been a successful safeguard. In 2003, ICITAP, at the request of the DOD, established a program through which it provided subcontractor advisors and trainers to assist with the reconstruction and development of the Iraqi police and prison systems. The program was paid for by the Department of State. Contractors involved in the Iraq ICITAP program were accused of misconduct, and U.S. government officials accused the DOJ of failing to properly screen its contractors. The report on these findings, issued by the DOJ Office of Inspector General, A Review of ICITAP's Screening Procedures for Contractors Sent to Iraq as Correctional Advisors (February 2005) reviews the procedures in place at the time and provides a glimpse into ICITAP's use of contractors.

Other information about ICITAP contractors could not be found. For more information about ICITAP generally, visit the ICITAP website.

Department of State

The Bureau of Diplomatic Security of the State Department is responsible for the protection of State Department personnel and facilities in the U.S. and abroad. The State Department has become increasingly reliant on the private sector; approximately 90 percent of all Diplomatic Security personnel are contractors. In addition to hiring contractor protective service details for U.S. and foreign government high-level officials, the State Department uses security contractors to protect embassies, other government offices, and U.S. installations abroad.Information about how the State Department oversees its private security contractors appears on the dedicated State Department page of the Private Security Monitor site. 

Department of Commerce

The Department of Commerce and the Department of State jointly provide oversight and controls for United States export regulations. The two agencies exercise separate jurisdiction over categories and types of products, and carry out the work through their specific administrative divisions tasked with export control. Particularly relevant to U.S. private military and security companies operating abroad are the regulations covering "dual use" items, commercial items that could have military applications -- items like truck parts, electronic components and computers.

The Department of Commerce oversees its area through the Bureau of Industry and Security (BIS), which ensures effective export control by enforcing U.S. Export Administration Regulations. In the area of dual-use export controls, the Bureau will vigorously administer and enforce such controls to stem the proliferation of weapons of mass destruction and the means of delivering them, to halt the spread of weapons to terrorists or countries of concern, and to further important U.S. foreign policy objectives.

The Department of State's Directorate of Defense Trade Controls (DDTC) has jurisdiction over defense articles and services. This includes rifles and handguns and certain optical sighting devices.

The current system operates using two separate 'control lists' from each agency, each with different approaches to identifying and controlling products. The Department of State administers the Munitions List, which includes items specifically designed for military applications and uses fairly broad and general terms. The Commerce Department administers the Commerce Control List, which is a far more specific list of mostly dual use items.


The U.S. Agency for International Development (USAID) is an independent agency that provides economic, development and humanitarian assistance around the world in support of the foreign policy goals of the United States. To carry out its mission, USAID operates in countries recovering from conflicts or disasters, and contracts with other U.S. agencies, international organizations, and the private sector to provide humanitarian assistance and aid. These entities, called "implementing partners" by the USAID, often procure security services from private companies to assist with operations in complex environments. Thus, USAID does not usually maintain any direct contracts with private security companies, and implementing partners have primary oversight responsibilities for their security providers. Nevertheless, in managing its contracts and grant agreements, USAID has some degree of oversight for private security activities. And, in recent years, the U.S. Congress has mandated that USAID change its "hands off" approach and adopt regulations for PMSCs employed by implementing partners. 

Oversight by Contract

Pursuant to clause 44.2 of the Federal Acquisition Regulations contracting agencies must consent to the use of subcontractors. Therefore, when a USAID implementing partner seeks to subcontract a security provider, a USAID contracting offer must provide or deny consent for this action after an independent review of the subcontractor and its business practices (see FAR 44.202-2). Additionally, as of March 2008, FAR clause 52.225-19must be included in contracts that require contractor personnel to perform outside the U.S. in support of a diplomatic mission designated as a danger-pay post. The clause provides general and specific operational requirements for security contractors, including use of force, uniform specifications, and compliance with all applicable U.S. and host nation laws and regulations. Because USAID operations in Iraq and Afghanistan are part of the missions defined in clause 52.225-19, these requirements are to be included in all USAID contracts with implementing partners.

Oversight Required by Federal Law

Sections 861 and 862 of the National Defense Authorization Act for Fiscal Year 2008, as amended, require USAID and other federal agencies to undertake significant reforms related to contracting in Iraq and Afghanistan. NDAA FY 2008 section 861 directed the Secretaries of Defense and State and the Administrator of USAID to execute a memorandum of understanding about interagency cooperation on security contracting procedures, the establishment of a common database to track contractor personnel, and accountability for government PMSCs. This MOU was effectuated in July 2008. NDAA FY 2008 section 862 required future government contracts for security services to contain clauses on the selection, training, equipping, and conduct of personnel performing private security functions. Agencies were also required to establish a system for incident reporting.

In addition, 32 CFR Part 159.4(c), Private Security Contractors Operating in Contingency Operations, 11 August 2011 required the Chief of Mission in a designated area of combat to issue Mission-wide instructions for non-DOD PMSCs.

According to reports by the USAID Office of Inspector General, the requirements of NDAA FY 2008 and 32 CFR 159 have not been fully implemented in Iraq or Afghanistan. In Afghanistan, USAID/Afghanistan has drafted but not yet issued instructions to oversee the qualifications and conduct of all private security contractors employed by the Agency. Moreover, no standardized process for incident reporting exists. In Iraq in 2008, USAID/Iraq issued a Mission-wide notice to all contractors specifying incident reporting procedures. Existing contracts were amended to reflect this new policy. However, the USAID OIG reported that this notice does not comply with the incident reporting requirements of NDAA FY 2008 or 32 CFR Part 159.4(c).

U.S. Agency Memorandums of Understanding

There was a problem returning the records.

Status of Forces Agreements

A U.S. Status of Forces Agreement (SOFA) is entered into by the president with a foreign government to set the legal protections and rights of U.S. military forces and Department of Defense personnel operating in that foreign country. These agreements are entered into during peacetime and war. The U.S. has more than 100 agreements with other countries that may be considered SOFAs, though some are classified.

To learn more about the U.S. SOFAs, read the U.S. Congressional Research Service report Status of Forces Agreement (SOFA): What Is It, and How Has It Been Utilized? by R. Chuck Mason (5 January 2011).


The U.S. is participating in two military operations in Afghanistan, with separate mandates and SOFAs for each operation. U.S.-led coalition forces and personnel that are part of the 2001 "Operation Enduring Freedom" are covered by an exchange of notes between the U.S. government and Afghanistan. Personnel of the International Security Assistance Force (ISAF), a NATO-led coalition, are covered by a Military Technical Agreement concluded between ISAF and the Afghan government.


There was a problem returning the records.


There was a problem returning the records.


In the initial period following the US invasion of Iraq agreements in place exempted contractors from Iraqi laws and legal processes. Those agreements have by superseded by the U.S.-Iraq Withdrawal Agreement, under which contractors are subject to the jurisdiction of Iraqi authorities and courts. The Withdrawal Agreement is commonly referred to as the SOFA between the United States and Iraq.


There was a problem returning the records.


The relationship between private military and security companies and their clients is usually set forth in a contract, unfortunately few contracts are publicly available. Some general information about contractual arrangements is already online, particularly from the Department of Defense. The DOD discloses all contracts valued at 6.5 million dollars or more, but the legal documents for each contract are rarely posted.  

Many of the contracts currently available are the result of Freedom of Information Act requests by think tanks,  investigative NGOs and the media (for example, the Center for Public Integrity). A listing of publicly available U.S. government contracts is below.

Department of State Contracts

There was a problem returning the records.

Department of Defense Contracts

There was a problem returning the records.