JUNE 12, 2023
This article from the US has important implications and transferability to Australia.
As government policies and rules on drones proliferate, drone buyers confront a sea of security focused phrases, from “NDAA compliance” to “Blue UAS” and beyond. This blog answers the key questions we hear the most:
- What type of secure drone do I need?
- What is the Blue UAS list and is it the same as NDAA compliance?
- I was told to get a drone from the Blue List – what does that mean?
- What if it is an American made drone?
- If the drone has some parts from China, or says “Made in China”, can it still be compliant?
Before we go further, a couple of caveats. 1) This isn’t meant to be legal advice, and 2) it only covers developments in the U.S.
Every federal and state security policy revolves around the same core concern: our geopolitical adversaries are using untrustworthy technology to gain a strategic advantage. In response, policy makers are increasingly taking action by issuing requirements to curb potential threats among drones used within their jurisdiction.
NDAA Compliance: What is it and what does it mean for Unmanned Aerial Systems?
In the drone industry, “NDAA compliance” is shorthand for “supply chain security.” NDAA compliance refers to a federal law prohibiting the U.S. Department of Defense (DoD) from buying drones:
- manufactured in a covered foreign country, or by a company based in a covered foreign country; or
- that use flight controllers, radios, data transmission devices, cameras, gimbals, ground control systems, or operating software manufactured in a covered foreign country or by a company based in a covered foreign country.
That law, Section 848 of the Fiscal Year 2020 National Defense Authorization Act (NDAA), defined a “covered foreign country” to mean China. In 2022, Congress updated the law to include Russia, Iran and North Korea. Recently, Congress extended the law even further to apply to the private sector. Beginning in October 2024, private companies can not use DJI to perform contracts for the Department of Defense.
NDAA compliance is primarily focused on the supply chain–where the drone and its key components are made, and where the manufacturer is based. Importantly, it is not a rule that the drone must be 100% free of all parts from a covered foreign country, only those specifically listed in #2 above.
How does a drone become NDAA compliant? There is no single formal certifying body for NDAA compliant UAS. Companies can self-certify. But one organization has stepped up to make this easier, at least for the DoD.
Beyond NDAA: What it Means to be Blue UAS or on the “Blue List”
To make it easier for military services to buy secure commercial drones, DoD’s Defense Innovation Unit created a program known as Blue UAS. Selection as a Blue UAS drone verifies NDAA compliance. But it doesn’t stop there. In addition to evaluating supply chain security, the Blue UAS program conducts demanding cybersecurity assessments, ensuring approved drones can protect sensitive military information. The result of these extensive assessments yielded the Blue sUAS list, colloquially called the “Blue List.”
NDAA Compliance vs. BlueUAS: Tradeoffs for Takeoff
If you’re a private company or state and local organization, is selecting a drone as easy as reviewing the Blue UAS list, selecting one, and calling it a day? Likely, no.
To meet military-grade security requirements, every Blue UAS must be “offline”, unable to connect to the internet. That requirement makes sense for the military, but for the vast majority of organizations that means an inability to benefit from capabilities that enable live streaming, software updates, and seamless data sharing with systems of record.
Enterprise-grade security is typically enough for most private sector organizations. Skydio’s Security Trust Center can provide examples of the types of enterprise-grade security you should be seeking. Additionally, some organizations have ‘online’ versions of the same drone found on the Blue sUAS list with full NDAA compliance, such as the Skydio X2E.
American-Made Drones: Satisfying Fast-Moving Federal and State Policies
In recent years, federal and state rules on trustworthy drones have multiplied. Those actions began at the federal level. It is federal policy to prevent the use of taxpayer dollars to buy drones made by companies based in China and to “to encourage the use of domestically produced UAS.” Congress has also enacted laws requiring the military and the U.S. Coast Guard to use secure, NDAA-compliant systems. Consistent with overall federal policy, many federal departments have issued their own restrictions on using or funding drones made in China, including the Departments of Interior, Justice and Homeland Security.
States often follow the federal government’s lead on security matters. At least six states have issued their own restrictions on untrustworthy drones by state or local agencies: Arkansas, Texas, Indiana, Mississippi, California, and Florida. Florida also passed a $25M grant program to support agencies transitioning to secure systems in 2023-2024. Although some states impose supply chain security requirements, none require the use of a Blue UAS drone. In general, drones produced domestically by U.S. companies will satisfy state laws.
Outside of companies that do business with DoD, private enterprises generally are not required to follow these federal and state policies. Even so, many organizations, particularly in critical infrastructure sectors, are electing to choose American-made drones for added safety and security. Trustworthy technology is good for business, and knowing your drone purchases will not be grounded by future legislation reduces risk.
Acknowledge to Skydio