Securing the Skies: Landmark Proposed Rule Contains New Security Requirements for Expanded Commercial Drone Deployments
Client Alert | 8 min read | 09.24.25
The Transportation Security Administration (TSA) recently proposed an expanded role regulating unmanned aircraft systems (UAS), or drones. On August 7, 2025, the Federal Aviation Administration (FAA) and TSA published a joint Notice of Proposed Rulemaking (proposed rule), titled Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations (BVLOS). Through this landmark proposed rule, the FAA and TSA aim to provide industry with a clear path forward for streamlined UAS operations for a variety of purposes, including package delivery, agriculture, aerial surveying, civic interest (public safety), and flight testing. Comments on the proposed rule are due October 6, 2025.
This proposed rule includes TSA-led security measures that will have significant ramifications for the deployment of commercial drones. This is our second alert in a series covering the proposed rule. See our previous alert for a general overview of the proposed rule and where it fits into the world of civil aviation regulation. Stay tuned for additional alerts diving deeper into other key features of this significant rulemaking.
TSA’s Security Mission
Congress created TSA in the aftermath of September 11, 2001, through the Aviation and Transportation Security Act (ATSA), and it later became part of the Department of Homeland Security (DHS). Under ATSA, TSA is broadly tasked with enhancing security for “all modes of transportation” by assessing national security risks, developing security procedures, and enforcing compliance with these procedures.
TSA’s security remit is far-reaching. TSA is often best known for its aviation security mission, but it also plays a key role in surface transportation (public transit, railway systems, and pipelines), and port and maritime security. Among other functions, TSA engages in various forms of cargo screening, conducts passenger identification and personnel background checks, and assists with intelligence coordination and the development of security standards. For example, TSA issued cybersecurity requirements in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) after a 2021 ransomware attack on a pipeline, promulgated security training requirements in 2020 for certain higher-risk freight railroad carriers and bus companies, and conducts background checks on maritime workers who need to access secure areas of ports and vessels.
Drones offer a promising means of quickly transporting goods, among other uses. As their use has expanded, so have related national security concerns. Drones can be used to interfere with manned aircraft, carry illicit or dangerous cargo, and attack critical infrastructure. The proposed rule cites Executive Order 14307, issued on June 6, 2025, which states that “criminals, terrorists, and hostile foreign actors have intensified their weaponization of these technologies, creating new and serious threats to our homeland” and “[d]rug cartels use UAS to smuggle fentanyl across our borders . . . .” According to written testimony submitted by a DHS Acting Assistant Secretary for a 2022 hearing before the Senate Committee on Homeland Security and Governmental Affairs: (1) since 2021, TSA had reported nearly 2,000 drone sightings near U.S. airports (including incidents requiring evasive action by pilots to avoid fatal collisions); (2) since 2019, drone incidents had required airports to fully halt operations three times; and (3) in 2021, drone incidents had caused airports to partially suspend operations over 30 times. According to the testimony, during 2021-2022, the Federal Bureau of Investigation (FBI) identified 235 reports of suspicious drone flights at or near chemical plants in Louisiana, with similar incidents reported in Oklahoma and Texas. More recently, in the fall and winter of 2024, sightings of drone formations on the East Coast prompted a joint investigation by DHS, the Department of Defense, and the FBI, alongside significant public concern.
Until now, TSA’s security efforts related to drones have focused primarily on screening drones at airport checkpoints and Counter-Unmanned Aircraft Systems (C-UAS) operations. But lawmakers on both sides of the aisle have expressed the importance of ensuring that security and innovation go hand in hand. In fact, the House Committee on Transportation and Infrastructure recently approved bipartisan legislation that would, if enacted, reauthorize and expand C-UAS authorities for DHS, the Department of Justice, and FAA. This proposed rule marks a key step forward in TSA’s efforts to enhance its oversight of security in commercial drone operations in collaboration with FAA and industry.
TSA’s Role in Proposed Rule
The proposed rule lays out two key security-related roles for TSA: (1) vetting key personnel through security threat assessments and (2) establishing standard security programs for package delivery operations.
(1) Security Threat Assessments
TSA proposes to conduct security threat assessments (STAs) of certain covered persons that are most integral to the security of drone operations. Because individuals with malicious intent in these positions could cause some of the greatest damage, TSA proposes that they be vetted through a so-called Level 3 STA, which includes a check against criminal history, immigration, and intelligence-related databases and watchlists. As in other vetting services that TSA provides for the FAA, the FAA will then use these assessments to deny or revoke UAS operating certificates, as applicable. Covered persons would be required to renew their STAs as needed or risk removal from their positions.
The proposed rule does not define different tiers of threat assessments, but a DHS Privacy Impact Assessment (PIA) of a different proposed rule on the vetting of certain surface transportation employees, from 2023, describes three tiers of STAs that could be the basis of the proposed rule’s approach. The tiers build upon each other. A Level 1 STA is limited to screening against government watchlists, a Level 2 STA includes Level 1 screening as well as an immigration status check, and a Level 3 STA also includes a criminal history check.
The scope of covered persons in the proposed rule includes operations supervisors and flight coordinators, those with unescorted access to the UAS, unescorted individuals involved in cargo loading and transport on the UAS, and those with unescorted access to the control or flightpath of the UAS. TSA and FAA specifically invite comments on this list, particularly as to whether individuals who own or control corporate entities conducting BVLOS operations should be included. As a related example, TSA notes that STA requirements currently exist for owners of indirect air carriers (companies that arrange movement of air cargo on behalf of shippers but do not operate aircraft themselves).
While it appears the enrollment process for the STA will be solidified further in the final rule, the proposed rule suggests that applicants will undergo the assessment at a TSA enrollment center by providing certain required information about their identity and background.
TSA estimates overall fees of $244 per required Level 3 STA, with an estimated 1.5 hours needed to undergo vetting. TSA is required by law to collect fees to recover all costs of the vetting process.
(2) Security Programs for Package-Delivery Operations
TSA cites significant national security considerations regarding drone package deliveries, including potential abuse by drug cartels, criminals, terrorists, and hostile foreign actors. As a result, the rule proposes requiring operators to obtain TSA approval of their security programs. In the proposed rule, TSA offers a glimpse of requirements that might be included in a TSA-approved security program. TSA would work with operators who already have security programs to identify any necessary modifications.
There is precedent for these security programs in TSA’s current regulatory structure. Domestic and foreign carriers to and from the United States have long been required to utilize TSA-approved security programs. Operators can request amendments to TSA’s standard security program, and TSA can grant exemptions. A summary of TSA security program requirements for cargo and airlines can be found on TSA’s website. In the proposed rule, TSA indicates that (1) it may expand this requirement to other BVLOS activities in its final rule, and (2) it would consider limiting the scope of regulated package delivery systems by intended use, payload, range, or other limiting factors.
TSA has not provided a cost estimate for adoption of a limited security program because the needed program will differ based on the entity and activity at issue.
Key Takeaways
- Submit a Comment: Comments are due by October 6, 2025. The FAA and TSA encourage stakeholders to provide input on operational requirements, technical standards, risks, and regulatory burdens. The public comment period is a significant opportunity to provide industry expertise on drone operations, raise any concerns about proposed requirements, and seek clarification of undefined or unclear terms.
- Know The Stakeholders: Although this is a joint proposed rule, the agencies plan to concurrently issue separate final rules. A final rule is expected in January or February 2026, and stakeholders should monitor official statements for any relevant timeline updates. The timeline—plus the joint issuance of the proposed rule with language citing the agencies’ continued cooperation—underscores the importance of considering the various stakeholders in crafting effective feedback on the rulemakings. Moreover, interagency review conducted by the Office of Information and Regulatory Affairs (OIRA) affords an opportunity for federal government stakeholders other than the authoring agencies to weigh in on the rulemakings. And, once rules are under OIRA review, interested parties can request a meeting with OIRA under Executive Order 12866.
- Account for Security Risks: Ensuring the security of UAS operations will likely remain a government priority in light of the growing national security concerns raised by UAS operations and strong focus on those concerns by both the legislative and executive branches. Stakeholders weighing in on this proposed rule should account for policymakers’ prevailing view of these security risks when preparing their comments.