Navigating the Drone Divide: NDAA, Blue, Green Compliance & the Rise of Alternative Suppliers

DJI sunset

Next year, 2025, there will be two types of drone business in America: those that have considered alternatives to DJI and Autel and those that have put their heads in the sand.

The clock is ticking for agencies to prove and promulgate facts that show that DJI and Autel present no security threat. If they don’t, at the tail end of 2025 companies that didn’t care will be scrambling for new drones and answers.

Language around the drones that will be compliant should Autel and DJI be banned is confusing. For that reason I have prepared a rough guide to the terms here on the last day of 2024.

The water has been muddied with Donald Trump Jr joining the board of a company that is doing its best to sell to the military with NDAA flight controllers. But don’t be fooled: it’s important to note that they have not designed anything. Not the hardware or software; they are dependent on other people’s work. If the slider moves towards higher standards they will have to move to meet them. Of course, with a President in your pocket, NDAA, Blue and Green standards might stay lower for the next four years.

NDAA is around because of these worries:

Foreign Influence: A major driver behind the various drone-related regulations is the fear of foreign influence and control, particularly from China. The US government seeks to minimise reliance on potentially compromised technology. The “American Security Drone Act of 2023” reflects this by prohibiting government purchase card use for drones from identified “covered foreign entities”.

Data Security & Vulnerabilities: Concerns exist that foreign-made drones could be used for data collection, espionage, or to create backdoors into critical systems. The focus on cybersecurity in both the “Blue UAS” and “Green UAS” programs demonstrates this.

Critical Infrastructure: The wide use of drones in essential sectors, from critical infrastructure inspection to emergency response, raises security risks and calls for robust cyber security to prevent vulnerabilities.

NDAA Compliance:

Definition: NDAA compliance stems from Section 848 of the Fiscal Year 2020 National Defense Authorization Act (NDAA). It restricts the Department of Defense (DoD) from purchasing drones and drone components manufactured in certain foreign countries (primarily China, Russia, Iran, and North Korea) or by companies based in these countries.

Key Components: Compliance focuses on vital components such as “flight controllers, radios, data transmission devices, cameras, gimbals, ground control systems, operating software, and data storage”.

Supply Chain Security: The objective of NDAA compliance is to ensure supply chain security. This extends to ensuring that components aren’t sourced from untrusted entities.

Expansion: As of October 2024, these NDAA restrictions are expanding to include private companies undertaking contracts for the DoD.

The Blue program addresses all of these to a higher level.

Blue UAS Program:

DoD Initiative: The Blue UAS program is run by the Defense Innovation Unit (DIU) and aims to verify and scale secure commercial drone technology for the DoD. This helps simplify the DoD’s secure drone procurement process.

Stringent Security: Blue UAS certification involves rigorous cybersecurity assessments and supply chain security reviews in addition to verifying NDAA compliance.

Offline Operation: Blue UAS drones are often “offline” (i.e. not connected to the internet), which is a strong security measure but could limit the functionality of these drones in certain civilian sectors.

These people are holding the hoops that companies have to jump through for Blue UAS.

DIU (Defense Innovation Unit):

Facilitating Commercial Tech: DIU is a critical link for commercial tech companies seeking to work with the DoD. They aim to “minimize upfront costs” and “reduce the time to award.” They provide a streamlined approach that includes rapid decision-making and scalable prototyping contracts. They focus on addressing the current needs of their DoD partners.

Solicitation Process: Companies need to respond to specific solicitations on DIU’s website to work with them.

Agile Processes: DIU’s agile processes, contract authorities, and expert team help accelerate paths to revenue for companies.

The next one is a bit of a land grab from AUVSI, an organisation that had DJI on its board, happily took their shilling and now thinks otherwise.

Green UAS Program:

AUVSI scheme: Green UAS was developed to address non-DoD agencies, state and local governments, and private sector entities that require secure drones but might not require the stringent requirements of the Blue UAS.

Flexibility: Unlike Blue UAS, Green UAS permits more flexibility, including allowing internet connectivity, live streaming, and software updates, which are important features for commercial drone operators.

Cybersecurity Focus: Green UAS certification still adheres to strict cybersecurity and supply chain standards. AUVSI is responsible for the administration and certification for this program.

NDAA Compliance: Green UAS drones are also NDAA compliant, ensuring they meet similar supply chain requirements. Green UAS represents an “essential middle ground”, providing secure options for non-military users that require security and supply chain integrity without overly restrictive standards.

AUVSI (Association for Unmanned Vehicle Systems International):

Trusted Cyber Program: AUVSI’s Trusted Cyber Program has worked with DIU since 2022, collaborating to build shared commercial cyber standards.

Administering Green UAS: AUVSI administers the Green UAS certification program, providing an assessment and certification framework for commercial drones. This makes it a more affordable alternative to Blue UAS certification, mainly for non-DoD customers.

Non-Profit: AUVSI is a non-profit organization, but it does charge a fee for the certification in order to offset investment costs.

Bridge to Blue: Green UAS-certified companies may have an opportunity to opt-in to data sharing with DIU through AUVSI, making a smoother pathway for transition to the Blue UAS Framework list.

An important thing to have in the back of your mind.

The American Security Drone Act of 2023:

Prohibitions: Section 1826 states “Government-issued Purchase Cards may not be used to procure any covered unmanned aircraft system from a covered foreign entity”.

Covered Foreign Entity: The Act defines “covered foreign entities” as those on the Consolidated Screening List, entities subject to foreign government direction, those deemed a national security risk, entities domiciled in or controlled by China, and subsidiaries/affiliates of these entities.

Covered Unmanned Aircraft Systems: This term references the definition in section 44801 of title 49 of the United States Code.

Effective Immediately: The prohibition took effect immediately when the act was signed.

Cyber Security Frameworks:

Frameworks: Green UAS certification is measured against 4 main areas: corporate cyber hygiene, product & device security, remote operations and connectivity, and supply chain risk management.

Cyber Hygiene: Covers a company’s cyber security strategy including alignment with standards like ISO and NIST.

Device Security: Ensures drones and components are designed and manufactured to protect data supporting operations.

Remote Operations: Ensures command and control is only conducted by authorized operators and transmitted data is protected.

Supply Chain: Includes physical vulnerability assessments, bill of materials review, and NDAA compliance verification.

This is the one that everyone has been getting their knickers in a twist over; some say it’s defeated, some say it’s still coming.

The Countering CCP Drones Act:

House Approval: The act, which seeks to add DJI to the FCC’s Covered List, passed in the House.

FCC Covered List: Inclusion means new DJI drones would be banned from operating on US communication networks.

Senate Review: Currently under review by the Senate as part of the NDAA for 2025.

Reasons: The act is based on national security concerns including data collection, backdoors and the potential disruption of critical infrastructure. It is also based on the economic need to reduce reliance on Chinese tech.

If you are a commercial operator, or fancy becoming one in America, start following the words. You might just need them.

