At long last, FAA proposes rule restricting drone operations over critical infrastructure

Background

The NPRM implements Section 2209 of the FAA Extension, Safety and Security Act of 2016 (FESSA), as amended, and is consistent with two Executive Orders issued by the Trump Administration seeking to increase airspace security and transparency while also supporting the growing domestic drone marketplace.  The proposal comes amid a documented rise in security incidents involving rogue drones at critical infrastructure sites, including attempts to disrupt electrical grid infrastructure using modified drones, unauthorized surveillance of chemical and energy facilities, and the use of drones to deliver contraband to correctional facilities. By creating a standardized petition-and-review process, the FAA aims to move beyond ad hoc security measures and establish a durable, transparent framework for protecting the nation's most vital assets from unmanned aircraft threats.

Key Highlights of the Proposed Rule

• Two Types of Restrictions—Standard and Special UAFRs: The NPRM creates two categories of airspace restrictions. A Standard UAFR would function as a “virtual no trespassing sign” that prohibits unauthorized drone operations within a defined lateral boundary and altitude ceiling over a facility, while still permitting certain qualifying operations. In comparison, a Special UAFR would function as a more restrictive designation for particularly sensitive sites—typically federal facilities with a national security nexus—that effectively prohibits all UAS operations except those specifically approved by the requesting agency and the FAA. Both proposed UAFR types carry a maximum five-year duration and must be renewed at least 120 days before expiration. The NPRM also distinguishes between continuous and part-time UAFRs, where continuous UAFRs would be active 24 hours per day, year-round, while part-time UAFRs are proposed to be active 24 hours per day but for no more than 290 consecutive days per year. The part-time UAFR is designed to accommodate facilities with seasonal or intermittent operations, such as outdoor commercial venues.
• Broad Eligibility Across Critical Infrastructure Sectors: To be eligible, a fixed site facility would need to constitute “critical infrastructure” under 42 U.S.C. § 5195c(e) and satisfy sector-specific criteria set forth in new Subpart C of the NPRM. The proposal adopts the sixteen critical infrastructure sectors established by the Department of Homeland Security (DHS) and details specific threshold requirements for each sector. The FAA estimates that approximately 125,000 fixed sites across all sectors may be high-priority candidates for UAFR applications based on the thresholds established in the NPRM.
• Rigorous Application and Demonstration-of-Need Requirements: Applicants would be required to submit detailed information through a web-based UAFR Module, including facility descriptions, legal property boundaries, identification of critical assets vulnerable to UAS threats, and a comprehensive demonstration of need addressing existing UAS traffic patterns, specific vulnerabilities, and the consequences of a successful attack. Facilities would also need to maintain protective security measures, including restricted access, designated security personnel, security monitoring, and the capability to receive broadcast Remote Identification (Remote ID) messages under 14 CFR Part 89. The FAA has published a draft Advisory Circular, “Unmanned Aircraft Flight Restrictions,” in the rulemaking docket proposing detailed instructions on how to submit application information.
• Safe Harbors for Commercial Drone Operations: To enable continued growth of the commercial drone sector, the NPRM establishes "allowed operations" categories under Subpart G that would permit certain FAA-regulated commercial drone operators to transit Standard UAFRs because they meet a higher burden of safety and security. Qualifying operators include those operating under Part 91 (to include Public Aircraft Operations (PAOs)), Part 107 (small UAS), proposed Part 108 (beyond visual line-of-sight (BVLOS)), Part 135 (air carrier and package delivery), and Part 137 (agricultural operations), provided they broadcast Remote ID, transit the UAFR in the shortest time practicable, and notify the facility's designated site manager in advance. This framework is designed to balance security objectives with national objectives around American drone dominance.
• Public Comment Opportunities on Individual UAFRs: Each proposed UAFR would undergo its own notice-and-comment rulemaking, with a minimum 30-day public comment period, before the FAA issues a final determination. This would provide drone operators, community stakeholders, and other affected parties a meaningful opportunity to challenge or shape individual restrictions. Applicants would also be required to describe the externalities of their proposed UAFR, including costs and disruptions to commercial UAS routes.
• Enforcement and Penalties: Violations of Special UAFRs issued for national security or homeland security purposes may carry criminal penalties under 49 U.S.C. § 46307 for knowing or willful violations, in addition to civil penalties and certificate suspension or revocation. Standard UAFR violations would be subject to civil enforcement under existing FAA mechanisms. The proposal also adds new prohibitions at § 91.134 and amends § 107.45 to expressly bar unauthorized UAS operations within a UAFR.

Key Areas Where the FAA Is Seeking Comment

The proposed rule is now open for public comment for 60 days following publication in the Federal Register. Comments can be submitted through the Federal eRulemaking Portal at regulations.gov under Docket No. FAA-2026-4558 until July 6, 2026.

The FAA has specifically requested public input on several issues that are directly relevant to commercial drone and critical infrastructure operators. Stakeholders should consider submitting comments on the following:

• Eligibility and Sector Criteria: Whether the proposed sector‑specific thresholds appropriately capture high‑risk facilities, and how to address sectors where criteria are not yet defined.
• Scope of Permitted Drone Operations: Whether additional categories of UAS operations should be allowed within UAFRs beyond Parts 91, 107, 108, 135, and 137, and under what conditions.
• Operational Flexibility Within UAFRs: Whether the requirement to transit in the “shortest practicable time” adequately accommodates non‑transitory activities (e.g., inspection, First Amendment uses) or requires clarification.
• Access and Notification Framework: Whether the proposed case‑by‑case notification regime should be replaced or supplemented with automated or pre‑approval mechanisms (e.g., Remote ID “whitelisting”).
• Scope of Restricted Airspace: Whether UAFR boundaries should be strictly limited to property lines or adjusted (expanded or narrowed) based on facility‑specific risk profiles.
• Security and Remote ID Requirements: Whether the proposed baseline security measures, including Remote ID sensing, are sufficient, and whether additional performance standards or data retention requirements are needed.
• Application and Process Design: Whether alternative approaches (e.g., website-based notice, pre‑filing SRMA assessments, or staggered application windows) would improve efficiency and scalability.
• Operational and Economic Impacts: The extent to which UAFRs may disrupt commercial routes or impose costs, including whether sector‑specific limitations on access are warranted.

Authored by Lisa Ellman, Laura Jennings Ochoa, Matt Clark, and Hanson Causbie.