4 December 2025

Drones And The Federal Government: What Contractors Need To Know About The Latest OMB Guidance

Holland & Knight

Highlights

  • An Office of Management and Budget (OMB) memorandum issued on Nov. 21, 2025, establishes comprehensive requirements regarding the procurement and use of secure unmanned aircraft systems (UAS) by federal agencies and recipients of federal funds.
  • The memorandum is based on the American Security Drone Act, which directs the OMB to develop government-wide policy for UAS procurement in coordination with the U.S. Departments of Homeland Security, Transportation and Justice and in consultation with the National Institute of Standards and Technology.
  • This Holland & Knight alert reviews key aspects of the memorandum, such as information security requirements, and what they mean to manufacturers and procurers of UAS for federal purposes.

The Office of Management and Budget (OMB) on Nov. 21, 2025, issued a memorandum establishing comprehensive requirements for the procurement and use of secure unmanned aircraft systems (UAS) by federal agencies and recipients of federal funds. This guidance implements the requirements of the American Security Drone Act (ASDA or Act)[1] and establishes a government-wide framework for UAS acquisition and use. In addition to ensuring compliance with the ASDA, OMB's objectives include counteracting the effects of purchasing foreign-made drones and reinforcing the integrity and security of federal operations.

For government contractors and grant recipients, the new framework signals a strategic shift. Compliance with these standards is now essential for eligibility in federal UAS procurement and funding and for supporting broader national security and economic objectives. Agencies and their partners must integrate these requirements into every stage of the UAS life cycle, from market research and acquisition planning to operational use and data management, ensuring that federal information remains secure and that U.S. technological leadership is preserved. This Holland & Knight alert breaks down key aspects of the memorandum below.

Background and Legislative Framework

The memorandum is grounded in the ASDA, Pub. L. No. 118-31 (2023), which directs the OMB to develop government-wide policy for UAS procurement in coordination with the U.S. Departments of Homeland Security, Transportation and Justice and in consultation with the National Institute of Standards and Technology (NIST). The ASDA was enacted in response to mounting concerns over the use of insecure, foreign-manufactured drones in federal operations. Such systems pose significant risks, including unauthorized access to sensitive data, hidden surveillance capabilities and uncontrollable flight behavior. Beyond cybersecurity, the Act addresses broader strategic and economic risks, such as undermining the U.S. drone industry, eroding technological sovereignty and exposing federal operations to supply chain disruptions.

The memorandum fulfills statutory requirements by providing a detailed framework for agencies to assess and mitigate information security risks throughout the UAS procurement life cycle. It supplements existing procurement laws and regulations, including the Federal Acquisition Regulation (FAR) Subpart 40.2, which prohibits the procurement and operation of UAS manufactured or assembled by certain foreign entities. The policy also incorporates input from NIST and aligns with OMB Circular No. A-130, which governs federal information management.

Scope of the Policy

The memorandum applies to all federal agencies procuring UAS for non-U.S. Department of War (DOW) and non-Intelligence Community operations,[2] as well as agencies issuing grants and cooperative agreements to nonfederal entities for UAS procurement that involves processing, storing or transmitting federal information. Covered activities include direct agency procurement and federal funding mechanisms, such as grants and cooperative agreements, where UAS may be used to handle federal data. The policy is designed to ensure that security requirements are integrated at every stage of the acquisition process and that both agencies and funding recipients adhere to robust information protection standards. This broad scope reflects the government's commitment to minimizing reliance on adversarial technology and supporting secure, domestically produced UAS solutions.

Procurement Requirements for Agencies

Federal agencies procuring UAS are subject to a comprehensive set of procedural and technical requirements designed to ensure both operational effectiveness and robust information security. Within 180 days of the memorandum's issuance, agencies must recognize UAS as both aircraft and information technology (IT) systems, integrating the information security risk procedures outlined in the memorandum, regardless of the country of manufacture or assembly of the UAS.

Specifically, under the memorandum, federal agencies that are not part of the DOW or Intelligence Community must establish a process to address security risks during the entire life cycle of UAS procurement. The memorandum describes the following key steps in the procurement process:

  • Market Research. Agencies are required to first gather information on product capabilities that will meet the agency's needs and assess which options align with the memorandum's security requirements, including access control (such as multifactor authentication), software and firmware updates, and robust data protection measures based on sensitivity and level of confidentiality.
  • Acquisition Planning and Solicitation Development. Agencies must craft requirements with sufficient detail to enable vendors to submit proposals that allow for complete impact assessments using Federal Information Processing Standard (FIPS) 199. This includes identifying and documenting the type of information that may be stored in, processed by, or transferred to or from a UAS. At this step, agencies are also required to consider whether awarding the contract to a particular domestic source is necessary for compliance, even if it entails noncompetitive acquisition procedures.
  • Contract Award. Agencies must evaluate offerors based on criteria that ensure compliance with the necessary security capabilities described in the framework, including access control requirements (such as multifactor authentication), software and firmware updates, and data protection measures tailored to the sensitivity and confidentiality of the information involved.
  • Contract Performance. After delivery, agencies must adhere to established policies and use functional systems to implement risk mitigation measures throughout the UAS life cycle.

Security Standards and Capabilities

The memorandum establishes minimum security capabilities that must be met for any UAS procured by federal agencies or funded through federal grants and cooperative agreements. These standards are designed to protect federal information, including privacy data and other controlled unclassified information, from unauthorized access, use, disclosure, disruption, modification or destruction.

Impact Assessment Procedures

Before procurement, agencies must conduct an impact assessment using FIPS 199 or successor publications. This assessment, performed jointly by information security and operational personnel, identifies the types of information the UAS will store, process or transmit – such as positional data, audio and video – and determines the potential impact of loss of confidentiality, integrity or availability. The results guide the selection of appropriate security categories and system impact levels.

Access Control Requirements

After completing the required impact assessment for each UAS procured through a contract, grant or cooperative agreement, agencies must ensure that both the procurement and use of the UAS will comply with access control requirements, software and firmware update requirements, and data protection measures. For access control, agencies are expected to implement appropriate authentication measures for remote access to UAS ground control stations, following the standards set forth in NIST Special Publication 800-63.[3] Where the overall system impact level for availability is moderate or high, OMB further recommends that agencies consider managing the UAS program under the IT asset framework described in NIST SP 1800-5.

Software and Firmware Update Protocols

With respect to software and firmware updates, agencies' policies must ensure that updates originate only from the UAS manufacturer or a trusted third party, as determined by the authorizing official. Moreover, the technology used for installing and downloading software or firmware for these updates must be isolated from enterprise agency information systems. Additionally, when the overall system impact level for integrity is moderate or high, operators are required to conduct file integrity checks and test updates before mission operations.

Data Protection Requirements

Data protection requirements include encrypting mission-related data both "at rest" and during data collection or transmission. Agencies should further ensure they retain the ability to opt out of downloading, uploading or transmitting UAS data unless required by statute or regulation. These measures collectively support the integrity and security of federal operations involving UAS, in line with the OMB memorandum's objectives.

Regarding sensitive or confidential data that a UAS collects, stores or processes, the following protocols apply:

  • Agencies should ensure the data is cryptographically secured using an approved and validated cryptographic algorithm or module.
  • Agencies should consider acquiring UAS with remote security capabilities, such as the operator's (rather than the manufacturer's) ability to wipe or lock the UAS remotely.
  • Operators should remove any federal information with a moderate or high confidentiality designation that the UAS collected after the completion of each mission.
  • Agencies should employ technical controls to disable data storage and transmission to non-approved systems when the overall system impact level for confidentiality is high.

Exemptions and Waivers

The memorandum provides specific pathways for agencies to seek exemptions or waivers from the established UAS procurement security requirements under defined circumstances. Exemptions are available from Section 1829 of the ASDA,[4] while waivers or exemptions are available from Sections 1823, 1824 and 1825 of the ASDA.[5]

Exemptions Under Section 1829

An agency head may grant an exemption from the security requirements in the memorandum if he or she determines in writing that compliance would prevent the agency from obtaining a UAS capable of fulfilling mission-critical performance requirements. The exemption is valid only if the agency head documents the factual and logical bases for the determination, including the date, a description (with quantity and value) of the products covered and the time period for the exemption (not to exceed three years from the effective date). This authority may be delegated only to a deputy secretary or equivalent, not to lower-level officials. All exemption documentation must be available to OMB upon request and included in relevant system security plans and contract files.

Exemptions and Waivers Under Sections 1823, 1824 and 1825

The ASDA establishes prohibitions on the acquisition or operation of UAS manufactured or assembled by certain foreign entities using federal funds. However, exemptions are available to specific agencies under certain circumstances, and waivers may be granted on a case-by-case basis by the agency head with approval from the OMB director, after consultation with the Federal Acquisition Security Council. Agencies must prepare documentation identifying the applicable exemption or waiver and make it available to OMB upon request. For waivers, agencies must also notify the relevant congressional committees after OMB approval and before exercising the waiver.

These processes ensure that exemptions and waivers are tightly controlled, well-documented, and subject to oversight, balancing mission needs with the imperative of information security.

Procurement Through Grants and Cooperative Agreements

Agencies issuing grants or cooperative agreements that provide funds for UAS procurement must implement additional requirements to ensure security compliance by nonfederal recipients.

  • Inclusion of Security Requirements in NOFOs: Notices of Funding Opportunity (NOFOs) must incorporate the information security requirements in the memorandum. Applicants must address these requirements in their proposals and describe their risk-based approach to applying them in subsequent procurement solicitations.
  • Risk Assessment and Proposal Evaluation: Agencies are required to conduct risk assessments and evaluate recipients' proposals for responsiveness to the security requirements outlined in the NOFO, ensuring that only compliant projects receive funding.
  • Award Terms and Conditions: The specific security requirements must be included in the terms and conditions of grants and cooperative agreements, obligating recipients to incorporate these standards into their own UAS procurement processes.
  • Ongoing Monitoring: Agencies must monitor federal awards to ensure that recipients adhere to the information security requirements throughout the duration of the award.

Additionally, effective Dec. 22, 2025, federal funds may not be used to procure or operate UAS that are prohibited under the ASDA, with limited exemptions and waiver provisions for certain agencies and mission types.

Compliance and Monitoring Requirements

Ongoing compliance and monitoring are central to the memorandum's framework, ensuring that both agencies and recipients maintain robust security postures throughout the UAS life cycle.

Agencies are responsible for applying appropriate safeguards during and after UAS use, consistent with the assessed risk and relevant law and policy. This includes implementing technical controls, maintaining access control policies and ensuring that all security requirements are met and documented. Agencies must also conduct regular oversight, including audits and reviews, to verify adherence to security standards by both internal personnel and external funding recipients.

Recipients of federal funds are subject to compliance monitoring by the awarding agency, which may include reporting obligations, audits and corrective action requirements. Documentation of compliance, exemptions and waivers must be maintained and made available to OMB and other oversight bodies as required.

Further, manufacturers and operators doing business with the federal government should remain mindful of agencies' plans for compliance with OMB's instructions in the memorandum, which requires agencies to update policies and ensure compliance in accordance with the memorandum no later than May 20, 2026. These instructions further require agencies to conduct risk-based analyses and employ risk mitigation measures tailored to the level of risk during the entire information life cycle, as defined by OMB Circular A-130, when procuring, using or even after using a UAS.[6]

Notably, these requirements are supplemental to ongoing compliance obligations and requirements under other federal regulations, including but not limited to FAR Subpart 40.2, which prohibits the procurement and operation of UAS that certain foreign entities manufacture or assemble. Finally, the OMB instructions generally do not apply to the DOW or Intelligence Community.[7]

Additional Considerations

Though OMB Memorandum M-26-02 provides necessary details for non-DOW agencies' compliance with the ASDA, vendors that seek to do business with the federal government should also stay abreast of general updates regarding DOW procurements, as lessons learned or preferences from use of UAS in either DOW or non-DOW agencies are worthy of consideration. The U.S. Army, for example, released its Second Sources Sought Notification (SSN) to accelerate acquisition of small UAS for the Company-Level Directed Requirement on Nov. 24, 2025. Perhaps the most noteworthy update from the SSN is the UAS Marketplace Strategy, in which the Army will identify and bring onboard vetted solutions to its UAS Marketplace Storefront. In using a marketplace strategy, the Army seeks to streamline the process for acquisition and use cutting-edge capabilities to maintain leadership in UAS operations. The Army has stated that it works closely with the commercial industrial base and its Project Management Office for UAS to adapt capabilities and concepts based on feedback from soldiers using UAS.

In addition, the DOW continues to employ its Drone Database Hub through the Defense Innovation Unit, which provides a Cleared List of UAS that DOW has vetted in accordance with the American Security Drone Act,[8] Section 817 of the fiscal year (FY) 2023 National Defense Authorization Act[9] and Section 848 of the FY 2020 NDAA.[10] The program for adding UAS to the Cleared List, often regarded as "Blue UAS," is the DOW's approach for rapidly prototyping and scaling commercial UAS technology for the DOW's use. The Blue UAS model will likely continue and remain updated with each new statutory provision that applies to UAS that the DOW uses.

Conclusion and Key Takeaways

The OMB memorandum marks a significant evolution in federal UAS procurement, underscoring the government's commitment to safeguarding sensitive information and supporting domestic technological capabilities. Compliance is not merely a regulatory obligation but a strategic imperative – failure to adhere to these requirements can result in operational, legal and reputational risks for both agencies and contractors.

Key obligations for government contractors include:

  • integrating robust information security requirements into all stages of UAS procurement and operation, including market research, solicitation, contract performance and post-delivery monitoring
  • conducting and documenting impact assessments to determine the appropriate security controls for each UAS acquisition
  • ensuring that all software, firmware and data management protocols meet the minimum standards set forth in the memorandum, with particular attention to access controls, encryption, and data retention or erasure
  • maintaining thorough documentation of compliance, exemptions and waivers and being prepared for oversight or audit by federal authorities

The memorandum's requirements extend to recipients of federal grants and cooperative agreements, making it essential for all entities in the UAS supply chain to understand and implement the new standards. As the regulatory environment continues to evolve, proactive engagement with these requirements will be critical for maintaining eligibility for federal contracts and funding, as well as for supporting the broader national security and economic objectives that underpin the policy.

In summary, the new framework demands heightened vigilance, transparency and collaboration across the government contracting community. By prioritizing security and compliance, contractors can help ensure the integrity of federal operations and contribute to the resilience of the U.S. UAS industry.

If you have questions about how these new requirements may impact your organization's UAS procurement, grant compliance or contracting strategies, or if you need tailored guidance on implementing robust information security measures, please contact the authors of this alert. Our team regularly advises government contractors and grant recipients on navigating evolving federal procurement standards and can help ensure your business remains compliant and competitive in this rapidly changing regulatory environment.

Footnotes

1. Pub. L. No. 118-31, §§ 1821-32 (41 U.S.C. § 3901 note), 137 Stat. 136, 691-99 (2023).

2. See below for additional information related to DOW/Intelligence Community UAS procurement.

3. Digital Identity Guidelines, NIST SP 800-63-3 (March 2, 2020).

4. Pub. L. No. 118-31 at § 1829, 137 Stat. at 696 (titled "Government-Wide Policy for Procurement of [UAS]," requires collaboration of agencies to develop the security protocol and protections described in the memorandum).

5. Pub. L. No. 118-31 at §§ 1823, 1824, and 1825, 137 Stat. at 692-95 (titled "Prohibition on Procurement of Covered Unmanned Aircraft Systems from Covered Foreign Entities," "Prohibitions on Operation of Covered [UAS] from Covered Foreign Entities," and "Prohibition on Use of Federal Funds for Procurement and Operation of [UAS] from Covered Foreign Entities," respectively).

6. See also Pub. L. No. 118-31 at § 1829, 137 Stat. at 696-97.

7. "Intelligence Community" is defined at 50 U.S.C. § 3003.

8. FY 2024 NDAA, Pub. L. No. 118-31, §§ 1821-32 (41 U.S.C. § 3901 note), 137 Stat. 136, 691-99 (2023) (commonly known as the American Security Drone Act).

9. James M. Inhofe FY 2023 NDAA, Pub. L. No. 117-263, § 817 (10 U.S.C. § 4871 note) 136 Stat. 2395, 2707 (2022).

10. FY 2020 NDAA, Pub. L. No. 116-92, § 848 (10 U.S.C. § 2302 note), 133 Stat. 1198, 1508 (2019).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
