By: Dawn Zoldi
With the comment period for the Part 108 Beyond Visual Line of Sight (BVLOS) Notice of Proposed Rulemaking (NPRM) just days away, comments from drone delivery and critical infrastructure experts who dissected the Transportation Security Administration’s (TSA) proposed security requirements at the recent Commercial Drone Alliance (CDA) Summit illuminated deep concerns that the industry should heed. This article details that Summit discussion. While promoting security remains essential, the current regulatory proposal threatens to overwhelm the industry with burdensome requirements that overlook the robust, risk-based practices already in place. A risk-calibrated regulatory model would better support safety and industry growth.
Understanding the TSA’s BVLOS Security Rulemaking
For those unfamiliar, BVLOS flights enable drones to travel far beyond the operator’s direct view, which will unlock large-scale package delivery, infrastructure inspection and utility applications. The Federal Aviation Administration (FAA) introduced an NPRM that addresses a wide range of topics related to BVLOS. The TSA’s NPRM, which it put out in tandem with the FAA’s notice, seeks to extend regulatory oversight for BVLOS drone operations akin to the rules in traditional aviation. It emphasizes both physical and cyber security controls for all players in the BVLOS space. (See AG White Paper on the joint NPRM here).
Specifically, the TSA’s proposal highlights the need for thorough personnel vetting, strict access controls and a comprehensive framework intended to safeguard not just the drone and its payload, but the broader airspace and the public. As one expert at the Summit noted, the requirements are sweeping. They introduce a highly regulatory environment, akin to passenger-carrying airliners, that fails to proportionally address the unique security profile of modern drone operations.
How Proposed Security Requirements Go Beyond Proportional Risk
The crux of industry’s concerns relates directly to the disproportionate impact of new security mandates as envisioned by the TSA NPRM. For example, the rule proposes background screening and vetting for every individual who may have access, however incidental or fleeting, to packages destined for drone transport. The intention is to prevent unauthorized individuals from interfering with the logistics chain or tampering with cargo.
Yet, as one expert observed, this blanket approach risks capturing scenarios far beyond what is necessary or practical:
- Security Checks: If enforced literally, every employee in a store, from teenage part-timers to long-term shift supervisors, could require a background check simply because they might contact a package scheduled for drone delivery. (The logical extension of this would require checks for the entire public at Walmart!)
- Controlled Areas: Restaurants and retail stores could be compelled to create physically separated, secure areas for cargo awaiting pickup, a logistical burden that far outweighs the minimal risks posed by a 5-pound or 6-pound drone payload.
Panelists challenged the logic of applying high-stakes air cargo security frameworks to the delivery of everyday goods, such as meals, groceries and small consumer products, where the risks posed by small drones are not commensurate with the layers of TSA-proposed oversight.
Existing Security Practices Exceed Regulatory Demands
Drone operators, especially in the delivery sector, underscored that robust security frameworks are already foundational to their business model. Decades of experience managing large and complex logistics networks for parcel delivery, integrating layers of peer-reviewed best practices related to automation, personnel compartmentalization, cybersecurity, and compliance with established rules underpin their operations.

Industry experts noted that drone delivery companies have developed fulfillment systems where:
- The personnel loading cargo onto drones have no knowledge of its destination or direct control of the drone’s route.
- Advanced automation virtually eliminates opportunities for tampering, with pre-programmed routes and rigorous system checks that render human intervention almost impossible.
- Industry risk mitigation extends well beyond regulatory compliance because it is driven by the companies’ own imperative to avoid financial and reputational risk.
Notably, drone companies have reached significant operational milestones. One major operator noted that their company has accomplished 150 million autonomous miles and 47 million deliveries, safely and securely, with no cost to society and long before these potential federal mandates.
The Role of Automation and Compartmentalization in Security
Further elaborating on security in today’s leading drone operator models, automation and the segregation of duties enhance safety and security in these ways:
- Employees involved in packing, staging or loading have no way of controlling or rerouting drone flights.
- Cybersecurity controls, including systems designed to prevent both unauthorized internal and external access, add further layers of protection.
- Remote pilots or management personnel cannot unilaterally alter drone routes or interfere with mission-critical software. Most operators are unable to pinpoint a package’s final destination.
This compartmentalization limits the possible harm that any single employee could cause. Even a complex insider threat scenario would require breaching several independent layers of physical, personnel and cyber defenses. As one speaker noted, it would take a Mission Impossible-level infiltration to genuinely threaten operational integrity as it exists today.
Unintended Economic and Logistical Impacts of Overregulation
The conversation made it clear that the new TSA rule, as written, would pose steep economic and operational challenges for industry. Requiring detailed background checks and access controls for all staff in a delivery ecosystem, many of whom have only nominal contact with a package, would render current business models unworkable.
Consider the paradigm shift imposed on not just the drone industry, but also on their customers like retail and food businesses. Instead of leveraging existing, cost-efficient delivery workflows, stores and restaurants could be forced to:
- Build entirely separate, controlled storage areas for goods intended for drone transport. This would duplicate staff and physical infrastructure.
- Vet and fingerprint every person coming in contact with cargo. This is a fundamental mismatch for these high-turnover industries, which rely heavily on flexible, part-time staff.
- Redesign physical spaces and operational practices. Most small businesses simply cannot absorb this challenge and expense.
Experts questioned whether there is any meaningful improvement in public safety or security commensurate with those costs. Most drone deliveries consist of low-value, everyday goods. As one expert pointed out, the risk of a teenager packing a takeout box with something harmful is negligible compared to the dangers posed by large ground vehicles that haul hazardous materials on public streets and highways on a daily basis.
Drone Industry Commitment: Security as a Business Imperative
Participants were quick to point out that external mandates do not need to drive robust security, because it is simply a business necessity. A security breach, whether the result of tampering, theft or data loss, could pose an existential risk to these companies, especially those operating at scale. The industry has responded by prioritizing proactive, practical security controls that directly address the realities of daily operation:
- Drones are equipped with end-to-end encryption, controlled access and highly automated chains of custody, especially for precious cargo like medical samples.
- Cargo flows, from restaurants to homes, hospitals to labs, are monitored, logged and managed using systems that minimize security gaps and prevent tampering.
- Security best practices continuously evolve with operational experience. This allows companies to adapt to new threats faster than regulatory requirements ever could.
Ultimately, the threat profile in most drone delivery contexts (think: food, medicine, retail) is relatively low, while the reputational and financial incentives to maintain airtight security are incredibly high.
Why a Nuanced, Risk-Based Framework Makes Sense
Throughout the panel, one principle garnered broad support: each operation’s risk profile should drive the intensity and nature of required security measures. Applying security controls indifferently, without regard to payload, mission or operating context, risks stifling innovation and safe business growth.

Summit experts pointed to the success of TSA in collaborating with the aviation sector on risk-calibrated approaches for other modes of transportation. Just as applying large-aircraft security policies to small private planes does not make sense, neither does assuming that a five-pound drone delivering a burrito requires airline-style vetting procedures.
Instead, the future of drone security lies in:
- Adopting graduated, risk-based frameworks that adjust security requirements to the scale, scope and context of actual operations.
- Engaging with industry partners to ensure that rules enhance, rather than duplicate or obstruct, protections that have already been proven in practice.
- Focusing resources on high-value targets and plausible threat scenarios, not theoretical risks with negligible real-world likelihood.
As summed up at the Summit, security regulations should be right-sized, practical and economically sustainable. New rules should focus on unique drone vulnerabilities and augment, not duplicate, risk mitigation efforts already underway.
The Case Against One-Size-Fits-All Rules
Several panelists connected the dots between the TSA’s proposal and the potential for wide-ranging unintended negative consequences. Beyond higher costs and operational friction, the rules could lead to:
- Small businesses being priced or screened out of drone delivery and logistics partnerships. This would erode competition.
- Gig-economy and part-time workers losing access to flexible employment opportunities.
- Supply chains for time-critical goods (medical delivery, for instance) experiencing unnecessary delays, with no clear gain in public safety.
Heavy-handed requirements could nudge the sector toward more informal, unregulated practices. This would ultimately increase, rather than reduce, security risks.
Innovation and Corporate Responsibility: A Better Path Forward
To be clear, the drone sector does not oppose security regulation. Far from it. Companies are eager to collaborate, educate regulators and co-design rules that reflect the realities of technology and risks on the ground. The industry’s own interest in preserving safety, security and operational continuity aligns it closely with the federal objective of public protection.
What industry leaders seek is a sophisticated regulatory approach, one that builds on what works, rather than layering on requirements that duplicate protections or create new vulnerabilities by exhausting resources on low-risk scenarios.
The path forward, according to the summit’s consensus, is collaborative rulemaking based on operational data, scenario modeling and real-world risks, not theoretical possibilities.
Last Call: Scalable, Risk-Informed TSA Regulation
As the drone sector moves further toward mainstream, large-scale deployment, especially in BVLOS operations, the need for right-sized security regulation will intensify. The TSA’s NPRM represents an important step in recognizing those needs. But the takeaway from the Commercial Drone Alliance Summit is clear: regulation must be smart, balanced and tailored to the true risks of drone operations.
The drone industry has already developed layers of best practices and security protocols that protect customers, employees and the public as a matter of good business. Overlaying these with overly prescriptive requirements risks stymying industry progress and operational safety, without delivering material gains in public protection. The way forward must involve an open, ongoing dialogue between industry and the regulator, one that weighs risk, operational realities and the sector’s demonstrated strong record of safety and security.