Restrictive and technically unfounded legislation continues to hem in the drone industry, exacerbating security concerns and making procurement increasingly difficult to navigate.
For public safety agencies, infrastructure teams, commercial security organizations, construction firms, utilities, and enterprise operators considering fleet procurement, the conversation has shifted from “Which UAS should we buy?” to “Can we defend this decision to leadership, IT, legal, procurement, and the public?”
That pressure has only increased since the FCC’s Covered List update and the broader legislative conversation around foreign-made uncrewed aircraft systems. As we covered in our recent blog, [What the FCC’s Covered List Update Means For Unreleased Drone Systems and Components], the current framework is primarily an equipment authorization issue, affecting what new hardware does or does not receive FCC ID approval to enter the American market.
That means the question is no longer limited to whether a platform is secure, capable, or operationally proven. Even if an organization determines that a new UAS is the best fit for its mission, that product still needs FCC equipment authorization before it can be legally marketed, sold, or purchased in the U.S.
This is where the OnDefend security assessment could become important. Even more dangerous, it might instill hope that technical evidence could loosen legislation hamstringing the industry’s growth.
The report gives vested teams and legislators validated evidence to evaluate. It directly addresses concerns around data sovereignty, unauthorized access, RF emissions, supply chain integrity, and drone manipulation risk. But unless that evidence influences the policy and authorization environment, any renewed hope for future product availability may be short-lived.
That is the tension drone fleet managers now face: technical validation may support continued confidence in these systems, but market access for future products remains in the hands of regulators and legislators.
DJI’s recently released independent security assessment from OnDefend deserves attention because it gives the industry something more concrete than assumptions. Now the question is whether that evidence [read “hope”] will matter in the decisions that shape future drone availability in the United States.
On The Horizon
Subscribe to On the Horizon for UVT updates, public safety drone insights, technology news, and field-tested guidance on DFR, cUAS, remote operations, training, and program development.
Want In? Subscribe today!
What OnDefend Tested
The OnDefend assessment focused on three national security concerns that have been central to the conversation surrounding DJI: data sovereignty, hardware vulnerabilities, and drone manipulation risk.
The systems evaluated included the DJI Air 3S with RC 2 controller and DJI Fly app, along with the DJI Matrice 4E with RC Plus 2 Enterprise controller and DJI Pilot 2 app. According to the executive report, the engagement period ran from October 21, 2025 through March 13, 2026. Bolstering the value of the assessment, consumer units were purchased independently without prior notification to DJI, while enterprise units were sourced from existing dealer stock to reflect standard U.S. market distribution, ensuring the tested systems represented what real customers actually receive.
DJI Matrice 4E
RC Plus 2 Enterprise Controller
The assessment included static and dynamic application security testing of DJI Fly and DJI Pilot 2, network traffic analysis across standard and Local Data Mode operation, controller jailbreak and privilege escalation testing, full-spectrum RF scanning, PCB-level hardware teardown, near-field component analysis, supply chain verification, and RF exploitation testing that included replay, jamming, and injection attempts.
OnDefend was thorough, testing what the systems were doing at the application, controller, hardware, firmware, RF, and supply chain levels.
The Findings
During the window of testing, OnDefend reported:
No clear evidence of hidden backdoors.
No data transmissions outside the United States.
No viable pathways for hijacking or weaponization.
No critical or high-risk findings.
The broader findings summary reported:
Zero critical-risk findings.
Zero high-risk findings.
Zero medium-risk findings.
The report included, ten low-risk findings, and thirteen observations . The low-risk findings were primarily related to application security configurations, session handling, wireless hardening, and similar items that are common in complex mobile and embedded systems. The report stated that none presented a realistic risk to safe drone operation or widespread exposure of confidential information.
Concerning data protection, the report found no evidence of any transmitted data being sent outside the United States from the controller devices or UAS flight-control applications. Observed connections resolved to U.S.-based IP addresses, including expected services and content-delivery infrastructure.
For RF emissions, OnDefend found no unexplained radio emissions. The report states that observed RF emissions were traced back to known system functions. Some emissions were not included in the FCC documentation at the start of the engagement but were later confirmed to be artifacts of documented signal-synthesis methods, not covert channels.
For supply chain integrity, the assessment found no tampering and no unauthorized hardware modifications.
What The Report Does NOT Mean
This assessment is important, but it doesn't mean every DJI system in every configuration has been tested forever. It does not mean firmware, software, hardware revisions, cloud services, or operational settings never need to be reviewed again. It does not mean fleet managers can ignore internal risk management protocol.
OnDefend says as much in the report. To maintain national security assurance, the report recommends ongoing testing of firmware, software updates, and verification of hardware and chip integrity for continuous validation.
This is how security SHOULD BE approached.
Data protection is not a one-time certification that removes all future questions, nor should it be assumed based on country of origin. It is a discipline. Systems change. Firmware changes. Software changes. Infrastructure changes. Threat methods change. A meaningful security posture requires ongoing validation and strong operational controls.
For example, the report found that Local Data Mode prevented user data from being sent from the system’s flight-control application to internet-based locations. But it also recommended that operators disable the controller’s network connection in addition to Local Data Mode for complete isolation.
That is exactly the kind of nuance that often gets lost in public conversations.
The platform can have security controls. Operators must be educated to use them correctly.
Technical Evidence Is Only Part of the Policy Conversation
As previously stated, the OnDefend assessment directly addresses many of the concerns that have shaped the greater country of origin conversation in the United States.
Still, there is reason for pause. One independent security assessment does not automatically change regulation, procurement pressure, or the broader policy direction. But what it can do is help the American people see through the smoke and mirrors of a politically charged landscape and engage with their government representatives. This is the means by which documented evidence should be taken seriously by the people shaping policy.
For years, drone purchasing decisions have been influenced by more than operational performance. National security concerns, domestic manufacturing priorities, industry lobbying, and legislative pressure have all played a role in shaping what agencies and enterprises are able to buy.
If the stated concerns are data sovereignty, unauthorized access, hidden transmissions, supply chain tampering, or manipulation of the UAS, then independent technical assessments like this should matter. They give legislators, regulators, procurement teams, IT departments, and operators something more grounded to evaluate.
Whether this assessment changes the direction of policy remains to be seen.
The FCC’s Covered List framework is still active. The agency’s UAS FAQ explains that certain UAS and UAS critical components are restricted from receiving new equipment authorizations, while exemptions exist for systems such as Blue UAS Cleared List products and qualifying domestic end products through January 1, 2027.
Reuters also reported that DJI is urging U.S. lawmakers to lift restrictions on its newest drone models following the independent review, while the company continues to challenge the FCC’s December 2025 action.
That said, the ball is in your court. Here is where you can engage with your local representatives to make your voice heard and help move our industry forward.
If this technology matters to your work, make your voice heard!
Engage with your local representatives and help move the industry toward decisions grounded in evidence, operational reality, and the needs of the people using these systems every day.
“The people using this technology every day need to be part of the conversation shaping its future. Public safety agencies, infrastructure teams, utilities, and enterprise operators understand the real-world value of these systems because they rely on them to do critical work. If technical evidence is available, it should be part of the decision-making process, and I would encourage our industry to make sure legislators hear from the teams directly impacted by these policies.”
- Chris Fink | Founder and CEO, Unmanned Vehicle Technologies
Why Procurement Decisions Still Require Balance
The drone market is under pressure.
Some teams are freezing purchases because they are afraid of making the wrong decision. Others are rushing toward alternatives that may satisfy a policy preference but fail to deliver the same capability, reliability, ecosystem maturity, or cost efficiency their mission requires.
Both reactions can hurt a program.
When procurement decisions are made under pressure, the conversation can quickly become too narrow. Teams are pushed toward simple categories: approved or restricted, foreign-made or domestic, safe or unsafe, DJI or not DJI.
Instead, procurement should be driven by mission requirements, security posture, lifecycle cost, regulatory constraints, supportability, and operational readiness.
For some organizations, already-authorized DJI systems may still be the most practical option for the mission. For others, domestic or Blue UAS platforms may be required by policy, funding source, customer expectation, or internal risk tolerance. In many programs, the right answer will not be a single platform for every use case. It may be a mixed fleet designed around mission needs, compliance requirements, and sustainment realities.
The goal is not to defend one manufacturer while blindly dismissing another. The goal is to make sure the people doing the work have access to the best available drone tools for their mission. That includes first responders using this technology to save lives, front-line workers maintaining the infrastructure that keeps our lights and heat on, and the countless industries and teams that have integrated UAS into daily workflows.
But getting there requires honest evaluation. It requires acknowledging independent findings when they exists, understanding policy constraints when they apply, and knowing the difference between current authorized systems and future systems that may be affected by FCC equipment authorization rules.
Most importantly, it requires looking at the full program, including hardware, software, training, support, batteries, payloads, repair pathways, data handling, and the people responsible for keeping the work moving.
How UVT Helps Teams Navigate This
UVT works with public safety agencies, enterprise organizations, utilities, construction firms, commercial security organizations, and critical infrastructure operators that need more than product recommendations.
These teams need sustainable plans and fleets that can grow to suit their needs.
They need to know which systems fit their mission, how to manage procurement risk, how to handle data securely, how to prepare for policy shifts, and how to keep their fleets operational.
As an end-to-end drone and robotics integrator, UVT supports customers through consultation, program design, hardware and software integration, training, regulatory guidance, BVLOS enablement, cUAS strategy, remote operations, and long-term sustainment.
We dont' push every customer toward the same manufacturer or the same conclusion. Our role is to help organizations see through the smoke and mirrors of a complicated industry, understand what information matters, and equip them with the education needed for empowered decision-making.
That means helping teams evaluate reports like the OnDefend assessment within the full context of their program. Technical evidence matters, but so do policy constraints, procurement timelines, data workflows, support requirements, training needs, and long-term sustainment.
The goal is clarity.
Clarity about the current policy's. Clarity about what the technology does. Clarity about how your data moves. Clarity about what, where, and how your team needs to operate with confidence. And clarity about next steps if or when the market shifts again.
Clarity is one of many ways UVT helps teams stay Always On.
Need answers? Our team is looking forward to answering your questions.