Skip to content

U.S. Federal Agencies Issue Rule on How Local Law Enforcement Can Take Down Drones

Slowly, but surely, the U.S. government is creating some clarity about how state and local agencies can legally use counter-uncrewed aerial systems (C-UAS).

The U.S. Department of Justice (DOJ) and U.S. Department of Homeland Security (DHS) issued an interim final rule that is retroactively effective and allows state, local, and tribal law enforcement and correctional agencies to set up C-UAS programs and operations. The move to make an interim rule effective is unusual, but the agencies say it is necessary to address the rapidly escalating threat of UAS incursions.

And with that, let’s get into our July Legal Report.

0626-lr-counter-drone-authorities-law-enforcement.jpg
Illustration by iStock, Security Management

 

U.S. Federal Agencies Issue Rule on How Local Law Enforcement Can Take Down Drones

The DOJ and DHS issued an interim final rule that provides guidance on how U.S. state and local law enforcement agencies can legally use counter-uncrewed aerial systems (C-UAS).

The rule published on 6 July explained that UAS (drone) incursions over mass gatherings and critical infrastructure sites present a threat to public safety, crewed aircraft, and lawfully operating UAS. DHS, DOJ, the U.S. Department of Defense, and the U.S. Department of Energy already have the authority to respond to these incursions, but the rule explained that federal C-UAS resources are not sufficient for the scope of the threat.

The risk exposure is also rapidly growing. The rule specifically mentioned the 2026 FIFA World Cup, which began 11 June and continues through 19 July and, in the United States, includes 11 host cities. The rule said that as of 20 June DHS and the FBI have recorded more than 600 drone incursions into restricted airspace across U.S. host-city venues.

What’s in the rule? The interim final rule, which became retroactively effective on 1 July even while it is still open for public comment until 4 September, lays out how state, local, tribal, and territorial (SLTT) law enforcement and correctional agencies can use C-UAS authorities under the SAFER SKIES Act.

Generally, the rule requires that these agencies must have a C-UAS implementation policy that designates an agency approving official who meets certain criteria; designates personnel authorized to exercise C-UAS authority and the recurrent training requirements for those personnel; establishes procedures for handling, retaining, and disseminating data acquired during C-UAS operations; provisions for public notice about the potential use of C-UAS authority; and standing tactical procedures for executing C-UAS operations.

The technical procedures could include engagement protocols that account for risk to people and property on the ground and in the air, escalation procedures, use-of-force considerations, ground intercept team procedures, render safe procedures, evidence collection and chain-of-custody procedures, communications procedures, system operating procedures, data handling and purge procedures, operation plan requirements, and post-operation procedures.

“The agency’s implementation policy must address the chain of command for mitigation decisions and must make clear that noncertified personnel, regardless of rank, may not direct mitigation actions that override the certified operator’s professional judgment on whether the conditions for mitigation are present,” the rule explained.

Before taking a mitigation action, personnel closest to the operational situation are required to determine in real time if there is a credible threat that warrants C-UAS action. Credible threats could be assessed using specific intelligence, behavioral indicators, and payload or physical configuration indicators, among other indicators.

The mitigation action the agency takes needs to be proportionate to the identified threat. Six U.S. federal agencies maintain an authorized technologies list of the broad types of technologies that are authorized under the SAFER SKIES Act to be used for C-UAS detection and mitigation. They include radio-frequency (RF) detection with command and control signal interception, RF protocol manipulation, and RF disruption with broadband and protocol specific jamming.

The same agencies also maintain an authorized systems list, which includes three main categories of systems, seven vendors, and 21 systems that U.S. federal agencies are using now for C-UAS. Agencies will have the ability to nominate systems for review and potential inclusion on the list in the future.

To take C-UAS mitigation actions, personnel must have a current Mitigation Certification from the FBI’s National Counter-UAS Training Center for the type of technology being used and hold a valid remote pilot certificate.

“Before taking any mitigation action that may result in the disabling, damage, or destruction of an unmanned aircraft, personnel must consider whether the threat posed by the UAS outweighs the risk of collateral harm to public safety,” the rule explained. “A mitigation action that creates a greater risk to public safety than the threat it is intended to address is not proportionate and must not be taken.”

Collateral harm includes the risk of falling debris, damage to people or property on the ground, disruption to communications systems, and risks to aviation safety, civilian aviation and aerospace operations, aircraft airworthiness, or the use of the airspace.

SLTT agencies are also required to provide verbal or electronic notification to the Federal Aviation Administration (FAA) within 5 minutes—or as soon as operationally practicable—of using a mitigation measure of the C-UAS system. Detection and warning operations are exempted from this requirement. There are civil penalties for violating the procedures in the interim final rule, including up to $150,000 in fines for some infractions.

Some limitations. The rule limits when C-UAS may be legally used. Appropriate use cases include SLTT agencies’ actions to protect people, facilities, and assets; venues for large-scale public gatherings or events; critical infrastructure; and correctional facilities. It expressly prohibits using C-UAS for the sole purpose of collecting evidence for criminal prosecution and sets out additional requirements for using drones for a specific operation.

The rule is also explicit about the roles contractors can play in C-UAS mitigation. They are allowed to provide technical support, maintenance, and training assistance, but contractors—including private security personnel—are prohibited from operating C-UAS mitigation systems, making credible threat determinations, or executing mitigation actions.

“An arrangement in which a contractor exercises de facto operational control of a C-UAS mitigation system during an operation, including an arrangement described as a turnkey, managed service, or operator-provided C-UAS service, constitutes an unauthorized delegation of authority and is grounds for suspension of accreditation or certification,” according to the rule.

Partnership options. The interim rule also lays out mutual-aid procedures, which are designed to allow larger SLTT agencies to provide C-UAS mitigation for smaller agencies that may not have the staff or budget to support their own operation—which can often cost around $500,000, said Michael Torphy, FBI assistant section chief, Unmanned Aviation Branch, in a webinar hosted by the InfraGard National UAS/C-UAS Cross Sector Council on 9 July.

Instead, Torphy said that the bureau envisions that most SLTT agencies will opt to conduct just C-UAS detection because it is more affordable and officers can complete the required training for the Detection and Warning Certification remotely. The current course is available to law enforcement agencies through an FBI portal. It includes 12 modules with a 20-question assessment at the end that officers must score at least 80 percent on. The entire course takes about 90 minutes to complete.

Larger SLTT agencies, however, will likely create C-UAS mitigation programs and send officers to the FBI’s training center to complete their Mitigation Certification—which has no expiration date at this time. So far, officers from 43 different agencies have completed the certification course. Torphy said he anticipates the bureau will train about 150 people each year with courses available each month.

Torphy also clarified that the interim rule does not make it illegal for organizations that are conducting drone detection using camera, radar, acoustic sensors, remote ID, and other non-intercept RF detection methods to continue doing so. For instance, many stadiums where professional sports are played and critical infrastructure operators are already using these types of systems for UAS incursion detection.

Word on the street. As of press time, only one public comment was uploaded to the interim final rule docket. Roborounds, an advanced projectile materials laboratory focused on C-UAS, wrote that the defense community should keep analog and mechanical solutions at the forefront of C-UAS efforts.

“Jamming, disruption, and tracking are what forced the drone war in Ukraine to adopt the fiber-optic line, and it worked,” the comment said.

U.S. Supreme Court Drops the Mic

The U.S. Supreme Court wrapped up its term on 30 June 2026, releasing a significant number of opinions at the end of the month. Here’s a quick rundown of the decisions relevant to security professionals.

Personal liability protected. The Court ruled that Damon Landor cannot sue Louisiana prison staff for monetary damages for shaving his head during his intake process, removing Landor’s 20-year-old dreadlocks that he maintained as part of his Rastafarian faith. Justice Neil Gorsuch wrote for the majority that U.S. law did not permit Landor to sue the individual guards who violated his constitutional rights when they handcuffed him and shaved his head because Congress can only spend money for general welfare under the Constitution’s “Spending Clause”—it cannot regulate conduct.

“Individuals may not be held liable in their personal capacities under a Spending Clause statute unless those individuals have voluntarily and knowingly consented to answer lawsuits under the statute,” Gorsuch explained.

Limited liability upheld. The Court significantly limited the ability of foreigners to bring lawsuits in U.S. courts that allege violations of international law. Justice Amy Coney Barret wrote for the majority in Cisco Systems v. Doe that the Alien Tort Statute only allows lawsuits based on the small number of claims that the U.S. Congress had in mind when it passed the law in 1789. The Court also determined that the Torture Victim Protection Act does not let people file lawsuits for aiding and abetting torture.  

The ruling stems from a lawsuit originally filed by practitioners of the Falun Gong religion, who claimed that Cisco and two of its top executives aided and abetted human rights abuses by helping the Chinese government create its massive online surveillance system, known as the “Golden Shield.” Cisco has consistently denied the allegations.

Firearms restrictions revoked. The Court struck down a Hawaii law that prohibited firearm owners from bringing their guns onto private property open to the public unless they had permission of the property owner. Justice Samuel Alito wrote for the majority that Hawaii’s law requiring express consent departed from standard common-law rule on access to private property held open to the public.

“Under (common-law) rule, everyone, including those lawfully carrying firearms, may enter unless expressly prohibited from doing so,” he explained. “By contrast, under the new Hawaii law, no one carrying a firearm may enter without the property owner’s express authorization.”

Other News to Note…

Anthropic is out of the hot seat. The U.S. Department of Commerce lifted restrictions on Anthropic’s artificial intelligence (AI) models, reversing a 12 June order that required the company to restrict access to its Claude Fable 5 and Claude Mythos 5 models to foreign nationals.

The department issued the restriction after it learned that Amazon researchers had bypassed Fable 5’s safeguards so it could be used to identify software vulnerabilities. After it received the order, which was effective immediately, Anthropic suspended access to both of its models for all users. It then worked with the Commerce Department to address its concerns, as well as introduced new safeguards to prevent future jailbreaks of its models.

A new approach for an organized foe. The European Commission proposed new measures to strengthen the EU’s response to evolving organized criminal activity. The new measures include equipping Europol to better support member states through:

  • Faster and more automated information sharing by creating a secure, scalable, and sovereign cloud infrastructure and police shared data space so investigators can work jointly—virtually—on common cases

  • Europol Support Offices in member states that are staffed by police officers with previous Europol experience who can facilitate access to Europol’s investigatory systems

  • A technology and innovation hub to provide an EU-wide picture of capability needs for law enforcement so member states invest in critical technologies to support investigations

  • Greater cooperation with EU agencies and bodies, including Eurojust and the European public prosecutor’s office


“Criminals are highly adept at exploiting the opportunities of the digital realm, operating effectively across borders without limitations,” said Henna Virkkunen, executive vice president for tech sovereignty, security, and democracy, in a press release. “With today’s proposals, we are strengthening both Europol and Eurojust so that Europe can respond faster, including in the fight against online criminal activities, share information more effectively, and bring criminals to justice more efficiently.”

Minneapolis assassination suspect admits guilt. Vance Boelter, 58, pled guilty in federal court to killing a Minnesota lawmaker and her husband to avoid prosecutors seeking the death penalty. Instead, Boelter will serve two consecutive life sentences—plus 40 years—for plotting to target elected officials, stalking them, and disguising himself as a police officer to carry out the assassination of Minnesota House Speaker Melissa Hortman and her husband, Mark Hortman, at their home in Minneapolis in June 2025. Boelter also shot and critically injured Minnesota State Senator John Hoffman and his wife, Yvette Hoffman, during that same attack spree.

Boelter still faces Minnesota state charges for the incident. He is scheduled to appear in Hennepin County Court on 3 August, but no trial date has yet been set.

Kenya Ebola ward suspended. Kenya Health Minister Aden Duale suspended construction on 23 June of an Ebola quarantine center for Americans. Kenya’s high court had already ordered construction on the site to stop to allow a lawsuit challenging the effort to move forward, but work continued, major protests broke out, and three people died because of them.

Duale was held in contempt of court one day before announcing the suspension of the project.

The project is part of an effort to respond to the ongoing Ebola outbreak in the Democratic Republic of the Congo (DRC). As of 4 July, the World Health Organization had tracked 1,561 confirmed Ebola cases, 506 confirmed Ebola deaths, and 354 suspected Ebola cases.

Speed Reads

Below is a quick recap of recent court cases, legislation, and regulations that affect the security industry and employers.

Court Cases

Arson. A U.S. district judge declared a mistrial after jurors failed to reach a unanimous verdict on the charges against Jonathan Rinderknecht, who prosecutors claim started the California Palisades Fire in January 2025. The U.S. government is retrying the case, and a new trial date is set to begin 19 October.

Corruption. A South Korean district court sentenced former First Lady Kim Keon Hee to seven years in prison for accepting luxury gifts from people seeking business and political favors.

Cybercrime. Thalha Jubair, 20, and Owen Flowers, 18, pled guilty to violating the UK’s Computer Misuse Act by carrying out several cyberattacks as part of the Scattered Spider community. One of their attacks targeted Transport for London, causing £39 million ($52 million) in damage.

Detention. A U.S. federal appeals court ruled that people detained by U.S. Immigrations and Customs Enforcement who are awaiting the outcome of their deportation proceedings must be granted a bond hearing within 90 days.

Discrimination. A U.S. district judge ruled that a class action lawsuit against Workday can move forward. The suit alleges that Workday’s AI-powered human resources software screened job applicants in ways that violated federal bans on discrimination against workers with disabilities and California law.

Espionage. John R. Bolton, a former national security advisor to U.S. President Donald Trump, pled guilty to violating the Espionage Act because he used his personal accounts to send classified information to family members unauthorized to access it.

Fraud. A U.S. federal jury convicted former U.S. Army civilian contractor Joseph Lavar Davis, 47, of conspiracy to commit theft of government property and substantive count of theft of government property for stealing more than 200 pallets of Meals-Ready-to-Eat (MREs) from Fort Bliss, a U.S. Army post in New Mexico and Texas.

Ransomware. Finnish authorities arrested and extradited Peter Stokes, 19, to the United States to face charges of conspiracy, computer intrusion, and fraud, for his alleged role in ransomware attacks as part of the Scattered Spider community.

Terrorism. A Thai court sentenced Bilal Mohammed and Yusufu Mieraili to death for their roles in a terrorist attack on a Bangkok shrine in 2015 that killed 20 people and injured more than 120 others. The UN has criticized the men’s convictions, claiming they were not granted a fair trial.

Legislation

Audits. Illinois Governor JB Pritzker signed legislation into law that requires frontier artificial intelligence (AI) developers with more than $500 million in revenue to create, publish, and regularly update an AI framework that includes assessments on catastrophic risks and cybersecurity. The law also subjects these developers to annual third-party audits of their safety plans.

Information. South Korea is now enforcing an amended version of the Information and Communications Network Act, which allows courts to award damages against news outlets and social media influencers for spreading false information.

Regulations

Communications. The U.S. Federal Communications Commission (FCC) adopted new rules that exempt submarine cable applications from a national security risk review licensing process when they can certify to a high security standard that the cables are structured to increase certainty, predictability, and faster timelines for the licensing process.

Energy. Russia banned diesel fuel exports through 31 July to shore up its domestic market after Ukrainian drone attacks on Russian oil refineries initiated gas shortages. The strikes are among the latest developments in the war, which began when Russia invaded Ukraine in February 2022.  

Fraud. The U.S. Commodity Futures Trading Commission released draft regulations on the types of bets on prediction markets that would not be in the public interest and can be blocked from trading, including activities that involve assassination, gaming, terrorism, war, or conduct that is illegal under federal law. The regulations are open for public comment until 27 July 2026.

Money laundering. The Board of Governors of the Federal Reserve System published a proposed rule that would require supervised banks to establish and maintain effective anti-money laundering and countering the financing of terrorism programs, also known as AML/CFT programs, reasonably designed to identify, assess, and mitigate risks of illicit finance. The proposal is open for public comment until 8 September 2026.

Thanks for reading! We’ll be back with more legal analysis in August!

What security-related regulatory developments are you following? Please email your thoughts to [email protected].

Megan Gates is the senior editor at Security Management. Connect with her via email or on LinkedIn.

arrow_upward