On May 6, 2026, the Federal Aviation Administration published one of the most consequential drone-related rulemakings of the past decade. The proposed rule — Restrict the Operation of Unmanned Aircraft in Close Proximity to a Fixed Site Facility — would create a new airspace designation called the Unmanned Aircraft Flight Restriction (UAFR), giving owners and operators of critical infrastructure facilities a formal regulatory pathway to restrict drone operations over their sites.
If you are responsible for security at a chemical plant, power generating facility, oil refinery, hospital trauma center, dam, state prison, defense contractor site, financial services data center, or any of the dozens of other facility types covered by the rule, this is essential reading. The proposal will reshape how airspace protection is requested, granted, and enforced — and it sets a clear baseline for what the FAA expects facilities to have in place before they ask for that protection.
Below: what the rule does, who qualifies, what the FAA expects of you, what it does not do, and how to make your voice heard before the comment period closes on July 6, 2026.
A UAFR is, in plain language, a legal airspace designation that prohibits unauthorized drone operations within defined horizontal and vertical limits over a specific facility. Think of it as a “virtual no-trespassing sign” for the airspace above your site — one that the FAA enforces and that compliant drone operators are legally obligated to avoid.
The proposed rule actually creates two distinct types of restriction:
Both types share core characteristics: a horizontal boundary that cannot extend beyond the applicant’s property line; a vertical ceiling generally capped at 400 feet above ground level (with limited exceptions for facilities with structures over 300 feet); and either continuous (year-round, 24/7) or part-time (up to 290 consecutive days per year, also 24/7) activation.
Both have a five-year term, after which the operator must apply for renewal.
The proposed rule limits eligibility to fixed site facilities — permanent structures, buildings, or assets with defined geographic boundaries — that fall within one of the 16 critical infrastructure sectors identified in National Security Memorandum 22.
The FAA has worked with each Sector Risk Management Agency to develop sector-specific eligibility criteria. The criteria vary considerably by sector, but at a high level, the rule covers:
Two sectors — food and agriculture and water and wastewater systems — do not yet have eligibility criteria in the proposed rule. The FAA is explicitly seeking public comment on what those criteria should look like.
This is the section that will shape day-to-day reality for facility operators. Under proposed § 74.56, any facility seeking a UAFR must demonstrate that it has all of the following protective security measures already in place:
Access to the facility, certain areas of the facility, or its key components must be restricted. The FAA expects facilities seeking airspace protection to have already addressed ground-based security — a UAFR is intended to supplement existing protections, not substitute for them.
The facility must have personnel whose role includes responsibility for security operations.
The facility must have security monitoring in place — cameras, patrols, or equivalent measures to maintain awareness of activity at and around the site.
This is the most consequential of the four for anyone evaluating their drone detection posture today. The facility must have “the capability, either directly or through a contracted service, to receive broadcast Remote Identification messages from unmanned aircraft operating within or in close proximity to the requested unmanned aircraft flight restriction.”
In other words, Remote ID receiving capability is not optional, and it is not aspirational. It is a baseline expectation — the FAA’s minimum standard for what a facility must already have in place before it asks for airspace protection. The capability must be compatible with 14 CFR part 89, the existing Remote ID rule.
Two practical implications of this requirement deserve attention. First, the FAA explicitly allows facilities to meet this requirement either directly (by deploying their own equipment) or through a contracted service (by subscribing to a third party that provides the capability). This recognizes that not every facility has the in-house technical capacity to install and maintain RF receiving equipment, and creates a clear pathway for working with specialized providers.
Second, the FAA is explicitly seeking comment on whether more advanced standards should apply — including whether more stringent Remote ID broadcast requirements should be imposed on drones operating within a UAFR, and whether additional standards should apply to RID sensing technology itself. This is a strong signal that today’s baseline is exactly that — a baseline — and that more sophisticated requirements may follow.
This is critical, and it is the part of the rule most likely to be misunderstood. A UAFR establishes a legal airspace designation. It does not authorize the use of detection or mitigation technology that would otherwise be prohibited under federal law.
In the FAA’s own language: “The proposed rule and established UAFR do not provide relief from federal criminal laws to authorize the facility operator or proprietor to use equipment or technology designed to detect, take control of, destroy, or otherwise interfere with an unmanned aircraft.”
If your facility currently has independent legal authority to operate detection or mitigation equipment under existing federal law — for example, under 6 U.S.C. 124n, 10 U.S.C. 130i, or comparable authorities for federal agencies — the UAFR does not change that authority. If you do not have such authority, the UAFR does not grant it.
What the UAFR does provide is a clear legal designation: a “virtual no-trespassing sign” that compliant drone operators are obligated to avoid, and that gives FAA, the Department of Justice, and law enforcement a clearer basis for distinguishing lawful operations from unlawful ones in the airspace around your facility.
Even within an active UAFR, certain trusted operator categories will still be permitted to transit the airspace. The FAA’s rationale is that some commercial and governmental drone operations have already met rigorous safety and security standards — including security threat assessments by the Transportation Security Administration — and should not be wholly excluded from the airspace.
Allowed operations within a Standard UAFR include drones operated under Parts 91, 107, the proposed Part 108 (the FAA’s forthcoming framework for routine beyond visual line of sight operations), Part 135 (commercial package delivery), and Part 137 (agricultural operations) — each subject to specific certificate requirements.
All allowed operators must broadcast Remote ID, must transit the UAFR in the shortest time practicable, and must notify the facility site manager of the operation in advance — providing identifying details including airman certificate number, Remote ID serial number, and the time and area of the planned operation.
Special UAFRs apply more restrictive access controls: no operations are permitted without permission from the using agency, and non-using-agency operators also need approval from the FAA Administrator.
The proposed application process has four stages.
First, the applicant must demonstrate the facility meets the basic eligibility criteria — that it is a fixed site facility, that it is critical infrastructure under the statutory definition, that it falls within one of the sector-specific criteria in subpart C, that it has the four protective security measures in § 74.56, and that it has critical assets vulnerable to drone threats.
Second, the applicant must demonstrate need. This means describing existing drone activity in close proximity to the facility (over the previous 24 months, where data is available), the specific vulnerabilities the facility has to drones, the consequences if those vulnerabilities were exploited, and how a UAFR would integrate into the facility’s broader security plan.
Third, the applicant must address externalities — how the proposed restriction would affect adjacent landowners and other airspace users, and what the applicant has done or will do to minimize those effects.
Fourth, the applicant must provide environmental information sufficient for the FAA to comply with the National Environmental Policy Act, including identification of any sensitive land uses or protected resources within or adjacent to the proposed UAFR boundary.
If the FAA conditionally approves the application, it publishes a notice of proposed rulemaking in the Federal Register and accepts public comments for at least 30 days. After reviewing comments, the FAA makes a final determination within 90 days of the original application submission. Approved UAFRs are published in the Federal Register and posted on a publicly accessible FAA website.
Denied applicants have 30 days to either correct deficiencies or petition for reconsideration. The FAA estimates the application cost to applicants at between $5,000 and $10,000 per UAFR, with security monitoring infrastructure costs of approximately $2,800 one-time and $1,000 annually for an example Remote ID receiving system.
If your facility is potentially eligible for a UAFR, there are four things worth doing in the near term — regardless of whether you ultimately apply.
Subpart C of the proposed rule contains the sector-specific eligibility criteria. Read your sector carefully. The thresholds (megawatt capacity for power generation, barrels-per-day for refineries, inmate population for correctional facilities, attendance figures for commercial facilities, and so on) are specific and quantitative, and they determine whether your facility is even in scope.
The four § 74.56 protective security requirements are already what most well-run critical infrastructure facilities have in place — with the notable exception of Remote ID receiving capability. Audit what you have today against the four requirements. The gap, for most facilities, will be the RID capability.
If you do not have Remote ID receiving capability today, you have two pathways to compliance: deploy it directly, or contract for it as a service. Both are explicitly recognized in the rule. Deploying it directly involves installing RF antennas and receiving infrastructure compatible with 14 CFR part 89; contracting for it means working with a provider that delivers the capability as a managed service. Either pathway is acceptable.
It is worth considering Remote ID receiving capability not just as a checkbox for a future UAFR application, but as a foundational element of your facility’s airspace situational awareness. The FAA is explicitly signaling that this capability is a baseline expectation. It is unlikely to become less important over time.
The comment period is open through July 6, 2026. The FAA is asking specific questions throughout the rule — on whether expanded lateral boundaries should ever be permitted, on whether additional Remote ID standards should apply within UAFRs, on what additional facility types should be eligible, on whether the application process should run through the Federal Register or a website-first approach, and many others.
If your facility, your sector, or your operational reality is not adequately represented in the proposed rule, this is the moment to say so. Comments can be filed at regulations.gov under docket FAA–2026–4558.
Stepping back from the operational details: the FAA’s proposal is the clearest signal yet that airspace protection for critical infrastructure is moving from a discretionary security investment to a regulated capability. The four § 74.56 requirements — restricted access, security personnel, security monitoring, and Remote ID receiving capability — are now codified as the federal baseline.
That has implications well beyond the UAFR application process itself. It establishes a reference standard that procurement teams, insurers, regulators, and industry peers will increasingly look to. It accelerates the maturation of the counter-UAS market from a patchwork of one-off deployments to a recognized layer of critical infrastructure security. And it makes the case, decisively, that Remote ID is not a niche capability — it is foundational.
AirGuard’s Basic tier was built around exactly this capability: Remote ID detection and real-time alerting compatible with 14 CFR part 89, designed to give facility operators the airspace awareness the FAA now expects them to have. For facilities considering a UAFR application, or for security leaders who simply want to align with where federal expectations are headed, that is the place to start.
If your facility is potentially eligible for a UAFR and you are evaluating what compliance with the § 74.56 protective security requirements looks like in practice — or if you simply want to understand how a multi-layered drone detection capability fits into your existing security stack — our team is ready to help.
Schedule a demo: www.airsight.com/contact-us/book-a-demo
Editor’s note: This post summarizes a complex federal rulemaking and is intended for informational purposes. It is not legal advice. Facility operators evaluating a UAFR application should consult qualified counsel and review the full text of the proposed rule.