The FCC Just Bought the Drone and IT Industries Three More Years to Get This Right
TL;DR
The FCC quietly extended a critical waiver on May 8 that allows already-deployed DJI, Autel, and other Covered List drones and foreign-manufactured routers to continue receiving security patches and firmware updates through at least January 1, 2029. Without it, existing rules would have frozen firmware on lawfully operating devices the moment they landed on the Covered List, creating an unpatched security liability in the field. The waiver doesn’t change Covered List status, doesn’t reopen the door for new DJI or Autel equipment authorizations, and doesn’t affect Blue UAS or federal procurement requirements. What it does is give the drone industry and enterprise IT ecosystem the runway to execute an orderly transition without simultaneously managing a firmware security crisis on deployed hardware. The FCC has also signaled it intends to make this permanent through rulemaking. For commercial operators, network security teams, and IoT practitioners, this one matters.
On May 8, 2026, three days before a high-stakes FCC reply comment deadline, the Commission’s Office of Engineering and Technology quietly published DA 26-454, a two-and-a-half page public notice that, in the understated language of federal rulemaking, extended and expanded a critical waiver affecting every commercial drone operator, UAS manufacturer, and enterprise IT manager in the United States. The document received little fanfare. It deserves considerably more attention.
The waiver in question, originally issued in January 2026 for drones and again in March for covered routers, grants a reprieve from rules that would have otherwise prohibited software and firmware updates on devices appearing on the FCC’s Covered List: a rolling register of communications equipment deemed a national security risk, primarily covering hardware produced in China. At the center of that list sit names every drone professional knows: DJI and Autel.
With DA 26-454, OET has now extended that waiver through at least January 1, 2029, and expanded its scope to include not just routine Class I permissive changes but Class II permissive changes as well, the more substantive firmware modifications that previously required an FCC filing. In plain terms: drones and routers that were already legally operating in the U.S. before they landed on the Covered List can keep receiving security patches, bug fixes, and compatibility updates for the foreseeable future.
What the Rule Said And Why It Created a Crisis
To understand why this waiver matters, you need to understand the rule it’s relieving. In October 2025, the FCC adopted revisions to 47 CFR §§ 2.932(b) and 2.1043(b), effective December 2025. Those rules excluded Covered List equipment from the certification procedures that normally allow manufacturers to push permissive changes, including routine software and firmware updates, without running the full equipment authorization process again.
On its face, that sounds like a reasonable security precaution. The logic is intuitive. The operational reality is considerably messier.
The problem is that the Covered List doesn’t distinguish between new devices seeking authorization and devices already lawfully operating in the field. When DJI and Autel products landed on the list in December 2025, and covered routers followed in March 2026, the rule as written would have frozen their firmware at whatever version existed at the moment of listing. No security patches. No bug fixes. No compatibility updates. For operators who had invested heavily in these platforms, that wasn’t a security measure. It was a ticking clock.
From the Operator Perspective: At Helios Visions, we run a mixed fleet across complex commercial environments: facade inspections on Chicago high-rises, photogrammetry on active construction sites, and chimney inspections at manufacturing plants. The idea that a security rule would leave field-deployed hardware unable to receive the very patches that address known vulnerabilities is not a security win. It’s a security liability dressed up as policy. An unpatched drone running stale firmware in a critical infrastructure environment is far more dangerous than one receiving vetted software updates from its manufacturer.
The Waiver’s Scope And What It Doesn’t Cover
OET’s language in DA 26-454 is careful and worth reading closely. The waiver covers software and firmware updates that “mitigate harm to U.S. consumers,” a phrase broad enough to encompass security patches, vulnerability remediations, and compatibility fixes, but deliberately framed around consumer protection rather than manufacturer convenience. The FCC is not opening a back door for feature additions dressed up as firmware updates. This is a narrow safety valve, not a wholesale exemption.
Equally important is what the waiver does not cover. It only applies to prohibitions on Class I or Class II permissive changes for already-authorized devices. New equipment authorizations for Covered List products remain blocked. And crucially for federal procurement, the Blue UAS framework, IDOT compliance requirements, and DoD contracts, the waiver changes nothing. Covered equipment is still covered equipment.
The waiver is not a rehabilitation of DJI or Autel in the eyes of federal procurement. It is an acknowledgment that existing operators shouldn’t be left holding insecure hardware while the policy framework catches up to commercial reality.
Why This Is Good for the Drone Industry
For commercial UAS operators, DA 26-454 is the difference between an orderly transition and a forced march. The drone industry did not arrive at its current sophistication overnight; it was built on years of investment in platforms, training, workflows, and integrations deeply intertwined with specific hardware ecosystems. A sudden firmware freeze on dominant hardware would not have accelerated the transition to Blue UAS-compliant platforms. It would have destabilized it.
Flight control systems depend on regular updates to address GPS signal processing anomalies, obstacle avoidance calibration, and radio frequency management. These are not luxury features; they are the operational baseline for safe flight. Leaving that software frozen in amber while operators continue flying in urban airspace and near critical infrastructure is not a conservative policy posture. It is a reckless one.
The extension to January 2029 also gives the domestic UAS manufacturing ecosystem (Skydio, Shield AI, Inspired Flight, and others advancing through the Blue UAS framework) the runway they need. The approved platform list remains limited compared to the breadth of missions the commercial sector demands. A precipitous firmware cutoff on incumbents would have created an operational vacuum that domestic manufacturers are not yet positioned to fill.
IT Industry Perspective: From my position chairing the GTIA IoT Advisory Council, I see this waiver through a broader connected-device lens. The UAS ecosystem is not isolated; it is woven into the same enterprise IT fabric as IoT sensors, edge compute nodes, and industrial wireless systems. The principle the FCC is establishing here, that already-authorized devices retain the right to receive security updates even when placed on a restricted list, matters well beyond drones. It is a foundational position for responsible connected-device governance.
Why This Is Equally Good for Enterprise IT and Cybersecurity
The inclusion of covered routers in DA 26-454 is where this story crosses cleanly from the drone industry into mainstream enterprise IT, and it deserves equal attention from network architects, CISOs, and managed service providers.
The March 2026 addition of foreign-manufactured routers to the Covered List created the same firmware freeze problem for a vastly larger installed base. NIST’s definition under Internal Report 8425A encompasses an enormous swath of hardware sitting at the edge of enterprise networks, branch offices, and home-office deployments. Frozen firmware in that environment is not a theoretical risk. It is an active vulnerability surface.
Every cybersecurity practitioner understands that unpatched network infrastructure is among the highest-priority attack vectors in any threat model. Routers are the first hop and the first target. Nation-state actors and ransomware operators have consistently demonstrated that unpatched router firmware is a preferred initial access vector. The irony of a national security rule creating a national security liability by prohibiting security updates is not lost on professionals who manage that threat landscape daily.
By extending the waiver through 2029, OET has allowed the enterprise IT ecosystem to continue executing responsible patch management programs while the policy framework and domestic supply chain alternatives mature. For IT departments operating under compliance mandates that require current firmware on network devices, this waiver is not just operationally convenient. It is a compliance lifeline.
Cybersecurity Lens — GTIA IoT Advisory Council: We talk about Zero Trust architecture constantly in enterprise IT circles, but Zero Trust begins with knowing what software is running on every device in your environment, and having the ability to keep it current. A rule that prevents firmware updates on network infrastructure devices fundamentally undermines that posture. The GTIA community has been watching this intersection of supply chain security policy and operational cybersecurity hygiene with considerable concern. DA 26-454 shows the FCC is listening to that operational reality.
The Rulemaking Signal And What Comes Next
Perhaps the most consequential line in DA 26-454 is the one most likely to be overlooked: OET states it will “as soon as practicable, recommend to the full Commission that it consider codifying this waiver through a rulemaking.” That is not boilerplate. That is a policy direction signal.
It suggests the Commission recognizes what operators, IT professionals, and security researchers have been arguing: there is a meaningful distinction between prohibiting new equipment authorizations for national security reasons and denying security updates to already-deployed devices that will continue operating regardless of policy. The former is a supply chain intervention. The latter is a security own-goal.
If the Commission codifies this waiver, establishing a permanent framework that preserves the right to security updates for already-authorized devices even when placed on the Covered List, it would represent a significant maturation of U.S. communications security policy. It would also create predictability for operators simultaneously navigating Blue UAS procurement transitions, federal contract requirements, and the practical realities of running commercial operations on hardware that won’t disappear from inventories the moment a domestic alternative becomes available.
The Bottom Line
DA 26-454 will not make headlines in the mainstream technology press. It is three pages of regulatory prose released on a Thursday afternoon before a comment deadline. But for the commercial drone sector and the enterprise IT community, it represents something genuinely important: evidence that the FCC is capable of threading the needle between national security imperatives and operational cybersecurity realities.
The waiver does not rehabilitate covered equipment. It does not open a back door for new authorizations. It does not change the trajectory toward a domestic-first, Blue UAS-forward procurement environment. What it does is ensure that the path to that future does not run through a landscape of unpatched, increasingly vulnerable hardware, in the air and on the network.
Three more years is not a solution. But it is enough time to build one if the industry, the regulators, and the domestic manufacturing ecosystem use it well. At Helios Visions and across the GTIA community, that is exactly what we intend to do.
The FCC comment record in ET Dockets 26-22 and 26-23 remains open for reply comments through today, May 11, 2026. If you have a stake in how this framework evolves, be on the record.
Ted Parisot is Co-Founder of Helios Visions, a Chicago-based aerial intelligence firm specializing in AEC aerial operations, facade inspection, and reality capture. He holds an FAA Part 107 Certificate and serves as Chair of the GTIA IoT Advisory Council.
FCC Document: DA 26-454 | ET Docket No. 21-232 | Released May 8, 2026