Client Alert - FAA Proposes Rulemaking to Allow UAS Flight Restrictions Over Certain Critical Infrastructure

On May 6, 2026, the FAA published the long-awaited Notice of Proposed Rulemaking (NPRM), Designation – Restrict the Operation of Unmanned Aircraft in Close Proximity to a Fixed Site Facility, commonly referred to as the “2209” rulemaking. As mandated by Section 2209 of the FAA Extension, Safety and Security Act of 2016, the proposed rule would establish a process to allow certain facility owners and proprietors to request and maintain an unmanned aircraft flight restriction (UAFR) to protect public safety and critical infrastructure. While the FAA proposes to limit UAFR eligibility to certain fixed site facilities across sixteen critical infrastructure sectors, the proposed rule would significantly expand the tools available to non-federal entities to address safety and security risks from unmanned aircraft systems (UAS).

Under federal law, state and local governments are generally preempted from regulating UAS operations, including prohibitions on operations over critical infrastructure. While state and local law enforcement may request that the FAA establish a temporary flight restriction over eligible public gatherings, the proposed 2209 rule would provide critical infrastructure owners and proprietors with a mechanism to request ongoing UAS flight restrictions over their facilities. Owners, proprietors, and state and local agencies interested in protecting such facilities in their jurisdictions should review the facilities eligible for UAFRs, as well as the FAA’s proposed sector-specific application criteria. Comments on the proposed rule are due July 6, 2026.

Eligible Facilities

Section 2209 tasked the FAA with establishing criteria and processes for restricting UAS operations over certain critical infrastructure. Through Executive Order 14305, Restoring American Airspace Sovereignty (June 6, 2025), the President directed that the forthcoming 2209 rule should define “critical infrastructure” coextensively with 42 U.S.C. § 5195c(e) and the designated critical infrastructure sectors identified in National Security Memorandum 22 of April 30, 2024 (NSM–22), which includes the chemical, commercial, communications, manufacturing, dams, defense, emergency services, energy, financial services, food and agriculture, government, healthcare, information technology, nuclear, transportation, water, and wastewater sectors.

The FAA evaluated facility types within these sectors, in coordination with other agencies, to determine which types of facilities may warrant a UAFR. The FAA then developed sector-specific eligibility criteria which materially limit the types of facilities that may apply for a UAFR. For example, within the transportation sector, airport owners and proprietors are not eligible to apply, relying instead on existing processes to manage UAS operations near airports, but owners and proprietors of rail facilities may request a UAFR to the extent of their “rail secure areas,” as defined by 49 C.F.R. § 1500.3. In the commercial sector, the FAA’s criteria excludes stadiums or venues where events may be covered by other temporary flight restrictions, such as sporting events, marathons, and parades. The FAA specifically requests comment on its decision to limit UAFRs to the fixed site facilities within the sixteen NSM-22 sectors, whether there are facilities within other sectors the agency should consider, and what application criteria should apply.

Restriction Application and Designation

To apply for a UAFR, the FAA proposes to require owners and proprietors to demonstrate that that their facility meets the sector-specific criteria and that there is a safety or security need for the UAFR. Applicants would need to describe the potential UAS activity over the facility, the nature and vulnerability of the facility’s assets, and potential consequences or effects if the UAS exploited a vulnerability. Entities must also explain how the UAFR would be integrated into the facility’s security plans to supplement existing security measures. UAFRs would be published in the Federal Register for notice and comment before the FAA makes a final determination.

If granted, the “Standard UAFR” would have clearly defined horizontal and vertical limits within which UAS operations would be restricted, unless the operation falls within certain exceptions, including broadcasting the identity of the operator through Remote ID (14 C.F.R. Part 89) and providing notification to the fixed site facility. The rule also proposes “Special UAFRs” that would significantly restrict UAS operations around sensitive federal sites and other eligible facilities where security or operational integrity could be compromised by routine UAS activity.

Bigger Picture: How the Proposal Fits Into the Evolving UAS Regulatory Framework

The FAA is simultaneously working to significantly expand UAS operations through the Beyond Visual Line of Sight (BVLOS) rulemaking, which would establish a regulatory pathway for both recreational and commercial use of large UAS (up to 1,320 lbs.) to operate beyond the operator’s visual line of sight. As recognized by the FAA, compliant UAS operators would be expected to avoid any airspace subject to an established UAFR. However, UAFRs may also provide a benefit with respect to noncompliant UAS operations, in that they may prove important to future evaluations of whether counter-UAS (C-UAS) support is required to protect certain critical infrastructure. In December, through the SAFER SKIES Act, Congress paved the way for non-federal law enforcement agencies to deploy C-UAS technologies against UAS posing a credible threat to people, facilities, or operations, including critical infrastructure, subject to federal oversight. The federal implementation of the SAFER SKIES Act is ongoing.

The proposed 2209 NPRM would make significant strides in helping certain critical infrastructure owners and proprietors address the anticipated increase in UAS operations around the United States. However, the rule limits the entities that may apply for UAFRs and may leave certain facilities vulnerable. Critical infrastructure owners and proprietors, state and local governments, and non-federal law enforcement should review the NPRM, alongside the broader UAS regulatory and C-UAS legal framework, to determine if the proposed regulation provides adequate protection for their facilities.

For additional information, please reach out to John Putnam, Subash Iyer, Laura Kilgarriff, Steven Osit, or any other Firm attorney with whom you normally work.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
algoliasearch-client-js	1 year	Necessary in order to optimize the web site's search-bar function . The cookie ensures accurate and fast search results.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-unclassified	1 year	Description is currently not available.
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	1 year	Registers a unique ID that is used to generate statistical data on how the visitor uses the web site.
_ga_#	1 year	Used by Google Analytics to collect data on the number of times a user has visited the web site as well as dates for the first and most recent visit.

Cookie	Duration	Description
ads/ga-audiences	1 year	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behavior across web sites.
guest_id	1 year 1 month	Twitter sets this cookie to identify and track the website visitor. It registers if a user is signed in to the Twitter platform and collects information about ad preferences.

Client Alert – FAA Proposes Rulemaking to Allow UAS Flight Restrictions Over Certain Critical Infrastructure

Steven L. Osit

Subash Iyer

Laura K. Kilgarriff

John E. Putnam