The US has long feared foreign influence on its defense industrial base.
Over the years, there have been several high-profile scandals concerning the injection of foreign-built counterfeit components into critical defense systems. Among the most notable is a 2012 incident where a congressional investigation uncovered widespread use of Chinese-built counterfeit electronics in American F-15, F-16, and C-17 aircraft.
This resulted in enhanced measures to protect the US Defense Industrial Base from the procurement of critical components and sub-components for weapon systems. Over the years, and with the evolution of technology, both the threat and the control measures have matured. Today, the imperative to rapidly field secure, non-Chinese-origin systems on NATO’s Eastern Flank and in the Indo-Pacific has made supply chain integrity an urgent priority for the Department of Defense.
As European defense technology companies look to the US markets for growth, they must design their products, supply chains, and business processes with these US compliance requirements in mind. Here, we focus on compliance for unmanned aerial systems (UAS), assuming that the same standards can be applied to uncrewed systems across the land and maritime domains.
Foundations of Compliance
The foundational document for establishing Department of Defense (DoD) standards for UAS is the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates compliance with NIST SP 800-171. This framework is legally rooted in the National Defense Authorization Act for Fiscal Year 2024 (NDAA). Subtitle B of this Act reflects the principles of the American Drone Security Act.
In recent years, the Secretary of Defense has tasked the Defense Innovation Unit (DIU) with managing the NDAA compliance vetting for Commercial Off-the-Shelf (COTS) UAS. The DIU program for managing these systems is known as the Blue UAS Cleared List. Assessments for inclusion on this list are conducted by six contracted third-party vendors who were selected through competitive solicitations. Starting in January 2026, the Defense Contract Management Agency (DCMA) will take over responsibility for vetting COTS UAS.
DCMA was chosen for its expertise in manufacturing quality assurance and supplier production verification, signaling the DoD’s shift toward continuous supply chain monitoring. While the current US administration has lowered the barrier of entry for foreign firms, this shift indicates a more robust interest in managing supply chain risks. Developing processes for supply chain provenance should be a primary planning factor for European firms.
Although the procedural changes for applications have not been announced, UAS developers can still design for compliance with both the NDAA and DoD Instruction 5000.83, as well as the published NIST standards.
Despite the forthcoming transition, DIU has established a streamlined two-tiered system that we assume will persist. The fastest path to the Blue UAS Cleared List is to achieve Green UAS Certification through recognized third-party assessors. Once cleared, a platform is eligible for procurement. Best-of-breed systems that meet specific capability gaps are further designated as Blue UAS Select, a more competitive tier.
DIU currently assesses compliance along seven categories:
· NDAA Compliance: Focuses on foreign ownership, supply chain, and cybersecurity.
· Protection for Sensitive Data: Focuses on access controls, data, and radio encryption.
· Configuration Management: Focuses on version control and update processes.
· Update Mechanism: Focuses on the security of the software and updates.
· Privacy and Data Handling: Focuses on ensuring private data is not compromised.
· Data Location and Transmission Controls: All sensitive technical data, including Controlled Unclassified Information (CUI) and export-controlled data (ITAR/EAR), must be physically hosted within the United States. European data centers will not suffice; you must provision US-sovereign cloud environments.
Central to NDAA compliance is avoiding covered entities at any point in the development process, ownership, production, or supply chain. A covered foreign entity is an organization included on a list developed by the Federal Acquisition Security Council (FASC) and published in the System for Award Management (SAM).
This list encompasses entities on the Consolidated Screening List (CSL), those subject to extrajudicial direction from a foreign government, those determined to pose a national security risk, or those domiciled in or subject to influence by the People’s Republic of China (PRC) or the Chinese Communist Party (CCP).
When assessing operations for covered entities, it is best to err on the side of caution and rely on judgment as well as formal systems. There are several ways to investigate, including the FASC list and the CSL mentioned above.
The FASC has only published a single entity to the Supply Chain Security Order as of 15 November 2025. The FASC list can be accessed and monitored at SAM.gov with a registered account. Although sparse, the FASC list will expand quickly and should be used in conjunction with the CSL. Do not assume that a firm is free of problems just because it is not found on either list; always apply judgment and your own research to meet the intent of the law.
Compliance in Integrated Business Planning and Development
Achieving CMMC 2.0 Level 2 compliance is not the next step, but a non-negotiable prerequisite. It is required for all companies handling CUI and represents the US government’s baseline trust requirement. This must be factored into all planning. European companies looking to sell or partner must deliberately build business processes and IT infrastructure to monitor and document compliance. We can divide these into two broad categories: Business and Operations, and Digital Development.
Business and Operations is concerned with avoiding issues related to conflicts arising from covered influence or ownership of the company or its supply chain. European firms with deep ties to foreign governments must prepare to address Foreign Ownership, Control, or Influence (FOCI) by establishing a US-based entity and pursuing a Special Security Agreement (SSA) with the DCSA. Well-documented and transparent governance is central to doing business in the US.
Mitigating operational and supply chain risk requires robust IT processes to document a hierarchical, auditable Bill of Materials (BOM) for each platform and software. European manufacturers must impose flow-down requirements on suppliers to ensure complete traceability and verification of Country of Origin (CoO) down to sub-tier components. Beyond the CSL, there are proprietary SaaS services for continuous monitoring of supply chain risk and adding traceability to the master BOM.
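As an added illustration (not code from this article or from any DoD program), the sketch below walks a hierarchical BOM and reports every part whose supplier matches a screening list, whose Country of Origin is undeclared or restricted, or whose declared origin has no supporting evidence. The `Part` fields, part numbers, supplier names, evidence IDs, and the screening-list entry are constructed placeholders, not real CSL or FASC data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Part:
    part_no: str
    supplier: str
    country: Optional[str]    # declared CoO (ISO 3166 alpha-2), None if undeclared
    evidence: Optional[str]   # reference to the CoO declaration, None if missing
    children: list = field(default_factory=list)

def audit_bom(root, screened_suppliers, restricted_countries):
    """Depth-first walk; returns (path, reason) for every traceability gap."""
    screened = {s.casefold() for s in screened_suppliers}
    findings = []

    def walk(part, trail):
        trail = trail + [part.part_no]
        path = " > ".join(trail)   # full path keeps sub-tier findings auditable
        if part.supplier.casefold() in screened:
            findings.append((path, "supplier on screening list"))
        if part.country is None:
            findings.append((path, "country of origin not declared"))
        elif part.country in restricted_countries:
            findings.append((path, "country of origin restricted"))
        elif part.evidence is None:
            findings.append((path, "country of origin lacks evidence"))
        for child in part.children:
            walk(child, trail)

    walk(root, [])
    return findings

# Constructed sample BOM: one platform, two tiers of sub-components.
SAMPLE_BOM = Part("UAS-001", "Example Airframe GmbH", "DE", "COO-0001", [
    Part("FC-100", "Example Avionics GmbH", "DE", "COO-0002", [
        Part("IMU-7", "Constructed Sensors Ltd", None, None),
        Part("MCU-32", "Placeholder Screened Entity Co", "CN", "COO-0003"),
    ]),
    Part("GNSS-5", "Example Nav AB", "SE", None),
])
SCREENED = ["placeholder screened entity co"]   # placeholder, not a real list entry
RESTRICTED = {"CN"}                             # PRC, per the covered-entity definition

def sample_findings():
    return audit_bom(SAMPLE_BOM, SCREENED, RESTRICTED)

if __name__ == "__main__":
    for path, reason in sample_findings():
        print(f"{path}: {reason}")
```

A clean result from a check like this only shows that the BOM data is internally complete; the declarations themselves still have to be verified with suppliers.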
Digital Development includes all aspects related to cybersecurity, data location and transmission, update procedures, data privacy and handling, and configuration management. This focus encompasses the entire Blue UAS Framework (hardware, firmware, GCS software, and data link). Developers should refer to NIST SP 800-171 as the core standard for protecting CUI, along with NIST SP 800-53 Rev 5 for specific controls.
For example, control CA-8 addresses penetration testing, and controls SR-1 through SR-12 address standards and controls for supply chain risk management. Leveraging these NIST standards and templates can form the foundation of a compliance program and guide the engineering process to align with US go-to-market business requirements.
Whether the third-party assessors will be maintained when the Blue List transitions to DCMA has yet to be announced. However, DIU has published a list of compliant components on their website across categories such as flight controllers, companion computer software, and GNSS devices. Developers can assume these frameworks will remain clear.
Firms looking to design for the US market can utilize these pre-vetted components to streamline the validation process and reduce the cost of achieving certification. However, smart integration goes beyond engineering standards. This decision touches every aspect of the strategy and business plan.
Everything from demand forecasting for sub-components to decisions about hiring talent, the location of production facilities, the location of data facilities, and supply chain responsiveness will be driven by early integration choices. Furthermore, developers should anticipate the effects of demand pressures as the drone industry expands, creating greater demand for early-cleared frameworks.
Conclusion
The newfound energy and innovation in Europe hold tremendous potential for competing with and enhancing the US Defense Industrial Base. The combined innovation of both markets can improve the security of the West. However, the price of entry into the US Defense market is rigorous and disciplined compliance. As European firms develop their US go-to-market strategy, they must do so with careful attention to regulatory and programmatic requirements.
The new and recently published defense procurement strategy seeks to streamline the ability to procure the best innovation amongst our allies. Balancing the need for streamlined procurement with robust security protocols is not just good for the government; it is good for business.