New “Be Air Aware” resources tie drones directly into cyber and incident-response planning.

The Cybersecurity and Infrastructure Security Agency (CISA) has released three new guidance documents aimed at helping critical infrastructure owners and operators understand and manage the risks posed by unmanned aircraft systems (UAS). The products, all under CISA’s “Be Air Aware™” banner, are designed to move drone risk out of the abstract and into concrete security and incident-response playbooks.

The guides—“Unmanned Aircraft System Detection Technology Guidance for Critical Infrastructure,” “Suspicious Unmanned Aircraft System Activity Guidance for Critical Infrastructure Owners and Operators” and “Safe Handling Considerations for Downed Unmanned Aircraft Systems”—arrive as incursions near sensitive sites become more common. 

“The new risks and challenges from UAS activity demonstrate that the threat environment is always changing, which means our defenses must improve as well,” said CISA Acting Director Madhu Gottumukkala in announcing the release. “CISA’s Be Air Aware™ resources are designed to empower critical infrastructure owners and operators with the information they need to better safeguard their systems and assets.”

Steve Casapulla, CISA’s Executive Assistant Director for Infrastructure Security, framed the move as part of implementing Executive Order 14305, which calls for stronger domestic airspace security: “By addressing the escalating UAS threats, including the frequent incursions at critical infrastructure facilities, we are taking proactive measures to protect our nation’s vital assets.” 

Three guides, one lifecycle: detect, assess, handle

CISA’s new materials are explicitly aimed at critical infrastructure, not just federal agencies. They are meant to be folded into existing physical security, cybersecurity, and emergency-response plans rather than treated as standalone drone policies. 

1. Detection technology guidance: choosing and integrating C-UAS sensors

The Unmanned Aircraft System Detection Technology Guidance for Critical Infrastructure focuses on what to buy and how to deploy it. It walks owners and operators through:

• Assessing their environment and risk profile: identifying high-value assets, likely threat actors, and the physical and RF environment around a site.
• Selecting appropriate detection technologies—radar, RF, EO/IR, acoustic, or fused systems—based on terrain, RF clutter, and mission needs, rather than vendor claims alone.
• Integrating detection into existing operations, with an emphasis on feeding alerts into security operations centers, video management systems, and incident-response workflows instead of standing up a disconnected “drone console.”

Importantly for UAS and C-UAS vendors, CISA also flags cyber and supply-chain risk associated with detection systems themselves, especially cloud-managed platforms and those with opaque hardware/software bills of materials. That reinforces a trend already visible in federal procurement: C-UAS sensors are being treated as high-value IT/OT assets, not just perimeter gadgets.

2. Suspicious activity guidance: turning detections into decisions

The Suspicious Unmanned Aircraft System Activity Guidance for Critical Infrastructure Owners and Operators picks up where detection leaves off: what to do when you actually see a drone.

At a high level, it encourages facilities to:

• Normalize routine airspace use—mapping out expected UAS operations around a site (survey work, deliveries, nearby recreation areas, special events) so that security teams don’t overreact to every quadcopter.
• Define “suspicious” in operational terms, looking at flight patterns, timing, proximity to vulnerable assets, unusual payloads, use of lights, and whether the aircraft is broadcasting Remote ID or showing up on detection feeds.
• Use a tiered response model, distinguishing between clearly benign operations, suspicious-but-inconclusive behavior, and suspected criminal or safety-of-life threats that warrant escalation to law enforcement and aviation authorities.

The guidance is effectively a decision-support layer on top of detection technology. For operators, it reduces the risk of “alarm fatigue” and provides a defensible rationale for when to log, when to monitor, and when to escalate.

3. Safe handling guidance: when a drone is on the ground

The third document, Safe Handling Considerations for Downed Unmanned Aircraft Systems, addresses a scenario that is increasingly common but often under-planned: a drone landing or crashing inside a facility perimeter.

CISA’s default assumption is conservative—unknown downed drones should be treated as potential explosive and cyber threats until proven otherwise. The guide stresses:

• Pre-planning with law enforcement and emergency services, including roles, contact trees, and integration into existing emergency action plans.
• Initial on-scene actions: securing the area, keeping bystanders away, recognizing hazards such as batteries or fuel, and presuming that cameras or sensors may still be recording.
• Documentation and chain-of-custody practices, treating the aircraft and any onboard media as evidence that could be relevant for criminal or intelligence investigations.

For infrastructure operators, it’s a push to move from ad hoc “someone pick it up and put it in a closet” responses to structured, documented handling that protects safety, data, and potential legal proceedings.

Why this matters now: from guidance to funded deployments

CISA explicitly links them to Executive Order 14305, which calls for a more coherent federal approach to domestic UAS threats, and to its broader Critical Infrastructure Security and Resilience Month campaign, which is intended to raise awareness of emerging risks and resilience measures. 

They also land in a policy environment where federal dollars for drone detection and security are starting to move, particularly through the Department of Homeland Security and FEMA. The new FEMA Counter-UAS Grant Program, for example, will provide $500 million over two years to help states and localities build UAS detection and response capabilities around mega-events such as the 2026 FIFA World Cup—funding that can only be used for technologies and practices consistent with federal law and guidance. 

Taken together, that means the Be Air Aware materials are likely to become de facto reference documents for:

• State and local agencies writing investment justifications for C-UAS grants.
• Critical infrastructure operators updating security and emergency plans to account for UAS.
• Vendors trying to show that their detection, workflow, and training offerings align with federal expectations rather than just marketing rhetoric.

For the UAS and C-UAS ecosystem: a clearer playbook

For both the UAS and C-UAS sides of the market, CISA’s new guides do a few important things:

• They define the problem in operational, not abstract, terms: drones are part of the facility’s cyber-physical risk surface, with specific indicators and response actions, not just a headline risk.
• They reinforce that detection is only useful if embedded in disciplined workflows: normalizing airspace, classifying behavior, documenting incidents, and coordinating with law enforcement.
• They elevate downed-UAS handling from an afterthought to a defined element of incident response, with clear implications for safety, digital forensics, and liability.

CISA is urging critical infrastructure owners and operators to “Be Air Aware” by integrating these considerations into existing security and emergency-response plans, not spinning up separate UAS silos.

For operators, that means pulling CISOs, physical security directors, and emergency managers into the same conversation about drones. For vendors, it means being ready to map products and services directly against the functions these guides describe—detect, assess, and safely handle—in a way that fits within current law and the rapidly maturing federal guidance landscape.