The Federal Aviation Administration has given the public an extra month to weigh in on one of the most consequential drone rulemakings in years, after the agency's proposed Section 2209 rule drew nearly 900,000 public comments by its original deadline. In a notice published in the Federal Register on June 30, 2026, the FAA pushed the comment period back from July 6 to August 5, 2026 — a full 30-day extension that reflects both the scale of public interest and the complexity of what the rule would actually do.

At its core, the proposed rule would give owners and operators of critical infrastructure — chemical plants, dams, hospitals, defense installations, and other fixed sites spanning 16 designated categories — a formal mechanism to petition the FAA for Unmanned Aircraft Flight Restrictions, or UAFRs, over their facilities. It is the long-awaited implementation of Section 2209 of the FAA Extension, Safety, and Security Act of 2016, which directed the agency to build a process for restricting drone flights near sensitive fixed sites. The underlying notice of proposed rulemaking was issued May 6, 2026, according to legal analysis from Beveridge & Diamond, and it is that NPRM's mechanics that nearly a million commenters have now weighed in on.

What the Rule Would Actually Require

According to reporting from DroneXL published July 3, 2026, the rule as proposed would impose specific obligations on drone operators transiting a Standard UAFR — the type of restriction most facility petitions are expected to seek. Those obligations include broadcasting Remote ID while inside the restricted airspace and, in some cases, providing advance notice to the facility of the flight — though, notably, that notification does not amount to an approval requirement; facilities cannot deny an operator's transit. The requirements would apply across the operational spectrum the FAA regulates: Part 91 general operations, Part 107 small commercial drone flights, Part 108 covering beyond-visual-line-of-sight operations, Part 135 air carrier operations, and Part 137 agricultural aircraft operations.

Critically, the rule is a petition-based system rather than a blanket restriction. A facility owner — say, a utility operating a dam or a hospital system — would have to apply to the FAA to have its site designated, presumably making a case for the security or safety risk that unrestricted drone overflight poses. That application-driven structure is part of what has drawn such intense comment volume: it puts the burden of justification, and potentially of disclosure, on the facility itself.

Why Nearly a Million Comments?

The volume of public input — reported by DroneLife on July 1, 2026 as "nearly 900,000 comments" submitted before the original deadline — is enormous for an FAA rulemaking of this type, and it points to a rule that touches far more stakeholders than a typical airspace notice. Drone operators, infrastructure owners, security vendors, civil-liberties advocates, and hobbyists all appear to have skin in the game.

An FAA spokesperson told DroneLife the extension gives "commenters additional time to analyze the proposed rule and prepare their response," a fairly standard explanation for extending a comment window swamped by volume and complexity rather than simple opposition.

But the substance of the disagreement, as captured in expert commentary gathered by DroneLife, cuts in two directions. Jennifer Daskal, a Venable attorney and former Department of Homeland Security official, called the rule "a pretty consequential rule that has real potential to change the security environment in a quite positive way for critical infrastructure owners and operators" — a capability many have wanted for years as counter-UAS incidents near critical facilities have proliferated. At the same time, Daskal flagged a specific worry: the rule's mechanism for facilities to document and disclose their security vulnerabilities as part of a UAFR petition could become, in her words, "a honeypot — a treasure trove of information" — a centralized repository of exactly the kind of sensitive site-vulnerability data that adversaries would want to access, whether through a records request, a data breach, or simple aggregation of many petitions across the country.

That tension — between giving infrastructure operators a real restriction mechanism and creating a new, potentially exploitable dataset about their weaknesses — appears to be one of the central fault lines in the public comment record, alongside more conventional debate over operational burdens (Remote ID broadcast and facility-notification requirements) that the rule would place on ordinary drone operators simply trying to fly through restricted zones legally.

Melissa Swisher, chief revenue officer at counter-drone vendor SkySafe, framed the rulemaking differently, calling it "an important inflection point" because "it recognizes that the critical infrastructure security doesn't stop at that fence line anymore" — a nod to the reality that a facility's perimeter fence does nothing to stop a drone incursion from altitude.

What Happens Next

With the comment window now open through August 5, 2026, the practical next steps are straightforward but consequential. Anyone with a stake in the outcome — infrastructure owners hoping to use the new petition process, drone operators who would need to comply with transit rules near designated sites, security vendors, or civil-liberties groups concerned about data handling — has roughly another month to file comments in the Federal Register docket. After the window closes, the FAA will need to review the comment record — a record that, at nearly a million submissions before the extension even took effect, is almost certain to grow substantially larger — before moving toward a final rule.

Given the volume already logged, that review process alone could take considerable time, and the final rule's provisions on both the petition mechanics and the disclosure/documentation requirements that worry critics like Daskal remain very much open questions.

Why It Matters

Section 2209 has been on the FAA's to-do list since 2016, and its eventual implementation will determine how thousands of critical facilities — power plants, hospitals, dams, military installations — can legally exclude drones from their airspace, and what compliance will look like for the commercial, recreational, and BVLOS operators who need to fly nearby or through those zones under Parts 91, 107, 108, 135, and 137. The near-million-comment response shows this is not a niche airspace tweak: it sits at the intersection of critical-infrastructure security, drone-industry operations, and data-privacy risk. How the FAA balances a facility's need to justify a flight restriction against the risk of stockpiling sensitive vulnerability data in a single federal system will shape both the physical security of American infrastructure and the practical rules of the sky for every operator flying near it.

Sources