Senators Demand DJI Drone Disclosures from Contractors at Nuclear and Border Sites

Two senators are pressing major construction contractors about DJI drone use at nuclear facilities and border security sites. The letters follow GSA Inspector General findings that contractors used DJI equipment at sensitive locations. But the real question isn’t whether the drones were secure. It’s whether the contractors had legal authorization to use them at all.

• What: Senators Hassan and Peters demand Hensel Phelps, Brasfield & Gorrie, and Bechtel disclose DJI drone ownership, waivers, and security policies
• Who: Three construction giants building nuclear weapons labs, missile bases, and border facilities
• When: Responses due January 15, 2026
• Why it matters: Section 889 is a manufacturer-based ban. Security configuration may not matter legally without a DNI waiver.

The letters released yesterday cite the GSA Inspector General’s March 2025 alert memorandum, which documented DJI drone use at the San Luis, Arizona Land Port of Entry. The GSA OIG concluded this violated Section 889 of the FY2019 NDAA, Executive Order 13981, and GSA acquisition regulations.

What We Know and What We Don’t

The GSA OIG report identifies the drone hardware as a DJI Mavic 3 Enterprise. What we don’t know is how it was configured.

Modern DJI enterprise drones offer multiple security options. Local Data Mode severs internet connections and prevents data transmission to DJI servers. Network Security Modes in the DJI Pilot 2 app let operators choose their connectivity level. Third-party solutions like Paladin Drones add additional security layers. Contractors can also air-gap operations entirely, storing data only on isolated local systems.

The GSA OIG report doesn’t address whether the contractor employed any of these measures. It identifies the hardware manufacturer and concludes that using DJI equipment violated applicable regulations.

Hensel Phelps told Reuters it takes “security of government data seriously and implements robust protection of all drone data to ensure that no data leaves Hensel Phelps’ secure systems.” That suggests some security measures are in place, but doesn’t specify what.

What the Senators Are Asking

The letters request detailed information covering Fiscal Years 2020 through 2025:

• Lists of all drones owned, operated, or leased, including make and model
• All DOD, Intelligence Community, NNSA, and DHS contracts where drones were operated
• All waivers sought for DJI drone use at government facilities
• All policies and procedures related to cybersecurity, including network connectivity and data storage
• Description of any testing or auditing to evaluate and mitigate potential DJI security risks
• Network connectivity or data storage arrangements involving covered foreign countries

The cybersecurity policy and testing questions should reveal what security measures these contractors actually used. If they were running Local Data Mode, using third-party security solutions, or operating air-gapped systems, that will come out in their responses.

The Legal Question: Does Security Configuration Matter?

Here’s where it gets complicated. Section 889 of the FY2019 NDAA is a manufacturer-based prohibition, not a security-configuration standard.

The law prohibits federal contractors from using “covered telecommunications equipment or services” from specified entities. DJI is on the Section 889 blacklist. The prohibition is based on who made the equipment, not how it’s configured.

The only statutory exceptions are narrow: services connecting to third-party facilities (backhaul, roaming, interconnection), or telecommunications equipment that literally cannot route or redirect user data. Running Local Data Mode on a DJI drone doesn’t appear to create a legal exception under Section 889.

Waivers are possible. Agency heads could grant one-time waivers until August 13, 2022, when that authority expired. Since then, only the Director of National Intelligence can grant waivers, which require Congressional notification and FASC consultation.

This creates an important distinction. Even if a contractor implemented robust security measures with Local Data Mode enabled, air-gapped data storage, and third-party validation, they would likely still need a DNI waiver to legally use DJI equipment on federal contracts. Good security practices don’t automatically substitute for legal authorization.

What the GSA Inspector General Found

The GSA OIG alert memorandum from March 2025 documents the situation at the San Luis I Land Port of Entry in Arizona. The construction contractor “frequently used a [DJI] drone to take aerial photographs to document construction progress.”

This is a Security Level III facility housing Customs and Border Protection and Immigration and Customs Enforcement. It processes 3 million vehicles and 2.5 million pedestrians annually. The $394 million expansion project is adding vehicle inspection lanes and secondary processing areas.

The GSA OIG concluded that PBS Region 9 “has not taken appropriate steps to ensure that the construction contractor has complied with applicable security requirements covering the use of drones.”

A separate GSA OIG report from September 2024 found DJI drone use at six Northern Border ports of entry in New York State.

The GSA OIG reports focus on the manufacturer prohibition. They don’t evaluate whether contractors had security measures in place that might mitigate data risks. The finding is based on the equipment’s origin: DJI equipment was used where DJI equipment is prohibited.

The Contractors Under Scrutiny

Bechtel Corporation builds nuclear weapons labs and missile bases. They co-hosted a webinar with DJI in 2017 titled “Getting Started with Drones in Construction.” A July 2025 LinkedIn post celebrating their drone program featured a DJI drone and mentioned 1.5 million images collected over the past decade.

Hensel Phelps contracts for nuclear weapons facilities and Southwest Border ports of entry. A company profile and executive interview from 2020 remains on DJI’s website.

Brasfield & Gorrie works on ports of entry and military bases. DJI featured them in a 2017 case study. They did not immediately comment.

DJI responded that its “products have been reviewed by government agencies and independent third parties in past audits and consistently found to be safe and secure.”

DroneXL’s Take

There’s a disconnect in how this issue is being framed.

The national security conversation focuses on data security: can DJI drones transmit sensitive information to unauthorized parties? That’s a technical question with technical answers. Local Data Mode, air-gapped operations, and third-party security solutions can address those concerns. Multiple independent audits have found no evidence of unauthorized data transmission from properly configured DJI equipment.

But Section 889 isn’t a technical standard. It’s a manufacturer ban. The law doesn’t ask whether your DJI drone is configured securely. It asks whether your drone was made by DJI. If yes, you need a waiver to use it on federal contracts.

The senators’ questions will reveal what security measures these contractors employed. That matters for understanding actual risk. But legally, the question that determines compliance may be simpler: do they have DNI waivers?

For Part 107 operators working federal contracts, this distinction is critical. You can implement every security measure available. You can air-gap your operations completely. You can hire third-party auditors to validate your data handling. None of that appears to substitute for the legal authorization that Section 889 requires.

The contractors’ January 15 responses will clarify the situation. If they have DNI waivers, the story changes significantly. If they have robust security policies but no waivers, they may have done everything right technically while still being non-compliant legally. We’ll be watching for those responses.

Have you worked federal contracts with DJI equipment? Were you asked about waivers or security configurations? Let us know in the comments.