Does ESC firmware need to be NDAA-compliant?

While NDAA statutes define covered components primarily by hardware manufacturer, defense programs increasingly require auditable firmware as part of supply-chain security reviews. AM32 — an open-source firmware maintained outside of covered entities — is preferred because its entire codebase can be independently reviewed. Closed-source firmware from unverified sources introduces auditability risk.

What documentation do procurement offices need for ESC compliance?

Procurement offices typically require: (1) Certificate of Conformance (CoC) attesting NDAA §848, §817, ASDA FY24, and EO 13981 compliance; (2) Country of Origin letter; (3) Bill of Materials with manufacturer and country-of-origin per component line; (4) traceability statements from sourcing through assembly; (5) test and qualification data.

What is the difference between NDAA §848 and ASDA for ESC procurement?

NDAA §848 (FY2020) applies only to the Department of Defense. The American Security Drone Act (ASDA, FY2024) extended equivalent restrictions to the entire federal government. An ESC procured for a civilian federal agency — DHS, CBP, DOI, DOE — must comply with ASDA. An ESC for a DoD program must comply with both §848/§817 and ASDA.

Is Blue UAS listing required for NDAA compliance?

No. Blue UAS listing is a DoD pre-vetting framework — it simplifies procurement for program offices by providing a pre-cleared list, but it is not a statutory requirement. An ESC can be NDAA-compliant and procurable under a federal contract without Blue UAS listing. Blue UAS listing speeds up the procurement process.

What Makes an ESC NDAA-Compliant? A Procurement Guide

Q: What is an NDAA-compliant ESC?

An NDAA-compliant ESC is an electronic speed controller that is not manufactured or substantially transformed by a covered foreign entity (as defined under NDAA §848 and §817), is accompanied by a Certificate of Conformance, and has documented supply-chain provenance at the component level. The ESC's firmware must also not originate from a covered entity.

Q: Can a Chinese-branded ESC be NDAA-compliant?

No. If an ESC is manufactured or substantially transformed by a Chinese company on DoD's Section 1237 list, it is a covered component regardless of how it is branded, repackaged, or resold. Relabeling a Chinese ESC does not change its compliance status.

// The Short Answer

The one-paragraph answer.

An NDAA-compliant ESC is an electronic speed controller that (1) is not manufactured or substantially transformed by any company on DoD's covered-entity list — primarily Chinese firms linked to the People's Liberation Army or Chinese state apparatus; (2) uses firmware that is either open-source and auditable or verifiably produced outside covered entities; and (3) ships with a CoC, CoO letter, and a BOM that traces every component to a non-covered manufacturer. Compliance is not self-declared — it requires documentation that survives procurement-office audit.

// Covered Components

Why ESCs are explicitly covered.

NDAA §848 (FY2020) includes a statutory list of covered UAS components. Electronic speed controllers appear on that list alongside flight controllers, cameras, radios, ground control stations, and data transmission devices. The legislative intent was to close every power and control pathway in a drone platform against supply-chain compromise.

The threat model is straightforward: an ESC sits between the battery and every motor. A compromised ESC could desync a motor at a critical moment, drain the battery pack in a controlled pattern to reduce operational range, or report falsified telemetry upstream. Because the ESC is the final stage of the propulsion authority chain, it has both the access and the position to cause mission failure.

The list has not been narrowed in subsequent NDAA cycles. Section 817 (FY2023) tightened the definitions and added operational restrictions on existing inventory. The American Security Drone Act (ASDA, FY2024) extended these prohibitions from DoD to the entire federal government. An ESC that was prohibited for DoD programs in 2020 is now prohibited for every federal agency.

// Four Regimes

The four compliance regimes.

A fully compliant ESC for federal drone programs must satisfy all four of these requirements simultaneously. They are layered: each subsequent regime builds on or extends the previous one.

1. NDAA §848 (FY2020) — DoD baseline

Section 848 of the FY2020 NDAA prohibits the Department of Defense from procuring or operating UAS or covered components manufactured by entities owned, controlled by, or connected to the governments of China, Russia, Iran, or North Korea. It established the initial covered-entity list and the definition of covered UAS components. Applies to all DoD procurement and operations.

2. NDAA §817 (FY2023) — DoD tightened

Section 817 of the FY2023 NDAA tightened the §848 definitions, expanded the list of prohibited entities, and added operational restrictions on covered UAS already in DoD inventory. It also clarified that ESCs, flight controllers, and communication modules are covered regardless of final assembly location or rebranding. Any product substantially transformed by a covered entity remains a covered component.

3. American Security Drone Act (FY2024) — whole of government

The ASDA, enacted in the FY2024 NDAA, extended NDAA-equivalent covered-UAS restrictions from DoD to every federal agency. Civilian agencies — DHS, CBP, DOI, DOE, USDA, and others — cannot procure, operate, or use drones or covered components from covered entities. An operational ban on already-owned covered UAS took effect in December 2025. The practical effect: a drone OEM selling to any federal customer must now maintain the same compliance posture previously required only for DoD programs.

4. Executive Order 13981 (2021) — national security supply chain

Executive Order 13981 directs federal agencies to prioritize domestically sourced hardware for national security technology applications, reinforcing the NDAA prohibitions with a broader supply-chain security mandate. For ESC procurement, EO 13981 provides an independent compliance basis that some agency solicitations reference alongside FAR 52.225 clauses.

// Non-Compliance

What makes an ESC non-compliant.

Non-compliance can occur at the hardware, firmware, or documentation level. Any one of the three is sufficient to fail a procurement review.

Hardware: manufactured or transformed by a covered entity

If the bare PCB is fabricated in China, if the SMT assembly is performed in China, or if any major subassembly is produced by a company on DoD's Section 1237 list, the ESC is a covered component. This applies even if final test, packaging, or distribution occurs outside China. "Substantial transformation" is the legal threshold — not country of final assembly or country of shipping.

Firmware: IP from a covered entity or unauditable source

The NDAA's covered-component definition includes "operating software" embedded in components. Firmware developed by or licensed from a covered entity would be implicated. Even where firmware is not from a covered entity, closed-source firmware introduces a supply-chain security risk — a security reviewer cannot confirm there are no backdoors. Open-source firmware (AM32) is auditable; proprietary firmware is not. DoD programs increasingly require auditable firmware.

Documentation: no CoC, no COO, no component-level BOM

An ESC that may be compliant in hardware cannot be verified without documentation. Procurement offices require a Certificate of Conformance (CoC), a Country of Origin (CoO) letter, and a BOM that identifies the manufacturer and country of origin for each component line item. Without these documents, the ESC fails the procurement gate regardless of its actual hardware provenance.

// Supplier Evaluation

What to look for in a compliant supplier.

US design and manufacture: The ESC must be designed and manufactured outside covered entities. For the highest confidence, the PCB layout, component selection, schematic design, firmware development, SMT assembly, conformal coating, and final test should all occur in the United States. Design-in-China, assemble-in-the-US strategies introduce ambiguity about "substantial transformation."
Auditable open-source firmware: AM32 firmware — available on GitHub under an open-source license, maintained by contributors outside covered entities — allows security teams and DoD reviewers to audit the full firmware codebase. Preference for open-source firmware in defense programs is increasingly formalized in program requirements. The QuadDrive 80A ships with AM32; BLHeli is also available.
Component-level BOM with country-of-origin: Every component on the BOM must be sourced from a non-covered-entity manufacturer, and the supplier must document the manufacturer name, part number, and country of origin for each line item. Passive components (capacitors, resistors) sourced from Taiwanese, Japanese, or American manufacturers are acceptable. Components from Chinese manufacturers on the covered list are not.
Ready documentation package: The supplier should be able to deliver the full compliance documentation package at the time of shipment — not weeks later after a request cycle. A CoC, CoO letter, NDAA documentation, traceability statements, and test results should be standard deliverables, not premium options.
Lot-level traceability: Each production lot should be traceable from component sourcing through PCB assembly, conformal coating, test, and shipment. If a component substitution occurs (a second-source part), the customer should be notified and the BOM updated before shipment — not retroactively disclosed after a qualification issue.

// Documentation

The documentation package your procurement office will ask for.

When a federal drone program submits for contracting or a DoD prime flows down compliance requirements to its ESC supplier, these are the documents that will be requested. Having them ready before the question is asked distinguishes a program-ready supplier from an aspirational one.

CoC — Certificate of Conformance: Per unit / per lot, signed
CoO — Country of Origin Letter: For BAA/TAA representations
NDAA Compliance Documentation: Full BOM with mfr + COO per line
Traceability Statements: Sourcing → assembly → shipment
Performance & Test Results: Lot-level electrical, thermal, environmental
Firmware Audit Trail: Version, source, open-source preferred
Change Notification Policy: Customer-notified before substitutions

Lirith provides all of the above as standard deliverables for every production program. See the full documentation package →

// Red Flags

Red flags in supplier evaluation.

—No BOM available. A supplier who cannot provide a component-level BOM with manufacturer and country-of-origin has no documented compliance basis.
—CoC references "NDAA compliant" without specificity. A CoC should cite specific statutes (§848 FY20, §817 FY23, ASDA FY24). Generic self-attestation without statutory reference does not satisfy procurement office requirements.
—Manufacture in China or by a listed entity. Confirmed by BOM review, factory audit, or country-of-origin investigation. Relabeling or repackaging does not change this.
—Closed-source firmware with no audit option. If neither the customer nor a security reviewer can inspect the firmware codebase, it cannot be cleared for programs with supply-chain security requirements.
—Documentation available "upon request" with long lead times. Compliance documentation that takes weeks to produce was not maintained as part of the manufacturing process. It was reconstructed after the fact — a significant quality and traceability risk.
—No component substitution policy. If the supplier does not have a written policy requiring customer notification before any BOM change, substitutions can occur silently — breaking the compliance record without your knowledge.

// FAQ

Frequently asked questions.

What is an NDAA-compliant ESC?

An ESC that is not manufactured by a covered foreign entity, uses auditable firmware, and ships with a CoC, CoO, and component-level BOM documenting non-covered-entity sourcing throughout the supply chain.

Can a Chinese-branded ESC be NDAA-compliant?

No. If manufactured or substantially transformed by a Chinese company on DoD's Section 1237 list, it is a covered component regardless of branding, repackaging, or distribution channel.

Does firmware need to be NDAA-compliant?

NDAA statutes focus primarily on hardware manufacturers. However, defense programs increasingly require auditable firmware. AM32 (open-source, non-covered-entity) is preferred because its full codebase can be independently reviewed.

What's the difference between §848 and ASDA?

§848 applies to DoD only. ASDA (FY2024) extends the same restrictions to the entire federal government. An ESC for any federal program — not just military — must now comply with ASDA.

Is Blue UAS listing required?

No — Blue UAS listing is a pre-vetting framework that speeds procurement, not a statutory requirement. An ESC can be fully NDAA-compliant and procured on a federal contract without Blue UAS listing.

Where can I buy an NDAA-compliant ESC?

Lirith manufactures the QuadDrive 80A — a US-designed, US-manufactured quad ESC compliant with NDAA §848, §817, ASDA FY24, and EO 13981, with full documentation package standard. Contact sales@lirith.com.

// Related Resources