(1) On or before January 1, 2026, the division, in consultation with the Department of Administrative Services, the Committee on Pacific Conflict, the Nebraska State Patrol, and the Law Enforcement Drone Association or any other organization that creates and implements best practices and standards of training for the use of drones in law enforcement, shall create and regularly maintain a document known as the List of Secure Drones Authorized for Purchase that contains names of devices and vendors of drones and unmanned aerial systems that are:

(a) Cleared by the United States Department of Defense through its Blue UAS Program;

(b) Determined to be compliant with the requirements of the National Defense Authorization Act for Fiscal Year 2024, Public Law 118-31;

(c) Determined by the division to be designed, maintained, modified, or operated in such a manner that they are incapable, under normal operating conditions, of transmitting data to unauthorized persons or entities; or

(d) Otherwise determined to present no threat to the security of the State of Nebraska as specified in subsection (2) of this section.

(2) For purposes of the Secure Drone Purchasing Act, drones are considered to present no threat to the security of the State of Nebraska if the following cybersecurity and data protection requirements are met:

(a) All video footage, images, and telemetry data collected, transmitted, or stored by the drone is housed in the United States and managed in accordance with federal and state privacy laws, cybersecurity standards, and guidelines issued by the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation;

(b) The system enforces end-to-end encryption for data-at-rest and data-in-transit using AES-256 encryption and transport layer security protocols to prevent unauthorized access;

(c) The system operates on a secured, segmented network to mitigate cybersecurity risks. Multifactor authentication and role-based access controls are enforced for all drone platform access;

(d) The drone incorporates tamper-proof hardware to prevent unauthorized modifications;

(e) The drone incorporates real-time monitoring systems capable of detecting unauthorized access, cyber threats, or operational anomalies and automated countermeasures; and

(f) State agencies, political subdivisions, and their contractors conduct annual independent security audits and obtain certifications demonstrating compliance with the National Institute of Standards and Technology Cybersecurity Framework 2.0, ISO27001, and SOC 2.

(3) In creating and maintaining the List of Secure Drones Authorized for Purchase, the division may consult with recognized cybersecurity experts from the private and public sectors, the Nebraska State Patrol and other law enforcement agencies, the Nebraska National Guard, the Nebraska Emergency Management Agency, the office of the Chief Information Officer, or other pertinent entities to ensure the integrity and security of all data collected by unmanned aerial systems used in this state.

(4) The List of Secure Drones Authorized for Purchase shall be published on the division's website and updated at least every six months. The division may maintain the confidentiality of any information and documents related to its assessment and decisionmaking process collected or created under the Secure Drone Purchasing Act and withhold such information from public disclosure pursuant to subdivision (5) of section 84-712.05.

(5) Those devices and vendors on the division's List of Secure Drones Authorized for Purchase shall be preferred over others in state and local procurement actions.