This article describes a scenario in which a product "Trust Registry" could be effective and valuable in helping consumers identify trusted drone products and avoid buying risky ones. A Trust Registry is part of a comprehensive "Radical Transparency" capability that can help rebalance cyber risk so that consumers do not assume all of the risk and liability of a cyber breach. A Software Product "Trust Registry" lists trusted products along with a dynamic "Trust Score" per product/version indicating its current level of trustworthiness. A "Trust Score" for software products is akin to the credit scores calculated by FICO scoring entities, which provide visibility into the "trustworthiness of a person" before a loan or a job offer is made. Consumers can check the "Trust Registry" and the current "Trust Score" for a software product, such as a drone, to verify its trustworthiness before buying. Software is like food: it can go bad overnight, and when it does it should not be used. This happens when a newly reported vulnerability makes a software product untrustworthy and mitigation steps are needed to prevent a cyber incident from occurring.
The Department of Commerce's proposed order is available in the Federal Register. “Securing the unmanned aircraft systems technology supply chain is critical to safeguarding our national security,” said Commerce Secretary Gina Raimondo, who called the rulemaking notice an “essential step in protecting the United States from vulnerabilities posed by foreign entities.”
How does a "Trust Registry" differ from a "Banned Entity List", which is frequently used by the US Government? They are nearly exact opposites in the information they convey. A "Banned Entity List" lists products that are banned, which implies that any product not on the list is "safe to buy". A Trust Registry lists products that parties have declared to be trustworthy for their purposes, which means that any product not listed in the Trust Registry is assumed to be untrusted and possibly harmful. A Trust Registry applies a risk-averse approach to decision making: any product not listed in the "Trust Registry" is considered untrustworthy. Parties that rely on "Banned Entity Lists" could purchase and install a harmful product that should be on the "Banned List" but is not yet present because of timing or resource constraints. A "Trust Registry" is therefore the more risk-averse approach to identifying trusted and untrusted products: if a product is not listed in the "Trust Registry", it is NOT trusted, by default.
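The default-deny semantics of a Trust Registry, contrasted with the default-allow semantics of a Banned Entity List, and the way a newly reported vulnerability lowers a product/version's Trust Score "overnight", can be shown in a few dozen lines. The following is an added illustration written for this article; it is not code from Business Cyber Guardian, SAG-CTR™ or the IETF SCITT work, and the product names, attester name, vulnerability identifiers, scoring formula and the 70-point threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vulnerability:
    """A reported vulnerability against one product/version (constructed sample data)."""
    vuln_id: str          # placeholder identifier, not a real CVE
    severity: float       # 0.0 (informational) .. 10.0 (critical), CVSS-like scale assumed
    mitigated: bool = False


@dataclass
class RegistryEntry:
    """One product/version that some party has declared trustworthy."""
    product: str
    version: str
    attested_by: str      # the party making the trust declaration
    vulns: List[Vulnerability] = field(default_factory=list)

    def trust_score(self) -> int:
        # Assumed scoring rule: start at 100 and subtract severity * 8 for every
        # unmitigated vulnerability; once a fix is applied the penalty disappears.
        penalty = sum(v.severity * 8 for v in self.vulns if not v.mitigated)
        return max(0, int(round(100 - penalty)))


class TrustRegistry:
    """Default-deny: a product/version that is not listed is untrusted."""

    def __init__(self, min_score: int = 70) -> None:
        self.entries: Dict[Tuple[str, str], RegistryEntry] = {}
        self.min_score = min_score

    def register(self, entry: RegistryEntry) -> None:
        self.entries[(entry.product, entry.version)] = entry

    def report_vulnerability(self, product: str, version: str, vuln: Vulnerability) -> None:
        # Reports against unlisted products are ignored: they are already untrusted.
        entry = self.entries.get((product, version))
        if entry is not None:
            entry.vulns.append(vuln)

    def mark_mitigated(self, product: str, version: str, vuln_id: str) -> None:
        for v in self.entries[(product, version)].vulns:
            if v.vuln_id == vuln_id:
                v.mitigated = True

    def decide(self, product: str, version: str) -> Tuple[bool, str]:
        entry = self.entries.get((product, version))
        if entry is None:
            return False, "not listed in trust registry (default deny)"
        score = entry.trust_score()
        if score < self.min_score:
            return False, f"trust score {score} below threshold {self.min_score}"
        return True, f"trust score {score}"


class BannedEntityList:
    """Default-allow: anything not explicitly banned is treated as safe to buy."""

    def __init__(self) -> None:
        self.banned: Set[str] = set()

    def ban(self, product: str) -> None:
        self.banned.add(product)

    def decide(self, product: str) -> Tuple[bool, str]:
        if product in self.banned:
            return False, "on banned entity list"
        return True, "not on banned list (default allow)"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the article's scenario and return every purchase decision."""
    registry = TrustRegistry(min_score=70)
    registry.register(RegistryEntry("AeroScout Drone", "2.1.0", "Example Attester Inc"))
    banned = BannedEntityList()
    banned.ban("KnownBad Drone")

    results = {}
    # A listed product with no known vulnerabilities is trusted.
    results["listed_before"] = registry.decide("AeroScout Drone", "2.1.0")
    # The same product at an unattested version is not trusted: trust is per product/version.
    results["unlisted_version"] = registry.decide("AeroScout Drone", "2.2.0")
    # A brand-new vendor nobody has vetted: registry denies, banned list allows.
    results["unknown_registry"] = registry.decide("NewCo Drone", "1.0")
    results["unknown_banned"] = banned.decide("NewCo Drone")

    # Overnight a critical vulnerability is reported against the listed version.
    registry.report_vulnerability("AeroScout Drone", "2.1.0",
                                  Vulnerability("VULN-PLACEHOLDER-1", severity=9.8))
    results["listed_after_vuln"] = registry.decide("AeroScout Drone", "2.1.0")  # score 22

    # The vendor ships a mitigation and the score recovers.
    registry.mark_mitigated("AeroScout Drone", "2.1.0", "VULN-PLACEHOLDER-1")
    results["listed_after_fix"] = registry.decide("AeroScout Drone", "2.1.0")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} -> {'BUY' if ok else 'DO NOT BUY':10s} ({why})")
```

The two lookups for "NewCo Drone" make the article's point concrete: the banned list says "buy" about a product no one has examined, while the registry says "do not buy" until someone has attested to that exact product and version. The score drop after the vulnerability report is what a consumer would see if they re-checked the registry the morning after a disclosure.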
The IETF is working on a "Trust Registry" standard under the Supply Chain Integrity, Transparency and Trust (SCITT) work group.
As of today, there are no "trusted drone products" in the Trust Registry operated by Business Cyber Guardian, called SAG-CTR™.