§ 124.6 Agency implementation policy.
(a) Requirement. Before conducting any operations under this part, each SLTT law enforcement or correctional agency must adopt and maintain an agency implementation policy governing the exercise of authority under 6 U.S.C. 124n(a)(2). The agency implementation policy is comprehensive. It governs all operations the agency conducts under this part, including detection and warning operations, and it addresses the detection and warning matters listed in paragraph (g) of this section. An agency that adopts and maintains an agency implementation policy under this paragraph is not required to adopt a separate policy under paragraph (g) of this section. An agency that conducts only detection and warning operations may instead adopt the abbreviated policy under paragraph (g) of this section. The agency implementation policy must, at a minimum:
(1) Designate an Agency Approving Official meeting the requirements of § 124.2;
(2) Designate the personnel authorized to exercise C-UAS authority and describe the recurrent training requirements applicable to such personnel;
(3) Establish procedures consistent with § 124.14 for the handling, retention, and dissemination of data acquired during C-UAS operations, including written anonymization standards specifying the aggregation thresholds, identifier suppression, and re-identification risk assessment used to qualify a data product as pattern data;
(4) Include provisions for public notification regarding the potential use of C-UAS authority within the agency's jurisdiction;
(5) Ensure compliance with the requirements of this part; and
(6) Detail standing tactical procedures governing the execution of C-UAS operations, including engagement protocols that account for the risk to persons and property on the surface and in the air before engagement, escalation procedures, use of force considerations, ground intercept team procedures, render safe procedures, evidence collection and chain-of-custody procedures, communications procedures, system operating procedures, data handling and purge procedures consistent with the retention requirements of this part, operation plan requirements, and post-operation procedures that incorporate data purge verification.
(b) Legal counsel review. The implementation policy must be reviewed and concurred in by the agency's legal counsel before adoption and upon each annual renewal. The review must specifically address the privacy and civil liberties requirements of this part, including the data retention, minimization, and dissemination provisions, and the interplay of proposed C-UAS operations and implementing policies with applicable State, local, Tribal, or territorial law. For an agency that has a designated official responsible for the agency's privacy and civil liberties compliance, regardless of title, the implementation policy must also be reviewed by that official.
(c) Alternative certification for agencies without in-house counsel. For an agency without in-house counsel, the review required by paragraph (b) of this section may alternatively be satisfied by review and certification by a State, local, territorial, or Tribal attorney's office that the implementation policy addresses each element required by paragraph (a) of this section. An agency obtaining a certification under this paragraph (c) must document the basis for using this paragraph (c). Certification pursuant to this paragraph (c) does not relieve the agency of any compliance obligation under this part.
(d) Portal attestation. Upon adoption of the implementation policy, the agency head or designee must certify compliance through the Federal C-UAS coordination portal by attesting that the agency has adopted an implementation policy addressing each element required by paragraph (a) of this section. The portal records the certifying official, agency, and date of attestation. The implementation policy is not subject to pre-approval by the NCUTC. The NCUTC retains authority to audit implementation policies and to suspend certification or accreditation under § 124.5. The attestation must be renewed annually.
(e) Retention and availability. The agency must retain the implementation policy and make it available to the Attorney General or the Secretary of Homeland Security, or their designee, upon request, including during compliance audits under § 124.16.
(f) Operating without attestation. An agency that conducts operations under this part without a current portal attestation is in violation of this part, and the absence of an attestation constitutes grounds for compliance action under § 124.16.
(g) Detection and warning policy. An SLTT law enforcement or correctional agency that conducts only detection and warning operations requiring the authority of, or the relief from certain laws provided by, 6 U.S.C. 124n may adopt a detection and warning policy in lieu of the implementation policy required by paragraph (a) of this section. A detection and warning policy must satisfy the requirements of this section, except that it need not include the standing tactical procedures of paragraph (a)(6) of this section. The agency must designate an Agency Approving Official under paragraph (a)(1) of this section and complete the portal attestation under paragraph (d) of this section, which must be renewed annually. For purposes of that attestation, a detection and warning policy need address only the elements of paragraph (a) of this section that apply to detection and warning operations.