Cross-Border Mission Handoff
14-Region ML-DSA Handoff State Machine
Drone missions crossing regulatory jurisdiction boundaries — from national airspace into a different regulatory authority's domain — require a verifiable authority transfer that is accepted by both the departing and receiving jurisdiction. The QCBMH engine (M226) implements a 14-region handoff state machine where each state transition is ML-DSA signed, KSL-custody-chained, and auditable by both regional authorities without sharing operational payload data.
Capability specification
- 01
14-region handoff state machine: PENDING → INITIATED → ACCEPTED → ACTIVE → COMPLETED / REJECTED
- 02
NIST FIPS 204 ML-DSA signature on every state transition
- 03
KSL custody chain: departure authority signs handoff initiation; receiving authority signs acceptance
- 04
Audit trail accessible to both regional authorities without payload data exposure
- 05
57-test green suite covering state machine boundary conditions, ML-DSA signature verification, and custody chain integrity
How it works
Handoff Initiation
The departure regional authority initiates a handoff with an ML-DSA signed state transition carrying the mission identifier, boundary crossing time, and receiving region identifier. No operational payload data is included.
Receiving Authority Acceptance
The receiving regional authority reviews the handoff record and signs an acceptance transition with its own ML-DSA key. The custody chain now includes both signatures, establishing joint audit accountability.
Active Transfer
On acceptance, the mission transitions to ACTIVE under the receiving authority's jurisdiction. Both regional authority audit trails receive the complete custody chain for their records.
Standards we follow
- STD-01
NIST FIPS 204 — Module-Lattice-Based Digital Signature Standard (ML-DSA handoff signatures)
- STD-02
NIST FIPS 180-4 — Secure Hash Standard (custody chain hash)
- STD-03
ICAO Annex 11 — Air Traffic Services (cross-jurisdictional authority reference)
Areas served
This capability is deployed across 14 operational regions. Regulatory alignment details vary by jurisdiction — consult engineering for jurisdiction-specific deployment guidance.
Frequently asked questions
What happens if the receiving authority rejects the handoff?
A REJECTED state transition is signed by the receiving authority and appended to the custody chain. The mission remains under the departure authority's jurisdiction. The departure authority receives the rejection record with the receiving authority's signature for its audit trail. The platform does not automatically re-route or escalate — that decision belongs to the human authorities involved.
Talk to engineering
For capability evaluation, integration guidance, and deployment scoping, submit a brief to the engineering team.
Submit engineering brief