B. Summary of Regulatory Provisions

In addition to revising definitions applicable to the REAL ID Act to incorporate mDLs, this rule amends 6 CFR part 37 to enable TSA to grant a temporary waiver to States that TSA determines issue mDLs consistent with specified requirements concerning security, privacy, and interoperability. This rule enables Federal agencies, at their discretion, to accept for REAL ID official purposes, mDLs issued by a State that has been granted a waiver, provided that the underlying physical card upon which the mDL was based is REAL ID-compliant. The rule applies only to Federal agency acceptance of State-issued mDLs as defined in this final rule for REAL ID official purposes, but not other forms of digital identification, physical driver's licenses or physical identification cards, or non-REAL ID purposes. Any temporary waiver issued by TSA would be valid for a period of 3 years from the date of issuance.

To obtain a waiver, § 37.9(a) requires a State to submit an application, supporting data, and other documentation to establish that their mDLs meet the criteria specified in §§ 37.10(a) and (b) (discussed in Part III.C.4., below) concerning security, privacy, and interoperability. If TSA determines, upon evaluation of a State's application and supporting documents, that a State's mDL could be securely accepted under the terms of a waiver, TSA may issue such State a certificate of waiver. TSA intends to work with each State applying for a waiver on a case-by-case basis to ensure that its mDLs meet the minimum requirements necessary to obtain a waiver. This rulemaking establishes the full process for a State to apply for and maintain a waiver, including: instructions for submitting the application and responding to subsequent communications from TSA as necessary; specific information and documents that a State must provide with its application; requirements concerning timing, issuance of decisions, requests for reconsideration; and post-issuance reporting requirements and other terms, conditions, and limitations. To assist States that are considering applying for a waiver, TSA has developed guidelines, entitled, “Mobile Driver's License Waiver Application Guidance” (hereinafter “TSA Waiver Guidance” or “the Guidance”), which provides non-binding recommendations of some ways that States can meet the application requirements set forth in this rulemaking.^[35] This final rule makes several technical and administrative changes to the NPRM, as set forth in Table 1, above. These changes are as follows:

• Corrections to agency name, website address, points of contact for access and compliance with reporting requirements:See §§ 37.4, 37.8(d), 37.9(a)-(c), (e)(2) & (e)(5)(i), 37.10(c), and Appendix A, paragraph 8.6.
• Corrections to inadvertent omissions, typographical errors, paragraph numbering, title/version number of publications:See §§ 37.3, 37.4, 37.4(c)(1), 37.8(d), 37.4(g)(4) & (7), 37.10(a)(4), Appendix A, paragraphs 1.1, 2.13, 2.2, 8.4, 8.5, 8.8.
• Clarifying that “days” means “calendar days”:See §§ 37.9(b), 37.9(c), 37.9(e)(2), (4)(i) & (5)(ii), and Appendix A, paragraph 6.3.

C. Specific Provisions

This section describes the final regulatory provisions in this rule, including the changes discussed above. Unless otherwise noted, these provisions were described in the NPRM.

1. Definitions

The final rule adds new definitions to subpart A, § 37.3, consistent with those proposed in the NPRM. In particular, new definitions for “mobile driver's license” and “mobile identification card” are necessary because the current regulations predated the emergence of mDL technology and, therefore, do not define these terms. Additionally, the definitions reflect changes made by the REAL ID Modernization Act, which amended the definitions of “driver's license” and “identification card” to specifically include “mobile or digital driver's licenses” and “mobile or digital identification cards.” The definitions in this rule provide a more precise definition of “mobile driver's license” and “mobile identification card” by clarifying that those forms of identification require a mobile electronic device to store the identification information, as well as an electronic device to read that information. The rule also adds a new definition of “mDL” that collectively refers to mobile versions of both State-issued driver's licenses and State-issued identification cards as defined in the REAL ID Act. ( print page 85347)

The final rule includes additional definitions to explain terms used in the waiver application criteria set forth in §§ 37.10(a)-(b) and Appendix A to subpart A of this part (Appendix A). Generally, this rule defines terms that lack a common understanding or that are common terms of art for information systems, and that require an explanation to enable stakeholders to comply with the rule. The definitions were informed by TSA's knowledge and experience, as well as a publication by the National Institute of Standards and Technology (NIST).^[36] For example, the rule adds definitions for “digital certificates” and “certificate systems,” which are necessary elements of risk controls for the IT systems that States use to issue mDLs. In addition, this final rule adds a definition for “certificate policy,” which forms the governance framework for States' certificate systems. A State must develop, maintain, and execute a certificate policy to comply with the requirements set forth in Appendix A. In addition, “Digital Signatures” are mathematical algorithms that States use to validate the authenticity and integrity of a message. Each of these terms is fundamental to understanding the requirements set forth in this rule.

The final rule adds a definition for “provisioning” which was not proposed in the NPRM. See § 37.3. As defined by this final rule, “provisioning” means the process by which a State transmits and installs an mDL on an individual's mobile device. Although TSA did not receive any comments seeking clarity or requesting the addition of this or other definitions, TSA believes provisioning is a critical concept that requires a definition in order to facilitate stakeholder compliance.

2. TSA Issuance of Temporary Waiver and State Eligibility Criteria

The final rule adds to subpart A new § 37.7, entitled “Temporary waiver for mDLs; State eligibility.” This waiver framework temporarily allows Federal agencies to accept for official purposes mDLs (which today are all non-compliant) issued by States with a waiver, if the mDL is based on a REAL ID-compliant physical card, when REAL ID enforcement begins on May 7, 2025 ( see § 37.8, discussed in Part III.C.3., below). However, the waiver framework does not apply to any other requirements in 6 CFR part 37 or physical cards. Section 37.7(a) authorizes TSA to issue a temporary certificate of waiver to States that meet the waiver application criteria set forth in §§ 37.10(a) and (b). TSA's determination of whether a State satisfies these requirements will be based on TSA's evaluation of the information provided by the State in its application ( see Part III.C.4., below), as well as other information available to TSA. Federal agencies are not required to accept mDLs, and retain discretion to determine their own policies regarding identity verification.

Although NPRM § 37.7(a) stated that a waiver would exempt a State's mDLs from meeting the card-based compliance requirement of § 37.5(b), the final rule deletes this clause because a waiver impacts Federal agency acceptance, not State issuance, of non-compliant mDLs. Stated differently, a waiver allows Federal agencies to accept non-compliant mDLs issued by States to whom TSA has granted a waiver. As discussed above in this preamble, the waiver application criteria set forth temporary security requirements commensurate with REAL ID standards for physical cards, ensuring that mDLs meeting the criteria are suitable for Federal acceptance. However, States cannot issue REAL ID-compliant mDLs until TSA sets forth such requirements in the subsequent Phase 2 rulemaking.

Section 37.7(b) sets forth criteria that a State must meet to be eligible for consideration of a waiver. These criteria require that the issuing State: (1) is in full compliance with all applicable REAL ID requirements as defined in subpart E of this part, and (2) has submitted an application, under §§ 37.10(a) and (b) demonstrating that the State issues mDLs that provide security, privacy, and interoperability necessary for Federal acceptance.^[37] The NPRM proposed paragraph (b)(3) of this section, which provided an additional waiver eligibility criterion that a State must issue mDLs only to individuals who have been issued REAL ID-compliant physical cards. However, the final rule does not adopt this proposal given TSA's evaluation of public comments (see Part IV.A.) that this provision would have made a State ineligible for a waiver if the State issued mDLs to both individuals with REAL ID-compliant physical cards and individuals with non-compliant physical cards. The final rule similarly amends § 37.10(a)(1)(vii), as proposed by the NPRM, to remove a provision that would have required States to issue an mDL only to a resident who has been issued a valid, unexpired, and REAL ID-compliant physical card that underlies the mDL. See Part III.C.4, below.

3. Requirements for Federal Agencies that Accept mDLs

The final rule adds to subpart A new § 37.8, entitled “Requirements for Federal agencies accepting mDLs issued by States with temporary waiver.” This section requires that any Federal agency that elects to accept mDLs for REAL ID official purposes must meet four requirements in new § 37.8. First, under § 37.8(a), a Federal agency must confirm that the State holds a valid certificate of waiver. Agencies would make this confirmation by verifying that the State's name appears in a list of States to whom TSA has granted a waiver. TSA will publish this list on the REAL ID website at www.tsa.gov/​real-id/​mDL (as provided in § 37.9(b)(1)).

Second, § 37.8(b) requires Federal agencies to use an mDL reader to retrieve mDL data from an individual's mobile device and validate that the data is authentic and unchanged following the processes required by industry standard ISO/IEC 18013-5:2021(E).^[38]

Third, under § 37.8(c), Federal agencies may accept, consistent with the deadlines set forth in § 37.5, only those mDLs that are issued based on an underlying physical card that is REAL ID compliant. Agencies would make this determination by confirming that mDL data element “DHS_compliance” has a value of “F”. As discussed in Part III.C.8.a., below, the data field “DHS_compliance” (defined in the American Association of Motor Vehicle Administrators Mobile Driver's License (mDL) Implementation Guidelines Version 1.2 (Jan. 2023) (AAMVA Guidelines)) enables an mDL to convey the REAL ID compliance status of the underlying physical card. TSA notes that § 37.8(c) is a new provision that was not included in the NPRM. TSA intended, in proposed §§ 37.7(b)(3) and 37.10(a)(1)(vii) of the NPRM, that Federal agencies would accept only mDLs issued by States to whom TSA has issued a waiver, and that are based on an underlying physical card that is REAL ID-compliant. Final rule § 37.8(c), together with revisions to § 37.10(a)(1)(vii) (see discussion in Part III.C.4., below), achieves that intent.

Finally, under § 37.8(d), if a Federal agency discovers that acceptance of a State's mDL is likely to cause imminent or serious threats to security, privacy, or data integrity, the agency must report the threats to TSA at www.tsa.gov/​real-id/​mDL within 72 hours of such ( print page 85348) discovery. Examples of reportable threats include cyber incidents and other events that cause serious harm to a State's mDL issuance system. Reports may contain SSI, and if so, would be subject to requirements of 49 CFR part 1520. Although the NPRM did not propose the SSI protection provision, TSA evaluated comments to the NPRM ( see Part IV.W., below) seeking clarification on SSI protection for other information (State waiver applications) and determined that SSI protection is warranted for Federal agency reports under this § 37.8(d), which has been added in this final rule. TSA will consider whether such information warrants suspension of that State's waiver under § 37.9(e)(4)(i)(B) ( see discussion in Part III.C.6., below). If TSA elects not to issue a suspension, Federal agencies would continue to exercise their own discretion regarding continuing acceptance of mDLs.

4. Requirements for States Seeking To Apply for a Waiver

The final rule adds to subpart A new § 37.9, which sets forth a process for a State to request a temporary certificate of waiver established in new § 37.7. As provided in § 37.9(a), a State seeking a waiver must file a complete application as set forth in §§ 37.10(a) and (b), following instructions available at www.tsa.gov/​real-id/​mDL. Sections 37.10(a) and (b) set forth all information, documents, and data that a State must include in its application for a waiver. If TSA determines that the means that a State implements to comply with the requirements in §§ 37.10(a) and (b) provide the requisite levels of security, privacy, and data integrity for Federal acceptance of mDLs for official purposes, TSA would grant such State a waiver. This rule does not, however, prescribe specific means (other than the requirements specified in Appendix A, which is discussed further in Part III.C.4.iv, below) that a State must implement. Instead, States would retain broad discretion to choose and implement measures to meet these requirements based on factors appropriate to that State.

(i) Application Requirements

As set forth in §§ 37.10(a)(1) through (4), a State is required to establish in its application how it issues mDLs under the specified criteria for security, privacy, and interoperability suitable for acceptance by Federal agencies, as follows:

• Paragraph (a)(1) sets forth requirements for mDL provisioning. Specific requirements include:

○ Encryption of mDL data and an mDL holder's Personally Identifiable Information,

○ Escalated review of repeated failed provisioning attempts,

○ Authentication of the mDL applicant's mobile device,

○ Mobile device identification keys,

○ User identity verification controls,

○ Applicant presentation controls,

○ Encoding of the “DHS_compliance” data field. States must populate this data field to correspond to the REAL ID compliance status of the underlying physical driver's license or identification card that a State has issued to an mDL holder. Specifically, “DHS_compliance” should be populated with “F” if the underlying card is REAL ID compliant, or as required by American Association of Motor Vehicle Administrator (AAMVA) Mobile Driver's License (mDL) Implementation Guidelines v. 1.2, Section 3.2 (IBR'd; see § 37.4), or “N” if the underlying card is not REAL ID-compliant. Although § 37.10(a)(1)(vii) of the NPRM proposed requiring that States issue an mDL only to a resident who has been issued a valid, unexpired, and REAL ID-compliant physical card that underlies the mDL, the final rule does not adopt this provision, based on TSA's evaluation of public comments (see Part IV.A.), that this provision would have made a State ineligible to apply for a waiver if the State issued mDLs to both individuals with REAL ID-compliant physical cards and individuals with non-compliant physical cards,

○ Data record requirements, and

○ Records retention specifications.

• Paragraph (a)(2) specifies requirements for managing state certificate systems, which are set forth in Appendix A.
• Paragraph (a)(3) requires a State to demonstrate how it protects personally identifiable information of individuals during the mDL provisioning process.
• Paragraph (a)(4) requires a State to explain the means it uses to:

○ Issue mDLs that are interoperable with requirements set forth in standard ISO/IEC 18013-5:2021(E),

○ Comply with the “AAMVA mDL data element set” as defined in the AAMVA Guidelines v. 1.2, Section 3.2,^[39] and

○ Use only those algorithms for encryption,^[40] secure hash function,^[41] and digital signatures that are specified in ISO/IEC 18013-5:2021(E), and in NIST FIPS PUB 180-4, 186-5, 197-upd1, 198-1, and 202.

(ii) Audit Requirements

Section 37.10(b) requires a State to submit an audit report prepared by an independent auditor verifying the accuracy of the information provided by the State in response to § 37.10(a), as follows:

• Paragraph (1) sets forth specific experience, qualifications, and accreditations that an auditor must meet.
• Paragraph (2) requires a State to provide information demonstrating the absence of a potential conflict of interest of the auditing entity.

The term “independent” does not exclude an entity that is employed or contracted by a State, so long as that entity is independent of ( i.e., not an employee or contractor) the State's driver's licensing agency. TSA provides this clarification at the request of commenters (see Part IV.U., below).

(iii) Waiver Application Guidance

As set forth in § 37.10(c), TSA has published Mobile Driver's License Waiver Application Guidance on the REAL ID website at www.tsa.gov/​real-id/​mDL to assist States in completing their applications. The Guidance provides TSA's recommendations for some ways that States can meet the requirements in § 37.10(a)(1). The Guidance does not establish legally enforceable requirements for States applying for a waiver. Instead, the Guidance provides non-binding examples of measures and practices that States may choose to consider as part of their overall strategy to issue mDLs. States continue to exercise discretion to select processes not included in the Guidance. Given the rapidly-evolving cyber threat landscape, however, TSA may periodically update the Guidance to provide additional information regarding newly published standards or other sources, or recommend mitigations of newly discovered risks to ( print page 85349) the mDL ecosystem. TSA will publish a notice in the Federal Register advising that updated Guidance is available, and TSA will publish the updated Guidance on the REAL ID website at www.tsa.gov/​real-id/​mDL and provide a copy to all States that have applied for or been issued a certificate of waiver. Updates to the Guidance will not impact issued waivers or pending applications. Although the NPRM proposed that TSA would publish updated Guidance in the Federal Register , in addition to TSA's website, the final rule modifies this requirement to provide that the agency will publish in the Federal Register only a notice of availability of updated guidance, but the Guidance itself will be published on TSA's website. This change will enable TSA to more expediently provide updated guidance to the public.

(iv) Appendix A: Requirements for State mDL Issuance Systems

Appendix A sets forth fundamental requirements to ensure the security and integrity of State mDL issuance processes. More specifically, these requirements concern the creation, issuance, use, revocation, and destruction of the State's certificate systems and cryptographic keys. Appendix A consists of requirements in eight categories: (1) Certificate Authority Certificate Life Cycle Policy, (2) Certificate Authority Access Management, (3) Facility, Management, and Operational Controls, (4) Personnel Security Controls, (5) Technical Security Controls, (6) Threat Detection, (7) Logging, and (8) Incident Response and Recovery Plan. Adherence to these requirements, described below, ensures that States issue mDLs in a standardized manner with security and integrity to establish the trust necessary for Federal acceptance for official purposes.

• Certificate Authority Certificate Life Cycle Policy requirements (Appendix A, paragraph 1) ensure that a State issuing an mDL creates and manages a formal process which follows standardized management and protections of digital certificates. These requirements must be implemented in full compliance with the references cited in Appendix A: CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates; CA/Browser Forum Network and Certificate System Security Requirements; ISO/IEC 18013-5:2021(E), Annex B; NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST SP 800-53 Rev. 5; and NIST SP 800-57.^[42]

• Certificate Authority Access Management requirements (Appendix A, paragraph 2) set forth policies and processes for States concerning, for example, restricting access to mDL issuance systems, policies for multi-factor authentication, defining the scope and role of personnel, and certificate system architecture which separates and isolates certificate system functions to defined security zones. These requirements must be implemented in full compliance with the references cited in Appendix A: CA/Browser Forum Network and Certificate System Security Requirements; NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST 800-53 Rev. 5; NIST SP 800-63-3; and NIST SP 800-63B.^[43]

Although NPRM Appendix A, paragraph 1.1, proposed requiring States to comply with NIST SP 800-53B (among other references) as part of States' development of a policy to govern their certificate systems, the final rule does not adopt the proposal requiring compliance with NIST SP 800-53B. Document NIST SP 800-53B, “Control Baselines for Information Systems and Organizations,” defines minimum security and privacy risk controls for Federal Government agencies to protect information security systems. In addition, the publication provides guidance, but not requirements, for other entities that implement NIST SP 800-53 Rev. 5 in their own organizations. Although TSA did not receive any public comments on NIST SP 800-53B, after re-evaluating the usefulness of this document, TSA concludes that other provisions in the final rule prescribe the necessary security and privacy requirements for States issuing mDLs, and NIST SP 800-53B only serves as guidance without providing security or privacy enhancements. Accordingly, the inclusion of NIST SP 800-53B is unnecessary, and the final rule therefore declines to adopt the NPRM's proposal.

• Under the requirements concerning Facility, Management, and Operational Controls (Appendix A, paragraph 3), States must provide specified controls protecting facilities where certificate systems reside from unauthorized access, environmental damage, physical breaches, and risks from foreign ownership, control, or influence. These requirements must be implemented in full compliance with the references cited in Appendix A: NIST SP 800-53 Rev. 5.^[44]

• Personnel security controls (Appendix A, paragraph 4) require States to establish policies to control insider threat risks to certificate systems and facilities. Such policies must establish screening criteria for personnel who access certificate systems, post-employment access termination, updates to personnel security policy, training, records retention schedules, among other policies. These requirements must be implemented in full compliance with the references cited in Appendix A: NIST SP 800-53 Rev. 5 and CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates.^[45]

• Technical security controls (Appendix A, paragraph 5) specify requirements to protect certificate system networks. In addition, States are required to protect private cryptographic keys of issuing authority root certificates using dedicated hardware security modules (HSMs) of Level 3 or higher and document signer private cryptographic keys in hardware security modules of Level 2 and higher. Dedicated HSMs are used (1) solely for IACA root private key functions and no other functions within the State's certificate system, including document signer private key functions, and (2) exclusively to support a single State. States are not permitted to share with any other State an HSM that physically supports multiple States. Other controls are specified regarding certificate system architecture and cryptographic key generation processes. These requirements must be implemented in full compliance with the references cited in Appendix A: CA/Browser Forum Network and certificate system Security Requirements; CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates; NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST SP 800-53 Rev. 5; NIST SP 800-57; and NIST FIPS PUB 140-3.^[46]

• Under requirements for threat detection (Appendix A, paragraph 6), States must implement controls to monitor and log evolving threats to various mDL issuance infrastructure, including digital certificate, issuance, and support systems. These requirements must be implemented in ( print page 85350) full compliance with the references cited in Appendix A: CA/Browser Forum Network and certificate system Security Requirements; NIST Framework for Improving Critical Infrastructure Cybersecurity; and NIST SP 800-53 Rev. 5.^[47]

• Logging controls (Appendix A, paragraph 7) require States to record various events concerning certificate systems, including the management of cryptographic keys, and digital certificate lifecycle events. The controls set forth detailed requirements concerning specific types of events that must be logged, as well as timeframes for maintaining such logs. These requirements must be implemented in full compliance with the references cited in Appendix A: CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates; NIST Framework for Improving Critical Infrastructure Cybersecurity; and NIST SP 800-53 Rev. 5.^[48]

• Incident Response and Recovery Plan (Appendix A, paragraph 8) requires States to implement policies to respond to and recover from security incidents. States must act on logged events, issue alerts to relevant personnel, respond to alerts within a specified time period, perform vulnerability scans, among other things. In particular, States must report to TSA atwww.tsa.gov/​real-id/​mDL within 72 hours of discovering a reportable cybersecurity incident. In response to comments to the NPRM seeking clarity on the reporting requirements ( see Part IV.V.5.c., below), the final rule adds a provision that reportable incidents are those defined in the TSA Cybersecurity Lexicon at www.tsa.gov that could compromise the integrity of a certificate system. These requirements must be implemented in full compliance with the references cited in Appendix A: CA/Browser Forum Network and Certificate System Security Requirements; CISA Federal Government Cybersecurity Incident & Vulnerability Response Playbooks; ^[49] DHS National Cyber Incident Response Plan; NIST SP 800-53 Rev. 5; and NIST Framework for Improving Critical Infrastructure Cybersecurity.^[50] Information submitted in response to this section may contain SSI, and if so, would be subject to requirements of 49 CFR part 1520. Although the NPRM did not propose the SSI protection provision, TSA evaluated comments to the NPRM (see Part IV.W., below) seeking clarification on SSI protection for other information (State waiver applications) and determined that SSI protection is warranted for State reports under this Appendix paragraph 8, which has been added in this final rule.

5. Decisions on Applications for Waiver

Section 37.9(b) establishes a timeline and process for TSA to issue decisions on a waiver application. Under this paragraph, TSA endeavors to provide States a decision on initial applications within 60 calendar days, but not longer than 90 calendar days. TSA will provide three types of written notice via email: approved, insufficient, or denied.

If TSA approves a State's application for a waiver, TSA will issue a certificate of waiver to that State, and include the State in a list of mDLs approved for Federal use, published by TSA on the REAL ID website at www.tsa.gov/​real-id/​mDL.^[51] A certificate of waiver will specify the date that the waiver becomes effective, the expiration date, and any other terms and conditions with which a State must comply, as provided under § 37.9(d). A State seeking to renew its certificate beyond the expiration date must reapply for a waiver, as provided in § 37.9(e)(6).

If TSA determines that an application is insufficient, did not respond to certain information required in §§ 37.10(a) or (b), or contains other deficiencies, TSA will provide an explanation of such deficiencies and allow the State an opportunity address the deficiencies within the timeframe specified in § 37.9(b)(2). TSA will permit States to submit multiple amended applications if necessary, with the intent of working with States individually to enable their mDLs to comply with the requirements of §§ 37.10(a) and (b).

As provided in § 37.9(b)(3), if TSA denies an application, TSA will provide the specific grounds for the basis of the denial and afford the State an opportunity to submit a new application or to seek reconsideration of a denied application. Under § 37.9(c)(1), States will have 90 calendar days to file a request for reconsideration, and TSA will provide its final determination within 60 calendar days. Instructions for seeking reconsideration are provided by TSA on the REAL ID website at www.tsa.gov/​real-id/​mDL. As provided in § 37.9(c)(2), an adverse decision upon reconsideration would be considered a final agency action. However, a State whose request for reconsideration has been denied may submit a new application for a waiver.

6. Limitations, Suspension, and Termination of Certificate of Waiver

Section 37.9(e) sets forth various terms regarding a certificate of waiver. Specifically, under paragraph (e)(1) of this section, a certificate of waiver is valid for a period of three years from the date of issuance. This period was selected to align with the frequency of States' recertification under § 37.55(b).

Paragraph (e)(2) requires that a State must report to TSA if, after it receives a waiver, it makes significant modifications to its mDL issuance processes that differ in a material way from information that the State provided in its application. If the State makes such modifications, it is required to report such changes, at www.tsa.gov/​real-id/​mDL, 60 calendar days before implementing the changes. This requirement is intended to apply to changes that may undermine the bases on which TSA granted a waiver. The reporting requirement is not intended to apply to routine, low-level changes, such as systems maintenance and software updates and patches. States that are uncertain about whether a change would trigger the reporting requirements should contact TSA as directed at www.tsa.gov/​real-id/​mDL. The final rule added this provision to contact TSA to provide greater certainty to States, following TSA's evaluation of public comments seeking clarification about the reporting requirements specified in the NPRM (see Part IV.S., below).

Paragraph (e)(3) requires a State that is issued a waiver to comply with all requirements specified in §§ 37.51(a) and 37.9(d)(3).

Paragraph (e)(4) sets forth processes for suspension of certificates of waiver. As provided in § 37.9(e)(4)(i)(A), TSA may suspend the validity of a certificate of waiver if TSA determines that a State:

• fails to comply with any terms and conditions (see § 37.9(d)(3)) specified in the certificate of waiver;
• fails to comply with reporting requirements (see § 37.9(e)(2)); or
• issues mDLs in a manner that is not consistent with the information the State provided in its application for a waiver under §§ 37.10(a) and (b).

Before suspending a waiver for these reasons, TSA will provide such State written notice via email that it intends to suspend its waiver, along with an explanation of the reasons, information on how the State may address the deficiencies, and a timeline for the State to respond and for TSA to reply to the ( print page 85351) State, as set forth in § 37.9(e)(4)(ii). TSA may withdraw the notice of suspension, request additional information, or issue a final suspension. If TSA issues a final suspension of a State's certificate of waiver, TSA will temporarily remove the name of that State from the list, published at www.tsa.gov/​real-id/​mDL, of mDLs approved for Federal acceptance for official purposes.^[52] TSA intends to work with States to resolve the conditions that result in a final suspension, and resume validity of that State's waiver. A State receiving a final suspension may apply for a new certificate of waiver by submitting a new application following the procedures in § 37.9(a).

TSA additionally may suspend a State's waiver at any time upon discovery that Federal acceptance of a State's mDL is likely to cause imminent or serious threats to the security, privacy, or data integrity of any Federal agency, as set forth in § 37.9(e)(4)(i)(B). These are more exigent circumstances than those set forth in § 37.9(e)(4)(i)(A). Examples of such triggering events include cyber-attacks and other events that cause serious harm to a State's mDL issuance systems. If a State discovers a reportable cybersecurity incident, as defined in the TSA Cybersecurity Lexicon available at www.tsa.gov, that it believes could compromise the integrity of its mDL issuance systems, paragraph 8.6 of Appendix A requires States to provide written notice to TSA as directed at www.tsa.gov/​real-id/​mDL, of such incident within no more than 72 hours of discovery. If TSA determines such suspension is necessary, TSA will provide written notice via email to each State whose certificate of waiver is affected, as soon as practicable after discovery of the triggering event, providing an explanation for the suspension, as well as an estimated timeframe for resumption of the validity of the certificate of waiver.

Under § 37.9(e)(5)(i), TSA may terminate a certificate of waiver for serious or egregious violations. More specifically, TSA may terminate a waiver if TSA determines that a State:

• does not comply with REAL ID requirements in § 37.51(a);
• is committing an egregious violation of any terms and conditions (see § 37.9(d)(3)) specified in the certificate of waiver and is unwilling to cure such violation;
• is committing an egregious violation of reporting requirements (see § 37.9(e)(2)) and is unwilling to cure such violation; or
• provided false information in its waiver application.

As required in § 37.9(e)(5)(ii), before terminating a certificate of waiver, TSA will provide written notice via email of intent to terminate, including findings supporting the termination and an opportunity for the State to present information. As specified, a State would have 7 calendar days to respond to the notice, and TSA will respond via email within 30 calendar days. TSA may withdraw the notice of termination, request additional information, or issue a final termination. Under § 37.9(e)(5)(iii), if TSA issues a final termination of a State's certificate of waiver, TSA will remove the name of that State from the list of mDLs approved for Federal acceptance for official purposes. A State whose certificate of waiver has been terminated may apply for a new certificate of waiver by submitting a new application.

Section 37.9(g) provides that information provided by States in response to paragraphs (a), (b)(2), (c), (e)(2), (e)(4)(ii), and (e)(5)(ii) of this section, which concern requirements on States to apply for and maintain a waiver, may contain SSI and therefore must be handled and protected in accordance with 49 CFR part 1520. Although the NPRM did not propose § 37.9(g), the final rule adds this provision based on TSA's evaluation of comments to the NPRM (see Part IV.W., below) seeking clarification on SSI protection for information in State waiver applications. TSA determined that a provision concerning SSI protection is warranted not only for information in State waiver applications, but also for other information provided by States in response to §§ 37.9(b)(2), (c), (e)(2), (e)(4)(ii), and (e)(5)(ii), which has been added in this final rule.

7. Effect of Status of Waiver on REAL ID Compliance

Section 37.9(f) clarifies that the status of a State's issued certificate of waiver, including the status of a pending application for a waiver, has no bearing on TSA's determination of that State's compliance or non-compliance with any other section of this part. A certificate of waiver that TSA has issued to a State is not a determination that the State is in compliance with any other section in this part. Similarly, an application for a waiver that TSA has deemed insufficient or denied, or a certificate of waiver TSA has suspended or terminated, or that has expired, is not a determination that the State is not in compliance with any other section in this part.

8. Incorporation by Reference

Sections 37.8(b) and 37.10(a) and Appendix A of this final rule provide that States must comply with applicable sections of specified industry standards and government guidelines. The Office of Federal Register (OFR) has published regulations concerning IBR.^[53] These regulations require that, for a final rule, agencies must discuss in the preamble to the rule the way in which materials that the agency IBRs are reasonably available to interested persons, and how interested parties can obtain the materials. Additionally, the preamble to the rule must summarize the material.^[54]

The final rule amends subpart A, § 37.4, by revising the introductory paragraph and adding new IBR material specified below. TSA has worked to ensure that IBR materials are reasonably available to the class of persons affected. All materials may be obtained from their publisher, as discussed below, and certain materials as noted are available in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002. In addition, all but one of the IBR'd standards (ISO/IEC 18013-5:2021(E), discussed in Part II.D., below) are available to the public for free at the hyperlinks provided, and all are available for inspection on a read-only basis at TSA. Please contact TSA at Transportation Security Administration, Attn.: OS/ESVP/REAL ID Program, TSA Mail Stop 6051, 6595 Springfield Center Dr., Springfield, VA 20598-6051, (866) 289-9673, or visit www.tsa.gov. You may also contact the REAL ID Program Office at REALID-mDLwaiver@tsa.dhs.gov or visit www.tsa.gov/​REAL-ID/​mDL.^[55]

The rule revises the introductory paragraph proposed in the NPRM to clarify availability of IBR materials. Specifically, the final rule replaces DHS with TSA as a location where IBR material is available for inspection, and provides additional points of contact at TSA. TSA also notes that certain material is available in the Federal Docket Management System at https://regulations.gov, docket number TSA-2023-0002. The final rule makes these revisions given TSA's evaluation of public comments concerning access to IBR materials (see Part IV.K., below).

The final rule IBRs the following material: ( print page 85352)

a. American Association of Motor Vehicle Administrators

In September 2022, the American Association of Motor Vehicle Administrators (AAMVA) published Mobile Driver's License (mDL) Implementation Guidelines Version 1.2 (Jan. 2023) (AAMVA Guidelines), American Association of Motor Vehicle Administrators, 4401 Wilson Boulevard, Suite 700, Arlington, VA 22203, available at https://aamva.org/​getmedia/​b801da7b-5584-466c-8aeb-f230cef6dda5/​mDL-Implementation-Guidelines-Version-1-2_​final.pdf (last visited July 17, 2024). The AAMVA Guidelines are available to the public for free at the link provided above. The AAMVA Guidelines adapt industry standard ISO/IEC 18013-5:2021(E) (discussed in Part II.D.4., below), for State driver's licensing agencies through the addition of more qualified recommendations, as the ISO/IEC standard has been developed for international purposes and may not meet all purposes and needs of States and the Federal Government. For example, Part 3.2 of the AAMVA Guidelines modify and expand the data elements specified in ISO/IEC 18013-5:2021(E), in order to enable the mDL to indicate the REAL ID compliance status of the underlying physical card, as well as to ensure interoperability necessary for Federal acceptance. AAMVA has added mDL data fields “DHS_compliance” and “DHS_temporary_lawful_status.” These data fields provide the digital version of the requirements for data fields for physical cards defined in 6 CFR 37.17(n)^[56] and 6 CFR 37.21(e),^[57] respectively. As discussed generally in Part III.C.4, below, §§ 37.10(a)(1) and (4) of this rule require a State to explain, as part of its application for a waiver, how the State issues mDLs that are compliant with specified requirements of the AAMVA Guidelines.

b. Certification Authority Browser Forum

The Certification Authority Browser Forum (CA/Browser Forum) is an organization of vendors of hardware and software used in the production and use of publicly trusted certificates. These certificates are used by forum members, non-member vendors, and governments to establish the security and trust mechanisms for public key infrastructure-enabled systems. The CA/Browser Forum has published two sets of requirements applicable for any implementers of PKI, including States that are seeking to deploy certificate systems that must be publicly trusted and used by third parties:

• Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates v. 1.8.6 (December 14, 2022), available at https://cabforum.org/​wp-content/​uploads/​CA-Browser-Forum-BR-1.8.6.pdf (last visited July 17, 2024), establishes a set of fundamental controls for the management of publicly trusted certificate authorities, including the controls and processes required for the secure generation of digital signing keys; and
• Network and Certificate System Security Requirements v. 1.7 (April 5, 2021), available at https://cabforum.org/​wp-content/​uploads/​CA-Browser-Forum-Network-Security-Guidelines-v1.7.pdf (last visited July 17, 2024), establishes a broad set of security controls needed to securely manage a publicly trusted certificate authority and key infrastructure management system.

CA/Browser Forum, 815 Eddy St, San Francisco, CA 94109, (415) 436-9333. To issue mDLs that can be trusted by Federal agencies, each issuing State must establish a certificate system, including a root certification authority that is under control of the issuing State. TSA believes the CA/Browser Forum requirements for publicly trusted certificates have been proven to be an effective model for securing online transactions. As discussed generally in Part III.C.4, below, Appendix A, paragraphs 1, 2, and 4-8, require compliance with specified requirements of the CA/Browser Forum Baseline Requirements and/or Network and Certificate System Security Requirements.

c. DHS and Cybersecurity and Infrastructure Security Agency

DHS protects the nation from multiple threats, including cybersecurity, aviation and border security, among others. The Cybersecurity and Infrastructure Security Agency (CISA), a component of DHS, is the operational lead for Federal cybersecurity and the national coordinator for critical infrastructure security and resilience. DHS and CISA have published two guidelines which are relevant to the operations of States' mDL issuance systems:

• DHS, National Cyber Incident Response Plan (Dec. 2016), available at https://www.cisa.gov/​uscert/​sites/​default/​files/​ncirp/​National_​Cyber_​IncidentResponse_​Plan.pdf (last visited July 17, 2024), further standardizes the response process for cyber incidents including the preparation, detection and analysis, containment, eradication and recovery, and post-incident activities. Department of Homeland Security, 2707 Martin Luther King Jr. Ave. SE, Washington, DC 20528; (202) 282-8000; and
• CISA, Federal Government Cybersecurity Incident & Vulnerability Response Playbooks (Nov. 2021),^[58] available at https://www.cisa.gov/​sites/​default/​files/​publications/​Federal_​Government_​Cybersecurity_​Incident_​and_​Vulnerability_​Response_​Playbooks_​508C.pdf (last visited July 17, 2024), was developed consistent with the direction of Presidential Policy Directive 41 (PPD-41) to establish how the U.S. responds to and recovers from significant cyber incidents which pose a risk to critical infrastructure, including the identity issuance infrastructure operated by U.S. States issuing mDLs.

Cybersecurity and Infrastructure Security Agency, Mail Stop 0380, 245 Murray Lane, Washington, DC 20528-0380, (888) 282-0870. These guidelines, available for free at the links provided above and in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002, provide details on best practices for management of systems during a cybersecurity incident, providing recommendations on incident and vulnerability response. Management of cybersecurity incidents and vulnerabilities is critical to maintenance of a State's mDL issuance IT infrastructure. As discussed generally in Part III.C.4, below, Appendix A, paragraph 8, requires compliance with specified requirements of the DHS National Cyber Incident Response Plan and the CISA Federal Government Cybersecurity Incident & Vulnerability Response Playbooks.

d. International Organization for Standardization and International Electrotechnical Commission

International standards-setting organizations, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC),^[59] are jointly drafted ( print page 85353) international standards specific to mDLs.^[60] In September 2021, ISO and IEC published ISO/IEC 18013, Part 5, entitled, “Personal identification—ISO-compliant driving licence.” ISO/IEC 18013-5:2021(E), Personal identification—ISO-compliant driving licence—Part 5: Mobile driving licence (mDL) application (Sept. 2021), International Organization for Standardization, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland, +41 22 749 01 11, www.iso.org/​contact-iso.html. This standard is available for inspection at TSA as discussed above. In addition, TSA is working with the American National Standards Institute (ANSI), a private organization not affiliated with DHS, to add this standard to the ANSI IBR Standards Portal which provides free, read-only access.^[61] TSA has participated in the development of these standards as a non-voting member of the United States national body member of the Joint Technical Committee.^[62]

Standard ISO/IEC 18013-5:2021(E) standardizes communications interfaces between an mDL holder and an entity seeking to read an individual's mDL for identify verification purposes, and between a verifying entity and a State driver's licensing agency. This standard also sets full operational and communication requirements for both mDLs and mDL readers. Standard ISO/IEC 18013-5:2021(E) applies to “attended” mode verification, in which both the mDL holder and an officer or agent of a verifying entity are physically present together during the time of identity verification.^[63] TSA believes ISO/IEC 18013-5:2021(E) is critical to enabling the interoperability, security, and privacy necessary for wide acceptance of mDLs by Federal agencies for official purposes. Specifically, § 37.8 of this rule requires Federal agencies to validate an mDL as required by standard ISO/IEC 18013-5:2021(E), and § 37.10(a)(4) requires a State to explain, as part of its application for a waiver, how the State issues mDLs that are interoperable with this standard to provide the security necessary for Federal acceptance.

e. National Institute for Standards and Technology

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and quality of life. As part of this mission, NIST produces measurements and standards relied on by the U.S. agencies and industry.

i. Federal Information Processing Standards

NIST maintains the Federal Information Processing Standards (FIPS) which relate to the specific protocols and algorithms necessary to securely process data. This suite of standards includes:

• NIST FIPS PUB 140-3,Security Requirements for Cryptographic Modules (March 22, 2019), available at https://nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.140-3.pdf (last visited July 17, 2024), specifies the security requirements for cryptographic modules that are used to secure the keys which are used in digitally signing mDLs, and properly securing these keys is essential to creating a publicly trusted certificate authority for mDL issuance;
• NIST FIPS PUB 180-4,Secure Hash Standard (SHS) (August 4, 2015), available at https://nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.180-4.pdf (last visited July 17, 2024), specifies the secure hash standard, a cryptographic algorithm necessary to provide message and data element integrity while using the transaction modes specified in ISO/IEC 18013-5:2021(E) for mDL data transmission;
• NIST FIPS PUB 186-5,Digital Signature Standard (DSS) (February 3, 2023), available at https://nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.186-5.pdf (last visited July 17, 2024), specifies digital signature standards used in ISO/IEC 18013-5:2021(E) standard to provide data integrity for mDL data elements issued by states; and
• NIST FIPS PUB 197-upd1,Advanced Encryption Standard (AES) (May 9, 2023) available at https://nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.197-upd1.pdf (last visited July 17, 2024), specifies the Advanced Encryption Standard, which is a cryptographic algorithm used to securely encrypt data messages used in the transmission of mDL data in ISO/IEC 18013-5:2021(E).

Although the NPRM proposed to IBR the prior (2001) version, NIST FIPS PUB 197, the final rule IBRs the current (May 2023) updated version, NIST FIPS PUB 197-upd1, which NIST confirms makes editorial improvements, but no technical changes to the version specified in the NPRM.^[64] TSA has reviewed the updates and confirms they are formatting and stylistic clarifications. Although the public had an opportunity to comment, no such comments were received. Given the absence of public comments, no substantive changes to the updated standard, and to ensure continuing public access to this standard, the final rule IBRs the updated version, NIST FIPS PUB 197-upd1, which is consistent with the NPRM's proposal to IBR the previous version. TSA concludes that the compliance impact on stakeholders of both versions of this standard is identical.

• NIST FIPS PUB 198-1,The Keyed-Hash Message Authentication Code (HMAC) (July 16, 2008) available at https://nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.198-1.pdf (last visited July 17, 2024), specifies the keyed hash message authentication code which is an essential cryptographic algorithm to create a properly interoperable mDL using ISO/IEC 18013-5:2021(E); and
• NIST FIPS PUB 202,SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (August 4, 2015) available at https:// ( print page 85354) nvlpubs.nist.gov/​nistpubs/​FIPS/​NIST.FIPS.202.pdf (last visited July 17, 2024), specifies the secure hash algorithm 3, a cryptographic algorithm necessary to provide message and data element integrity in ISO/IEC 18013-5:2021(E) for mDL data transmission.

National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899. This suite of FIPS standards, available in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002, are critical to the transactions required for mDLs, and any Federal systems which interact with or are used to verify an mDL for REAL ID official purposes will be required to use the algorithms and protocols defined. As discussed generally in Part III.C.4, below, § 37.10(a)(4) requires compliance with specified requirements of NIST FIPS PUB 180-4, 186-5, 197-upd1, 198-1, and 202, and Appendix A, paragraph 5, requires compliance with FIPS PUB 140-3.

ii. Security and Privacy Controls for Information Systems and Organizations; Key Management

NIST has published several guidelines to protect the security and privacy of information systems:

• NIST SP 800-53 Rev. 5,Security and Privacy Controls for Information Systems and Organizations (September 2020), available at https://nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-53r5.pdf (last visited July 17, 2024), specifies a broad set of security and privacy controls which states must use to manage the information systems involved in the issuance and management of mDLs;
• NIST SP 800-57 Part 1, Rev. 5,Recommendation for Key Management: Part 1—General (May 2020), available at https://nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57pt1r5.pdf (last visited July 17, 2024), provides general recommendations for states managing cryptographic keys that are used to securely issue mDLs;
• NIST SP 800-57 Part 2, Rev. 1,Recommendation for Key Management: Part 2—Best Practices for Key Management Organizations (May 2019), available at https://nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57pt2r1.pdf (last visited July 17, 2024), provides best practices states must follow while managing cryptographic keys; and
• NIST SP 800-57 Part 3, Rev. 1,Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance (January 2015) available at https://nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57Pt3r1.pdf (last visited July 17, 2024), provides for application specific controls for the management of cryptographic keys.

National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899. All of these documents are available in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002.

All four of these standards relate to the administration of a certificate system including: access management; certificate life-cycle policies; operational controls for facilities and personnel; technical security controls; and vulnerability management such as threat detection, incident response, and recovery planning. Due to the sensitive nature of State certificate system processes and the potential for significant harm to security if confidentiality, integrity, or availability of the certificate systems is compromised, the minimum risk controls specified in Appendix A require compliance with the NIST SP 800-53 Rev. 5 “high baseline” as set forth in that document, as well as compliance with the specific risk controls described in Appendix A. In addition, and as discussed generally in Part III.C.4, below: Appendix A, paragraphs 1-8, require compliance with NIST SP 800-53 Rev. 5; paragraphs 1 and 5 require compliance with NIST SP 800-57 Part 1, Rev. 5; paragraph 1 requires compliance with NIST SP 800-57 Part 2 Rev. 1; and paragraph 1 requires compliance with NIST SP 800-57 Part 3, Rev. 1.

iii. Digital Identity Guidelines

NIST has published NIST SP 800-63-3, which covers technical requirements for Federal agencies implementing digital identity: NIST Special Publication 800-63-3, Digital Identity Guidelines (June 2017), National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899, available at https://nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-63-3.pdf (last visited July 17, 2024)and in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002.

The Digital Identity Guidelines define technical requirements in each of the areas of identity proofing, registration, user authentication, and related issues. Because TSA is not aware of a common industry standard for mDL provisioning that is appropriate for official REAL ID purposes today, TSA views the Digital Identity Guidelines as critical to informing waiver application requirements for States regarding provisioning. As discussed generally in Part III.C.4, below, under § 37.10(a)(2) of the final rule, which requires compliance with Appendix A, a State must explain, as part of its application for a waiver, how the State issues mDLs that are compliant with NIST SP 800-63-3 to provide the security for mDL IT infrastructure necessary for Federal acceptance.

NIST has also published Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (June 2017), National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899, available at https://nvlpubsnist.gov/​nistpubs/​specialpublications/​nist.sp.800-63b.pdf (last visited July 17, 2024) and in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002. This document, which is a part of NIST SP 800-63-3, provides technical requirements for Federal agencies implementing digital identity services. The standard focuses on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated and establishes three authenticator assurance levels. As discussed generally in Part III.C.4, below, § 37.10(a)(2) of this rule requires compliance with Appendix A, which requires a State to explain, as part of its application for a waiver, how the State manages its mDL issuance infrastructure using authenticators at assurance levels provided in NIST SP 800-63B.

iv. Framework for Improving Critical Infrastructure Cybersecurity

NIST has published Framework for Improving Critical Infrastructure Cybersecurity v. 1.1 (April 16, 2018), National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899, available at https://nvlpubs.nist.gov/​nistpubs/​CSWP/​NIST.CSWP.04162018.pdf (last visited July 17, 2024). This document, available in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002, provides relevant information for cybersecurity for States issuing mDLs. As discussed generally in Part III.C.4, below, certain requirements from the NIST Framework for Improving ( print page 85355) Critical Infrastructure Cybersecurity have been adopted in Appendix A, paragraphs 1, 2, and 5-8.

D. Impacted Stakeholders

This final rule applies to State driver's licensing agencies issuing mDLs that seek a temporary waiver from TSA for its mDLs. The waiver established by this rule enables Federal agencies to accept such mDLs for official purposes, defined in the REAL ID Act as accessing Federal facilities, entering nuclear power plants, boarding Federally regulated commercial aircraft, and any other purposes that the Secretary shall determine. Any Federal agency that chooses to accept mDLs for official purposes must procure a reader in order to receive an individual's identity data.

This final rule does not apply to:

• States that do not seek a waiver for mDLs;
• Non-State issuers of other forms of digital identification; or
• Federal agencies that elect not to accept mDLs.

A State seeking a waiver for Federal acceptance of its mDLs for official purposes is required to file with TSA a complete application and supporting documents.^[65] A State must demonstrate how its mDLs meet the requirements for a waiver set forth in §§ 37.10(a) and (b) when completing the application.

E. Use Cases Affected by This Rule

This final rule applies only to Federal acceptance of mDLs for official purposes, defined by the REAL ID regulations as accessing Federal facilities, entering nuclear power plants, and boarding Federally regulated commercial aircraft. Any other purpose is beyond the scope of this rulemaking. For example, a waiver issued under this rule does not apply to any of the following:

• mDL acceptance by Federal agencies for non-REAL ID official uses (e.g., applying for Federal benefits);
• mDL acceptance by non-Federal agencies (e.g., State agencies, businesses, private persons);
• Commercial transactions; or
• Physical driver's licenses or identification cards.

Nothing in this rule requires Federal agencies to accept mDLs, as each Federal agency retains the discretion to determine its identification policies. Additionally, nothing in this rule requires a State to seek a waiver or issue mDLs.

F. Severability

TSA notes that these changes impact multiple provisions that are not necessarily interrelated and can function independent of one another. As such, TSA believes that some of the provisions of each new part can function sensibly independent of other provisions. Therefore, in the event that any provisions in this rulemaking action as finalized are invalidated by a reviewing court, TSA intends remaining provisions to remain in effect to the fullest extent possible.

IV. Discussion of Comments

TSA published the NPRM on August 30, 2023,^[66] and the deadline for public comments was October 16, 2023. TSA received 31 comments,^[67] including some comments that were submitted shortly after the comment period closed. TSA carefully considered every comment received as part of the official record, including those that were submitted late. Comments and TSA's responses are as summarized by topic below.

A. Waiver Eligibility

Comments: Several State driver's licensing agencies, an association, and some vendors expressed concerns that under §§ 37.7(b)(3) and 37.10(a)(1)(vii) of the NPRM, TSA would issue waivers to States that issued mDLs only to holders of REAL ID-compliant physical cards, but a State that issues mDLs to two groups of individuals—both holders of REAL ID-compliant AND non-compliant physical cards—would be ineligible for a waiver because of issuance to the latter group. Stated differently, a State's issuance of mDLs to holders of non-compliant physical cards alone would remove the State's eligibility to apply for a waiver.

Another commenter requested clarification regarding whether a State may still apply for and receive a waiver after enforcement of the REAL ID Act and regulations begins on May 7, 2025.

TSA Response: TSA agrees with commenters and is revising the final rule to clarify that a State will not be excluded from eligibility to apply for a waiver if a State issues mDLs to both REAL ID compliant and non-compliant physical cardholders. The intended purpose of TSA's requirement is for States to ensure that an individual's mDL matches the compliance status of the underlying physical card, and for States to issue an mDL in a manner that enables a verifying Federal agency to confirm the underlying physical card's REAL ID compliance status.

Consistent with that intent, and to address commenters' concerns, the final rule makes three changes to the NPRM. First, this final rule deletes § 37.7(b)(3), as proposed by the NPRM, which provided as a criterion of waiver eligibility that a State must issue mDLs only to individuals who have been issued REAL ID-compliant physical cards.

Second, the final rule deletes a similar requirement from § 37.10(a)(1)(vii), as proposed by the NPRM, which provided that States must issue an mDL only to a resident who has been issued a valid, unexpired, and REAL ID-compliant physical card that underlies the mDL. The final rule modifies this provision to require States to populate this data field to correspond to the REAL ID compliance status of the underlying physical driver's license or identification card that a State has issued to an mDL holder. Specifically, § 37.10(a)(1)(vii)(A) requires mDL data element “DHS_compliance” to be populated with “F” if the underlying card is REAL ID-compliant, or as required by the AAMVA Guidelines,^[68] Section 3.2. In addition, § 37.10(a)(1)(vii)(B) requires mDL data element “DHS_compliance” to be populated “N” if the underlying card is not REAL ID-compliant.

Third, the final rule adds new § 37.8(c), which requires Federal agencies to confirm that the physical card underlying the mDL is REAL ID-compliant, as Federal agencies will only be permitted to accept mDLs if the underlying card is REAL ID-compliant. Federal agencies would make that determination by reviewing data element “DHS_compliance” and confirming that it has been marked “F.” These changes ensure—without compromising a State's waiver eligibility—that an individual's mDL matches the compliance status of the physical card, and that Federal agency will accept only those mDLs that are based on a REAL ID-compliant underlying physical card.

Separately, in response to the commenter's question regarding waiver applications after REAL ID enforcement begins on May 7, 2025, TSA confirms that a State indeed may apply for and receive a waiver after enforcement begins.

B. Conditions on Federal Agencies Accepting mDLs

Comments: An association requested clarification concerning requirements ( print page 85356) on Federal agencies that choose to accept mDLs. Specifically, the commenter noted that the preamble provided that one of the “conditions for TSA acceptance” is that TSA has determined the mDL issuing State is REAL ID-compliant. The commenter sought clarification on the timing of when this compliance determination is made, specifically, whether this is a one-time determination, whether it is made at the time when TSA is reviewing a State's application, or if the State's re-certification schedule is applicable.

TSA Response: First, TSA notes that this rule does not set conditions only for “TSA Acceptance.” Instead, the rule sets forth requirements for all Federal agencies who choose to accept mDLs for official purposes as defined in the REAL ID Act. Second, TSA clarifies that determination of a State's REAL ID compliance status is not a requirement for other Federal agencies to make. The only conditions on Federal agencies who accept mDLs are set forth in § 37.8, which requires the agency to: (1) confirm the State holds a valid waiver by reviewing the specified TSA website, (2) use an mDL reader to communicate with and validate an individual's mDL, (3) confirm that the underlying physical card is REAL ID-compliant, and (4) notify TSA within 72 hours of the discovery of specified security, privacy, or data integrity threats. A State's compliance status is an element of a State's eligibility to apply for a waiver, as set forth in § 37.7(b)(1), and TSA will make this determination when reviewing a State's application. However, TSA acknowledges that the preamble to the NPRM states that a Federal agency must make this compliance determination. TSA has revised the preamble to this final rule to reflect the intended requirements.

In response to comments, TSA also provides further clarification on the timing of its determination of a State's compliance status. TSA will make an initial determination of State compliance status at the time of application, but this is not a one-time determination. States have a continuing obligation, under 6 CFR 37.55(b), to maintain their compliance status by recertifying compliance every 3 years, an obligation which continues throughout the duration of the waiver. If recertification occurs after a State is issued a waiver and TSA determines the State is no longer in compliance, the waiver may be subject to review pursuant to § 37.9(e)(5).

C. Waiver Application Criteria

1. Personally Identifiable Information and Privacy

Comments: An association remarked that § 37.10(a)(1)(i) introduces additional requirements concerning individuals' Personally Identifiable Information (PII) that are not related to mDL issuance and exceed existing requirements in the regulations. The commenter advised that the rule should not expand REAL ID requirements that are unrelated to mDLs.

The association further noted that although privacy is an important concept, it applies mostly to the agreement between an issuing State and the mDL holder, and that the only applicability to verifying Federal agencies is ensuring that the agency receives only the information necessary for identity verification. The commenter therefore recommended updating § 37.10(a)(3) so that States are only required to provision mDLs to digital wallets in a manner that will release only the data requested by the verifier. Additional privacy requirements, the commenter submitted, while important to individuals and States, may not affect verifying agencies.

TSA Response: Sections 37.10(a)(1)(i) and (a)(3) of this rule extend to mDLs PII protections that are analogous to those in the existing regulations regarding physical cards. This rule is adding mirroring PII provisions because mDLs involve a new data set and additional elements that must be protected, which are not addressed in the current regulations. Section 37.10(a)(1)(i) requires encryption of PII, and § 37.10(a)(3) requires an explanation of the means used to protect PII during processing, storage, and destruction of mDL records and provisioning records. Nothing in this final rule modifies or imposes new requirements regarding physical cards. While TSA concurs that there is a privacy interest between individuals and States, verifying Federal agencies have an equally important privacy interest in trusted mDL transactions.

2. Provisioning

Comments: An association contended that although the intended goal of §§ 37.10(a)(1)(iii)-(vi) is the step of “binding,” which means ensuring that an mDL is provisioned to the correct mDL holder's device, binding has no value to verifying Federal agencies, other than copy protection, at the time of identity verification. The association questions, therefore, the need for these requirements.

TSA Response: “Binding,” a critical step in mDL provisioning, refers to the process where the issuing State binds, or pairs, the mDL data to a specific device through the generation of the device key and signing of the mobile security object. Binding is critically important to all stakeholders involved in an mDL transaction, including verifying Federal agencies, as they share a strong interest in a secure, trusted mDL ecosystem in which identity data is protected during mDL provisioning, provided only to the rightful holder of the data, bound to that holder's device, and resists cloning to other devices unless approved by the issuing State. Section 37.10(a)(1) sets forth requirements for provisioning, and the requirements specified in § 37.10(a)(1)(iii)-(vi) provide the requisite security and privacy protections to achieve secure binding. The TSA Waiver Guidance also sets forth recommendations for provisioning and binding. To clarify the relationship between provisioning and binding, the final rule adds a new definition to § 37.3 for “provisioning.”

3. AAMVA mDL Implementation Guidelines

Comments: AAMVA noted that § 37.10(a)(4) refers to version 1.1 of the AAMVA Guidelines, conflicting with § 37.4, which incorporates by reference version 1.2 of this document.

TSA Response: TSA agrees that § 37.10(a)(4) of the NPRM inadvertently listed version 1.1, instead of version 1.2, of the AAMVA Guidelines. TSA notes that the NPRM correctly cited version 1.2 in all other instances ^[69] where it referenced the AAMVA Guidelines, and only made a typographical error to version “1.1” in a single instance, in § 37.10(a)(4). TSA did not receive any comments to the contrary. Accordingly, the final rule has made a technical correction in § 37.10(a)(4) to address this typographical error and correctly refer to version 1.2.

4. Resident Address Data Element

Comments: AAMVA submitted that § 37.10(a)(4)(i) of the NPRM characterizes the “resident_address” data element as “optional,” despite that the AAMVA Guidelines define this data element as mandatory.

TSA Response: TSA clarifies that the “resident_address” data element required in § 37.10(a)(4)(i) refers to the data element as defined in the ISO/IEC 18013-5:2021(E) standard namespace “org.iso.18013.5.1,” not any data ( print page 85357) elements defined in the AAMVA Guidelines. The use of the term “optional” in § 37.10(a)(4)(i) reflects ISO/IEC's designation of that data element as defined in ISO/IEC 18013-5:2021(E). For clarification, despite ISO/IEC's designation of “resident_address” as an “optional” data field in ISO/IEC 18013-5:2021(E), § 37.10(a)(4)(i) of this final rule mandates inclusion of that data field.

D. TSA Waiver Application Guidance

Comments: An association recommended that the TSA Waiver Guidance should include references to the corresponding sections of the rule. The association further recommended that the documents incorporated by reference in § 37.4 should be moved to the Guidance to facilitate efficient updates as new standards are published. A State noted that the Guidance was not available at the website specified in § 37.10(c).

TSA Response: TSA agrees that the Guidance would be more helpful if it references the applicable provisions in the final rule to which the Guidance applies. The Guidance has been revised to specifically include the corresponding regulatory provisions where possible. TSA appreciates the commenter's perspective and this opportunity to provide clarity to the public and stakeholders.

Regarding the recommendation to move the standards from § 37.4 to the Guidance to reflect updated or newly-published standards, TSA notes that the Guidance is non-binding and does not establish any legally enforceable requirements. All security measures, practices, and metrics set forth are simply illustrative, non-exclusive examples for States to consider as part of their overall strategy to address the requirements under § 37.10(a). Any legally enforceable requirements must be set forth in regulatory text. Moreover, as provided in § 37.10(c), TSA may update this Guidance as necessary to provide additional information or address evolving threats to security, privacy, or data integrity.

TSA also clarifies that the Guidance was available during the comment period at the public rulemaking docket at www.regulations.gov, and continues to be available. The website specified in § 37.10(c), and throughout the rule, was under development at the time of the NPRM but is now live.

E. General Concerns About mDLs

Comments: Some public interest organizations posited that public demand for mDLs is “non-existent” and “conjectural.” However, some States disagreed. One State commented that it has issued more than 200,000 mDLs to residents following a pilot in 2017 and more recent expansion in 2022 and 2023. Another State commented that in the 3 months since it began offering its mDL app, it has been downloaded more than 7,000 times. Other commenters questioned the claimed mDL benefits concerning security, privacy, consumer protection, contact-free hygiene, among others, with one commenter opining that any such benefits would be realized only by those with the financial and technical means to purchase mobile devices that meet the specifications in the proposed rule. Some commenters further noted that mDLs would increase the vulnerability of driver's licensing agency databases to cyberattacks.

However, other commenters believe mDLs provide potential security and privacy benefits. One industry vendor commented that the rule would strengthen mDL integrity and security, which the commenter believes is critical to mDL holders and verifying entities. The commenter specifically noted that unlike physical cards, which require an agency's verifying officer to have specialized knowledge of potentially “hundreds” of different card designs of 56 issuing jurisdictions, the electronic safeguards built into mDLs obviate the need for such knowledge. The commenter further opined that mDLs provide privacy protections by empowering the mDL holder to control precisely what information is shared and with whom.

TSA Response: TSA disagrees that public demand for mDLs is weak. As discussed in Part II.C.2., above, TSA understands that more than half of all 56 issuing jurisdictions are considering or issuing mDLs, and this number continues to increase. Indeed, TSA notes that some States submitted comments disagreeing about the purported lack of demand for mDLs.

Regarding potential benefits of mDLs, TSA continues to believe that mDLs provide potential benefits, including security, privacy, efficiency, and contact-free hygiene, as discussed further in the NPRM.^[70] TSA has directly observed some of these benefits through its ongoing mDL testing at airport checkpoints (discussed in Part II.C.2, above). In addition, as discussed above, some commenters agreed with TSA's view that mDLs provide potential security and privacy benefits.

TSA disagrees that the rule effectively requires the purchase of smartphones that are costly or technologically complex, which commenters contend would limit potential mDL benefits only to those with financial and technical means. The potential benefits of mDLs can be realized using nearly any smartphone available today. The only technical requirements for such devices, as a result of this final rule, are a smartphone that employs Bluetooth Low Energy and has secure hardware capability to protect the device key associated with the mDL. These technologies are widely available on most smartphones.

With respect to concerns that mDLs introduce new cyber vulnerabilities, TSA continues to believe that the minimum security requirements set forth in this rule would minimize the potential for harm resulting from such threats. As discussed in Part III.C.4.iii above, cyber threats are diverse and evolving, and TSA intends to address them by updating its Waiver Application Guidance as necessary. Some commenters agreed that this rulemaking would improve mDL security and the ability to resist cyber threats. An advocacy group shared that some States and industry today are using non-standardized technological approaches with wide substantive variances in security methodologies, thereby making some mDLs susceptible to fraud and privacy intrusions. The commenter noted that the proposed rule would overcome those concerns by providing standardized approaches to protect security and privacy.

F. Scope of Rulemaking and mDL Acceptance

Comments: An association opined that mDLs could provide benefits to Federal agencies beyond the uses discussed in the proposed rule. Specifically, the association noted that the Departments of State and Transportation could accept mDLs to improve issuance of passports and commercial driver's licenses, respectively. The commenter also sought clarification on how mDL acceptance, and REAL ID broadly, will be operationalized at TSA, both today and when enforcement of the REAL ID Act begins.

One State recommended that the definition of mDLs in the proposed rule be expanded to include Enhanced Driver's Licenses and Enhanced Identification Cards (collectively “Enhanced Driver's Licenses” or “EDLs”).

TSA Response: TSA reiterates that the final rule applies only to Federal acceptance of mDLs for official purposes, defined by the REAL ID Act regulations as accessing Federal facilities, entering nuclear power plants, ( print page 85358) and boarding Federally regulated commercial aircraft. Any other purpose is beyond the scope of this rulemaking.

TSA further notes that each Federal agency that chooses to accept mDLs for official purposes must build its infrastructure, train its workforce, and operationalize mDL acceptance. Each Federal agency has the discretion to determine its own policies concerning acceptable IDs for access to their facilities, and for communicating this information to the public. TSA advises that questions concerning individual Federal agency identification policies and operational details should be directed to the appropriate program offices of individual agencies.

Regarding EDLs, the definition of “mDL” does not require modification because EDLs comply with REAL ID standards (despite that they are not governed by the REAL ID Act).^[71] For that reason, this rule makes clear that mDLs issued based on EDLs will be accepted by Federal agencies under the waiver process. Indeed, the AAMVA Guidelines (incorporated by reference; see § 37.4) similarly treat EDLs as synonymous with REAL ID-compliant driver's licenses, requiring that States encode EDL-based mDLs as REAL ID-compliant. To confirm that States properly encode an EDL as REAL ID-compliant, § 37.10(a)(1)(vii)(A) of this final rule requires States to populate the “DHS_compliance” data element with “F,” indicating REAL ID-compliant, as required by the AAMVA Guidelines ( see Part IV.A., above). This ensures that a Federal officer verifying an EDL-based mDL will correctly identify the REAL ID compliance status of the underlying EDL. TSA appreciates the commenter's perspective and this opportunity to provide clarity to stakeholders.

G. Privacy

Comments: Several public interest organizations expressed concerns that this rulemaking would establish a national digital ID that Federal agencies could use in wide ranging circumstances and purposes. They suggested that this type of ID could lead to sharing of data between State driver's licensing agencies and Federal agencies, producing serious harms to privacy and security, particularly for immigrant communities. Immigrants, the commenters argue, could suffer because many States are issuing non-compliant cards to them, and this rule could influence States to share with Federal agencies information provided in immigrant applications, potentially resulting in deportation.

Other public interest organizations noted that the proposed rule would facilitate tracking and surveillance because the rule requires “installation of a government app on a mobile device of a certain type.” An organization further suggested that it be allowed to view source code for these apps in order to learn their true intent. Commenters recommended that the rule should not go forward without additional privacy safeguards, noting that standard ISO/IEC 18013-5:2021(E) is not sufficient.

TSA Response: In the REAL ID Act, Congress established minimum standards for the issuance of State-issued driver's licenses and identification cards acceptable for official Federal purposes. Neither the Act nor implementing regulations, 6 CFR part 37, contemplate the creation of a sole national identification card or Federal database of driver's license information. Under the statute, the official purposes for Federal agency acceptance of mDLs relate to identity verification, and Congress neither created nor authorized a national identification card. Each individual licensing jurisdiction continues to issue its own unique licenses, maintain its own records, and control access to those records and the circumstances under which access may be provided. In addition, States continue to have full discretion to issue driver's licenses that are non-REAL ID compliant, or to issue dual classes of compliant and non-compliant cards, which some States are doing. States also have full discretion to choose not to issue mDLs at all. The REAL ID Act does not prevent compliant States from issuing driver's licenses and identification cards where the identity of the applicant cannot be assured or for whom lawful presence is not determined. This rule does not intend to interfere with existing State laws that are designed to protect driver's licensing agency data from being shared and used to enforce Federal immigration laws.

Nothing in this final rule requires a Federal agency to accept mDLs. Agencies that choose to do so will receive mDL user information only with the individual's consent, and individuals will control access and use of the mDL in their mobile devices. For example, in TSA mDL testing at airport security checkpoints, passengers present their mDLs to TSA, which uses an mDL reader to establish a secure communications channel with the passenger's mobile device to receive the passenger's mDL data. TSA's mDL readers are programmed to request access only to the relevant data needed for identity verification, which TSA cannot receive unless the passenger provides consent. Upon consent, the passenger's mobile device releases the mDL data to TSA, which automatically validates the authenticity of the information by confirming the digital signature of the issuing State driver's licensing agency ( see discussion in Part II.C.1., above). TSA emphasizes that it receives passenger data only from the passenger's mobile device, and not from the issuing State driver's licensing agency. Although TSA does communicate with a driver's licensing agency, this is solely to receive the agency's private key for data validation purposes—not identity verification. TSA further emphasizes that it never communicates with driver's licensing agencies information regarding the locations or instances of passengers' mDL use. The passenger's PII is used in the same manner that biographic information from physical IDs is used. The PII that is collected from the mDL, along with the live photo taken by TSA, is overwritten when the next passenger scan occurs or when TSA switches off its ID scanner, whichever occurs first.

An mDL offers additional privacy and security benefits over physical IDs. An mDL transmits only the necessary information requested by TSA, rather than sharing all data elements found on a physical ID, and requires user's consent. All mDL data is encrypted at rest, during transfer, and during all transactions through secure channels. Nothing in this rule mandates that individuals must install a “government” app or any type of app at all. Nothing in this rule requires individuals to use a mobile device of any type, or to choose to receive an mDL at all. TSA appreciates the opportunity to provide a detailed explanation of the privacy protections conferred by mDLs. Additional information can be found in DHS's Privacy Impact Assessment ^[72] concerning privacy risks in the use of digital IDs in the identity verification process at TSA airport security checkpoints.

H. Waiver Validity Period and Renewals

Comments: An industry vendor sought clarification on whether a waiver is valid until revoked or for a defined period. An association urged that the ( print page 85359) validity period of a waiver should be long enough such that States are not frequently submitting applications for renewals and awaiting determinations, and that the period should cover both waiver applications and State re-certifications. The association further submitted that TSA should consider a grace period to allow a waiver to remain valid for some period after the Phase 2 rule is effective. A State sought clarification of requirements for renewing a waiver if the subsequent Phase 2 rulemaking does not commence within 3 years of publication of this final rule in order to assess the resources required to prepare the renewal application. A vendor sought clarification regarding whether a new audit report is required for renewal applications if a State uses the same issuance vendors for both the initial and renewal applications.

TSA Response: Under § 37.9(e)(1), a waiver will be valid for three years from date of issuance unless suspended or terminated under §§ 37.9(e)(4) or (5). As discussed in Part III.C.6., above, this rule specifies a three-year waiver validity period because it aligns with the frequency for States to re-certify compliance with § 37.55(b). TSA believes this period is sufficient given the expedient timeframes specified in § 37.9(b) for TSA to respond to applications. As set forth therein, TSA will provide: an initial decision on applications within 60-90 calendar days, replies to States responses to notices of insufficiency within 30 calendar days, and determinations on petitions for reconsideration within 60 calendar days. These timeframes resist the commenter's concern about potentially being trapped in an enduring cycle of submitting renewal applications and waiting extensive period for TSA responses. Moreover, the three-year waiver validity period equals the three-year frequency of States to recertify compliance required by § 37.55(b), as the commenter notes.

Regarding the timing of the Phase 2 rulemaking and the need for a grace period, § 37.9(e)(6) specifies requirements for States that seek to renew waivers beyond the validity period. Renewal provides a mechanism for waivers to persist independent of the timing of future rulemakings, which obviates the need for a grace period.

With respect to audit reports for renewal applications, TSA confirms that States must submit an audit report for renewals, regardless of a State's mDL issuance vendors or system changes. Regarding the resources required for renewal applications, TSA assumes such audit costs for subsequent waiver applications will remain the same as the audit for the initial application, but TSA does estimate a 25 percent to 70 percent reduction in the renewal application cost because the State would have gained experience and collected evidence from the previously approved waiver application.^[73] The processes to renew a waiver are identical to those set forth in § 37.9 for initial applications.

I. Vendor and Technology “Lock-in” Effects

Comments: Some public interest organizations commented that the NPRM would promote a “lock-in” effect, in which certain technologies and vendors would gain a durable competitive advantage that would be difficult for competitors to overcome. In particular, the commenters expressed concern that markets for digital wallets and mDL readers are likely to be harmed because of the rule's reliance on standards such as ISO/IEC 18013-5:2021(E), which the commenters believe create security, privacy, and interoperability risks. According to the commenters, digital wallets and other necessary mDL technology should be based on open standards.

TSA Response: TSA is currently testing mDLs issued by seven States who are partnering with multiple providers of digital wallets. One provider, SpruceID, is based on an open-source toolkit for developing decentralized IDs.^[74] Additional digital wallet providers are expected to enter the market in the near-term, and States are expected to partner with them and seek to test their mDLs with TSA. The rule provides States broad discretion to select technology vendors of their choice, and does not prescribe any specific type of technology. This absence of prescriptive requirements is intentional, as it accommodates innovation and organic demand from consumers to facilitate technological diversity.

The final rule resists technology lock-in by providing minimum standards for security, privacy, and interoperability, while remaining technology-agnostic. The ISO/IEC 18013-5:2021(E) standard enables the required interoperability for REAL ID use cases where mDL holders present their mDLs in person to an mDL reader. Adhering to this standard for interoperability does not harm the developers of digital wallets or readers because the standard does not prohibit other standards or technologies from working alongside the ISO/IEC 18013-5:2021(E) standard. Indeed, California is pursuing this approach with SpruceID. The California mDL digital wallet, built on the open-source SpruceID toolkit, supports both ISO/IEC 18013-5:2021(E) requirements and an alternative technology, known as TruAge®, which allows the mDL to be used in broader transactions, such as age-verified purchases.^[75] TSA recognizes that in a broad sense, there may be a false “lock-in” effect of certain types of mDLs, namely, those that meet the waiver application criteria set forth in the rule. However, this is not a true lock-in in the traditional sense of economic path dependence, in which barriers prevent innovation and deployment of equal or potentially superior alternatives. The rule requires States to demonstrate that they issue mDLs that provide security, privacy, and interoperability necessary for Federal acceptance for official purposes, but also allows States and industry wide latitude to innovate as necessary to meet the regulatory requirements.

As structured, this rule does not create dependencies on specific vendors, systems, or technologies. Instead, the rule facilitates development of more secure, privacy enhancing, and interoperable mDLs using technology-agnostic solutions. Accordingly, this rule resists the risk of true technology lock-in that otherwise may have occurred if market participants select technologies, developed by first-movers, that lack the protections necessary for Federal acceptance for official purposes.

J. Pseudonymous Validation and On-Device Biometric Matching

Comments: An individual urged that it is critical to support “pseudonymous validation” under standard ETSI TR 119 476. In addition, the commenter argued that mDL transactions should support biometric matching on the mobile device itself to avoid sharing biometric data. The commenter claimed these recommendations are necessary to avoid becoming “an autocratic state.”

TSA Response: “Pseudonymous validation” is the concept of using a pseudonym or alias to identify an ( print page 85360) individual without revealing that person's true identity. Although this may provide valuable privacy protection in some uses, it also enables an individual to operate under a consistent—but false—identity. This is contrary to the REAL ID Act and regulations' purpose of improving the security of State-issued identity cards.

On-device biometric sharing is the subject of standards ISO/IEC 23220-5 and ISO/IEC 23220-6, which are currently in development. TSA is not aware of any currently published standards enabling the establishment of trusted on-device biometric matching in the mDL ecosystem, which makes it premature to require such functionality in the final rule.

K. Access to Standards

Comments: A public interest organization contended that the NPRM failed to provide adequate access to the 19 standards incorporated by reference in the proposed rule. Specifically, the commenter noted that under the NPRM, “the only way” for the public to gain access was to email a request to the address specified in the rule. The commenter noted that it sent multiple emails to this address, but never received a response. The commenter also noted that the NPRM directed individuals to visit “DHS headquarters in Washington DC” but did not provide a specific address.

Other public interest organizations asserted that NPRM failed to provide reasonable access to ISO/IEC 18013-5:2021(E) without a substantial fee. A commenter noted that the ANSI link providing free access to the standard was not helpful, and that attempts “to even load the standards on a modern computer failed completely.” Further, the commenter stated that ANSI required “an unnecessarily onerous process,” which required signing up for an account and completing an online license agreement form, and that access was on a view-only basis.

TSA Response: TSA regrets that the commenter's multiple emails seeking access were not answered. However, TSA notes that the NPRM specified multiple mechanisms for the public to access the standards, consistent with IBR requirements specified by the OFR.^[76] All but one of the 19 standards incorporated by reference in § 37.4 are available to the public for free download, and the NPRM provided the website addresses to access each of these documents. In addition, the NPRM provided detailed information for the publisher of each of these standards, including most, if not all, of the following: publisher name, address, phone, email, and website. For the sole standard that is not publicly available for free, ISO/IEC 18013-5:2021(E), the NPRM facilitated free access via ANSI, a private organization with whom TSA has no affiliation. The NPRM specifically noted that ANSI's policy required individuals to complete an online license agreement form asking for only name, professional affiliation, and email address. The NPRM also stated that access would be available on a view-only basis, and provided publisher information for individuals who sought a greater level of access. TSA received many comments discussing the 19 standards, demonstrating that the NPRM provided sufficient notice regarding access to these standards.

Although the NPRM provided sufficient notice to access the standards, the final rule modifies access instructions in existing § 37.4 to clarify and provide additional means for access. Specifically, the final rule replaces DHS with TSA as a location where IBR material is available for inspection and provides additional points of contact at TSA. The final rule also specifies that certain IBR material is available in the Federal Docket Management System at https://www.regulations.gov, docket number TSA-2023-0002.

L. Standards and Standards Development Generally

Comments: Several commenters sought clarification on how TSA would update the final rule to reflect evolving industry standards and government guidelines. Commenters suggested that instead of incorporating by reference a specific version of a document, the rule should require compliance with the “most recent version.” Some commenters requested specificity regarding the process and timeframes given to States to conform to any updated standards.

Other commenters questioned the validity of the standards-development processes followed by ISO/IEC, AAMVA, and others. Commenters asserted that these bodies are secretive, unaccountable to the public, have onerous membership criteria, are influenced by foreign authoritarian governments, among other deficiencies.

Some commenters asserted that the documents incorporated by reference in § 37.4 of the proposed rule were insufficient because they provided only partial requirements to address security and operational issues. Commenters also criticized some of the references for their absence of protections to address: emerging threats from quantum computing, evolving risks from digital identification, outdated encryption algorithms, and digital wallet design, user experience, among other deficiencies.

TSA Response: Under applicable legal requirements, Federal agencies must seek approval from the OFR for a specific version, edition, or date of a publication that an agency seeks to IBR in a final rule.^[77] Revisions or updates to a publication already IBR'd in a final rule require re-approval from the OFR, and rules therefore do not update “dynamically” to reflect future versions.^[78] Therefore, the rule cannot exclude publication version or date information, or update dynamically to reflect future versions. States will be expected to comply with the standards as published in the final rule. TSA actively monitors evolving standards and guidelines, and may consider whether to IBR those publications (pending review of the final documents) through subsequent rulemaking.

Regarding criticisms of standards-development bodies and their deliberations generally, the standards development process for international technology standards, particularly those intended to be interoperable globally, is developed by membership-based bodies comprised of interested parties representing participants from international governmental entities, educational organizations, research groups, non-profit organizations, commercial entities, and the public at large. Each standards-development organization sets its own criteria for membership, fees, standards development processes, and publication structure.

With respect to the criticism that the chosen standards and guidelines provide insufficient protections and lack future-proofing to address unknown threats, TSA notes that due to the nature of innovation and evolving technology, and legal constraints of Federal rulemaking, it is not possible to develop “future-proofed” regulations. TSA acknowledged in the NPRM that this is a nascent market experiencing rapid innovation, and that many key standards and guidelines are currently being developed. Although imperfect, the chosen standards reflect industry ( print page 85361) state-of-the-art ahead of publication of emerging standards that likely will support the subsequent Phase 2 rulemaking. TSA made a risk-based determination that the 19 standards provide the key security, privacy, and interoperability requirements necessary for trusted Federal acceptance, and are commensurate with existing REAL ID standards for physical cards. The two-phased rulemaking approach is intended to address the near-term need for established security, privacy, and interoperability requirements, while accommodating the medium-term evolution of technology and standardization.

With respect to comments regarding specific deficiencies in some of the chosen standards, TSA offers the following responses. TSA acknowledges that ISO/IEC 18013-5:2021(E) was developed broadly for international consumption and does not fully address the needs for REAL ID use cases in the U.S. The waiver application criteria set forth in § 37.10(a), therefore, adapt ISO/IEC 18013-5:2021(E) for REAL ID use cases by supplementing this standard with requirements from other references as set forth in this rule. For example, §§ 37.10(a)(1) and (a)(3) address the provisioning and privacy requirements not covered by ISO/IEC 18013-5:2021(E). Other issues relevant to mDL transactions that are not addressed in ISO/IEC 18013-5:2021(E), such as device user experience and digital wallet design are beyond the scope of this rule and intentionally omitted.

M. TSA's Identity Verification Policies

Comments: A public interest organization raised questions regarding TSA's identity verification policies at the screening checkpoint.

TSA Response: This rulemaking is focused on allowing Federal agencies to accept mDLs for Federal official purposes as defined by the REAL ID Act. Issues regarding TSA's identify verification processes unrelated to mDLs are beyond the scope of this rulemaking.:

N. Paperwork Reduction Act

Comments: A public interest organization argued that every mDL transaction with a Federal agency is a collection of information subject to the Paperwork Reduction Act (PRA), and that no exemptions apply. The organization further contended that because neither TSA nor any other Federal agency has sought approval from the Office of Management and Budget (OMB) for these collections, any use of mDLs violates the PRA. Without an approved information collection, the commenter noted that it is not able to determine the costs or purposes of this information collection.

TSA Response: TSA disagrees with the commenter's assertion that every mDL transaction with a Federal agency is a collection of information subject to the PRA because a request for identify verification is not the “soliciting . . . of facts or opinions . . . calling for . . . answers to identical questions.” 44 U.S.C. 3502(3) (defining “collection of information”); cf.5 CFR 1320.3(h)(1) (excepting from the definition information affirmations or certifications that “entail no burden other than that necessary to identify the respondent”). This final rule establishes a process for States to apply to TSA for a temporary waiver that enables Federal agencies to accept mDLs issued by those States when REAL ID enforcement begins on May 7, 2025. This rule does not, however, require any mDL transactions with a Federal agency or set requirements for the use of mDL information. Therefore, this comment is beyond the scope of this rulemaking.

O. Legal Authority

Comments: A public interest organization questioned the legality of DHS's delegation of authority to TSA to administer the REAL ID program because the public was deprived of an opportunity to comment on it. The commenter further argued that it is improper for TSA, a transportation-focused agency, to regulate use of mDLs by other Federal agencies for non-transportation uses.

Other public interest organizations posited that neither the REAL ID Act, nor subsequent amendments in the REAL ID Modernization Act, authorize issuance of the waiver as set forth in the NPRM. The commenters argued that DHS is statutorily authorized only to prescribe standards, certify State compliance, and extend time to facilitate compliance, and the implementing regulations prevent DHS from waiving any mandatory minimum standards.

TSA Response: Generally, Federal agencies' delegations of duties and authority are exempt from notice-and-comment requirements of the Administrative Procedure Act because they are matters of “agency management” and “rules of agency organization, procedure or practice.” ^[79] Matters involving internal agency organization, procedure, practice, and delegations of duties and authority are directed primarily towards improving the efficiency and effectiveness of agency operations, and therefore are not required to be posted for public comment. DHS's delegation of authority to TSA to administer the REAL ID program falls within this exemption, obviating the need for public comment.

TSA further clarifies that the REAL ID Act, as amended, authorizes the Secretary to promulgate regulations to implement the requirements under the REAL ID Act.^[80] And the REAL ID Modernization Act amended the definitions of “driver's license” and “identification card” to specifically include mDLs that have been issued in accordance with regulations prescribed by the Secretary of Homeland Security.^[81] TSA is adopting the waiver process established in this final rule pursuant to its authority to implement the requirements of the REAL ID Act as amended, and the final rule is consistent with all statutory requirements.” The waiver application criteria specify issuance-related security and privacy requirements that are commensurate with requirements for physical cards. The final rule further provides that these are temporary requirements that will be superseded by a subsequent rulemaking setting forth more comprehensive requirements after emerging industry standards are published over the next few years.

P. Economic Impact Analysis

1. Alternatives

Comments: Several commenters, including a State, associations, and an individual, commented on various aspects of the assessment regarding the costs and benefits of available regulatory alternatives.^[82] Some commenters recommended that TSA should accept Alternatives 1, 3, or 4 compared to the proposed rule. The commenter recommending acceptance of Alternative 1 stated the proposed rule does not address the market failures associated with a lack of common standards, such as increased complexity of mDL use across States, and may result in larger costs in the long run when formal mDL standards are finalized. The commenter supporting Alternative 3 recommended that TSA promulgate comprehensive mDL regulations that enable States to develop and issue REAL ID-compliant mDLs, as well as a process for Federal agencies to accept them. The commenter recommending acceptance of Alternative 4 stated it would eliminate the time and expense required to ( print page 85362) prepare and submit a waiver application and audit report, and another commenter sought clarification on how the scope of Alternative 4 differs from the proposed rule.

TSA Response: Regarding Alternative 1, TSA reiterates that this rule establishes requirements for States to issue mDLs that provide specified levels of security, privacy, and interoperability, which provides guidance and direction for State mDL issuance systems and reduces the complexity of mDL use across different jurisdictions. The mDL waiver application criteria would likely form the foundation of the more comprehensive requirements in the Phase 2 rulemaking. While States may have to incur cost to alter their mDL programs when more comprehensive requirements are issued, they are less likely to have to make significant changes and incur larger costs under this rule than under Alternative 1.

The final rule provides benefits to States and mDL users. The waiver process will allow the continued use of mDLs for official purposes when REAL ID enforcement begins on May 7, 2025. An mDL is more secure than a physical card, affords users privacy controls over the information transmitted to the relying party, and enables contact-free transactions. TSA does not believe the waiver process delays development of industry standards and Federal guidelines. Many such standards and guidelines are in development that would inform requirements in the Phase 2 rulemaking, and this final rule will facilitate, not impede, this process. For these reasons, TSA recommends the final rule over Alternative 1.

Regarding Alternative 3, TSA believes it is premature to promulgate comprehensive mDL regulations, given that several important industry standards and Federal guidelines are in development and would likely inform future requirements in the Phase 2 rulemaking, such as requirements related to mDL provisioning. Until the subsequent rulemaking is published, this final rule sets requirements based on current, available industry standards and guidelines that serve as a basis for, and bridge towards, more comprehensive requirements.

Alternative 4 would establish interim minimum requirements, similar to the waiver application criteria, for States to issue REAL ID compliant mDLs instead of a wavier process that enables Federal agencies to accept mDLs from States that meet the waiver criteria. TSA clarifies that Alternative 4 would largely convert the waiver application criteria to requirements for the issuance of REAL ID-compliant mDLs. If States could meet those requirements, under Alternative 4, States' mDLs would be deemed REAL ID compliant. In contrast, the final rule, through the waiver process, enables Federal agencies to accept for official purposes States' mDLs that meet the waiver criteria.

As discussed further in Part VI.A.4., below, TSA rejects this alternative because it effectively would codify standards that may become obsolete in the near future, thereby implying a degree of certainty that TSA believes is premature given emerging standards that are still in development. Although Alternative 4 eliminates the waiver process, TSA would continue to require a mechanism to validate that a State's mDLs complies with the established standards under Alternative 4. Thus, States would still need to provide information to TSA similar to the waiver process, including audit reports, to demonstrate compliance with the requirements. TSA believes the time and expense to provide such information under Alternative 4 would be similar to the waiver process under the final rule, and a waiver process provides more flexibility and allows States and TSA to gain insight and experience in the mDL environment.

2. Familiarization and Training Costs

Comments: A vendor recommended inclusion in Table 2 of the NPRM (Total Costs of the Rule to States) of States' Familiarization Cost in years 2-5 to reflect evolving standards, and a similar inclusion in Table 3 (Total Cost of the Rule to DHS) for DHS, but did not provide any cost estimates.^[83] The vendor further recommended inclusion of States' training or continuing education costs in Table 2, which the vendor believes should be similar to DHS's training costs set forth in Table 3 ($5 million over 10 years). The commenter also requested clarification of the definition of training costs in Table 3, and whether it includes State training related to certificate systems and record maintenance.

An association posited that the economic analysis did not address TSA's costs, training requirements, and process changes to adapt to an mDL system.

TSA Response: TSA does not believe a State's familiarization or training cost estimates require modification. The familiarization cost estimate represents the cost and time burden for States to review the final rule. All State driver's licensing agencies would incur this cost in the first year after the publication of the rule. Although familiarization costs do not include time spent reviewing new standards, the NPRM does discuss, qualitatively, potential State costs to monitor and study mDL technology as it evolves including standards development and other relevant factors. TSA did not receive any cost estimates related to reviewing new standards.

The training costs in Table 3 relate to costs TSA would incur to train Transportation Security Officers (TSOs) to verify mDLs for identification purposes at airport security checkpoints. As such, States would not incur similar costs of roughly $5 million for such training. TSA is unclear as to the type of or specific training or continuing education the commenter refers and what may be needed in the future. However, for clarification, any such training and certifications have been added to the qualitative discussion of potential additional State costs (section 3.1.5 of the RIA).

TSA believes the costs related to training and process changes to adapt to an mDL system are accounted for and quantified where available. TSA quantifies the costs for TSOs to undertake training to verify mDLs for identification purposes at the security checkpoint, and for additional clarity, TSA has also added the cost to TSA to provide such training for TSOs. TSA also quantifies the costs related to the equipment that must be acquired to integrate the use of mDLs for identity verification in section 2.6 of the RIA. In addition, TSA added a qualitative discussion in the economic analysis (section 3.2.5) regarding costs TSA may incur related to process changes to adapt to an mDL system, such as changes to standard operating procedures and informational campaigns.

3. Estimated Time To Complete Waiver Applications; Estimated Costs for mDL Readers

Comments: An industry vendor recommended increasing the estimated time to complete waiver applications from 20 hours, as set forth in the NPRM, to 80 hours, and increasing the estimated cost for mDL readers by 35 percent, for both DHS and other Relying Parties.

TSA Response: TSA clarifies that the total time burden to complete a waiver application does not require modification because the estimate includes two components: (1) the time to complete the application and provide the information required under § 37.10(a), and (2) the time to gather all supporting documentation. TSA estimates completing the application ( print page 85363) will require an average of 20 hours. Separately, the time burden estimate for gathering supporting documentation can range from 40 to 120 hours. TSA estimates States with existing mDL solutions (15 States) will require a total of 40 hours, while States considering mDLs but lacking mDL solutions (25 States) will require a total 120 hours for their initial waiver application submission. Thus, TSA estimates an average time burden of 110 hours to complete a waiver application, by adding the time to complete application materials (20 hours) and a weighted average time to gather supporting documentation (90 hours).^[84] TSA also estimates States will incur an average time burden of 47.5 hours to complete a waiver resubmission, which is separate from the initial waiver application. See Section 2.4 of the Regulatory Impact Analysis (RIA) for additional details.

The cost of mDL readers is uncertain given evolving technology, and could vary up or down by 35 percent compared to TSA's current estimate. For example, within TSA specifically, TSA may integrate mDL readers in existing infrastructure, and TSA's costs are different than other relying parties (other Federal agencies that choose to accept mDLs for official purposes). For TSA mDL reader costs, TSA structures its estimate around internal data on actual procurement to quantify the cost of its mDL reader equipment, which also includes the cost of quarterly updates. Given the uncertainty of mDL reader costs, the final rule expands the range of possible reader costs for relying parties up and down by the comment suggested 35 percent of the TSA internal estimate which results in a range of about $260 to $540 with a midpoint of $400. While TSA does not change its primary estimate based on the estimated cost of a smartphone which is assumed to be used in combination with an application to serve as the mDL reader, it does recognize that such costs could range from $2.1 million to $4.4 million over 10 years.^[85]

4. Cost-Benefit Analysis Generally

Comments: A public interest organization suggested that the cost-benefit analysis was hastily prepared and speculative.

TSA Response: TSA recognizes mDLs are an emerging market with uncertain costs and benefits. Nonetheless, TSA quantifies costs where it is able to with the best available data along with assumptions, proxies, and subject matter expert estimates, and TSA discusses potential additional costs qualitatively where TSA was unable to quantify the costs. TSA observes that the commenter did not offer specific recommendations to improve estimates of future costs, urging only that TSA should delay this rulemaking in light of the uncertainty. However, TSA believes there may be additional costs to stakeholders by delaying the rule. For example, mDL users would not be able to use mDLs for official purposes when full enforcement of REAL ID begins on May 7, 2025, which would delay or deny realization of the security, privacy, convenience, and contact-free hygiene benefits mDLs. States and industry would risk continued investments based on non-standardized processes that lack the security, privacy, and interoperability necessary for Federal acceptance for official purposes. Federal agencies would be delayed in realizing the security and privacy benefits conferred by mDLs compared to physical cards. In addition, through continued and increased mDL usage enabled by this final rule, TSA will gain insight and data that could better inform costs and benefits of the Phase 2 rulemaking.

Q. Communicating Status of Waiver; System Disruptions

Comments: Some commenters sought clarification on how the status of a waiver, specifically, suspensions and terminations, would be communicated to Federal agencies. Another commenter asked whether TSA would provide support mechanisms to communicate information about system disruptions that could impact mDL acceptance by Federal agencies.

TSA Response: As provided in §§ 37.9(b)(1), (e)(4)(iii), and (e)(5)(iii), TSA will publish, at www.tsa.gov/​real-id/​mDL, a list of States that hold valid waivers, including updates to note any final suspensions and terminations. As required by § 37.8, any Federal agency that elects to accept, for REAL ID official purposes, mDLs issued by States with a waiver must regularly review the specified website to confirm that a State holds a valid waiver. Suspensions and terminations will occur only for the violations specified in § 37.9(e), which TSA anticipates will be rare instances.

Regarding support mechanisms for system outages and other disruptions to mDL acceptance, each Federal agency that elects to accept mDLs for official purposes will be responsible for maintaining and supporting its mDL acceptance infrastructure. With respect to Federal agency access to the State mDL waiver list at www.tsa.gov/​real-id/​mDL, DHS and TSA IT systems already provide the necessary level of support to reduce the risk of widespread impacts from a temporary system outage. To further reduce risk of potential disruptions, TSA strongly encourages all mDL holders to carry their physical REAL ID cards in addition to their mDLs.

R. Impact of Waiver on States Currently Testing mDLs With TSA

Comments: A State that is currently testing mDLs with TSA sought clarification regarding the extent to which the waiver application criteria align with or differ from terms in the TSA-State testing agreement. The State sought this comparison to assess the amount of additional resources that the State may require to meet the waiver criteria.

TSA Response: Due to confidentiality provisions in TSA's contracts with States, TSA cannot publicly disclose the terms of such agreements or compare any differences with the waiver application criteria. However, to assist any States who have entered into such agreements with TSA, the agency encourages such States to contact TSA for further discussions. All States are subject to the requirements of this rule to obtain a waiver, and TSA intends to work with States that are testing mDLs with TSA to help ensure a smooth transition.

Regarding concerns about the time and resources necessary to successfully apply for a waiver, TSA estimates the 10-year cost to all States seeking a waiver is approximately $814 million. On a per-State basis, TSA estimates the average cost to complete a waiver application is approximately $40,000 (this includes the cost to complete the initial application and resubmission; see Table 2-8 in the RIA), and the average cost to comply with the application criteria $3.13 million in the initial year of a State's application (as discussed in Section 2.5 of the RIA).

S. Notice for Changes to mDL Issuance Processes

Comments: A State requested clarification regarding whether § 37.9(e)(2) requires States to provide 60 calendar days' advance notice before adding a new digital wallet provider.

TSA Response: In some circumstances, the addition of a new digital wallet provider may trigger the ( print page 85364) requirement under § 37.9(e)(2) to provide notice to TSA, depending on the extent of the changes required to the State's mDL issuance processes. This is especially true as more standards are developed in the area of mDL provisioning. Although States are responsible for assessing if any changes are significant and trigger the reporting requirements, TSA recognizes that it is not possible to define precise circumstances that require, or do not require, reporting. To assist States in determining whether changes in their specific circumstances warrant notification under § 37.9(e)(2), the final rule revises this section by adding the following sentence at the end: “If a State is uncertain whether its particular changes require reporting, the State should contact TSA as directed at www.tsa.gov/​real-id/​mDL.” TSA will collaborate with States to facilitate a determination of whether reporting is required. TSA appreciates this opportunity to provide clarity and reduce potential burdens on the entities directly regulated by this final rule.

T. Clarification Regarding “Days”

Comments: A vendor requested clarification whether § 37.9(b) of the NPRM, under which TSA would provide decisions on waiver applications “within 60 days” and “in no event longer than 90 days,” means “calendar days” or “business days.”

TSA Response: TSA clarifies that all references in this rulemaking to “days” means calendar days, not business days. The final rule revises the following NPRM provisions to implement this clarification: §§ 37.9(b), (c) & (e), and Appendix A, paragraph 6.3.

U. Audit Requirements

1. Questionable Necessity; Excessive Costs; Alternatives to Independent Auditor

Comments: An association recommended that the requirement for an independent, third-party audit was unnecessary and should be optional, not mandatory, and further suggested that an audit could be a substantiating element together with any self-certification that a State already presents to TSA under REAL ID requirements. Another commenter posited that an audit (and the waiver application process) is extraneous for States that have invested in mDLs and entered into testing agreements with TSA. Several States and an association expressed concerns about the costs of, and need for, an independent evaluator, noting the timing of budgetary requests and varying ability among States to afford the costs.

Some commenters recommended alternatives to independent auditors, including internal State-conducted audits, an audit conducted in conformity with the AAMVA Digital Trust Service (DTS), and processes in lieu of audits entirely. Another commenter recommended specifying detailed criteria, based on a set of established industry requirements and/or guidelines, along with relevant Root Program or industry policies, against which auditors would perform an assessment.

TSA Response: TSA clarifies that the term “independent entity” in § 37.10(b)(1) is intended to include entities that are employed or contracted by a State and independent of the State's driver's licensing agency. This final rule revises the proposed § 37.10(b)(1) to include this clarification.

TSA disagrees that an independent audit is unnecessary or of questionable importance. The purpose of the audit is to validate the accuracy of the information that a State provides to TSA in support of its application for a waiver. This validation ensures TSA has correct information to efficiently evaluate the sufficiency of a State's application. TSA believes an independent auditor that meets the requirements of § 37.10(b) can provide a defensible level of accuracy that cannot be achieved via other means, such as a self-certification.

TSA also disagrees that costs for independent audits will be excessive. As discussed in section 2.4.1 of the RIA, TSA estimates the audit cost range is between $5,000 and $60,000 on a per-State basis.

TSA disagrees that an audit conducted in conformity with requirements for a State to participate in AAMVA's DTS is an acceptable alternative to the audit requirements specified in this rule. The requirements imposed on States to participate in the AAMVA DTS are not identical to the requirements imposed in this rule. In particular, the AAMVA DTS requirements lack the specific cybersecurity risk control requirements addressed in § 37.10(a)(2) to establish public trust in States' mDL issuance systems. Finally, establishing specific audit criteria may be the subject of the upcoming Phase 2 rulemaking that will set forth detailed requirements that would enable States to issue mDLs that comply with the REAL ID Act.

2. Auditor Qualifications

Comments: One association recommended that the rule should allow an auditor with credentials that are more closely aligned to certification of systems management, ethics, and business practice. Alternatively, the commenter recommended that instead of requiring any specific license, the rule should only require that the name of the auditor be listed.

TSA Response: Regarding auditor qualifications, the requirement in § 37.10(b) that auditor must hold a Certified Public Accountant (CPA) license provides the necessary duty of care to report accurately and truthfully in the State in which the audit occurs, and TSA has not identified any suitable alternatives. TSA understands that auditors experienced in certification of systems management, ethics, and business practice are not an equivalent substitute to auditors who are CPAs, who possess additional qualifications as specified through their Certified Information Technology Professional credential. Similarly, merely listing the name of the auditor is not sufficient. The certification requirements in § 37.10(b) are common in auditing technical and information systems and provide proof of expertise.

V. Appendix A to Subpart A: mDL Issuance Requirements

1. Compliance With Full Reference or Specific Provisions

Comments: An association noted that some Appendix A provisions require full compliance with the cited references instead of specific parts of those references. For illustration, the association provided some non-exhaustive examples, including the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates and Network and Certificate System Security Requirements. The association and another commenter requested specifying pertinent parts of the cited references that are applicable to compliance with requirements in this rule.

TSA Response: TSA agrees that the agency can provide paragraph or section numbers for some of the references cited in Appendix A to aid in understanding which parts of the references require compliance. TSA made the following technical corrections in the final rule:

• In Appendix A, paragraph 1.1, the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates were qualified with the addition of the following identifiers: sections 2, 4.3, 4.9, 5, and 6. TSA also qualified ISO/IEC 18013-5:2021(E) with the addition of Annex B to provide guidance on requirements for a certificate policy and to clarify its ( print page 85365) applicability. Compliance with ISO/IEC 18013-5:2021(E) Annex B is already required by § 37.10(a)(4), and inclusion here reduces burden by providing States greater specificity on certificate profiles to include in their mDL certificate policy. For NIST SP 800-57, Part 1, Rev. 5, the final rule adds qualifications for sections 3 and 5-8. For NIST SP 800-57, Part 3, Rev. 1, the final rule adds qualifications for sections 2-4 and 8-9.
• In Appendix A, paragraph 2.13, the final rule adds a qualification to section 4.2 of NIST SP 800-63B to provide further clarity on the specific requirements for AAL2 authenticators.

Regarding the CA/Browser Forum Network and Certificate System Security Requirements document, the final rule requires full compliance with this document because these requirements define a minimum set of security controls to establish publicly trusted certificate systems. This model has proven successful as the basis for securing the certificate systems used to secure the global internet.

2. Paragraph 2.2: Changing Authentication Keys and Passwords

Comments: An association commented that the terms “privileged account” and “service account” in this paragraph are undefined.

TSA Response: The terms “privileged account” and “service account” fall under the definition of “trusted role” in § 37.3. Accordingly, the final rule has revised proposed Appendix A, paragraph 2.2, to replace “privileged account” and “service account” with “trusted role.” TSA appreciates the feedback and the opportunity to provide this clarification.

3. Paragraphs 2.11-2.14: Multifactor Authentication

Comments: An association requested clarification as to whether the Multifactor Authentication (MFA) required by paragraphs 2.11-2.14 of Appendix A is PKI-based or crypto-based phishing-resistant MFA.

TSA Response: Appendix A, paragraphs 2.11-2.14, do not require PKI-based or crypto-based phishing resistant MFA. While phishing resistant cryptographic authenticators are a best practice to achieve the highest level of assurance for multi-factor authentication, for the purposes of demonstrating compliance with Appendix A requirements in paragraphs 2.11-2.14, MFA is achievable through a combination of technologies and methods covered by NIST SP 800-63B section 4.2. TSA believes this approach optimally balances mitigation of risks associated with access to certificate systems with costs of implementation.

4. Paragraph 3: Facility, Management, and Operational Controls

Comments: An industry vendor questioned whether the requirements in paragraph 3 of Appendix A mean that only U.S. citizens or lawful permanent residents are qualified to be authorized personnel who can access such systems. The commenter sought further clarification on whether the specified controls apply to “as a service” offerings on www.GovCloud.com.

TSA Response: TSA clarifies that Appendix A, paragraph 3.3, does not require that only U.S. citizens or lawful permanent residents can serve as personnel authorized to access state certificate systems. This provision requires States to specify the controls for employees, contractors, and delegated third parties, including any cloud service providers, necessary to prevent risks posed by foreign ownership, control, or influence. Regarding applicability to other cloud-based services, this provision also requires States to specify the security controls for all “as-a-service” providers, who are considered to be delegated third parties.

5. Paragraph 4: Personnel Security

a. Background Checks

Comments: A commenter sought clarification regarding whether this section requires a Federal fingerprint background check, State fingerprint background check, or other non-fingerprint based background check.

TSA Response: Appendix A, paragraph 4, does not specify any particular types of screening procedures. Instead, States are responsible for specifying screening procedures for employees, contractors, and delegated third parties in trusted roles. Title 6 CFR 37.45 specifies requirements for background checks and applies to covered employees, and this final rule does not alter those requirements.

b. Paragraph 4.1: Coordination Among States; Applicable Laws

Comments: A commenter sought clarification regarding how “coordination among State entities” applies to a policy to control security risks from insider threats. The commenter sought further clarification of the requirement in this paragraph that a State's policy must comply with “all applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.”

TSA Response: TSA clarifies that under Appendix A, paragraph 4.1, the term “State entities” refers to the agencies and offices that comprise the State's governmental operations. Coordination among State entities is intrastate for the purposes of State-run insider threat programs, not interstate coordination among different States. TSA believes that States are likely familiar, from decades of experience issuing physical driver's licenses under the requirements of § 37.45, as well as familiarity with other State-specific information and security laws, with the applicable legal requirements governing policies to address risks from insider threats, many of which are State-specific.

c. Timeframe To Disable System Access; Cybersecurity Incident Reporting

Comments: A State commented that Appendix A, paragraph 4.5, which requires a State to disable an employee's system access within 4 hours of the employee's termination, conflicts with Appendix A, paragraph 8.6, which requires States to provide notice to TSA within 72 hours after discovery of a cyber incident. The State recommends that time periods in both sections be amended to 24 hours, urging that disabling an employee's system access within 4 hours of termination is overly aggressive in situations where termination is amicable, such as retirements or transfers.

TSA Response: TSA maintains that a 4-hour requirement to disable system access, as set forth in Appendix A, paragraph 4.5, is essential in all termination situations. A coordinated and prompt surrender of logical and physical access for all departing employees is a critical component of a program to address insider threats. It is highly unlikely that a State would allow employees to have physical access to buildings or other infrastructure after termination. Disabling access to logical systems is as critical as requiring the surrender of keys and media providing physical access. When an employee is terminated for misconduct or other exigent circumstances that could compromise security, timely denial of system access is critical. Although amicable termination situations may present fewer security risks, States have sufficient time, in these circumstances, to pre-plan for the prompt disabling of system access before the employee's final day, similar to how States pre-plan the recovery of any physical keys or key cards for building access.

TSA further maintains that the proposed requirement for States to report cybersecurity incidents within 72 ( print page 85366) hours of discovery, as set forth in Appendix A, paragraph 8.6, is appropriate, and TSA therefore declines the recommendation to shorten the timeframe to 24 hours. While TSA has established in other contexts outside of this rulemaking a shorter timeframe for reporting by certain transportation owners or operators, that timeframe reflects the potential impact of cybersecurity incidents that could jeopardize the safety of individuals and property. In that context, early reporting is critical to ensure the ongoing availability of critical operational capabilities. Here, in contrast, the requirement for reports to be made within no more than 72 hours is appropriate given TSA's assessment of the operational impact of a cybersecurity incident on a State's mDL issuance infrastructure. In addition, the 72-hour requirement is consistent with the timeframe required for the rulemaking by CISA under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.^[86] The 72-hour reporting requirement supports the policy objective of regulatory harmonization, to the greatest extent possible.

In light of the comments, TSA also seeks to provide greater clarity regarding the types of incidents that must be reported, and the mechanics of reporting. Accordingly, this final rule makes several clarifying edits to Appendix A, paragraph 8.6. First, the final rule modifies the requirement for reporting “a significant cyber incident or breach” to “any reportable cybersecurity incident, as defined in the TSA Cybersecurity Lexicon available at www.tsa.gov.” This modification provides greater certainty and assurance regarding events that would trigger reporting. Second, the final rule modifies the requirement for reporting “within 72 hours” to “within no more than 72 hours” to encourage more timely reporting, as recommended by a commenter. Third, the final rule modifies the requirement that regulated entities “provide written notice to TSA” at the specified website, to requiring that “[r]eports must be made as directed” at that website, which clarifies that the website will include information concerning the format or content of the report. Finally, the final rule adds a provision that reports may contain SSI, and if so, would be subject to requirements of 49 CFR part 1520. TSA made similar edits to a requirement concerning Federal agency reporting, § 37.8(d), to add that reports must be made to TSA “as directed” at the specified website, and that reports may be subject to the requirements of 49 CFR part 1520 if they contain SSI. The SSI protection provisions were not proposed in the NPRM and were added in response to public comments, discussed below in Part IV.W., below.

d. Paragraph 4.7: Training for Personnel Performing Certificate Systems Duties

Comments: A commenter sought clarification on whether training item 2 in paragraph 4.7 of Appendix A, which concerns authentication and vetting, applies to States that issue certificates to other entities as described in the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The commenter believes that this training is not applicable because in the mDL context, States do not issue document signer certificates to anyone beyond the State.

TSA Response: TSA appreciates the commenter's perspective, but notes that the training required under Appendix A, paragraph 4.7, is essential for State personnel in executing their duties regarding certificate systems. Although it is correct that States do not issue document signer certificates to other States, States issue document signer certificates to support their own mDLs, namely, to sign and establish public trust. In particular, training on authentication and vetting processes for employees, contractors, and other delegated third parties is a critical component of a well-developed insider threat program because each employee will be aware of the processes for employment and will be aided in identifying potential suspicious activity.

6. Paragraph 5.4: Hardware Security Modules (HSMs)

Comments: A commenter sought clarification as to whether the term “dedicated hardware security modules” in paragraph 5.4 of Appendix A requires HSMs to be dedicated to root certificate private keys and/or dedicated only to the issuing State. The commenter also asked whether this requirement excludes the use of an HSM that physically supports multiple States, but is partitioned into segments controlled by individual States.

TSA Response: Under Appendix A, paragraph 5.4, the term “dedicated” means that a State must use one HSM solely for IACA root private key functions and no other functions within the State's certificate system. TSA clarifies that Appendix A, paragraph 5.6, requires a State to use a separate HSM for document signer private key functions, but this HSM does not have to be “dedicated” solely to that function and may be used to support additional functions within the State's certificate system. TSA further clarifies that Appendix A, paragraphs 5.4 and 5.6, require “sole control” (as defined in § 37.3) of an HSM, which does not permit multiple States to share a single HSM, but States are permitted to use multi-tenant cloud-based HSMs, where each tenant-State is separated with logical and physical controls.

In an effort to further enable the availability of cloud HSMs, TSA is revising related NPRM Appendix A, paragraphs 5.13 and 5.14, which are related to Appendix A, paragraphs 5.4 and 5.6. Paragraphs 5.13 and 5.14 set forth requirements to generate IACA root certificate key pairs, and document signer key pairs, respectively. NPRM Appendix A, paragraph 5.13 proposed requiring two administrators (hereinafter “multi-administrator split knowledge key generation”) and one witness to perform this function, and paragraph 5.14 proposed requiring at least two administrators. However, TSA understands that although States have strong competitive procurement options for local HSMs that support multi-administrator split knowledge key generation, suitable options for multi-tenant cloud HSMs may not exist for many States. States that are unable to procure such devices potentially would have been forced by the NPRM requirement to purchase local HSMs, which are not only costlier than cloud HSMs, but potentially less secure for States that lack HSM management capabilities. TSA understands that generally, security provided by cloud HSM services exceeds the capabilities that most States can afford to provide for local HSMs. After carefully considering a number of factors, including potential security and privacy risks, TSA believes that proposed Appendix A, paragraphs 5.13 and 5.14, imposed unnecessarily restrictive requirements concerning the minimum personnel required to perform multi-administrator split knowledge key generation. Accordingly, the final rule declines to adopt those proposals, and revises the requirement in the proposed Appendix A, paragraph 5.13, to reduce the number of administrators required to generate IACA root key pairs from two to one. The final rule similarly revises the proposed Appendix A, paragraph 5.14, to allow for the generation of document signer key pairs using one administrator and one witness as an alternate to using two administrators with split knowledge key ( print page 85367) generation. TSA believes this reduction in personnel maximizes States' competitive procurement options, reflects current industry state-of-the-art, reduces burdens on regulated stakeholders, and does not compromise security, privacy, or interoperability.

7. Certificate Policies and Practices

Comments: A vendor noted that standard ISO/IEC 18013-5:2021(E) defines profiles for online certificate status protocol (OCSP) and certificate revocation list (CRL), but the standard does not mandate their implementation. The vendor recommended that the rule should specify which of the methods is required, including implementation requirements for certificate type. According to the vendor, it is important to immediately revoke a certificate when the issuing State's private key shows signs of compromise.

The vendor also recommended that the rule should require States to maintain a Certificate Practice Statement (CPS), in addition to the requirement in the NPRM to maintain a certificate policy. A CPS, the vendor explained, should follow a format specified by standard IETF RFC 3647 format, which covers certificate issuance, revocation, and renewal.

TSA Response: Although both OCSP and CRL are methods for validating the revocation status of a certificate, OCSP is out-of-scope for the IACA root and document signer certificates for mDLs, as that protocol is not part of a certificate validation process because mDLs must work in an offline environment. In addition, standard ISO/IEC 18013-5:2021(E) specifies that CRL is mandatory, not optional, and the standard fully defines the profiles and implementation requirements. Section 37.10(a)(2) of this rule requires States to explain the means used for revocation of their certificate systems in compliance with applicable requirements of Appendix A. Paragraphs 1, 5, and 8 of the Appendix set forth requirements applicable to certificate revocation. As discussed in Part IV.V.1, above, the final rule revised Appendix A, paragraph 1.1, as proposed in the NPRM, by adding specific provisions of the cited references with which States must comply. This addition provides greater clarity to States regarding requirements for a certificate policy.

Regarding the recommendation to require States to maintain a CPS following standard IETF RFC 3647,^[87] paragraph 1.1 of Appendix A of this final rule already specifies that requirement. The provision requires a State to adopt certificate policies that meet the requirements in CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates section 2. In addition, the provision requires a State to develop a CPS based on requirements set forth in standard IETF RFC 3647.

8. mDL Lifecycle Management

Comments: A commenter recommended that the rule implement requirements on States to manage the lifecycle of issued mDLs. Examples of such lifecycle management practices include validity periods, refresh periods, push-based updates, harmonized expiration dates of mDL and physical cards, and limitations on the numbers of devices to which a given mDL can be provisioned.

TSA Response: Because mDL issuance and Federal agency experience are still in their infancies, together with an absence of standardized mechanisms to implement certain lifecycle management tasks and minimal data to support specific requirements, TSA believes it is premature to prescribe requirements that the commenter recommends. Imposing such requirements now, while technologies are unsettled and evolving, risks upsetting this rule's equilibrium between security and privacy on the one hand, and innovation on the other. TSA also notes that mDL lifecycle management is addressed in the AAMVA mDL Implementation Guidelines.

W. Protection of Sensitive Security Information in Waiver Applications

Comments: A commenter sought clarification on procedures for protecting any SSI that may be included in waiver applications.

TSA Response: TSA has comprehensively re-evaluated the need to protect SSI that may be included in response to requirements throughout this rule. TSA believes that SSI protection is warranted not only for information included in waiver applications, but also in response to other requirements in this rule (§§ 37.9(b)(2), (c), (e)(2), (e)(4)(ii) & (e)(5)(ii), and Appendix A, paragraph 8.6). Accordingly, this final rule revises NPRM § 37.9 to add new paragraph (g), which provides that information provided in response to §§ 37.9(a), (b)(2), (c), (e)(2), (e)(4)(ii), and (e)(5)(ii), and Appendix A, paragraph 8.6, may contain SSI and therefore must be handled and protected in accordance with 49 CFR part 1520.

V. Consultation With States and the Department of Transportation

Under section 205 of the REAL ID Act, issuance of REAL ID regulations must be done in consultation with the Secretary of Transportation and the States. During the development of this final rule, DHS and TSA consulted with the Department of Transportation and other Federal agencies with an interest in this rulemaking via regular meetings. DHS and TSA also consulted with State officials through meetings with their representatives to AAMVA.

VI. Regulatory Analyses

A. Economic Impact Analyses

1. Regulatory Impact Analysis Summary

Changes to Federal regulations must undergo several economic analyses. First, E.O. 12866 (Regulatory Planning and Review),^[88] as affirmed by E.O. 13563 (Improving Regulation and Regulatory Review),^[89] and as amended by E.O. 14094 (Modernizing Regulatory Review),^[90] directs Federal agencies to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (RFA) ^[91] requires agencies to consider the economic impact of regulatory changes on small entities. Third, the Trade Agreement Act of 1979 ^[92] prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 ^[93] (UMRA) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted for inflation) in any one year.

2. Assessments Required by E.O. 12866 and E.O. 13563

Executive Order 12866 (Regulatory Planning and Review), as affirmed by Executive Order 13563 (Improving Regulation and Regulatory Review) and ( print page 85368) amended by Executive Order 14094 (Modernizing Regulatory Review), directs agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying costs and benefits, reducing costs, harmonizing rules, and promoting flexibility.

The OMB has designated this rule a “significant regulatory action” as defined under section 3(f) of E.O. 12866, as amended by Executive Order 14094. Accordingly, OMB has reviewed this rule.

In conducting these analyses, TSA has made the following determinations:

(a) While TSA attempts to quantify costs where available, TSA primarily discusses the costs and benefits of this rulemaking in qualitative terms. At present, mDLs are part of an emerging and evolving industry with an elevated level of uncertainty surrounding costs and benefits. Nonetheless, TSA anticipates the final rule will not result in an effect on the economy of $200 million or more in any year of the analysis. The rulemaking will not adversely affect the economy, interfere with actions taken or planned by other agencies, or generally alter the budgetary impact of any entitlements.

(b) In accordance with the RFA, and pursuant to 5 U.S.C. 605(b), TSA certifies that the rule will not have a significant economic impact on a substantial number of small entities, including small governmental jurisdictions. The rule will only directly regulate the 50 States, the District of Columbia, and the five U.S. territories who voluntarily participate in the mDL waiver process, who under the RFA are not considered small entities.

(c) TSA has determined that the final rule imposes no significant barriers to international trade as defined by the Trade Agreement Act of 1979; and

(d) TSA has determined that the final rule does not impose an unfunded mandate on State, local, or tribal governments, such that a written statement will be required under the UMRA, as its annual effect on the economy does not exceed the $100 million threshold (adjusted for inflation) in any year of the analysis.

TSA has prepared an analysis of its estimated costs and benefits, summarized in the following paragraphs, and in the OMB Circular A-4 Accounting Statement. When estimating the cost of a rulemaking, agencies typically estimate future expected costs imposed by a regulation over a period of analysis. For this final rule's period of analysis, TSA uses a 10-year period of analysis to estimate costs.

This final rule establishes a temporary waiver process that permits Federal agencies to accept mDLs, on an interim basis, for official purposes, as defined in the REAL ID Act, when full enforcement of the REAL ID Act and regulations begins on May 7, 2025. Federal agencies that opt to accept mDLs for official purposes must also procure an mDL reader in order to validate the identity of the mDL holder. As part of the application process for the mDL waiver, States are required to submit to TSA an application, including supporting data, and other documentation necessary to establish that their mDLs meet specified criteria concerning security, privacy, and interoperability. When REAL ID Act and regulations enforcement begins on May 7, 2025, Federal agencies will be prohibited from accepting non-compliant driver's licenses and identification cards, including both physical cards and mDLs, for official purposes.

In the following paragraph TSA summarizes the estimated costs of the rule on the affected parties: States, TSA, mDL users, and relying parties (Federal agencies that voluntarily choose to accept mDLs for official purposes). TSA has also identified other non-quantified impacts to affected parties. As Table 2 displays, TSA estimates the 10-year total cost of the rule to be $829.8 million undiscounted, $698.1 million discounted at 3 percent, and $563.9 million discounted at 7 percent. The total cost to States comprises approximately 98 percent of the total quantified costs of the rule.

States incur costs to familiarize themselves with the requirements of the rule, purchase access to an industry standard, submit their mDL waiver application, submit an mDL waiver reapplication, and comply with waiver application criteria requirements. As displayed in Table 3, the 10-year cost to States is $813.1 million undiscounted, ( print page 85369) $683.7 million discounted at 3 percent, and $552.0 million discounted at 7 percent.

TSA incurs costs associated with reviewing mDL waiver applications and mDL waiver renewals, purchasing access to industry standards, procuring mDL readers, and mDL training. As displayed in Table 4, the 10-year cost to TSA is $0.131 million undiscounted, $8.87 million discounted at 3 percent, and $7.56 million discounted at 7 percent.

Relying parties represent Federal agencies that elect to accept mDLs for official purposes. Per the final rule, relying parties are required to use an mDL reader to retrieve and validate mDL data. As a result, relying parties will incur costs to procure mDL readers should they voluntarily choose to accept mDLs for official purposes. TSA is also considered a relying party, but due to the particular impact to TSA related to the requirement for REAL ID related to boarding Federally regulated commercial aircraft, those impacts are discussed separately. As displayed in Table 5, the 10-year cost to relying parties is $6.58 million undiscounted, $5.48 million discounted at 3 percent, and $4.38 million discounted at 7 percent.

TSA has also identified other non-quantified impacts to the affected entities. States may incur costs to: monitor and study mDL technology as it evolves; resolve the underlying issues that could lead to a suspension or termination of an mDL waiver; report serious threats to security, privacy, or data integrity; report material changes to mDL issuance processes; remove conflicts of interest with independent auditor; and request reconsideration of a denied mDL waiver application. TSA may incur costs to: investigate circumstances that could lead to suspension or termination of a State's mDL waiver; provide notice to States, relying parties, and the public related to mDL waiver suspensions or terminations; develop an information technology (IT) solution that maintains an up-to-date list of States with valid mDL waivers; develop materials related to the process changes to adapt to mDL systems; and resolve a request for reconsideration of a denied mDL waiver application. mDL users may incur costs with additional application requirements to obtain an mDL. Relying parties may incur costs to resolve any security or privacy issue with the mDL reader; report serious threats to security, privacy, or data integrity; verifying the list of States with valid mDL waivers; train personnel to verify mDLs; and update the public on identification policies.

TSA believes that States implementing an mDL, absent the rulemaking, would still comply with the AAMVA Guidelines. Many of the requirements of the waiver application criteria are already contained within the AAMVA Guidelines. This includes waiver application criteria concerning: data encryption; authentication; device identification keys; user identity verification; applicant presentation; REAL ID compliant physical card; data record; records retention; privacy; and interoperability. Only the waiver application criteria related to escalated review and infrastructure security/issuance are not contained with the AAMVA Guidelines. Operating under the assumption that States interested in mDLs would comply with the AAMVA Guidelines, TSA assumes the application criteria that overlap with the AAMVA Guidelines would otherwise be incurred and thus not included as a cost of the rule.

This final rule establishes waiver application criteria that serves as interim requirements regarding security, privacy, and interoperability for those States choosing to issue mDLs that can be accepted for official purposes. The waiver application criteria may help guide States in their development of mDL technologies which will provide a shared standard that could potentially improve efficiency while also promoting higher security, privacy, and interoperability safeguards.

The application criteria set requirements establishing security and privacy protections to safeguard an mDL holder's identity data. They also set interoperability requirements to ensure secure transactions with Federal agencies. States, via their mDL waiver application, must establish that their mDLs meet the application criteria thus helping to ensure adequate security and privacy protections are in place. Absent the rule, individual States may choose insufficient security and privacy safeguards for mDL technologies that fail to meet the intended security purposes of REAL ID and the privacy needs of users.

An mDL may provide additional security benefits by offering a more secure verification of an individual's identity and authentication of an individual's credential compared to physical cards. In general, mDLs use a cryptographic protocol that ensures the mDL was obtained through a trusted authority, such as a State's Department of Motor Vehicles.^[94] This same protocol may prevent the alteration of mDLs and reduce the threat of counterfeit credentials.^[95] An mDL also offers increased protection of personal identifiers by preventing over-collection of information. An mDL may enable the ability to share only those attributes necessary to validate the user identity with the relying party.^[96] When using a physical card, the user has no ability to limit the information that is shared, regardless of the amount of information required for verification.

The waiver application criteria can help guide State development and investment in mDLs. The waiver application criteria will foster a level of standardization that would potentially reduce complexity by limiting individual State nuances while also ensuring interoperability across States and with the Federal Government. This increased interoperability reduces implementation costs by limiting the need for different protocols or ( print page 85371) mechanisms to accept mDLs from individual States.

Identification of waiver application criteria that can be used across States will result in efficiency gains through multiple States pursuing similar objectives, goals, and solutions. Establishing application criteria early in the technology development process has the potential to align development activities across disparate efforts. Early guidance might also reduce re-work or modifications required in future regulations thus saving time and resources redesigning systems and functionality to adhere to subsequent Federal guidelines.

Furthermore, the waiver application criteria may potentially encourage investment in mDLs and the pooling of resources to develop mDL technology capabilities across States and address common concerns or issues. Such collaboration, or unity of effort, can help spread research and development risk and reduce inefficiencies that may arise from States working independently. Greater clarity over mDL regulations, with the rule part of an incremental, multi-phased rulemaking approach, may spur new entrants (States and technology companies) into the mDL ecosystem.

The rule allows Federal agencies to continue to accept mDLs for official purposes when REAL ID enforcement begins. This will avoid the sudden halting of mDL acceptance when REAL ID enforcement begins which will reverse trends in providing for a more customer-friendly screening experience. The experience and insight learned through the mDL waiver process could also be used to inform future standards and rulemaking.

3. OMB A-4 Statement

The OMB A-4 Accounting Statement presents annualized costs and qualitative benefits of the rule.

4. Alternatives Considered

In addition to the rule, or the “preferred alternative,” TSA also considered four alternative regulatory options.

The first alternative (Alternative 1) represents the status quo, or no change relative to the creation of an mDL waiver. This represents a scenario without a rulemaking or a waiver process to enable mDL acceptance for official Federal purposes. Under this alternative, States would continue to develop mDLs in a less structured manner while waiting for relevant guiding standards to be published which would likely result in dissimilar ( print page 85372) mDL implementation and technology characteristics. This alternative was not selected because it does not address the market failures associated with a lack of common standards, such as increased complexity of mDL use across States, and may result in larger costs in the long run when formal mDL standards are finalized.

The second alternative (Alternative 2) features the same requirements of the rule, including an mDL waiver process, but would allow Federal agencies to accept mDLs issued by certain States whose mDLs TSA has deemed to be “low-risk,” and therefore presumptively eligible to be granted a waiver. TSA would identify mDLs from States who have fulfilled the rule's minimum requirements prior to applying for the waiver and have sufficiently demonstrated ( e.g., via TSA initiative or recent evaluation by a trusted party) to TSA that their mDL systems present adequate interoperability and low security and privacy risk. The presumptive eligibility provision would allow Federal agencies to immediately (or conditionally) accept those “low-risk” mDLs for official purposes pending final approval of the respective State mDL waiver applications. However, TSA rejects this alternative because TSA believes the emerging technology underlying mDLs is insufficiently established to accept the security, privacy, and interoperability of States' mDL systems without an evaluation by TSA or another trusted party. In addition, a similar presumptive eligibility process is not available for other aspects of REAL ID and such an action would not reduce the burden on States to comply with any framework TSA develops.

Under the third alternative (Alternative 3), TSA would establish more comprehensive requirements than those in the rule to ensure mDLs comply with the REAL ID Act. States would be required to adopt the more comprehensive requirements to issue valid mDLs that can be accepted for official purposes. These technical requirements could include specific standards related to mDL issuance, provisioning, verification, readers, privacy, and other security measures. TSA rejects this alternative because promulgating more comprehensive requirements for mDLs is premature, as both industry standards and technology used by States are still evolving. Restrictive requirements could stifle innovation by forcing all stakeholders to pivot toward compliance. This could impede TSA from identifying and implementing a more efficient regulatory approach in the future.

Finally, under the fourth alternative (Alternative 4), instead of a waiver process, TSA would first establish minimum requirements for issuing REAL ID compliant mDLs before TSA later sets more comprehensive requirements as additional guidance and standards become available in the mid- and long-term. The interim minimum requirements would consist of similar requirements for security, privacy, and interoperability, based on 19 industry and government standards and guidelines, described in the rule regarding waiver applications. Alternative 4 effectively would codify standards that may become obsolete in the near future, as existing standards are revised, emerging standards publish, and new cyber threats proliferate. TSA rejects this alternative because establishing minimum requirements that may become obsolete in the near future may limit the ability for TSA to revise standards quickly and would increase the security and privacy risks of accepting mDLs. In addition, this alternative implies a degree of certainty that TSA believes is premature given emerging standards that are still in development. Also, costs under Alternative 4 would roughly be similar to costs under the rule, as both options would require audits and other compliance costs.

5. Regulatory Flexibility Act Assessment

The Regulatory Flexibility Act (RFA) of 1980, as amended,^[97] was enacted by Congress to ensure that small entities (small businesses, small not-for-profit organizations, and small governmental jurisdictions) will not be unnecessarily or disproportionately burdened by Federal regulations. Section 605 of the RFA allows an agency to certify a rule in lieu of preparing an analysis if the regulations are not expected to have a significant economic impact on a substantial number of small entities.

In accordance with the RFA, pursuant to 5 U.S.C. 605(b), TSA certifies that the rule will not have a significant economic impact on a substantial number of small entities. The rule will directly impact States that voluntarily choose to apply for a waiver that will permit mDLs issued by those States to be accepted for official Federal purposes.

6. International Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. The Trade Agreement Act does not consider legitimate domestic objectives, such as essential security, as unnecessary obstacles. The statute also requires that international standards be considered and, where appropriate, that they be the basis for U.S. standards. TSA has assessed the potential effect of this rule and has determined this rule will not have an adverse impact on international trade.

7. Unfunded Mandates Reform Act Assessment

Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4, establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under section 202 of the UMRA, TSA generally must prepare a written Statement, including a cost-benefit analysis, for and final rules with “Federal mandates” that may result in expenditures by State, local, and tribal governments in the aggregate or by the private sector of $100 million or more (adjusted for inflation) in any one year.

Before TSA promulgates a rule for which a written statement is required, section 205 of the UMRA generally requires TSA to identify and consider a reasonable number of regulatory alternatives and adopt the least costly, most cost-effective, or least burdensome alternative that achieves the objectives of the rulemaking. The provisions of section 205 do not apply when they are inconsistent with applicable law. Moreover, section 205 allows TSA to adopt an alternative other than the least costly, most cost-effective, or least burdensome alternative if the final rule provides an explanation why that alternative was not adopted. Before TSA establishes any regulatory requirements that may significantly or uniquely affect small governments, including tribal governments, it must develop under section 203 of the UMRA a small government agency plan. The plan must provide for notifying potentially affected small governments, enabling officials of affected small governments to have meaningful and timely input in the development of TSA regulatory proposals with significant Federal intergovernmental mandates, and informing, educating, and advising small governments on compliance with the regulatory requirements.

When adjusted for inflation, the threshold for expenditures becomes $177.1 million in 2022 dollars. TSA has ( print page 85373) determined that this rule does not contain a Federal mandate as it is voluntary. Furthermore, estimated expenditures for State, local, and tribal governments do not exceed that amount in the aggregate in any one year.

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public. Under the provisions of PRA section 3507(d), TSA must obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or requires through regulations. This rule calls for a collection of information under the PRA. Accordingly, TSA has submitted to OMB for review the information collections that follow below and is pending approval. See5 CFR 1320.11(a). TSA has published a separate notice in the Federal Register soliciting comment on the PRA collection included in this final rule. As defined in 5 CFR 1320.3(c), “collection of information” includes reporting, recordkeeping, monitoring, posting, labeling, and other similar actions. This section provides the description of the information collection and of those who must collect the information as well as an estimate of the total annual time burden. TSA cannot request submission of waiver applications under this rule until OMB has approved the information collection.

The rule establishes a process for States to apply to TSA for a temporary waiver. Such a request is voluntary but will require the submission of an mDL waiver application, resubmission of an mDL waiver application deemed insufficient or denied, and reapplication for an mDL waiver when the term of the mDL waiver expires. All of these items are considered new information collections.

TSA uses the current State of mDL implementation to inform its estimate on how many State entities will request an mDL waiver during the period of analysis.^[98] All 50 States, the District of Columbia, and five territories (collectively referred to as “States” hereafter) are eligible to apply for an mDL waiver as discussed in the rule. However, TSA assumes that not all States will apply for the mDL waiver. TSA assumes 15 States will apply for an mDL waiver in Year 1 of the analysis, 10 States in Year 2, and five States in Year 3.^[99]

Following the State submission of its mDL waiver application, TSA determines if the application is approved, insufficient, or denied. States are allowed to amend an insufficient or denied mDL waiver application and resubmit to TSA review.

TSA assumes that all submissions will initially be deemed insufficient due to the mDL waiver criteria being new and with mDLs an emerging technology. Nonetheless, TSA intends to work individually with interested States to meet the mDL criteria to maximize the likelihood of receiving a waiver. Based on these assumptions, TSA estimates all initial mDL waiver applications will be deemed insufficient and that 90 percent of States will resubmit their mDL waiver applications.^[100]

A State's mDL waivers will be valid for three years. Therefore, States granted an mDL waiver in Year 1 will need to reapply in Year 4 which is beyond the scope of this particular information collection.

TSA technology subject matter experts estimate that the mDL waiver application will take, on average, 20 hours to complete. TSA also estimates that mDL waiver resubmissions will take 25 percent of the initial mDL waiver application time which equates to 5 hours.^[101] Finally, TSA estimates that mDL waiver reapplications will take 75 percent of the initial mDL waiver application time which equates to 15 hours.^[102]

These hour burden estimates are combined with the number of collection activities to calculate the total and average time burden associated with the rule. TSA estimates the rule's total three-year burden for mDL waiver applications, mDL waiver resubmissions, and mDL waiver reapplications is 57 responses and 735 hours. TSA estimates an average yearly burden of 19 responses and 245 hours. Details of the calculation can be found in Table 7.

In addition, States will incur costs associated with audits of their mDL infrastructure. TSA estimates an average cost of $26,974 per submission. States will incur this cost for the initial mDL waiver application and mDL waiver reapplication. As there are no reapplications anticipated for this information collection request, TSA multiplies the annual average number of mDL waiver applications from Table 7 above (10) and the audit cost of $26,974 for a total mDL waiver application cost of $269,742.

C. Federalism (E.O. 13132)

A rule has implications for federalism under E.O. 13132 of August 6, 1999 (Federalism) if it has a substantial direct effect on State or local governments and would either preempt State law or impose a substantial direct cost of compliance on them. TSA analyzed this rule under this order and determined that although this rule affects the States, it does not preempt State law or impose substantial direct compliance costs.

This final rule establishes a process for States to request a temporary waiver that enables Federal agencies to accept mDLs issued by those States when REAL ID enforcement begins on May 7, 2025. The rule does not, however, require States to apply for a waiver, and does not impact States who elect not to do so.

States that elect to apply for a waiver under this rule must submit an application, supporting data, and other documentation to establish that its mDLs meet the specified criteria concerning security, privacy, and interoperability. TSA intends to work with each State a case-by-case basis to ensure that its mDLs meet the minimum requirements necessary to obtain a waiver. This rule does not impact the broad policymaking discretion that States currently exercise regarding other aspects of driver's license issuance.

DHS recognizes that States seeking a waiver will incur compliance costs for which Federal funds are generally not available. However, TSA emphasizes again that this rule does not require States to apply for a waiver, and TSA is promulgating this rule in response to States' concerns regarding mDL acceptance when REAL ID enforcement begins. To minimize States' costs, this rule affords States the maximum possible discretion consistent with the purposes of the REAL ID Act and regulations. Although the rule prescribes baseline requirements, it allows States broad discretion to implement technology decisions, tailored to each State's unique situation, that meet the requirements.

TSA therefore has determined that the rule is consistent with Executive Order 13132 and does not have these implications for federalism.

D. Customer Service (E.O. 14058)

E.O. 14058 of December 13, 2021 (Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government), is focused on enhancing the of technology “to modernize Government and implement services that are simple to use, accessible, equitable, protective, transparent, and responsive for all people of the United States.” The Secretary of Homeland Security has specifically committed to testing the use of innovative technologies at airport security checkpoints to reduce passenger wait times. This rule supports this commitment. Using mDLs to establish identity at airport security checkpoints is intended to provide the public with increased convenience, security, privacy, and health benefits from “contact-free” identity verification. In 2022, DHS and TSA began a collaboration with States and industry to test the use of mDLs issued by participating States at select TSA airport security checkpoints (see Part II.B.2., above). As of the date of this final rule, TSA is currently testing mDLs issued by 11 States (Arizona, California, Colorado, Georgia, Hawaii, Iowa, Louisiana, Maryland, New York, Ohio, Utah) at 27 airports.^[103]

E. Energy Impact Analysis (E.O. 13211)

TSA analyzed this rule under E.O. 13211 of May 18, 2001 (Actions Concerning Regulations That Significantly Affected Energy Supply, Distribution or Use), and determined that it is not a “significant energy action” under that E.O. and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Therefore, this rulemaking does not require a Statement of Energy Effects.

F. Environmental Analysis

DHS and its components review actions to determine whether the National Environmental Policy Act ^[104] (NEPA) applies to them and, if so, what degree of analysis is required. DHS Directive 023-01, Rev. 01 (Directive) and Instruction Manual 023-01-001-01,^[105] Rev. 01 (Instruction Manual) establish the procedures that DHS and its components use to comply with NEPA and the Council on Environmental Quality (CEQ) regulations ^[106] for implementing NEPA. The CEQ regulations allow Federal agencies to establish in their NEPA implementing procedures categories of actions (“categorical exclusions”) which experience has shown normally do not individually or cumulatively have a significant effect on the human environment and, therefore, do not require an Environmental Assessment (EA) or Environmental Impact Statement (EIS).^[107]

Under DHS NEPA implementing procedures, for an action to be categorically excluded, it must satisfy each of the following three conditions: (1) the entire action clearly fits within one or more of the categorical exclusions; (2) the action is not a piece of a larger action; and (3) no extraordinary circumstances exist that create the potential for a significant environmental effect.^[108]

As discussed throughout this preamble, this final rule amends existing REAL ID regulations to add definitions and establish a process enabling States to apply to TSA for a temporary waiver, which would allow Federal agencies to accept, for official purposes when REAL ID enforcement begins in May 2025, mDLs issued by States to whom TSA has issued a waiver. These requirements interpret or amend an existing regulation without changing its environmental effect.

TSA therefore has determined that this final rule clearly fits within by categorical exclusion number A3 in Appendix A of the Instruction Manual. Categorical exclusion A3 applies to promulgation of rules, issuance of rulings or interpretations, and the development and publication of policies, orders, directives, notices, procedures, manuals, advisory circulars, and other guidance documents of the following nature: (a) Those of a strictly administrative or procedural nature; (b) those that implement, without substantive change, statutory or regulatory requirements; (c) those that implement, without substantive change, procedures, manuals, and other guidance documents; (d) those that interpret or amend an existing regulation without changing its ( print page 85375) environmental effect; (e) technical guidance on safety and security matters; or (f) guidance for the preparation of security plans.

This final rule is not a piece of a larger action. Under section V.B(2)(b) of the Instruction Manual, and as informed by the scoping requirements of 40 CFR 1501.9(e), actions must be considered in the same review if the actions are connected, meaning that an action may trigger another action, an action cannot or will not proceed unless another action is taken, or an action depends on a larger action for its justification. While TSA anticipates future rulemaking efforts to further amend REAL ID regulations and create requirements enabling States to issue REAL ID-compliant mDLs, any subsequent final rule, as well as this final rule, are each stand-alone regulatory actions. Thus, this final rule is not connected to any other action for purposes of the NEPA categorical exclusion analysis.

In accordance with the Instruction Manual's NEPA implementing procedures, TSA has completed an evaluation of this rule to determine whether it involves one or more of the ten identified extraordinary circumstances that present the potential for significant environmental impacts. TSA concludes from its analysis that no extraordinary circumstances are present requiring further environmental analysis and documentation. Therefore, this action is categorically excluded and no further NEPA analysis is required.

Regulatory Amendments

For the reasons set forth in the preamble, the Department of Homeland Security amends 6 CFR part 37 to read as follows:

1. The authority citation for part 37 continues to read as follows:

Authority: 49 U.S.C. 30301 note; 6 U.S.C. 111, 112.

2. Amend § 37.3 by adding the definitions for “Administration”, “Certificate authority”, “Certificate management system”, “Certificate policy”, “Certificate system”, “Critical security event”, “Delegated third party”, “Delegated third party system”, “Denial of service”, “Digital certificates”, “Digital signatures”, “Distributed denial of service”, “Execution environment”, “Front end system”, “Hardware security module”, “High security zone”, “Identity proofing”, “Identity verification”, “Internal support system”, “Issuing authority”, “Issuing authority certificate authority”, “Issuing system”, “mDL”, “Mobile driver's license”, “Mobile identification card”, “Multi-Factor authentication”, “Online certificate status protocol”, “Penetration test”, “Provisioning”, “Public key infrastructure”, “Rich execution environment”, “Root certificate authority”, “Root certificate authority system”, “Secure element”, “Secure hardware”, “Secure key storage device”, “Secure zone”, “Security support system”, “Sole control”, “State root certificate”, “System”, “Trusted execution environment”, “Trusted role”, “Virtual local area network”, “Vulnerability”, “Vulnerability scanning”, and “Zone” in alphabetical order to read as follows:

3. Revise § 37.4 to read as follows:

4. Add §§ 37.7 through 37.10 to read as follows:

5. Add appendix A to subpart A to read as follows: