Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Waiver for Mobile Driver's Licenses

SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Document

You can find an electronic copy of this rulemaking using the internet by accessing the Government Publishing Office's web page at https://www.govinfo.gov/app/collection/FR/ to view the daily published Federal Register edition or accessing the Office of the Federal Register's web page at https://www.federalregister.gov. Copies are also available by contacting the individual identified for “Technical Questions” in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking.

Abbreviations and Terms Used in This Document

AAMVA—American Association of Motor Vehicle Administrators

CA/Browser Forum—Certification Authority Browser Forum

CISA—Cybersecurity and Infrastructure Security Agency

DHS—U.S. Department of Homeland Security

EDL—Enhanced driver's license and identification card

FIPS—Federal Information Processing Standards

HSM—Hardware security module

IBR—Incorporation by reference or Incorporate by reference

IEC—International Electrotechnical Commission

ISO—International Organization for Standardization

IT—Information technology

mDL—Mobile driver's license and mobile identification card

NIST—National Institute for Standards and Technology

NPRM—Notice of proposed rulemaking

OFR—Office of Federal Register

OMB—Office of Management and Budget

PUB—Publication

RFI—Request for information

SP—Special publication

TSA—Transportation Security Administration

Table of Contents

I. Executive Summary

A. Purpose of this Rulemaking

B. Summary of the Major Provisions

C. Need for a Multi-Phased Rulemaking

D. Costs and Benefits

II. Background

A. REAL ID Act, Regulations, and Applicability to mDLs

B. Rulemaking History

C. mDL Overview

D. Industry Standards and Government Guidelines for mDLs

III. General Discussion of the Rulemaking

A. Changes Between NPRM and Final Rule

B. Summary of Regulatory Provisions

C. Specific Provisions

D. Impacted Stakeholders

E. Use Cases Affected by This Rule

F. Severability

IV. Discussion of Comments

A. Waiver Eligibility

B. Conditions on Federal Agencies Accepting mDLs

C. Waiver Application Criteria

D. TSA Waiver Application Guidance

E. General Concerns About mDLs

F. Scope of Rulemaking and mDL Acceptance

G. Privacy

H. Waiver Validity Period and Renewals

I. Vendor and Technology “Lock-in” Effects

J. Pseudonymous Validation and On-Device Biometric Matching

K. Access to Standards

L. Standards and Standards Development Generally

M. TSA's Identity Verification Policies

N. Paperwork Reduction Act

O. Legal Authority

P. Economic Impact Analysis

Q. Communicating Status of Waiver; System Disruptions

R. Impact of Waiver on States Currently Testing mDLs With TSA

S. Notice for Changes to State mDL Issuance Processes

T. Clarification Regarding “Days”

U. Audit Requirements

V. Appendix A to Subpart A: mDL Issuance Requirements

W. Protection of Sensitive Security Information in Waiver Applications

V. Consultation With States and the Department of Transportation

VI. Regulatory Analyses

A. Economic Impact Analyses

B. Paperwork Reduction Act

C. Federalism (E.O. 13132)

D. Customer Service (E.O. 14058)

E. Energy Impact Analysis (E.O. 13211)

F. Environmental Analysis

I. Executive Summary

A. Purpose of This Rulemaking

This rule is part of an incremental, multi-phased rulemaking that will culminate in the promulgation of comprehensive requirements that enable States to issue mobile driver's licenses and mobile identification cards (collectively “mDLs”) that comply with the REAL ID Act of 2005 (“REAL ID Act” or “Act”) and regulations [hereinafter “REAL ID-Compliant”]. In this first phase, the Transportation Security Administration (TSA) is making two changes to the current regulations in 6 CFR part 37, “REAL ID Driver's Licenses and Identification Cards.” First, TSA is adding definitions for, among others, mobile driver's licenses and mobile identification cards. These definitions provide a precise explanation of those terms as referenced in the REAL ID Act, which applies to only State-issued driver's licenses and State-issued identification cards. Any other types of identification cards, such as those issued by a Federal agency, or commercial, educational, or non-profit entity, are beyond the scope of the REAL ID Act and regulations, and hence this rulemaking, because they do not meet the definition of driver's license or identification card as defined by the REAL ID Act. The definition of “mDL” as used in this rulemaking is limited strictly to the REAL ID Act and regulations and does not include “mDLs” as defined by other entities.

Second, TSA is establishing a temporary waiver process that permits Federal agencies to accept mDLs for official purposes, as defined in the REAL ID Act and regulations, on an interim basis when full enforcement begins on May 7, 2025, but only if TSA has issued a waiver to the State. To qualify for the waiver, this final rule requires States to (1) be in full compliance with all applicable REAL ID requirements as defined in subpart E of this part, and (2) submit an application demonstrating that they meet the requirements specified in this rule, which are drawn from 19 industry standards and government guidelines. The rulemaking incorporates by reference (IBRs) those standards and guidelines, which cover technical areas such as mDL communication, digital identity, encryption, cybersecurity, and network/information system security and privacy.

As noted above, this final rule is part of an incremental rulemaking that temporarily permits Federal agencies to accept mDLs for official purposes until TSA issues a subsequent rule that would set comprehensive requirements for mDLs. TSA believes it is premature to issue such requirements before the May 7, 2025 deadline due to the need for emerging industry standards and government guidelines to be finalized.

The need for this rulemaking arises from TSA's desire to accommodate and foster the rapid pace of mDL innovation, while ensuring the intent of the REAL ID Act and regulations are met. Secure driver's licenses and identification cards are a vital component of our national security framework. In the REAL ID Act, Congress acted to implement the 9/11 Commission's recommendation that the Federal Government “set standards for the issuance of sources of identification, such as driver's licenses.” Under the REAL ID Act and regulations, a Federal agency may not accept for any official purpose a State-issued driver's license or identification card, either physical or an mDL, that does not meet specified requirements, as detailed in the REAL ID regulations ( see Part II.A., below, for more discussion on these requirements).

This final rule will result in the development of mDLs with a higher level of security, privacy, and interoperability features necessary for Federal acceptance for official purposes. Because the current regulatory provisions do not include requirements that would enable States to issue REAL ID-compliant mDLs, several States are investing significant resources to develop mDLs based on varying and often proprietary standards, many of which may lack security and privacy safeguards commensurate with REAL ID requirements and the privacy needs of users. Without timely regulatory guidance concerning potential requirements for developing a REAL ID-compliant mDL, States risk investing in mDLs that are not aligned with emerging industry standards and government guidelines that may be IBR'd in a future rulemaking. States, therefore, may become locked-in to existing solutions and could face a substantial burden to redevelop products acceptable to Federal agencies under this future rulemaking.

This final rule addresses these concerns by enabling TSA to grant a temporary waiver to States whose mDLs TSA determines provide sufficient safeguards for security and privacy, pending finalization of emerging standards. Although this rule does not set standards for the issuance of REAL ID-compliant mDLs, it does establish minimum requirements that States must meet to be granted a waiver so that mDLs can be accepted by Federal agencies for official purposes. These minimum standards and requirements ensure that States' investments in mDLs provide minimum privacy and security safeguards consistent with information currently known to the TSA.

B. Summary of the Major Provisions

As further discussed in Part II.A., below, mDLs cannot be accepted by Federal agencies for official purposes when REAL ID full enforcement begins on May 7, 2025, unless 6 CFR part 37 is amended to address mDLs. This final rule establishes a process for waiving, on a temporary and State-by-State basis, the current prohibition on Federal acceptance of mDLs for official purposes, and enables Federal agencies to accept mDLs on an interim basis while the industry matures to a point sufficient to enable TSA to develop more comprehensive mDL regulatory requirements.

The current regulations prohibit Federal agencies from accepting non-compliant driver's licenses and identification cards, including both physical cards and mDLs, when REAL ID enforcement begins on May 7, 2025. Any modification of this regulatory provision must occur through rulemaking (or legislation). Until and unless TSA promulgates comprehensive mDL regulations that enable States to issue REAL ID-compliant mDLs, mDLs cannot be developed to comply with REAL ID, and Federal agencies therefore cannot accept mDLs for official purposes after REAL ID enforcement begins on May 7, 2025. The rule allows the Federal government to accept mDLs on an interim basis, but only if TSA has issued a waiver to such State based on that State's compliance with all applicable REAL ID requirements as defined in subpart E of this part, and with the minimum privacy, safety, and interoperability requirements in this rulemaking. Please see Part II.A., below, for an explanation of the REAL ID requirement that both cards and issuing States must be REAL ID compliant.

C. Need for a Multi-Phased Rulemaking

TSA recognizes both that regulations can influence long-term industry research and investment decisions, and that premature regulations can distort the choices of technologies, which could harm competition and innovation. As noted above, there are clear reasons for TSA to issue requirements for mDLs in the context of REAL ID. Simultaneously, however, TSA observes that this is a rapidly innovating market, with multiple industry and government standards and guidelines necessary to ensure mDL privacy and security still in development. Accordingly, TSA has concluded that it is premature to promulgate comprehensive requirements for mDLs while key standards are being finalized because of the risk of unintended consequences, such as chilling innovation and competition in the marketplace, and “locking-in” stakeholders to certain technologies. TSA is therefore establishing a temporary waiver process with clear standards and requirements to facilitate the acceptance of mDLs while the industry matures and moves to accepted standards.

TSA is proceeding with a multi-phased rulemaking approach. This “Phase 1” rule establishes a temporary waiver process that enables continuing Federal acceptance of mDLs for official purposes when REAL ID enforcement begins on May 7, 2025, and affords Federal agencies additional operational experience and data that would inform comprehensive regulations in the upcoming “Phase 2” rulemaking. The Phase 1 rule is intended to serve as a regulatory bridge until the emerging standards are finalized and a comprehensive Phase 2 rulemaking is effective.

TSA anticipates the future Phase 2 rulemaking would repeal the temporary waiver provisions established in Phase 1 and establish comprehensive requirements enabling States to issue mDLs that comply with REAL ID requirements. TSA envisions the Phase 2 rulemaking would draw heavily from pertinent parts of the emerging standards (pending review of those final, published documents) to set specific requirements for security, privacy, and interoperability. In addition, the Phase 2 rule would distinguish between existing regulatory requirements that apply only to mDLs versus physical cards. As one commenter to a previously-issued Request for Information (RFI) urged (discussed in Part II.B., below), DHS is taking “a slow and careful approach” to regulation in order to fully understand the implications of mDLs.

This multi-phased rulemaking approach supports Executive Order (E.O.) 14058 of December 13, 2021 (Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government), by using “technology to modernize Government and implement services that are simple to use, accessible, equitable, protective, transparent, and responsive for all people of the United States.” As highlighted above and discussed in more detail below, allowing acceptance of mDLs issued by States that meet the waiver requirements enables the public to more immediately realize potential benefits of mDLs, including greater convenience, security, and privacy.

D. Costs and Benefits

TSA estimates the 10-year total cost of the rule to be $829.8 million undiscounted, $698.1 million discounted at 3 percent ($81.8 million annualized), and $563.9 million discounted at 7 percent ($80.3 million annualized). Affected entities include States, TSA, and relying parties (Federal agencies that voluntarily choose to accept mDLs for official purposes).

States incur costs to familiarize themselves with the requirements of the final rule, purchase access to an industry standard, submit an mDL waiver application, submit mDL waiver reapplications, and comply with waiver application requirements. TSA estimates that 40 States will seek an mDL waiver over the next 10 years at a 10-year State cost of $813.1 million undiscounted, $683.7 million discounted at 3 percent, and $552.0 million discounted at 7 percent.

TSA incurs costs associated with purchasing access to industry standards, reviewing mDL waiver applications and mDL waiver reapplications, acquiring, installing, and operating mDL readers, and training transportation security officers. TSA estimates the 10-year cost to TSA is $10.13 million undiscounted, $8.87 million discounted at 3 percent, and $7.56 million discounted at 7 percent.

Relying parties will incur costs to procure mDL readers should they voluntarily choose to accept mDLs for official purposes. TSA estimates the 10-year cost to relying parties is $6.57 million undiscounted, $5.48 million discounted at 3 percent, and $4.38 million discounted at 7 percent.

TSA also identifies other non-quantified costs that affected parties may incur. States may incur incremental costs to: monitor and study mDL technology as it evolves; resolve underlying issues that could lead to a suspension or termination of an mDL waiver; report serious threats to security, privacy, or data integrity; report material changes to mDL issuance processes; remove conflicts of interest with an independent auditor; and request reconsideration of a denied mDL waiver application. TSA may incur costs to: investigate circumstances that could lead to suspension or termination of a State's mDL waiver; provide notice to States, relying parties, and the public related to mDL waiver suspensions or terminations; develop an IT solution that maintains an up-to-date list of States with valid mDL waivers; develop materials related to process changes to adapt to mDL systems; and resolve requests for reconsideration of a denied mDL waiver application. An mDL user may incur costs with additional application requirements to obtain an mDL. States may also pass on mDL related costs to the public. Relying parties may incur costs to resolve any security or privacy issue with the mDL reader; report serious threats to security, privacy, or data integrity; verify the list of States with valid mDL waivers; train personnel to verify mDLs; and update the public on identification policies.

The final rule provides benefits to affected parties which include, but are not limited to: promoting higher security, privacy, and interoperability safeguards; reducing uncertainty in the mDL technology environment by helping to foster a minimum level of security, privacy and interoperability; and allowing Federal agencies to continue to accept mDLs for official purposes when REAL ID enforcement begins. Also, mDLs themselves may provide additional security benefits by offering a more secure verification of an individual's identity and authentication of an individual's credential compared to usage of physical cards.

II. Background

A. REAL ID Act, Regulations, and Applicability to mDLs

This rulemaking is authorized by the REAL ID Act of 2005 and REAL ID Modernization Act. The REAL ID Act authorizes the Secretary of Homeland Security, in consultation with the States and the Secretary of Transportation, to promulgate regulations to implement the requirements under the REAL Act. The REAL ID Modernization Act amended the definitions of “driver's license” and “identification card” to specifically include mDLs that have been issued in accordance with regulations prescribed by the Secretary of Homeland Security.

The REAL ID Act and implementing regulations, 6 CFR part 37, set minimum requirements for State-issued driver's licenses and identification cards accepted by Federal agencies for official purposes, including accessing Federal facilities, boarding Federally regulated commercial aircraft, entering nuclear power plants, and any other purposes that the Secretary shall determine. The Act defines “driver's licenses” and “identification cards” strictly as State-issued documents, and the regulations further refine the definition of “identification card” as “a document made or issued by or under the authority of a State Department of Motor Vehicles or State office with equivalent function.” The REAL ID Act and regulations do not apply to identification cards that are not made or issued under a State authority, such as cards issued by a Federal agency or any commercial, educational, or non-profit entity.

The regulations include a schedule describing when individuals must obtain a REAL ID-compliant driver's license or identification card intended for use for official purposes, known as “card-based” enforcement. Card-based enforcement begins on May 7, 2025. On this date, Federal agencies will be prohibited from accepting a State- or territory-issued driver's license or identification card for official purposes unless the card is compliant with the REAL ID Act and regulations.

On December 21, 2020, Congress passed the REAL ID Modernization Act, which amended the REAL ID Act to update the definitions of “driver's license” and “identification card” to specifically include mDLs that have been issued in accordance with regulations prescribed by the Secretary, among other updates. Accordingly, mDLs must be REAL ID-compliant to be accepted by Federal agencies for official purposes when card-based enforcement begins on May 7, 2025. However, States cannot issue REAL ID-compliant mDLs until the regulations are updated to include requirements to ensure that mDLs meet equivalent levels of security currently imposed on REAL ID-compliant physical cards.

B. Rulemaking History

In April 2021, DHS issued an RFI announcing DHS's intent to commence future rulemaking to set the minimum technical requirements and security standards for mDLs to enable Federal agencies to accept mDLs for official purposes. The RFI requested comments and information to inform DHS's rulemaking. In response, DHS received 63 comments through a twice-extended comment period of 180 days, which closed on October 18, 2021.

In August 2023, TSA published a Notice of Proposed Rulemaking (NPRM) drawing on comments to the RFI, which are summarized at 88 FR 60056, 60071-72. The NPRM comment period closed on October 16, 2023, and TSA received 31 comments. NPRM comments are discussed in detail in Part IV, below.

C. mDL Overview

1. mDLs Generally

An mDL is generally recognized as the digital representation of an individual's identity information contained on a State-issued physical driver's license or identification card. An mDL may be stored on a diverse range of portable or mobile electronic devices, such as smartphones, smartwatches, and storage devices containing memory. Like a physical card, mDL data originates from identity information about an individual that is maintained in the database of a State driver's licensing agency. An mDL has potential benefits for all stakeholders. For Federal agencies, mDLs may provide security and efficiency enhancements compared to physical cards, because mDLs rely on digital security features that are immune to many vulnerabilities of physical security features. For individuals, mDLs may provide a more secure, convenient, privacy-enhancing, and “touchless” method of identity verification compared to physical IDs.

Unlike physical cards that employ physical security features to deter fraud and tampering, mDLs combat fraud through the use of digital security features that are not recognizable through human inspection, such as asymmetric cryptography/public key infrastructure (PKI). As discussed in the NPRM, asymmetric cryptography generates a pair of encryption “keys” to encrypt and decrypt protected data. One key, a “public key,” is distributed publicly, while the other key, a “private key,” is held by the State driver's licensing agency ( e.g., a Department of Motor Vehicles). When the driver's licensing agency issues an mDL to an individual, the agency uses its private key to digitally “sign” the mDL data. A Federal agency accepting an mDL validates the integrity of the mDL data by obtaining the State driver's licensing agency's public key to verify the digital signature. Private keys and digital signatures are elements of data encryption that protect against unauthorized access, tampering, and fraud. Generally, mDL-based identity verification under REAL ID involves a triad of secure communications between a State driver's licensing agency, an mDL holder, and a Federal agency. Standardized communication interfaces are necessary to enable Federal agencies to exchange information with all U.S. States and territories that issue mDLs. Please see the NPRM for a more detailed discussion.

In contrast to physical driver's licenses that are read and verified visually through human inspection of physical security features, an mDL is read and verified electronically using a device known simply as a “reader. Any Federal agency that accepts mDLs for official purposes must use readers to validate an mDL holder's identity data from their mobile device and establish trust that the mDL is secure by using private-public key data encryption. An mDL reader compliant with this requirement can take multiple forms, such as an app installed on a mobile device, or a dedicated device. Although reader development is evolving, some companies already offer reader apps for free, and TSA therefore expects readers will be offered in a wide range capabilities and associated price points.

2. State mDL Issuance and TSA Testing

As noted above, mDL issuance is proliferating rapidly among States, with at least half of all States believed to be preparing for or issuing mDLs. Although detailed mDL adoption statistics are unavailable, anecdotal information and media reports indicates that mDLs are rapidly gaining public acceptance. For example, Maryland commented that it has issued more than 200,000 mDLs to residents following a pilot in 2017 and more recent expansion in 2022 and 2023. Iowa commented that in the 3 months since it began offering its mDL app, it has been downloaded by more than 7,000 users.

TSA understands that States are issuing mDLs using widely varying technology solutions, raising concerns whether such technological diversity provides the safeguards and interoperability necessary for Federal acceptance. Since 2022, TSA has been collaborating with States and industry to test the use of mDLs issued by participating States at select TSA airport security checkpoints. As of the date of this final rule, TSA is currently testing mDLs issued by 11 States (Arizona, California, Colorado, Georgia, Hawaii, Iowa, Louisiana, Maryland, New York, Ohio, Utah) at 27 airports.

D. Industry Standards and Government Guidelines for mDLs

The nascence of mDLs and absence of standardized mDL-specific requirements provide an opportunity for industry and government to develop standards and guidelines to close this void. TSA is aware of multiple such documents, published and under development, from both Federal and non-government sources. As discussed in Part III.C.8, below, this final rule amends § 37.4 by IBR'g into part 37 19 standards and guidelines that form the basis of many of the requirements in this final rule. TSA understands that these standards and guidelines discussed are the most comprehensive and relevant references governing mDLs today. TSA also acknowledges that many additional standards and guidelines are in development and may provide additional standardized mechanisms for mDLs.

III. General Discussion of the Rulemaking

A. Changes Between NPRM and Final Rule

After carefully considering all comments received to the NPRM (see detailed discussion of comments and TSA's responses in Part IV, below), TSA finalizes the NPRM with several revisions in response to public comments. Table 1 summarizes the changes made in the final rule compared to the NPRM.