National Conference of State Legislatures
Real ID Final Regulations: Brief #8
State Security Plans and Reporting Requirements
February 13, 2008
This is the eighth brief in a series summarizing the final regulations for implementation of the Real ID Act of 2005. This brief relates to sections of subparts B, D and E of the regulations, which focus on state security plans and other reporting requirements as outlined in the final regulations. A copy of the regulations and other NCSL resources on Real ID, including other briefs, are available at http://www.ncsl.org/realid.
Under the Real ID Act, the Secretary of the Department of Homeland Security may prescribe the requirements of a state’s self-certification request to comply with the Real ID (see Brief #1).
The final regulations require states to submit a security plan in conjunction with a state’s certification. At a minimum, state security plans must address:
- the physical security of the facilities used in the production and storage of Real ID cards;
- the security of personally identifiable information collected, stored, accessed or disseminated by DMV, including a privacy policy regarding personally identifiable information;
- the document and security features of a Real ID compliant card, including the state’s use of biometrics and standards utilized;
- access controls for employee credentialing, employee background checks and controlled access to various systems utilized in the production of a Real ID;
- state training programs for fraudulent document recognition, threat identification and the handling of sensitive security information;
- a state’s emergency and incident response plan;
- a state’s internal audit controls; and
- a state’s affirmation to protect the confidentiality of card holder information issued in support of federal, state and local criminal justice activities or protection of the identity of persons serving in an official capacity.
A state security plan must be handled and protected in accordance with federal standards for sensitive security information as determined by the Department of Transportation (see 49 CFR 1520).
State Reporting Requirements
If applicable, states must also provide the Department of Homeland Security (DHS) with the following:
- state request for an extension of the Real ID requirements deadline (see Brief #1);
- state certification documentation (see Brief #1);
- documentation of any exceptions and waiver procedures (see Brief #1); and
- state report(s) on a state’s card security evaluation (updated with any security feature modification change) (see Brief #4).
If applicable, a state may also reply to a preliminary DHS finding of non-compliance under the state certification process. The state reply must include an explanation of any corrective action to remedy non-compliance or provide a detailed analysis of why a finding of non-compliance was incorrect. A state’s reply must be filed within 30 days of a DHS finding of non-compliance.
For more information contact NCSL staff Jeremy Meadows (Jeremy.Meadows@ncsl.org, 202-624-8664) or Garner Girthoffer (Garner.Girthoffer@ncsl.org, 202-624-7753).