Governance & Risk Management
,
Identity Governance & Administration
‘TSA Is Not the Right Agency to Lead’ REAL ID Implementation, Security Experts Say
Security and identity management experts urged Congress to direct the National Institute of Standards and Technology to play a bigger role in developing standards for digital identity management ahead of a looming 2025 deadline for domestic air travelers to comply with security requirements outlined in the REAL ID Act.
See Also: Live Webinar | Cutting Through the Hype: What Software Companies Really Need from ASPM
All domestic air travelers and visitors to certain federal facilities will be required to present REAL ID-compliant driver’s licenses or identification cards beginning May 7, 2025. Congress approved the REAL ID Act in the wake of the attacks on Sept. 11, 2001, although the deadline for compliance has been delayed three times in a bid to avoid major travel disruptions in parts of the country where the security-enhanced IDs are less accessible.
While all 50 states now offer REAL ID-compliant licenses, only 52% of U.S. citizens possess identification compliant with the legislation, and only four states currently require REAL ID compliance, according to Rep. Carlos Gimenez, R-Fla., chairman of the House Homeland Security Subcommittee on Transportation and Maritime Security.
“Suffice it to say that on May 7, 2025, we’re going to encounter utter mayhem at our airports,” Gimenez said Tuesday during a hearing on identity management innovation. “There is more work to be done to raise awareness and REAL ID adoption.”
Experts urged lawmakers not to wait for the International Standards Organization or other foreign entities to develop their own standards and best practices for digital identity management. Instead, the panelists pointed to NIST as an example of a U.S. agency with the capabilities required to promote and assist in nationwide compliance around enhanced security measures for digital identity management.
Jeremy Grant – coordinator for The Better Identity Coalition, a former senior executive adviser for identity management at NIST, and an Information Security Media Group contributor -said the agency has funded and spearheaded initial pilot projects in the U.S. to test mobile driver’s licenses starting in 2012.
Rather than tasking NIST with determining how mobile driver’s licenses can help prevent identity theft and cybercrimes, Grant said the Department of Homeland Security in 2020 assigned implementation of the REAL ID Modernization Act to the Transportation Security Administration.
“While DHS does not create standards, DHS – or even better, the White House or Congress – should request that NIST lead a timeboxed, one-year effort to create the standards and guidance needed to accelerate the deployment of secure, privacy-protecting mDL apps that Americans can use to protect and assert their identity online,” Grant testified.
Jay Stanley, a senior policy analyst with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, warned that the TSA has proposed to adopt the ISO standards, which he said were “created behind closed doors by a secretive committee” and are “inadequate and incomplete when it comes to the protection of our privacy.”
“TSA is not the right agency to lead” the REAL ID implementation, Stanley testified.
NIST has a digital identity division and privacy engineering team that could help develop secure apps on U.S. mobile devices to host digital IDs, Grant said.
“We actually know how to do this,” Grant said. “We know how to build robust and privacy-preserving digital identity systems.”