Governance & Risk Management , Identity Governance & Administration
Experts Urge Lawmakers to Task NIST With Expanding mDLs
Real ID Deadline is May 2025Security and identity management experts urged Congress to direct the National Institute of Standards and Technology to play a bigger role in developing standards for digital identity management ahead of a looming 2025 deadline for domestic air travelers to comply with security requirements outlined in the REAL ID Act.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
All domestic air travelers and visitors to certain federal facilities will be required to present REAL ID-compliant driver's licenses or identification cards beginning May 7, 2025. Congress approved the REAL ID Act in the wake of the attacks on Sept. 11, 2001, although the deadline for compliance has been delayed three times in a bid to avoid major travel disruptions in parts of the country where the security-enhanced IDs are less accessible.
While all 50 states now offer REAL ID-compliant licenses, only 52% of U.S. citizens possess identification compliant with the legislation, and only four states currently require REAL ID compliance, according to Rep. Carlos Gimenez, R-Fla., chairman of the House Homeland Security Subcommittee on Transportation and Maritime Security.
"Suffice it to say that on May 7, 2025, we're going to encounter utter mayhem at our airports," Gimenez said Tuesday during a hearing on identity management innovation. "There is more work to be done to raise awareness and REAL ID adoption."
Experts urged lawmakers not to let the federal government wait for the International Standards Organization or other foreign entities to develop their own standards and best practices before expanding the use case for mobile driver's licenses beyond REAL ID compliance. Panelists pointed to NIST as an example of a U.S. agency with the capabilities required to promote and assist in nationwide rollout of enhanced identity technologies.
Jeremy Grant - coordinator for The Better Identity Coalition, a former senior executive adviser for identity management at NIST, and an Information Security Media Group contributor - said the agency has funded and spearheaded initial pilot projects in the U.S. to test mobile driver's licenses starting in 2012.
Grant said the Department of Homeland Security in 2020 missed an opportunity to focus on how mobile driver's licenses can help prevent identity theft and cybercrimes when it decided to enact the REAL ID Modernization Act by delegating the law's implementation to the Transportation Security Administration, which largely focuses on using mDLs at airport security checkpoints.
"While DHS does not create standards, DHS - or even better, the White House or Congress - should request that NIST lead a timeboxed, one-year effort to create the standards and guidance needed to accelerate the deployment of secure, privacy-protecting mDL apps that Americans can use to protect and assert their identity online," Grant testified.
Jay Stanley, a senior policy analyst with the American Civil Liberties Union's Speech, Privacy, and Technology Project, warned that the TSA has proposed to adopt the ISO standards, which he said were "created behind closed doors by a secretive committee" and are "inadequate and incomplete when it comes to the protection of our privacy."
"TSA is not the right agency to lead" the REAL ID implementation, Stanley testified.
NIST has a digital identity division and privacy engineering team that could help develop secure apps on U.S. mobile devices to host digital IDs, Grant said.
"We actually know how to do this," Grant said. "We know how to build robust and privacy-preserving digital identity systems."
Correction Dec. 8, 2023, 14:37 UTC: This story has been modified throughout to clarify that Jeremy Grant is not asking NIST to be in charge of REAL ID, but rather asking the U.S. government to elevate its focus on mobile driver's licenses beyond the narrow scope of complying with the REAL ID Act.