Department of Homeland Security REAL ID Security Plan Guidance Handbook. Version 1.0 February 2009

Transcription

1 Department f Hmeland Security REAL ID Security Plan Guidance Handbk Versin 1.0 February 2009

2 Fr U.S. State and Territry Department f Mtr Vehicle Office Use Only REAL ID Security Plan Guidance Handbk Executive Summary This REAL ID Security Plan Guidance Handbk prvides security plan guidance and recmmendatins fr States seeking t implement REAL ID. The Handbk prvides guidance n tpics such as hw t secure facilities invlved in the enrllment, prductin, and issuance f REAL ID driver s licenses and identificatin cards, card design and security, privacy, persnnel security, and the cntents f the security plan that States shuld submit as part f their REAL ID full cmpliance certificatin packages. 2 2 This dcument will hencefrth use the term States t refer t the 56 jurisdictins cvered by the REAL ID Act f This number includes the 50 States, the District f Clumbia, and five territries f the United States. February 2009 Page i

3 Fr U.S. State and Territry Department f Mtr Vehicle Office Use Only REAL ID Security Plan Guidance Handbk TABLE OF CONTENTS 1 Intrductin Purpse Scpe Intended Audience References Security Matrix Theft f sensitive cmpnents Theft f manufacturing r prductin equipment Unauthrized access t Persnally Identifiable Infrmatin Best Practices Physical Security Facility Access Strage f Sensitive Cmpnents Security f Prductin Equipment Cntractr Facilities Access Cntrl Emplyee Badges and Credentials Guards Cntrl by Staff Autmated Systems Cntrlled Access t Terminals and Data Strage Visitr Cntrl Security f Persnally Identifiable Infrmatin Infrmatin Technlgy Systems and Data Strage Security Laptps and Prtable Strage Media Destructin f Media Cntaining Persnally Identifiable Infrmatin Privacy Plicy and the Fair Infrmatin Practice Principles February 2009 Page i

4 Fr U.S. State and Territry Department f Mtr Vehicle Office Use Only REAL ID Security Plan Guidance Handbk Privacy Impact Assessment REAL ID DL/ID Design and Security Chsing Security Features Serialized Card Bdies Handling f Sensitive Cmpnents Mnitring Dcument Security and Integrity Markings fr Cmpliant DL/IDs Marking Temprary r Limited Term REAL ID DL/IDs Marking f Nn Cmpliant DL/IDs Encryptin f the 2D Barcde Persnnel Security Backgrund Checks Training Emergency/Incident Respnse Audit Cntrls Security Plan Plan Cntents Physical Security and Access Cntrl Methds (Handle as Sensitive Security Infrmatin) Security f Persnally Identifiable Infrmatin Card Security Features (Handle as Sensitive Security Infrmatin) Bimetrics Usage Persnnel Security Training Emergency/Incident Respnse Plans Internal Audit Cntrls (Handle as Sensitive Security Infrmatin) Handling f Sensitive Security Infrmatin Infrmatin Designated as Sensitive Security Infrmatin Access t Sensitive Security Infrmatin Prtectin f Sensitive Security Infrmatin February 2009 Page ii

5 Fr U.S. State and Territry Department f Mtr Vehicle Office Use Only REAL ID Security Plan Guidance Handbk 5.4 Strage Marking Dcuments SSI Destructin APPENDIX A: Acrnyms APPENDIX B: Terms and Definitins APPENDIX C: SSI Training Guidance APPENDIX D: SSI Guidance Brchure February 2009 Page iii

6 1 INTRODUCTION 1.1 Purpse The REAL ID regulatin requires that States submit t the Department f Hmeland Security (DHS), fr REAL ID full cmpliance certificatin, a REAL ID security plan. The security plan which the State prepares and submits as part f its certificatin package will be reviewed by DHS in making the determinatin that the State cmplies with the requirements f the REAL ID regulatin. This REAL ID Security Plan Guidance Handbk prvides States Department f Mtr Vehicle (DMV) agencies with infrmatin, guidance and recmmended best practices that can be used t meet the REAL ID regulatin security plan requirements. The requirements fr a REAL ID security plan are lcated in Subpart D, f the REAL ID regulatin. At a minimum, the plan s cntent shuld address: The physical security f facilities used t prduce r stre materials used fr REAL ID driver s licenses and identificatin cards (DL/IDs), The security f persnally identifiable infrmatin (PII) maintained at DMV lcatins, The physical security features n the cards, Access cntrl fr facilities and systems, Fraudulent dcument recgnitin and security awareness training, Emergency/incident respnse, Internal audit cntrls, and An affirmatin that it has the authrity t prduce, revise, expunge and prtect the cnfidentiality f REAL ID DL/IDs fr prgrams that require special licensing r identificatin. Sectin 2 f this dcument prvides a matrix identifying pssible threats t the security f REAL ID DL/IDs and the sectins f this dcument that discuss hw best t apprach and remedy thse threats. Sectin 3 f this dcument prvides best practice recmmendatins t address several ptential REAL ID DL/ID security threats. Sectin 3 includes guidance n physical security, access cntrl, the security f PII, REAL ID DL/ID design and security, persnnel security, emergency/incident respnse and audit cntrls. Sectin 4 f this dcument prvides a check list that explains the cntents f the plan as listed in f the REAL ID regulatin. The State s plan shuld address each f these questins in this sectin t ensure that all items are adequately cvered by the plan. Sectin 5 f the dcument prvides guidance n handling the Sensitive Security Infrmatin (SSI) generated and used in the REAL ID security planning prcess. February 2009 Page 1 1

7 1.2 Scpe The REAL ID regulatin requires that each State submit a single security plan t address DMV facilities invlved in the enrllment, issuance, manufacturing and prductin f drivers licenses and identificatin card. 3 This may include the: Enrllment f individual applicants in facilities that handle and stre PII. Issuance f persnalized cards t individuals via mail, in persn ver the cunter (OTC), r ther means. Manufacturing f the materials used t prduce cards. This includes substrates, card blanks, laminates, security devices, and ther physical cmpnents f the cards. Prductin r persnalizatin f individualized DL/IDs in central issuance, ver thecunter, r hybrid facilities. The term facilities will be used hereafter t cver any facility where REAL ID DL/IDs are manufactured, prduced, issued r where applicants are enrlled. With the exceptin f sectin f this dcument which addresses the marking f cards prduced in accrdance with f the REAL ID regulatin, the guidance prvided in this dcument applies nly t REAL ID DL/IDs. Hwever, a State may apply this guidance t its entire DL/ID prductin if it chses t d s. 1.3 Intended Audience The intended audience fr this dcument is a State that is seeking t meet the requirements f the REAL ID regulatin. 1.4 References 1. Minimum Standards fr Driver s Licenses and Identificatin Cards Acceptable by Federal Agencies fr Official Purpses; Final Rule, 73 FR 5272 (Jan. 29, 2008), cdified at 6 Cde f Federal Regulatins (CFR) Part 37. Yu can find a cpy f the regulatin at 2. The REAL ID Act f 2005, Public Law , 119 Stat. 231, 302 (May 11, 2005) (cdified at 49 U.S.C nte). 3. American Assciatin f Mtr Vehicle Administratrs (AAMVA) Persnal Identificatin AAMVA Internatinal Specificatin DL/ID Card Design Specificatins. Versin 2.0 (2005). 4 Yu can btain a cpy f this standard frm AAMVA n line at r by cntact AAVMA at 4301 Wilsn Bulevard, Suite 400, Arlingtn, VA Yu may inspect a cpy f this standard at the Department f Hmeland Security, 1621 Kent Street, 9 th flr, 3 73 FR This dcument is currently being revised. The updated versin will replace the current reference f Versin 2.0 (2005) nce finalized, and is expected t be labeled Versin 1.0 (2009). February 2009 Page 1 2

8 Rsslyn, VA (please call t make an appintment) r at the Natinal Archives and Recrds Administratin (NARA). 4. AAMVA DL/ID Security Framewrk; American Assciatin f Mtr Vehicle Administratrs; February Yu can btain a cpy f this standard frm AAMVA by cntacting AAVMA at 4301 Wilsn Bulevard, Suite 400, Arlingtn, VA American Natinal Standards Institute (ANSI)/Nrth American Security Prducts Organizatin (NASPO) SA v3.0p 2005; Security Assurance Standards fr the Dcument and Prduct Security Industry. Yu can btain a cpy f this standard at 6. CFR Title 49 Transprtatin, Part 1520 Prtectin f Sensitive Security Infrmatin. Yu can btain a cpy f this standard at 7. Federal Specificatin FF L 2740A; January 12; Yu can btain a cpy f this specificatin at lcks/ddlck_fedspecs. 8. Federal Infrmatin Prcessing Standard (FIPS) Publicatin (PUB) 199; Standards fr Security Categrizatin f Federal Infrmatin and Infrmatin Systems; February Yu can btain a cpy f this standard at 9. FIPS PUB 200; Minimum Security Requirements fr Federal Infrmatin and Infrmatin Systems; March Yu can btain a cpy f this standard at NIST Special Publicatin ; Revisin 2; Infrmatin Security ; December Privacy Impact Assessment (PIA) fr the REAL ID regulatin; January 11, The PIA can be fund at Internatinal Civil Aviatin Organizatin (ICAO) 9303, Machine Readable Travel Dcuments, Vlume 1, Part 1, Sixth Editin, Yu may btain a cpy f ICAO 9303 frm the ICAO, Dcument Sales Unit, 999 University Street, Mntreal, Quebec, Canada, H3C 5H7, r thrugh at sales@ica.int. Yu may inspect a cpy f this standard at the Department f Hmeland Security, 1621 Kent Street, 9 th flr, Rsslyn, VA (please call t make an appintment) r at the Natinal Archives and Recrds Administratin (NARA). The DHS REAL ID Office will make these dcuments and standards available upn request. Please als refer t the definitin sectin at the end f this dcument, Appendix B. February 2009 Page 1 3

9 2 SECURITY MATRIX Threat Vulnerability Reslutin 2.1 Theft f sensitive cmpnents Unauthrized persns may break in while facilities are clsed and steal sensitive cmpnents. Unauthrized persns may surreptitiusly enter while facilities are pen and steal sensitive cmpnents. Prvide physical security fr the facility. See sectin 3.1. Stre sensitive cmpnents in secure cntainers r rms. See sectin Prvide Security Awareness Training. See sectin Prvide access cntrl t secure areas. See sectin 3.2. Stre sensitive cmpnents in secure cntainers r rms. See sectin Prvide security awareness training. See sectin Emplyees may pilfer sensitive cmpnents. Perfrm emplyee backgrund checks. See sectin Prvide access cntrl t secure areas. See sectin 3.2. Maintain gd inventry cntrl. See sectin Visitrs may pilfer sensitive cmpnents. Maintain visitr cntrl. See sectin Prvide access cntrl t secure areas. See sectin 3.2. Use emplyee badges. See sectin Prvide security awareness training. See sectin Maintain gd inventry cntrl. See February 2009 Page 2 1

10 2.2 Theft f manufacturing r prductin equipment Sensitive cmpnents may be pilfered during manufacture and shipping. Sensitive materials may be illegitimately recvered frm prductin waste and spilage. Unauthrized persns may break in while facilities are clsed and steal equipment. Unauthrized persns may surreptitiusly enter while facilities are pen and steal equipment. sectin Maintain a secure supply chain. See sectin Destry waste and spilage. See sectin Prvide physical security fr the facility. See sectin 3.1. Prtect equipment. See sectin Prvide security awareness training. See sectin Prvide access cntrl t secure areas. See sectin 3.2. Prtect equipment. See sectin Emplyees may steal equipment. Perfrm emplyee backgrund checks. See sectin Prtect equipment. See sectin Visitrs may steal equipment. Maintain visitr cntrl. See sectin Use emplyee badges. See sectin Equipment may be stlen during manufacture, shipping and strage. Prvide security awareness training. See sectin Prtect equipment. See sectin Maintain a secure supply chain. See sectin February 2009 Page 2 2

11 2.3 Unauthrized access t Persnally Identifiable Infrmatin Emplyees may access recrds cntaining PII fr ther than fficial business. Perfrm emplyee backgrund checks. See sectin Prvide security awareness training. See sectin Ensure IT Systems and Data Strage Security. See sectin Maintain internal audit cntrls. See sectin 3.7. Visitrs may gain access t PII. Ensure IT Systems and Data Strage Security. See sectin Maintain visitr cntrl. See sectin Prvide security awareness training. See sectin PII may be recvered frm waste and spilage. Destry waste and spilage. See sectin PII may be recvered frm media used in the issuance prcess but n lnger needed. Destry media when n lnger needed. See sectin February 2009 Page 2 3

12 3 BEST PRACTICES The sectin prvides best practice recmmendatins fr the security f REAL ID DL/IDs manufacturing, prductin, enrllment and issuance activities. Tpics cvered include the physical security f manufacturing, prductin and strage facilities; access cntrl; security f PII; card design and security; persnnel security; emergency/incident respnse planning; and audit cntrls. Befre beginning security upgrades t its security, DHS strngly recmmends that a State cnduct a thrugh gap analysis cmparing its current security psture t these best practice recmmendatins prir t cmpleting their REAL ID security plan. These best practices are prvided as guidance (r ptential recmmended slutins) t meet REAL ID security plan requirements. A State may chse a different methd, practice, r apprach. If a State chses an alternative apprach t meet the security requirements, the selected alternative shuld be as gd as r better than the apprach described in this dcument. DHS will examine the alternative prcedure as part f the certificatin review. States shuld cnduct due diligence reviews fr all service prviders and cntractrs assciated with these security services. 3.1 Physical Security The best practices in this dcument will prvide the States with suggestins fr hw t meet the needs f different types f facilities, due t the wide variety f envirnments in which card prductin facilities may be lcated. These best practices are a baseline suggestin, and will assist a State in determining hw best t secure a particular facility. A State may use an alternative t the practices described in this handbk prvided DHS deems that the alternative prvides a level f security at least as gd as r better than what is described in this dcument. A State wishing t use an alternative prcedure t secure its facilities may wish t cnsult with DHS prir t the actual mdificatin r cnstructin f thse facilities Facility Access Unescrted access t facilities invlved in the enrllment, issuance, manufacturing and prductin f REAL ID DL/IDs shuld be limited t cvered emplyees. 5 [The REAL ID regulatin uses the term cvered emplyees t describe all persns wh are invlved in the manufacture r prductin f REAL ID driver s licenses and identificatin cards, r wh have the ability t affect the identity infrmatin that appears n the driver s license r identificatin card, r current emplyees wh will be assigned t such psitins.] Mtr vehicle administratin staff, that are nt cvered emplyees, shuld nt have unescrted access t areas where REAL ID DL/IDs are manufactured, prduced, r issued r t where custmer PII is accessible. 5 The term issuance with respect t unescrted access refers thrughut this dcument t areas where the ability t affect identity infrmatin n a DL/ID culd be cmprmised. This des nt refer t a sitting area, where individuals applying fr a DL/ID might be waiting. February 2009 Page 3 1

13 During perating hurs, an access cntrl system shuld be used, and the facility shuld be staffed by at least tw cvered emplyees at all times. During hurs when the facility is nt in peratin, it shuld be secured using high security lcks, intrusin detectin alarms, surveillance cameras, and/r ther barriers, as needed. The actual physical security measures implemented at each facility may differ frm lcatin t lcatin, as sme facilities may be free standing, and thers may be lcated in the ffice buildings, shpping malls r industrial parks fr example. Each facility shuld be surveyed and the physical security measures fitted t its specific peratins and envirnment Perimeter walls The survey f the facility shuld begin by determining the perimeter f the area. The perimeter walls culd be walls that are either exterir r interir walls f the building in which the facility is lcated. A perimeter wall f the facility shuld extend frm the true flr t the true ceiling. If it des nt, then security bars r anther similar barrier shuld be installed t clse any pening large enugh fr a persn t pass thrugh. As an alternative, the space belw a raised flr r abve a false ceiling may be secured using mtin sensing, infrared intrusin detectin sensrs r ther secure methds. Perimeter walls shuld preferably be cnstructed f a material that is difficult t break thrugh, such as cncrete r masnry. If they are made f a less substantial material such as dry wall, then they shuld be strengthened with steel mesh r ther similar material. As an alternative, cvering the interir f the facility with mtin sensing r infrared intrusin detectin sensrs greatly reduces cncerns abut the type f material used t cnstruct the walls Drs Perimeter drs shuld be f heavy metal, slid wd r ther reinfrced secure materials. In many cases, fire safety regulatins will require these drs t swing utward, meaning the hinge pins will be n the utside f the secure area. If this is the case, the dr shuld have high security hinges s the hinge pins cannt be remved Entry/Exit Drs These are the drs rutinely used t enter and exit the facility. During the hurs when the facility is clsed, these drs shuld be lcked. When the facility is in peratin, these drs shuld be cntrlled using ne f the access cntrl methds described in Sectin 3.2. Each f these drs shuld include a mechanism t ensure the dr autmatically clses and maintains a tight, lcked seal until accessed Lading Dcks Sme larger facilities may have a lading dck r similar entrance used t bring supplies int the facility. These entrances shuld als be fitted with security drs. Except when actively engaged in the transfer f material int r ut f the facility, these drs shuld be kept clsed and lcked. Whenever the dr is pen, a cvered emplyee member r a guard shuld maintain cnstant surveillance f the drway t assure access cntrl is maintained. February 2009 Page 3 2

14 Emergency Exits Emergency exits shuld always g frm inside the secure facility t utside. The inside (the side facing int the secure facility) f an emergency exit shuld have a panic bar r similar hardware. The utside f an emergency exit shuld have n dr pening hardware. Emergency exit drs shuld be armed with an audible alarm that can be heard thrughut the secure facility whenever the dr is pened Lcks Lcks are used t secure the facility when it is nt in use. All entry/exit drs shuld have high security lcks that are mderately resistant t skilled manipulatin. One way t ensure the adequacy f lcks used n entry/exit drs is t use lcks that either meet the requirements f Federal Specificatin FF L 2740A r are Underwriters Labratries (UL) apprved Grup 2M lcks. It is imprtant nt nly t use secure lcks but als t ensure they are prperly installed. The standard lcking mechanism used n many lading dck drs may need t be replaced with a mre secure ne. The lading dck dr shuld nly be capable f being unlcked frm inside the secure area Windws Any windw that is large enugh fr a persn t pass thrugh shuld be secured. One ptin is t secure the pening using security bars. Anther ptin is t alarm the windws using intrusin detectin sensrs. A third alternative is t use glass blcks r ther specially designed high security glass. In sme cases, the simplest slutin may be t enclse the windw pening with masnry material, i.e., cncrete r security bars. As a final alternative, a well designed intrusin detectin system using mtin sensing, infrared intrusin detectin sensrs r ther secure alternatives may prvide adequate prtectin Air Ducts and Other Openings The perimeter walls, flrs, and ceilings f the secure facility shuld be checked fr any air duct r ther pening large enugh fr a persn t pass thrugh. Any such pening shuld be secured. One way t d this is t secure the pening using security bars. An alternative is t use intrusin detectin sensrs Intrusin Detectin Systems A gd intrusin detectin system depends as much n what happens when the alarm activates as it des n the quality f the cmpnents f which it is cmprised. Careful selectin and installatin f the cmpnents shuld be matched with effective prcedures fr the mnitring f the system Sensrs A large variety f sensrs are available fr use in securing a facility. The actual chice f the best sensrs fr a given facility will depend n the use and cnstructin f the facility. In general, sensrs fall int ne f tw types. One type f sensr is t detect an attempt t enter an pening thrugh the perimeter f the facility, such as a dr r windw. Examples f this type include magnetic dr switches r glass break sensrs. The ther type f sensr is meant t detect the presence r mvement f a persn thrugh space. An example f this type is the February 2009 Page 3 3

15 infrared sensr. A cmbinatin f these tw types f sensrs usually prvides the best prtectin. Intrusin detectin sensrs shuld have battery back up t keep functining fr at least 24 hurs during a pwer utage. The intrusin detectin system shuld recgnize if a sensr cmpletely lses all pwer and shuld activate an alarm. Each sensr shuld als have antitampering capability such that any attempt t pen r disable the sensr activates the alarm Cntrl Panels and Keypads An intrusin detectin system typically perates frm a cntrl panel. Cntrl panels shuld be installed within the secure facility. The cntrl panel itself shuld be equipped with a sensr s that it activates whenever the panel is pened. The cntrl panel shuld be prvided with battery back up t allw it t remain in service fr at least 24 hurs during a pwer utage. The cntrl panel shuld als have the capability t recgnize if any sensr is n lnger active and register an alarm. Keypads fr activating and deactivating the alarms shuld be lcated inside the prtected area they cntrl. These keypads shuld have anti tampering sensrs t detect any attempt t tamper with them and activate an alarm Mnitring The intrusin detectin system shuld have a mnitring service that prvides cnstant mnitring twenty fur hurs a day, seven days a week. This mnitring service may be perfrmed either by a gvernment entity r a cmmercial service. DHS recmmends that, if a cmmercial service is used, the State shuld exercise due diligence t ensure that the selected service prvider has a prven track recrd f dependability and reliability Respnse Frce What happens when an alarm is activated is ne f the mst imprtant aspects f an effective intrusin detectin system. Ideally, when the mnitring service recgnizes the alarm has activated, it shuld immediately ntify the respnse frce. This respnse frce may be either state r lcal law enfrcement r a cmmercial service. Once the respnse frce is ntified, the mnitring service shuld then cntact a cvered emplyee using a cntact list prvided by the rganizatin that manages the secure facility Cameras The use f vide cameras can be an effective security measure, and even mre effective when used in cmbinatin with mtin sensing capability. Cameras are effective fr mnitring perimeter walls, secure strage and prductin areas n a daily basis. Vide cameras shuld always be cnnected t a recrding device fr replay. Nte: The replay functin shuld never displace the live picture n the screens rutinely used fr mnitring. Vide cameras can als be used in a recrd nly mde fr areas that are nt high traffic areas r when the facility is clsed. Cameras that are used in a recrd nly mde shuld have sufficient recrding capacity t cver the lngest perid f time that the facility will be nt be staffed. Fr example, if the facility is nly pen n Tuesdays and Thursday, the recrding February 2009 Page 3 4

16 capacity shuld be sufficient t cver the perid frm the clse f the facility n Thursday until it is repened n Tuesday. Ideally, recrdings shuld be stred fr a perid f time and nt immediately recrded ver. This will allw fr recrdings t be reviewed when a pssible incident is nt discvered immediately. It is up t the State t determine hw lng such recrdings shuld be kept Additinal Infrmatin Regarding Over the Cunter Facilities The perimeter f an ver the cunter facility may be different during the time when it is pen fr business than it is when the facility is clsed. During business hurs, parts f the DL/ID ffice may be pen t the public and just the area used fr card prductin, issuance, and strage f PII may be a secure area. When the facility is clsed, hwever, it may prve mre ecnmic t secure the entire ffice rather than just the area where card prductin ccurs r PII is stred. This wuld allw the use f less substantial walls and drs t separate the general ffice area frm the secure area. If this apprach is used, whenever the ffice is pen the card prductin and PII strage areas shuld be under the cnstant bservatin and cntrl f cvered emplyees. 6 There shuld never be a time when the ffice is ccupied, withut a cvered emplyee present, even by ther emplyees, t bserve and cntrl the secure area. This apprach strngly relies n the cvered emplyees t deter and detect any attempt at unauthrized entry int the secure area. In additin, it recmmends that cvered emplyees escrt and bserve any authrized visitrs t areas where cards are prduced r PII is stred Additinal Infrmatin Regarding Cntinuus Prductin Operatins Sme large prductin facilities may perate n a cntinuus basis, meaning cvered emplyees are always present in the facility. In sme cases, perimeter security and intrusin detectin systems are less needed in a cntinuus peratins facility. The mst thrugh apprach wuld utilize a variety f the security mnitring techniques (cameras, peple, sensrs, etc.) in a cmpatible manner fr the entire peratin. The determining factr is the number f cvered emplyees present in cmparisn t the size and layut f the facility. If a sufficient number f cvered emplyees are always present t maintain effective bservatin and cntrl f the entire secure prductin facility, then the cnstructin material used fr the perimeter f the drs and walls need nt be as substantial. A methd f prviding access cntrl will still be needed. Fr facility areas under cntinuus effective bservatin and cntrl, mtin sensing r infrared intrusin detectin sensrs are nt necessary at all times and may be limited. In a cntinuus peratin facility, the cvered emplyees shuld escrt and bserve any authrized visitrs thrugh the facility. This means that if visitrs are present, enugh cvered emplyees shuld be available t handle card prductin activities and t prvide escrts. 6 Effective bservatin and cntrl means that it is highly unlikely that an unauthrized persn culd enter r remain in the secure area withut being prmptly detected. February 2009 Page 3 5

17 In cases where cvered emplyees are nly able t effectively bserve and cntrl ne part f a prductin facility at a time, it is best t utilize a variety f techniques (such as cameras and sensrs) fr the prtins f the facility nt under cnstant bservatin by the cvered emplyees. Fr example a cvered emplyee may have respnsibility t mnitr the prductin area during a perid f time and therefre wuld nt be able t bserve the lading dck and strage rm at the same time. In such a case, ther security techniques shuld be emplyed t mnitr the lading dcks and strage rm Fire Safety Cnsideratins The design f the facility shuld cmply with all applicable fire and safety laws and regulatins. Hwever, fire and safety prvisins shuld be cmplementary and nt cntradictry t the gal f prviding security. Fr example, if the facility is lcated in a building that als has nn secure areas, the spaces shuld nt be laid ut s that peple in the nn secure area need t pass thrugh the secure area t exit the building during an emergency. If a State encunters a situatin in which it appears that fire and safety requirements cannt be harmnized with physical security requirements, then it shuld cntact the REAL ID Prgram Office at the Department f Hmeland Security at (202) r address, REALID@HQ.dhs.gv, fr additinal guidance and assistance Strage f Sensitive Cmpnents The sensitive cmpnents used t manufacture r prduce REAL ID DL/IDs shuld be prtected at all times. These sensitive cmpnents shuld be stred in secure cntainers r in a specially cnstructed secure strage rm. Only as much f the sensitive cmpnent as is needed fr current prductin and issuance activities shuld be taken frm the secure strage rm at any given time. An accurate and up t date inventry f materials shuld be maintained. Fr example, facilities may chse t maintain a chain f custdy lg fr sensitive cmpnents remved frm secure strage areas fr purpses f prductin r distributin. When the facility is clsed, all sensitive materials shuld be remved frm prductin equipment and stred in secure cntainers r rms Secure Strage Cntainers Security cntainers fr the strage f sensitive cmpnents shuld prvide at least ten minutes f prtectin against frced entry and have a lck that is mderately resistant t skilled manipulatin. One way t ensure the adequacy f the security is t use security cntainers that either have an UL TL 15x6 rating and a UL class 2M lck r are U.S. General Services Administratin (GSA) apprved Class 5, r equivalent. These cntainers shuld be kept lcked except while materials are being placed int them r remved frm them. Recmmend these cntainers be prtected with intrusin detectin sensrs that are activated when the prductin facility is clsed Cnstructin f Secure Strage Rms Secure strage rms shuld be cnstructed f slid cncrete, steel plate, hardened steel mesh, r ther material that wuld ffer a similar level f prtectin. The walls shuld run frm the flr t the ceiling f the secure rm. This secure strage rm shuld have a dr at least as substantial as the walls and be fitted with a high security lck that is mderately February 2009 Page 3 6

18 resistant t skilled manipulatin, such as a lck that either meets the requirements f Federal Specificatin FF L 2740A r is UL apprved Grup 2M. A better alternative is t use a GSA apprved Class 5 vault dr r equivalent. If this primary dr is unlcked fr any extended perid f time, access t the area shuld be cntrlled with an entry/exit dr as described in sectin , including the prvisin f access cntrl. The primary dr f the secure strage shuld have a dr pening sensr cnnected t the intrusin detectin system and the inside f the secure area shuld be cvered with mtin sensing r infrared intrusin detectin sensrs. Any pening thrugh the perimeter, such as an air duct, shuld be secured using hardened steel bars, mesh r alternatives methds that prvide at least the same r greater level f prtectins. Recmmend large secure strage rms nt cntain windws. The design f the secure strage rm shuld cnsider the safety f the peple using it, such as fire safety cdes. In additin, prvisin shuld be made fr a persn inadvertently lcked inside t be able t pen the dr frm the inside Over the Cunter Prductin Facilities Smaller amunts f sensitive cmpnents, such as might be fund in ver the cunter facilities, can best be stred in a security cntainer lcated within the secure areas f a facility Central Issuance Prductin Facilities The larger amunts f sensitive cmpnents kept n hand at a central issuance prductin facility may best be stred in a secure strage rm. Hwever, if the amunt f sensitive cmpnents stred at the central issuance prductin facility is relatively small, it may be mre efficient t stre them in a number f secure cntainers. If a State uses central issuance prductin, it shuld d an alternative f analyses t determine the mst cst effective apprach Centralized Receiving and Shipping States with multiple prductin facilities (at different lcatins) may perate a central facility fr receiving large shipments f sensitive cmpnents frm vendrs and breaking them dwn int smaller quantities fr distributin t the prductin sites. One alternative is t align/cnstruct a facility t the same standards as a prductin r issuance facility, including a prvisin fr secure strage cntainers. With this alternative, all f the sensitive material shuld be secured when cvered emplyees are nt present. Anther alternative is t cnduct this activity entirely within a vault like strage rm as described in sectin Security f Prductin Equipment Specialized equipment used in the manufacturing and prductin f REAL ID DL/IDs shuld be prtected frm theft. Several ways are available t prvide effective theft prtectin fr specialized equipment. One way is fr the firmware in the equipment t have a cnnectin t the State s prductin system in rder fr the equipment t functin. Anther methd is the February 2009 Page 3 7

19 use f a hardware key that shuld be inserted fr the equipment t wrk. 7 When nt in peratin, these hardware keys shuld be stred separately in a secure place. Finally, the equipment can be securely fastened in place and cvered by alarm systems. Whenever the facility husing the equipment is nt ccupied, the alarm system shuld be activated. Especially if this last apprach is used, care is necessary t ensure that spare equipment (e.g., equipment that is intended t be used as a backup in case the primary equipment fails) is stred securely. When equipment f this type is n lnger needed, care shuld be exercised in arranging fr its remval and r destructin. In situatins where the State is mving t a new card design, cards f the ld design may still be in circulatin fr sme time. Fr this reasn, equipment used t prduce the ld card design will still be f value t cunterfeiters. Therefre this equipment shuld be destryed r at least permanently disabled prir t dispsal Cntractr Facilities The State may pt t have its REAL ID DL/IDs manufactured r prduced in a facility perated by a cntractr. If the State chses t have its cards prduced in a cntractr perated and r wned facility, this facility shuld cmply with the same REAL ID regulatin minimum security requirements as des the State. A cntractr may use the same facility t manufacture r prduce REAL ID DL/IDs fr mre than ne State. Hwever, each State shuld maintain versight f the cntractr s manufacture r prductin f its wn REAL ID DL/IDs. If the cntractr s facility is accredited at Level II f ANSI/NASPO SA v3.0p 2005, DHS will deem that it prvides all necessary physical security as lng as that accreditatin remains current. Hwever, DHS des nt require an ANSI/NASPO accreditatin. As an alternative, the State may establish its wn prcedures fr insuring the cntractr s facilities are secured. In this case, the State s cmprehensive security plan shuld include the same infrmatin fr the cntractr facility as it wuld if the facility was perated by the State. 3.2 Access Cntrl Emplyee Badges and Credentials Badges r similar credentials shuld be used t differentiate cvered emplyees frm ther persnnel wh d nt have authrized access int the facility. The use f badges can serve nt nly as an effective part f the access cntrl system, but als as a way fr cvered emplyees t identify smene wh shuld nt be in the secure area. If emplyee badges are used fr cvered emplyees, they shuld be distinctive frm the badges f ther persnnel in the area enugh t allw discernment frm several feet away. The badge fr a cvered emplyee culd either be a variatin f the regular emplyee badge r a cmpletely separate badge. This allws fr the immediate recgnitin that smene wh is nt authrized r has unescrted access is in the secure area. These badges shuld never be used 7 These hardware keys are smetimes called dngles. These must be inserted in rder fr certain sftware r firmware t wrk. Since the assciated equipment is rendered inperable withut the hardware key, equipment prtected this way is f little value if stlen. February 2009 Page 3 8

20 fr making a decisin t permit entry int the secure area withut a clse up examinatin f the badge Guards The use f guards t cntrl access t the secure facility can be very effective. If guards are used, the guard shuld be psitined s that he r she can maintain visual cntrl f the entry/exit dr, r a vide camera can be used t prvide the guard the ability t maintain visual cntrl f the entry/exit. There shuld be a dr r turnstile cntrlled by the guard t allw entry int the facility. If a badge system is used, the guard shuld be able t clsely examine the badge and cmpare it t the badge hlder befre permitting access. If badges are nt used, the guard shuld check anther frm f identificatin Cntrl by Staff In very small facilities, such as may be fund in ver the cunter peratins, entry int the secure facility can be cntrlled by the cvered emplyees. In this case, a persn wishing t enter the facility culd, fr example, use a buzzer r sme ther means t alert the cvered emplyees within the secure facility t cme t the dr. In this arrangement, the entry/exit dr shuld nly be pened frm the inside f the secure facility during the hurs the facility is pen fr peratin Autmated Systems A variety f autmated devices are available fr cntrlling access t the secure facility. These range frm cipher lcks t bimetrics systems. The use f key card readers by themselves is nt recmmended since a lst r stlen card can be used by anyne t gain access t the secure facility. Hwever, the use f a card reader in cnjunctin with a cipher r bimetric can be very effective Cipher Lcks Cipher lcks may be either mechanical r electric. The cmbinatin shuld be changed whenever a persn wh knws the cipher lck is remved frm authrized access t the facility. Even when n ne has been remved frm access, the cipher lck cmbinatin shuld be changed peridically. The cipher lck s cmbinatin shuld never be given t a persn wh is nt authrized access t the secure facility Cntrlled Access t Terminals and Data Strage Physical access t the terminals used t enter data int the REAL ID custmer enrllment and card issuance prcess and the electrnic devices used fr data strage f PII shuld be cntrlled. In many cases, the terminals and data strage will be lcated utside any secure prductin r strage facility and the access cntrl need nt be as rigrus. Hwever, unescrted physical access t these areas shuld be limited t thse whse duties necessitate them t have access. Please refer t sectin fr mre guidance n Infrmatin Technlgy systems and data security. February 2009 Page 3 9

21 3.2.6 Visitr Cntrl All visitrs t the secure facility shuld be escrted by cvered emplyees at all times while in the secure facility. A written lg bk shuld be kept f the visitrs and the dates and times f their visits. Maintenance and janitrial persnnel, including vendrs, wh have unescrted access t secure facilities where REAL ID DL/IDs are manufactured, prduced, r issued, will require a similar check as cvered emplyees, including the backgrund check, in rder t have such access. Withut the backgrund check, they shuld be cnsidered as visitrs. 3.3 Security f Persnally Identifiable Infrmatin The Best Practices fr the Prtectin f Persnally Identifiable Infrmatin Assciated with State Implementatin f the REAL ID Act, was riginally included as an attachment t the Privacy Impact Assessment fr the REAL ID regulatin which DHS published n January 11, The State shuld refer t this dcument fr guidance in develping a set f safeguards fr the PII it cllects, prcesses, and stres as part f its REAL ID cmpliance. The State shuld cnsider these best practices as minimum requirements t prtect persnally identifiable infrmatin Infrmatin Technlgy Systems and Data Strage Security The infrmatin technlgy (IT) systems used t supprt the issuance f REAL ID DL/IDs includes all applicatin prcessing, dcument verificatin, card prductin, and strage f PII and digital images f applicants and their dcuments. Based n the categrizatins fund in FIPS 199, the ptential impact f these IT systems is cnsidered t be mderate. Suitable cntrls as defined fr the mderate impact baseline f NIST Special Publicatin , Revisin 1 shuld be used t secure these systems. Als nte that persns wh have access t these systems and its assciated data strage are cnsidered cvered persns as defined by f the REAL ID regulatin, and will need a backgrund check Laptps and Prtable Strage Media Preferably, laptp cmputers used t stre r prcess PII and digital images f applicants and their dcuments shuld nt be taken frm State cntrlled wrkspaces. Data files cntaining PII and digital images that are stred n laptp cmputers shuld be encrypted. If any PII r digital images f applicants r their dcuments are stred n any prtable media, that media shuld be carefully cntrlled and detailed inventry recrds maintained. Additinally, the PII shuld be encrypted n the prtable media device Destructin f Media Cntaining Persnally Identifiable Infrmatin When n lnger needed, media cntaining PII shuld be destryed. 8 This includes nt nly waste paper but als electrnic media such as disk drives and cmpact discs (CD). Paper prducts can be shredded r pulped. A number f different methds are available fr cleansing magnetic media, including verwriting, degaussing, and mechanical destructin. The best 8 State laws, rules, regulatins, and peratins shuld be used t determine when media cntaining persnally identifiable infrmatin are n lnger needed. February 2009 Page 3 10

22 methd is ften dependent n the type f media. The imprtant thing is t ensure that the PII cannt be recvered Privacy Plicy and the Fair Infrmatin Practice Principles The State shuld develp and publicize a privacy plicy that explains its cmmitment t meeting the fllwing Fair Infrmatin Practice Principles: Principle f Transparency This principle requires that the State nt be secretive abut its use f PII and take the initiative t disclse its plicies regarding its cllectin, use, disseminatin, and maintenance Principle f Individual Participatin This principle requires the State, t the extent practical, allw the individual t determine what PII the State has cncerning them, t access the data, and t seek crrectin f infrmatin the individual believes is errneus Principle f Purpse Specificatin This principle requires the State t specify the authrity which permits it t cllect PII and the purpse fr which it will be used. It als requires a cmmitment nt t use the infrmatin fr reasns ther than thse stated at the time f cllectin Principle f Minimizatin This principle requires the State nly t cllect the minimum PII necessary t accmplish the specified purpse Principle f Use Limitatin This principle requires the State nly t use the PII cllected fr the specified purpse unless the individual agrees r the use is therwise authrized by law Principle f Data Quality and Integrity This principle calls n the State t ensure, t the extent practical, that PII is accurate, relevant, timely, and cmplete, within the cntext f each use Principle f Security This principle requires the State t ensure that the PII it cllects and uses is prtected by reasnable security safeguards against lss r unauthrized access, destructin, misuse, mdificatin, r disclsure Principle f Accuntability and Auditing This principle requires the State t make itself accuntable fr cmplying with all f the Fair Infrmatin Practice Principles, the privacy plicies related t the implementatin f the REAL ID Act f 2005 and its implementing regulatin, and t prvide training fr its emplyees and cntractrs wh use PII. It als requires the State t audit the actual use f PII Privacy Impact Assessment The Best Practices fr the Prtectin f Persnally Identifiable Infrmatin Assciated with State Implementatin f the REAL ID Act recmmends the State develp a Privacy Impact Assessment that addresses the fllwing: February 2009 Page 3 11

23 What infrmatin is t be cllected Why the infrmatin is being cllected Hw the DMV intends t use the infrmatin it cllects With whm the DMV will share the infrmatin it cllects What ntice r pprtunities fr cnsent will be prvided t individuals regarding what infrmatin is cllected and hw that infrmatin is shared Hw the infrmatin will be secured 3.4 REAL ID DL/ID Design and Security Chsing Security Features In the REAL ID regulatin requires the use f an integrated set f security features t prvide security fr REAL ID DL/IDs. This means that the design shuld use a suite f Level 1, Level 2, and Level 3 security features that wrk tgether t prtect against effrts t d the fllwing: Cunterfeit, alter, simulate, r reprduce a genuine dcument Alter, delete, mdify, mask, r tamper with data cncerning the riginal r lawful card hlder Substitute r alter the riginal r lawful card hlder s phtgraph and/r signature by any means Create a fraudulent dcument using cmpnents frm legitimate driver s licenses r identificatin cards Annex C f the AAMVA Card Design specificatins prvides an excellent list and descriptin f card security features available fr use. Hwever, it is difficult t keep such a list current as new features enter the market. Althugh it is nt definitive, it is a gd starting pint resurce fr States t use when investigating the subject. It is strngly recmmended that when prcuring card security features, a State require the bidders t develp and present well integrated designs that prtect against ptential threats and have security features at all three levels. (Nte: Nte that full descriptins f the card design and its security features are cnsidered SSI and treatment f such infrmatin in accrdance with sectin 5, Handling f Sensitive Security Infrmatin, shuld begin at the prcurement phase. In additin, infrmatin abut Level 3 features shuld always be handled n a strict need t knw basis.) Sme card security features, if used tgether n the same card, have the effect f canceling ut the intended security benefits. Therefre, bidders shuld be able t indicate that the integrated design avids that pitfall Level 3 Physical Security Features The fllwing infrmatin shuld be cnsidered at a minimum when chsing a Level 3 physical security feature. Tls t discern the feature are expensive /nt widely available equipment. As examples: high reslutin micrscpe/scanning electrn micrscpe, high pwered February 2009 Page 3 12

24 cmpund micrscpe, r chemical analysis equipment. Examples are nt limited t thse listed. Frensic Analysis by an expert is necessary. The feature requires smene trained in that feature t discern r identify it this is t thwart peple wanting t duplicate the dcument versus simulate it. The lcatin f the feature is unknwn t all but a few key fficials, n a need t knw basis. In rder t lcate the feature, smene wuld need t tell yu where t lk. The feature cannt be verified when smene presents a card fr visual verificatin. Please nte that ver time, sme physical security features made be re classified frm a Level 3 t a Level 2 feature, as technlgies becme mre widely available t the public. Fr example, the frensic ink taggant was previusly cnsidered by experts in the field f fraudulent dcument recgnitin t be a Level 3 feature. It is nw is cnsidered t be a Level 2, as handheld readers were develped t read the feature and are mre easily available t the public Serialized Card Bdies REAL ID DL/IDs shuld be prduced frm serialized card stck with preprinted inventry cntrl numbers. The use f serialized card stck means that the card bdies will always be cnsidered as sensitive cmpnents Handling f Sensitive Cmpnents Inventry Cntrl Fr items with individual inventry cntrl numbers, rutine inventry recrds shuld indicate the numbers f each item received, n hand, used, wasted, and destryed. If any items are fund t be missing, the recrds shuld allw a determinatin f at least the range f numbers int which the missing items fall. Items such as ink shuld be cntrlled by the apprpriate unit f measures (e.g., liters) used fr shipment and strage. The inventry recrds shuld be sufficiently detailed t determine the amunt f the material received, n hand, used, wasted, and destryed. If sensitive cmpnents are unaccunted fr then a reprt shuld be made t the apprpriate law enfrcement entity Secure Supply Chain The State shuld ensure that sensitive cmpnents are prvided via a secure supply chain. Sensitive cmpnents shuld nly be btained frm reliable surces. The State shuld ensure that sensitive cmpnents are stred and handled by suppliers with the same care as exercised by the State itself. One recmmended apprach that States can use is t ensure its suppliers cmply with the Level II requirements f the ANSI/NASPO SA v3.0p 2005 standard. Hwever, DHS des nt require that suppliers have an ANSI/NASPO accreditatin. As an alternative, the State may establish its wn prcedures fr ensuring the supplier prvided adequate security Destructin f Waste and Spilage frm the Prductin Prcess The waste and spilage material, which card prductin inevitably generates, prvides a duble barreled risk. First, it culd be pssible fr smene t illegitimately recver sensitive cmpnents frm the waste and spilage. Secnd, it als culd be pssible fr smene t February 2009 Page 3 13

25 btain unauthrized access t PII frm the waste and spilage. Fr this reasn, the waste and spilage material shuld be safeguarded. Waste and spilage material shuld always be stred in a secure area while it awaits destructin. Gd inventry recrds shuld be kept t indicate hw much waste and spilage has been generated, hw much is in strage, and when, hw, and by whm it was destryed. Waste and spilage material shuld be destryed t a sufficient degree that sensitive cmpnents r PII cannt be recvered frm the remnants. In many cases, a gd quality crss cut shredder will suffice. Hwever, in sme cases alternative methds may wrk better. States shuld cnsult with the vendr wh designed the card abut the best way t destry the waste and spilage resulting frm the prductin prcess Mnitring Dcument Security and Integrity Initial Review and Reprting The State shuld cnduct a review f its REAL ID DL/ID design and submit a reprt t DHS with its certificatin fr Full Cmpliance. 9 The review shuld evaluate the ability f the design t resist cmprmise and dcument fraud attempts. The reprt develped by this review shuld be handled as Sensitive Security Infrmatin Subsequent Review and Reprting The initial reprt f the design review shuld be updated and submitted t DHS whenever a security feature is mdified, added, r deleted. 11 The State may want t cnduct peridic reviews even if the design has nt changed since cunterfeiters may have devised new ways t defeat a security feature. Updated reprts n the card design shuld be handled as Sensitive Security Infrmatin Labratry Testing Based n the reprt f the card design review submitted, DHS may request a State t prvide DHS with examinatin results frm a recgnized independent labratry experienced with adversarial analysis f identificatin dcuments. The reprt f these results shuld be handled as Sensitive Security Infrmatin Markings fr Cmpliant DL/IDs Pursuant t (n) f the REAL ID regulatin, States are required t mark REAL ID DL/IDs with a DHS apprved marking t indicate its level f cmpliance with the REAL ID regulatin. This means that there will be different markings fr cards issued during material cmpliance and full cmpliance. In this dcument, these cards are referred t as cmpliant cards. 9 6 CFR 37.15(d), pg See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin CFR 37.15(d), pg See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. 13 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 3 14

26 General Design The symbl fr a Materially Cmpliant card is a.25 inch square Pantne 117 (r CMYK equivalent) clred.25 inch by.25 inch star using regular ink (apprximately 6.35 mm by 6.35 mm). [CMYK = cyan, magenta, yellw, and key (r black).] The same ink and size f the indicatr will be used fr bth the Materially Cmpliant and the Fully Cmpliant cards, but the art wrk will be different. The size f the indicatr will be.25 inch by.25 inch (apprximately 6.35 mm by 6.35 mm). The symbl fr a Fully Cmpliant card is a.25 inch square Pantne 117 (r CMYK equivalent) clred.25 inch by.25 inch (apprximately 6.35mm by 6.35mm) circle with a star cut ut t reveal the backgrund using regular ink Lcatin The cmpliant markings f the star r star cut ut shuld appear n the face and the tp third f a landscape r prtrait card Security The markings n bth cmpliant and nn cmpliant cards shuld be secured in the same way that ther persnalizatin data n the card shuld be secured. Fr example, if the name, pht, etc. are secured using a high security verlay, then the marking shuld als be secured by the security verlay. Similarly, if the persnalizatin data is printed using laser printing, then the marking shuld be laser printed n the card Marking Temprary r Limited Term REAL ID DL/IDs Pursuant t f the REAL ID regulatin, States may nly issue a temprary r limited term REAL ID DL/ID t an individual wh has temprary lawful status in the United States and the State has verified that status with DHS. These cards shuld clearly indicate n their face and in the machine readable zne that they are temprary r limited term REAL ID DL/IDs. The temprary r limited term REAL ID DL/ID shuld be marked n the frnt with the phrase Temprary r Limited Term within the tp third f the card. The specified fnt is Helvetica Bld with a recmmended fnt size f 9 pints, hwever nt less than a 7 pints fnt in regular black ink. This phrase shuld be secured in the same way that ther persnalizatin data n the card is secured Marking f Nn Cmpliant DL/IDs Pursuant t States wishing t cmply with REAL ID may als chse t issue driver s licenses and identificatin cards that are nt acceptable by Federal agencies fr fficial purpses. These cards shuld be marked n their face and in the machine readable zne (MRZ) t indicate they are nt acceptable fr any fficial purpse as defined in 37.3 f the REAL ID February 2009 Page 3 15

27 regulatin. 14 Fr simplicity s sake, this dcument refers t such cards as nn cmpliant cards. Nn cmpliant cards shuld state in the tp third f the face f the card, being the same side with pht and printed data elements, NOT FOR REAL ID PURPOSES. The specified fnt is Helvetica Bld with a recmmended fnt size f 9 pints, hwever nt less than a 7 pints fnt in regular black ink. This phrase shuld be secured in the same way that ther persnalizatin data n the card is secured Encryptin f the 2D Barcde The minimum infrmatin required in the 2D barcde is discussed in f the REAL ID regulatin, and there is n requirement in the regulatin t encrypt this infrmatin. Hwever, a state may chse t encrypt any additinal data (e.g. bimetrics) it adds t the 2D barcde beynd the minimum infrmatin required by REAL ID, prvided the State ensures all law enfrcement persnnel have the ability t easily access the data included in the MRZ Persnnel Security Backgrund Checks Wh Needs a Backgrund Check? Pursuant t 37.45, States must cnduct a backgrund check fr all cvered emplyees. As stated earlier in the dcument, the term cvered emplyees are all persns wh are invlved in the manufacture r prductin f REAL ID driver s licenses and identificatin cards, r wh have the ability t affect the identity infrmatin that appears n the driver s license r identificatin card, r current emplyees wh will be assigned t such psitins. A cvered psitin is a staff psitin that has duties assigned that are cnducted by a cvered emplyee. Any persn (including a cntractr r an emplyee assigned t anther department within the State) wh des any f the fllwing activities wuld be cnsidered a cvered emplyee: Invlved in the manufacturing r prductin f REAL ID DL/IDs Has unescrted access t secure facilities where REAL ID DL/IDs are manufactured, prduced, r issued Handles sensitive cmpnents r has access t secure strage fr sensitive cmpnents used in REAL ID DL/IDs Accepts r reviews REAL ID DL/ID applicatins r surce dcuments Takes phts fr REAL ID DL/IDs Inputs data frm REAL ID DL/ID applicatins r surce dcuments int the IT systems Is invlved in the decisin making prcess t determine if a REAL ID DL/ID is issued r the infrmatin that will appear n the card 14 MRZ in this dcument refers t the 2D PDF 417 barcde. States shuld cnsult the AMVA DL/ID Card Design Specificatins Versin 4.0 fr the frmatting f data in the MRZ. 15 The infrmatin stred n the barcde enables law enfrcement fficers t cmpare the infrmatin n the barcde with the infrmatin n the frnt f the card t determine whether any infrmatin n the frnt f the card has been altered and t autmatically ppulate law enfrcement reprts. February 2009 Page 3 16

28 Has the ability t review, alter, r add any f the data items listed in f the REAL ID regulatin in the IT systems used t prcess and stre data related t REAL ID DL/IDs Supervises r manages a cvered persn wh perfrms any f these tasks This list shuld nt be cnsidered exhaustive; States may determine additinal staff psitins as cvered psitins When Shuld the Backgrund Checks Be Cmpleted? The prgram and prcedures fr cnducting backgrund checks shuld be develped and backgrund checks underway by the time a State begins issuing REAL ID DL/IDs under Material Cmpliance. The backgrund checks fr all emplyees and cntractrs wrking in cvered psitins must be cmpleted by the time a State enters Full Cmpliance. Befre issuing REAL ID DL/IDs under Material Cmpliance, a State shuld reassign, temprarily, any persn in a cvered psitin whse backgrund check has nt been successfully cmpleted What is Included in a Backgrund Check? A backgrund check, at a minimum, includes the fllwing: Emplyment references fr any emplyee wh has nt been emplyed by the DMV fr at least tw cnsecutive years since May 11, Name based and fingerprint based criminal histry recrds check using the Federal Bureau f Investigatin s (FBI) Natinal Crime Infrmatin Center (NCIC), and the Integrated Autmated Fingerprint Identificatin System (IAFIS) and State repsitry recrds. Emplyment eligibility verificatin t ensure cmpliance with the requirements f sectin 274A f the Immigratin and Natinality Act (8 U.S.C. 1324a) and it s implementing regulatins (8 CFR part 274A) Disqualificatin The REAL ID regulatin, (b) (1) (i), explains the situatins under which a persn may be permanently disqualified frm serving in a cvered psitin. Anyne wh is permanently disqualified may never serve in a cvered psitin and shuld nt be invlved in the manufacture r prductin f REAL ID DL/IDs r be able t affect the infrmatin that appears n a REAL ID DL/ID. The REAL ID regulatin, (b) (1) (ii), explains the situatins under which a persn may be disqualified frm serving in a cvered psitin n an interim basis. A persn wh is disqualified n an interim basis shuld nt be invlved in the manufacture r prductin f REAL ID DL/IDs r be able t affect the infrmatin that appears n a REAL ID DL/ID until the perid f interim disqualificatin has been cmpleted. 16 While it is desirable t determine ther infrmatin, such as why the emplyee left the previus psitin, many emplyers will prvide nly verificatin f the dates f emplyment. February 2009 Page 3 17

29 Als pursuant t f the regulatin, the State may establish prcedures t allw fr a waiver f the regulatry requirements prhibiting placement f an emplyee in a cvered psitin fr an interim disqualifying ffense. This prcedure shuld be dcumented as part f the State s security plan. The REAL ID regulatin (b) (1) (iii) explains that a persn wh is wanted r under indictment fr a felny is disqualified until the want r warrant is released. This persn may nt be invlved in the manufacture r prductin f REAL ID DL/IDs r be able t affect the infrmatin that appears n a REAL ID DL/ID as lng as the want r warrant is in effect. If the criminal backgrund check reveals an arrest withut dispsitin, the State shuld make a diligent effrt t determine the dispsitin. The State may establish a prcedure t waive the requirement fr disqualificatin if it cannt determine the dispsitin f the arrest after having made a diligent effrt. This prcedure shuld be dcumented as part f the State s security plan Emplyee Rights States shuld infrm current and prspective emplyees wh will serve in cvered psitins that they will underg a backgrund check and prvide a descriptin f what the backgrund check will cver. If as a result f the backgrund check an emplyee is disqualified, he r she shuld be infrmed and given a chance t appeal t the apprpriate State r Federal gvernment r therwise challenge the findings f the backgrund check Training When Shuld Training Occur? The Fraudulent Dcument Recgnitin (FDR) and security awareness training prgrams shuld be peratinal befre the State begins issuing REAL ID DL/IDs under Material Cmpliance. All cvered emplyees shuld cmplete training befre the State begins issuing REAL ID DL/IDs under Full Cmpliance. Thereafter, all cvered emplyees shuld receive refresher training n a recurring basis, at least nce every three years. After full cmpliance is reached, new cvered emplyees shuld receive all security training befre r shrtly after assuming their new duties Fraudulent Dcument Recgnitin Training Pursuant t 37.41, all cvered emplyees engaged in the handling f surce dcuments r engaged in the issuance f REAL ID DL/IDs shuld receive FDR training. The REAL ID regulatin states that the AAMVA FDR Training prgram is apprved fr this requirement. If the State wishes t use an alternative FDR training prgram it shuld cntact the REAL ID Office at the Department f Hmeland Security t btain apprval f that prgram. Emplyees wh are nt invlved in the issuance decisin making prcess, such as thse wh wrk in a central card prductin facility r in a data prcessing center, are nt required t have FDR training Security Awareness All cvered emplyees shuld receive security awareness training. All cvered emplyees shuld receive training that cvers the threats t the security f the REAL ID DL/ID. This shuld include recgnitin f the threat, what actins they shuld take if they discver a security threat, and hw t reprt it. Prtins f this training may vary depending n the duties f the February 2009 Page 3 18

30 emplyee. Cvered emplyees shuld als be trained in the security measures, such as access cntrl prcedures, lcks, intrusin detectin alarms and emergency/incident plans, fr the secure facility where they wrk. Emplyees wh handle Sensitive Security Infrmatin shuld receive training in the handling f Sensitive Security Infrmatin Emergency/Incident Respnse Each secure facility shuld develp a respnse plan fr emergencies r incidents that may ccur at its lcatin. At a minimum, these plans shuld cver fire, medical emergencies, bmb/bmb threat, and severe weather. Other incidents that the State may want t cver include earthquakes, terrrist incidents, and disgruntled emplyees. In the develpment f these plans, the safety f persnnel is paramunt. The security interest in these plans is, t the extent pssible, preventing lss f cntrl f sensitive materials and equipment, r, in the aftermath, recvering cntrl at the earliest practical time. Fr example, a gd plan fr a medical emergency wuld call fr a cvered emplyee t meet the emergency medics at the entry/exit dr, escrt them t the patient, bserve withut interfering, and then escrt them back ut f the facility. If sensitive cmpnents r specialized prductin equipment is fund t be unaccunted fr after an emergency r incident is cmplete, the senir persn in charge f the facility shuld make a reprt t the apprpriate state level plice agency, the AAMVA Fraud Early Warning System and the DHS REAL ID Prgram Office. 3.7 Audit Cntrls The State shuld maintain adequate audit trails. The ability t determine wh perfrmed a given actin may be determined thrugh the use f user accunts within the systems. An emplyee shuld nly wrk n a wrkstatin that he r she lgged nt with his r her wn user accunt. At a minimum, audit cntrls shuld d the fllwing: Keep a recrd f when, where, and by whm the determinatin was made t issue the REAL ID DL/ID Each time persnally identifiable data is accessed, keep a recrd f wh made the access, when it was made, and frm where it was made Each time persnally identifiable data is changed, keep a recrd f wh made the change, when it was made, and frm where it was made, and what was changed Fr each REAL ID DL/ID prduced, keep a recrd f where and when it was made and wh was in charge f the prcess at that time 17 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 3 19

31 4 SECURITY PLAN This sectin delineates the infrmatin that the State shuld include in the security plan pursuant t f the REAL ID regulatin. The security plan des nt need t be a single, unified dcument. Instead, it can be made up f several plans, plices, and prcedures that, taken as a whle, address all f the issues identified in this handbk. The parts f the plan that shuld be handled as Sensitive Security Infrmatin are indicated. 18 Fr additinal reference, the REAL ID Privacy Impact Assessment can be fund at Plan Cntents Physical Security and Access Cntrl Methds (Handle as Sensitive Security Infrmatin) Infrmatin abut Card Prductin Facility Fr each secure facility used fr the prductin f REAL ID DL/IDs r as a centralized shipping and receiving facility, prvide the fllwing infrmatin: Lcatin f the facility Type f peratin: central prductin r ver the cunter peratin Frequency f card prductin Facility perating hurs 20 Authrity that wns and perates the facility: State, lcal gvernment entity, cntractr, etc. If the facility is accredited under ANSI/NASPO SA v3.0p 2005 standard Level II, prvide dcumentatin shwing prf f the accreditatin and skip the remaining items 21 A statement that the facility fllws the guidelines in this handbk fr prviding adequate physical security and that fr each secure prductin facility the fllwing dcumentatin is maintained n file fr review: Descriptin f the cnstructin f perimeter walls, true ceiling, and true flr, including whether the perimeter walls cnnect t the true flr and true ceiling. If they d nt, explain hw the gap is secured Descriptin f the cnstructin f the entry/exit drs, including the type f lck and the methd f securing hinge pins Descriptin f all lading dck drs, including the type f cnstructin and the lcking mechanism used Descriptin f all emergency exits, including the type f material frm which they are cnstructed, hw the hinges are secured, and the type f lcking mechanism used, and if an alarm activates when they are pened 18 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. 19 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. 20 The Facility Operating Hurs des nt need t be handled as Sensitive Security Infrmatin. 21 DHS des nt require ANSI/NASPO certificatin. Hwever, if the facility has been certified, DHS deems the facility is secure and the State need nt prvide any infrmatin listed in paragraph beynd prf f the certificatin. February 2009 Page 4 1

32 Descriptin f hw any windws, air ducts, r ther pening in perimeter walls are secured Descriptin f all access cntrl methds and prcedures Descriptin f all the intrusin detectin systems, including the lcatin f the cntrl panel, lcatin f keypads, and the type and lcatin f each type f sensr A drawing (need nt be t scale) shwing the lcatin f the fllwing: All drs, windws and ther penings thrugh the perimeter walls Lcatin f intrusin detectin system cmpnents Lcatin f sensitive cmpnent strage If the secure facility has strage cntainers fr the strage f sensitive cmpnents, give the number f cntainers and the GSA rating f the cntainers. Explanatin f hw any sensitive equipment is secured Infrmatin abut Handling and Strage f Sensitive Cmpnents The fllwing infrmatin abut the handling and strage f sensitive cmpnents shuld be included: Prvide a list f the sensitive cmpnents used in the prductin f REAL ID DL/IDs. Prvide a list f sensitive equipment used in the prductin f REAL ID DL/IDs. Dcument whether the sensitive cmpnents are stred in secure cntainers r in a secure strage rm. If a secure strage rm is used, prvide the infrmatin frm Sectin Infrmatin abut Secure Strage Rms The fllwing infrmatin abut secure strage rms shuld be included: Lcatin f the facility Frequency f card prductin Facility perating hurs Authrity that wns and perates the facility: State, lcal gvernment entity, cntractr, etc. If the facility is accredited under ANSI/NASPO SA v3.0p 2005 standard Level II, prvide dcumentatin shwing prf f the accreditatin and skip the remaining items. 22 A statement that the facility fllws the guidelines in this handbk fr prviding adequate physical security and that fr each secure prductin facility the fllwing dcumentatin is maintained n file fr review: Descriptin f the cnstructin f perimeter walls, true ceiling, and true flr, including whether the perimeter walls cnnect t flr and ceiling f the secure rm 22 DHS des nt require ANSI/NASPO certificatin. Hwever, if the facility has been certified, DHS deems the facility is secure and the State need nt prvide any infrmatin listed in Sectin beynd prf f the certificatin. February 2009 Page 4 2

33 Descriptin f the cnstructin f the dr, including hw the hinges are prtected and the type f lck Descriptin f access cntrl methds and prcedures Descriptin f the intrusin detectin system, including the lcatin f the cntrl panel, lcatin f keypads, and the type and lcatin f each type f sensr A drawing (need nt be t scale) shwing the lcatin f the fllwing: All drs, windws and ther penings thrugh the perimeter walls Lcatin f intrusin detectin system cmpnents Lcatin f sensitive cmpnent strage Security f Persnally Identifiable Infrmatin The fllwing infrmatin n the security f PII shuld be included: A descriptin f the administrative, technical, and physical safeguards t prtect the security, cnfidentiality, and integrity f the PII cllected, stred, and maintained in DMV recrds and infrmatin systems fr purpses f cmplying with the REAL ID Act, including the fllwing infrmatin: (Handle as Sensitive Security Infrmatin) 23 Explanatin f hw the State prevents the unauthrized access, use, r disseminatin f applicant infrmatin and images f surce dcuments Descriptin f the standards and prcedures fr dcument retentin and destructin. Pursuant t f the REAL ID Final, prvide a cpy f the State s Privacy Plicy that cvers the PII used in cmplying with the REAL ID Act. As recmmended in the Best Practices, the Privacy Plicy may address each f the fllwing Fair Infrmatin Practice Principles: Principle f Transparency Principle f Individual Participatin Principle f Purpse Specificatin Principle f Minimizatin Principle f Use Limitatin Principle f Data Quality and Integrity Principle f Security Principle f Accuntability and Auditing Prvide a cpy f the State s Privacy Impact Assessment fr its DMV recrds and infrmatin systems, if the State chses t cnduct ne. After cnfirmatin, the State must prvide a statement indicating that the DMV has cmplied with the requirements f the Driver s Privacy Prtectin Act, 18 U.S.C et seq regarding the release and use f PII cllected and maintained by the DMV pursuant t the REAL ID Act. 23 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 4 3

34 4.1.3 Card Security Features (Handle as Sensitive Security Infrmatin) Descriptin f Card Prvide a cmplete descriptin f the design f the REAL ID DL/ID, including the security features Mnitring Dcument Security and Integrity Prvide a cpy f the reprt that determined the REAL ID DL/ID design is resistant t cmprmise and dcument fraud attempts Bimetrics Usage If bimetrics are used in cnjunctin with the issuance f REAL ID DL/IDs, then the fllwing infrmatin shuld be prvided: State the type f bimetric used (e.g., 2 d face, 3 d face, fingerprint, iris scan) If a bimetric is stred n the card, prvide infrmatin abut the technlgy used fr strage and the frmat f the bimetric If a bimetric is stred in a database, prvide infrmatin abut the frmat in which it is stred and hw the bimetric is linked t the rest f the data related t the individual Describe hw the bimetric is used (e.g., identity verificatin, search fr duplicates) List any technical standards used in develpment r peratin f the system Persnnel Security Emplyee Credentials r Identificatin Badges Describe what kind f credentials r identificatin badges are issued t: Cvered emplyees, including hw these badges differ frm emplyees that are nt cvered, and Other staff Emplyee Backgrund Checks Prvide a cpy f plicy, prcedure, rule, r regulatin dcuments that establishes a prgram f emplyees backgrund checks pursuant t f the REAL ID regulatin Training Fraudulent Dcument Recgnitin Training Prvide a cpy f the plicy, prcedure, rule, r regulatin that establishes the fllwing: Requirement fr the training Amunt f time between refresher training sessins The training prgram used (either the AAMVA prgram r a DHS apprved alternative) The percentage f cvered emplyees wh have received training in the last three years 24 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 4 4

35 Security Awareness Prvide a cpy f the plicy, prcedure, rule, r regulatin that establishes the fllwing: Requirement fr the training Amunt f time between refresher training sessins An utline f the tpics cvered by the training The percentage f cvered emplyees wh have received training in the last three years Emergency/Incident Respnse Plans Prvide cnfirmatin that fr each secure facility there are emergency/incident respnse plans that cver, at a minimum, fire, medical emergency, bmb/bmb threat, and severe weather at the State s secure facilities. Additinally, prvide cnfirmatin that cpies f these plans are available fr inspectin upn request Internal Audit Cntrls (Handle as Sensitive Security Infrmatin 25 ) Describe hw an audit trail is maintained and what data items are recrded fr each f the fllwing : The determinatin t issue the REAL ID DL/ID Each time PII is accessed Each time PII is changed Each REAL ID DL/ID prduced 25 See sectin 5, Handling f Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 4 5

36 5 HANDLING OF SENSITIVE SECURITY INFORMATION The REAL ID regulatin calls fr States t handle certain infrmatin in accrdance with the Cde f Federal Regulatins, Title 49 Transprtatin, Part 1520 Prtectin f Sensitive Security Infrmatin. 26 Please refer t the appendices fr guidance n training and additinal infrmatin related t the handling f SSI, in additin t the infrmatin included in this sectin. The REAL ID Prgram ffice encurages yu t fllw the best practices fr successfully handling Sensitive Security Infrmatin and maintain an apprpriate level f security fr the Security Plans that will be generated as a result f this dcument. 5.1 Infrmatin Designated as Sensitive Security Infrmatin Per Sectin (C), the security plan required as a result f the regulatin cntains Sensitive Security Infrmatin and must be handled and prtected in accrdance with 49 CFR Part Sensitive Security Infrmatin is an infrmatin prtectin prgram prviding strage and disseminatin cntrls intended t prevent malefactrs frm btaining infrmatin that wuld allw them t defeat r avid security measures and equipment. In the cntext f REAL ID, Sensitive Security Infrmatin is infrmatin that deals with the physical security f the card prductin facilities and the security f the IT systems used t issue REAL ID DL/IDs, and the descriptin and analysis f card security features, as determined by the State. The sectins f the security plan that deal with the physical security f the card prductin facilities and the security f the IT systems used t issue REAL ID DL/IDs, and the descriptin and analysis f card security features shuld be designated as Sensitive Security Infrmatin. 5.2 Access t Sensitive Security Infrmatin Access t this infrmatin shuld be limited t cvered emplyees whse duties result in a need t knw and t their supervisrs r managers. 27 An emplyee s need t knw r be able t access Sensitive Security Infrmatin is a clear indicatin that the emplyee is filling a cvered psitin. 5.3 Prtectin f Sensitive Security Infrmatin When handling r discussing Sensitive Security Infrmatin, emplyees shuld be cnscius f their surrundings. Sensitive Security Infrmatin shuld nly be discussed r shared with cvered emplyees wh have a need t knw. Dcuments cntaining Sensitive Security Infrmatin shuld never be left unattended and shuld always be prtected frm unauthrized viewing. Apprpriate security measures shuld be emplyed t ensure Sensitive Security Infrmatin sent via , r ther means, is nly shared with authrized cvered persnnel wh have a need t knw. Such measures may include passwrd prtectin f electrnic files, limited netwrk access, r encryptin. 26 This dcument is ften referred t as 49 CFR Part The need t knw has a brad applicatin and persnnel with a need t knw may include a supervisr, manager, legal cunsel, cntractr and/r netwrk administratr. February 2009 Page 5 1

37 5.4 Strage When nt in use, Sensitive Security Infrmatin shuld be stred in a secure cntainer, such as a lcked desk r file cabinet r in a lcked rm. T prevent unauthrized access, users f cmputers which cntain Sensitive Security Infrmatin shuld lg ut r turn ff the cmputer when they are nt in the immediate vicinity. 5.5 Marking Dcuments SSI Dcuments that cntain Sensitive Security Infrmatin, such as the REAL ID Security Plan, shuld pssess a header n every page, including cver pages, reading SENSITIVE SECURITY INFORMATION. Each dcument shuld als pssess a fter n every page reading WARNING: This recrd is cntrlled under 49 CFR Unauthrized release may result in a civil penalty. 5.6 Destructin When papers r media cntaining Sensitive Security Infrmatin are n lnger needed, a Cvered Emplyee shuld destry them t the extent that the infrmatin cannt be recnstituted r recvered. February 2009 Page 5 2

38 6 APPENDIX A: ACRONYMS Acrnym Definitin AAMVA American Assciatin f Mtr Vehicle Administratrs ANSI American Natinal Standards Institute CFR Cde f Federal Regulatins CMYK Cyan, Magenta, Yellw r Key (black) DHS Department f Hmeland Security DMV Department f Mtr Vehicle DL/ID Driver s licenses and identificatin cards FBI Federal Bureau f Investigatin FDR Fraudulent Dcument Recgnitin FIPS Federal Infrmatin Prcessing Standard GSA General Services Administratin IAFIS Integrated Autmated Fingerprint Infrmatin System ICAO Internatinal Civil Aviatin Organizatin IT Infrmatin Technlgy MRZ Machine Readable Zne NASPO Nrth American Security Prducts Organizatin NCIC Natinal Crime Infrmatin Center NIST Natinal Institute f Standards and Technlgy OTC Over the cunter PIA Privacy Impact Assessment PII Persnally Identifiable Infrmatin SSI Sensitive Security Infrmatin February 2009 Page 6 1

39 7 APPENDIX B: TERMS AND DEFINITIONS Term Cmpliant Card Cntinuus Operatins Cvered Emplyee Cvered Psitin DL/ID DMV Enrllment Facilities Issuance Level 1 physical security feature Level 2 physical security feature Level 3 physical security feature Manufacturing Nn cmpliant Card Definitin A card issued in cmpliance with the requirements f the REAL ID Act and the final REAL ID regulatins issued by DHS. A facility is in cntinuus peratins if it is always ccupied by cvered emplyees, including evenings, weekends, and hlidays. An emplyee r cntractr whse duties invlve the manufacture r prductin f REAL ID DL/IDs, r wh has the ability t affect the identity infrmatin that appears n a REAL ID DL/ID. A staff psitin which requires a Cvered Emplyee. Driver s license and/r identificatin card. The Department f Mtr Vehicles (DMV) is an agency respnsible fr the issuance f driver s licenses and identificatin cards within a given jurisdictin. Enrllment is the prcess f accepting, recrding, and string custmer PII in a DMV facility. The lcatins where REAL ID DL/IDs are manufactured, prduced, r issued; where applicants are enrlled and staff have access t custmer PII. The delivery f persnalized cards r credentials t individual custmers via mail, ver the cunter, r by ther means. Cursry examinatin, withut tls r aids invlving easily identifiable visual r tactile features, fr rapid inspectin at pint f usage. Examinatin by trained inspectrs with simple equipment. Inspectin by frensic specialists. Prductin f the materials used t prduce r persnalize cards. This includes substrates, card blanks, laminates, security devices, and ther physical cmpnents f the cards. A DL/ID issued by a REAL ID cmpliant State t a persn that has nt met the requirements fr issuance f a REAL ID DL/ID. Such a card is nt acceptable by Federal agencies fr fficial purpses as defined in 37.3 f the REAL ID regulatin. February 2009 Page 7 1

40 Persnally Identifiable Infrmatin Prductin REAL ID DL/ID REAL ID Regulatins Sensitive Cmpnent Sensitive Security Infrmatin Any infrmatin which can be used t distinguish r trace an individual s identity, such as their name; driver s license r identificatin card number; scial security number; bimetric recrd, including a digital phtgraph r signature; alne, r when cmbined with ther persnal r identifying infrmatin, which is linked r linkable t a specific individual, such as a date and place f birth r address, whether it is stred in a database, n a driver s license r identificatin card, r in the machine readable technlgy n a license r identificatin card. The physical prductin r persnalizatin f individual cards in central issuance, ver the cunter (OTC) r hybrid facilities. Prductin takes the manufactured cmpnents f a card and prduces an individualized credential. A driver s license r identificatin card prduced in cmpliance with the REAL ID Act and the final REAL ID regulatins issued by DHS. Federal Register, Part II; Department f Hmeland Security; 6 CFR Part 37; Minimum Standards fr Driver s Licenses and Identificatin Cards Acceptable by Federal Agencies fr Official Purpses; Final Rule; Federal Register / Vl. 73, N. 19 / Tuesday, January 29, 2008 / Rules and Regulatins; pp A cmpnent used in the prductin f a REAL ID DL/ID that cntains special features that differentiate frm similar cmpnents cmmnly available n the pen market. The test fr deciding if a cmpnent is sensitive is the determinatin that a persn culd make a better fraudulent dcument if he r she had the cmpnent. Since blank REAL ID DL/ID bdies must cntain inventry cntrl numbers, these blank card bdies are sensitive cmpnents. Sensitive Security Infrmatin is an infrmatin prtectin prgram prviding strage and disseminatin cntrls intended t prevent malefactrs frm btaining infrmatin that wuld allw them t defeat r avid security measures and equipment. In the cntext f REAL ID, Sensitive Security Infrmatin is infrmatin that deals with the physical security f the card prductin facilities and the security f the IT systems used t issue REAL ID DL/IDs, and the descriptin and analysis f card security features, as determined by the State. February 2009 Page 7 2

41 8 APPENDIX C: SSI TRAINING GUIDANCE Refer t the DHS SSI Basic Training fr U.S. Department f Hmeland Security Stakehlders fr guidance n hw t handle Sensitive Security Infrmatin. February 2009 Page 8 1

42 February 2009 Page 8 2

43 February 2009 Page 8 3

44 February 2009 Page 8 4

45 *Surce: DHS Management Directive Example: Security guard staffing schedules fr prductin facilities. February 2009 Page 8 5

46 February 2009 Page 8 6

47 February 2009 Page 8 7

48 February 2009 Page 8 8

49 February 2009 Page 8 9

50 February 2009 Page 8 10

51 February 2009 Page 8 11

52 February 2009 Page 8 12

53 February 2009 Page 8 13

54 February 2009 Page 8 14

55 February 2009 Page 8 15

56 February 2009 Page 8 16

57 February 2009 Page 8 17

58 February 2009 Page 8 18

59 February 2009 Page 8 19

60 February 2009 Page 8 20

61 February 2009 Page 8 21

62 February 2009 Page 8 22

63 February 2009 Page 8 23

64 February 2009 Page 8 24

65 9 APPENDIX D: SSI GUIDANCE BROCHURE Please refer t the Department f Hmeland Security s brchure n Sensitive Security Infrmatin fr additinal infrmatin. February 2009 Page 9 1

66 FOR QUESTION OR COMMENTS REGARDING THIS DOCUMENT CONTACT THE REAL ID PROGRAM OFFICEE AT (202) OR VIA AT February 2009 Page 9 2