Which states have documented cybersecurity protocols or audits for their motor vehicle databases handling Real ID records?

1. What the reporting actually documents: state privacy laws that impose cybersecurity audits

State-level privacy and cybersecurity laws coming into force at the start of 2026 create a demonstrable baseline for documented security obligations in some jurisdictions: reporting from the International Association of Privacy Professionals (IAPP) identifies California, Indiana, Kentucky and Rhode Island as states where new or strengthened privacy frameworks include cybersecurity-audit rules that could extend to state-held personal information — which encompasses DMV records in many instances — though the coverage does not list DMVs individually as audited parties ^[1].

2. Industry guidance and federal rules that compel documentation, even if states’ public lists don’t exist

The American Association of Motor Vehicle Administrators (AAMVA) publishes best-practice guidance for state motor vehicle departments — including recommendations such as encrypting data at rest and in transit — which many DMVs reference when building documented controls even if they do not publicly post full audits ^[3]. Separately, a federal rulemaking tied to mobile driver’s license waivers requires states seeking the waiver to show compliance with a suite of 19 industry standards (including NIST frameworks and CA/Browser Forum requirements), effectively obliging states to document cybersecurity measures and logging controls if they pursue that path ^[2].

3. Concrete state examples in reporting are sparse; Maryland and Maine illustrate opposite poles

Public reporting and vendor commentary provide only a handful of named examples: Maryland’s motor vehicle administrator has publicly spoken to building robust digital identity infrastructure and security for mobile IDs, suggesting documented protocols at least for mobile credential projects in that state ^[4]. Conversely, Maine’s statutory refusal to comply with certain REAL ID requirements — and its related prohibitions on technologies such as facial recognition in DMV operations — means Maine has not followed the same path toward integrated REAL ID systems and thus has not adopted the same kinds of centralized sharing or associated protocols described elsewhere ^[5].

4. The missing ledger: why there is no neat list of audited states

Reporting repeatedly notes structural reasons for the absence of a transparent list: the REAL ID data-sharing architecture was built through a combination of AAMVA and private contractors with complex subcontracting that limits public visibility into operational controls, and federal certification language historically omitted explicit public audit requirements for the interstate pointer service ^{[6] [7]}. Journalistic and advocacy pieces therefore urge direct inquiries to state DMVs about participation in SPEXS and S2S and about limits on data sharing — a practical admission that public inventories of documented DMV cybersecurity audits are incomplete ^[6].

5. What can reliably be said right now

It is accurate to state that (a) specific states — California, Indiana, Kentucky and Rhode Island — have laws that include cybersecurity/audit provisions which could encompass DMV systems ^[1]; (b) AAMVA guidance and federal waiver requirements create a de facto expectation that states document cryptographic, logging and system-security controls if they pursue certain REAL ID or mobile-ID options ^{[3] [2]}; and (c) public reporting does not yet supply a comprehensive, state-by-state disclosure of completed cybersecurity audits or published DMV system controls for REAL ID databases, so any definitive list must be produced by state DMVs or through public-records requests ^{[6] [7]}.

6. Practical next steps and where accountability lives

Because the available sources advise that the most reliable way to confirm whether a state has documented protocols or completed audits is to ask the state motor vehicle administrator directly — and because DHS and AAMVA development paths have limited transparency — accountability and verification depend on state-level disclosure, public-records work, and scrutiny of waiver applications that reference NIST or CA/Browser standards ^{[6] [2]}. Advocacy groups and privacy researchers who have tracked REAL ID recommend precisely that course: query state DMVs about participation in SPEXS/S2S and about what information-sharing and security documentation exists ^[6].