Governance, Risk and Compliance

AAMVA’s Governance, Risk, and Compliance (GRC) program operates under the Enterprise Architecture and Security Department, led by the Chief Information Security Officer (CISO). The GRC program serves as the foundational pillar of our commitment to protecting customer data and maintaining operational excellence. Through structured governance, continuous risk management, and adherence to industry-recognized frameworks, our GRC program ensures that our policies, controls, and processes align with trusted security standards and regulatory expectations.

Enterprise Risk Management

The GRC program plays a key role in driving AAMVA's Enterprise Risk Management processes. By staying ahead of emerging risks and evolving compliance requirements, we commit to refining our strategies and frameworks to strengthen our overall risk posture. We work closely with leadership to assess potential threats, prioritize mitigation efforts, and ensure their timely completion. This proactive approach enables us to meet industry expectations, ensuring the security and reliability of the services we deliver.

For valued customers and partners of AAMVA, collaboration is at the heart of our GRC efforts. We work closely with various internal departments and stakeholders to conduct comprehensive risk assessments. These assessments cover a wide spectrum, including the evaluation of third-party organizations, vendors, suppliers, and partners accessing AAMVA’s critical data. Our goal is to maintain robust relationships and ensure that everyone within our network operates in alignment with our compliance and security standards.

Commitment To Protecting Your Data

At the core of our program is our unwavering dedication to protecting your data. We recognize the critical role our services play for our customers and partners, and we uphold the highest standards to maintain your trust. We operate with a security-first culture supported by layered controls, strong governance, and continuous oversight. We reinforce this commitment through annual independent audits, internal assessments, and a continuous compliance approach that ensures our controls remain effective and operate as intended.

Audit and Compliance

We maintain a structured audit and compliance program designed to validate the effectiveness of our controls. Our approach combines independent assurance, internal oversight, and alignment with trusted security frameworks to support a secure and reliable environment. These activities include:

  • Annual Independent Audits: We undergo yearly System and Organization Controls (SOC) 2 Type II audits to validate the design and operating effectiveness of our internal controls.
  • Internal Risk and Security Control Assessments: We perform scheduled internal assessments aligned with NIST SP 800-53 Rev. 5 to evaluate risks and confirm control performance.
  • Continuous Compliance Monitoring: We maintain annual oversight through policy reviews, evidence collection, and routine control validation.

We align with multiple industry standards and frameworks, including:

  • NIST SP 800-53 Rev. 5
  • The Payment Card Industry Data Security Standard (PCI DSS)
  • System and Organization Controls (SOC) 2 Trust Services Criteria
  • Center for Internet Security (CIS) Critical Security Controls
  • Microsoft Security Best Practices

Requesting Security Documentation

SOC 2 Type II reports are available to customers and prospective customers upon request and are released under a signed NDA.

For more information about the GRC program or to request a copy of our SOC 2 Type II report, please contact GRC Support and Questions.