Header Image

US Department of Transportation - Cloud Security

Realizing a major public service initiative through a secure Cloud application

The United States Department of Transportation (DOT) was established by an act of Congress and signed into law by President Johnson in 1966. Since then, the mission of the DOT has been to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets the nation’s vital interests and enhances quality of life for the American people.

The Department of Transportation is composed of a number of different agencies, including the Office of the Secretary of Transportation (OST) and the National Highway Traffic and Safety Administration (NHTSA), but also encompasses aviation, rail, maritime and even pipeline administrations.

On June 24, 2009, President Obama signed the Consumer Assistance to Recycle and Save (CARS) Act, which directed the Secretary of Transportation (acting through NHTSA) to establish and administer what would come to be popularly known as the "cash for clunkers" program.

 


DOT by the Numbers

  • 12 agencies
  • 60,000 employees
  • 100’s of citizen, business and government services managed

CARS:

  • 18,000+ car dealers enrolled
  • 680,000 older vehicles traded in for new, fuel-efficient cars
  • Billions of dollars in rebates awarded

The Challenge

NHTSA was called on to lead the CARS program at the implementation level. Given the sheer size and scope – and just a 30 day timeline – everyone who could be spared within the DOT was pulled onto the project. That meant leveraging as many existing resources and services as possible, as well as working closely with DOT partners, systems and networks to make this mandate happen.

Cloud computing was one obvious way to realize the kind of scale and speed that was required. However, at the time, cloud computing seemed to offer more problems than it solved, presenting security challenges that appeared to be incompatible with the government’s certification and accreditation process. To allow for efficient schedule execution, NHTSA broke the project into multiple stages, forging ahead with the cloud computing effort while planning to tackle the process to handle destruction and re-cycling of trade-ins post launch.

On July 24, NHTSA opened the CARS system for car dealer registration, meeting the project deadline. This was the opportune time to address the security issues of cloud computing.

While each of the cloud vendors NHTSA contacted offered security services (either as part of a standard offering or as a value add), they were all implemented, managed and controlled by the cloud providers themselves. Customers are given access to a console-based reporting system that offered them a way to track key performance indicators. Following the time honored tradition of “trust, but verify,” NHTSA was uncomfortable with the fact that there was no way to independently validate the console’s metrics. And without the ability to accurately assess risk, the government’s Authorizing Official would not be able to sign off on a comprehensive cloud-based deployment.

What NHTSA required was the ability to install Government Furnished Equipment (GFE) in the cloud provider’s data center, thereby gaining a measure of control over their deployment and effectively creating a verifiable trust model. However, all of the larger cloud providers NHTSA contacted at the time were unwilling to install GFE in their datacenters with the sole exception of Terremark.

NHTSA co-located a number of security controls, including the Layer 7 CloudSpan Gateway, at their local Terremark datacenter in order to monitor, measure and ensure that security controls were being properly implemented. With GFE-based continuous monitoring in place, NHTSA was able to proceed with certifying and accrediting Terremark as a third-party network - something almost unheard of in the US government.

The Solution
On July 27, dealers across all 50 states, as well as the District of Columbia, the Virgin Islands, Puerto Rico, the Northern Mariana Islands, and Guam logged into the CARS application over the internet via a local point of presence and entered the details for each clunker to be traded in. Akamai, one of the world’s largest Web-based, content distribution providers established multiple points of presence for the Oracle on Demand-based CARS application, providing failover and enhancing performance. Public data releases are processed centrally in an Oracle database routed through the Terremark cloud, which could scale up on demand to handle the workload.

Layer 7, located within the Terremark datacenter, provided access control, validated the XML data stream coming from the CARS applications and ensured consistency, an also provided message-level threat protection. All interactions were logged to facilitate follow-up for forensic auditing, as required by the government.

Layer 7 US Deporatment of Transportation Solution

The Results
With three billion dollars rebated in just over three weeks, and nearly 680,000 clunkers traded in for more fuel-efficient vehicles, CARS is considered one of the biggest successes of the Obama administration. Taking place as it did during the middle of the 2009 recession, CARS had a large impact on the economic recovery by saving or creating tens of thousands of jobs, as well as by increasing GDP by an estimated $3.8 to $6.8 billion. Going forward, the program will also result in a reduction of fuel consumption (~33M gallons annually) and CO2 emissions (~360K metric tons annually) over the lifetime of the newly purchased vehicles (1).

CARS marked a significant step forward for the U.S. government into public cloud computing, just in time to support a new Obama administration initiative: the Open Government Directive (OGD). OGD is designed to open up vast amounts of U.S. government information stores to the general public, allowing developers to create applications, mashups, and visualizations of the machine readable data to benefit their local communities. Every federal agency is mandated to participate in OGD and publish information to data.gov, which will leverage NHTSA’s experience with public clouds (and Layer 7) in order to accommodate the scale of the initiative.

 


(1) Consumer Assistance to Recycle and Save Act of 2009; Report to Congress, December 2009