US Department of Transportation - Cloud Security


  • 8/2/2019 US Department of Transportation - Cloud Security


    The United States Department of Transportation (DOT) was established by an act of Congress and signed into law by President Johnson in 1966. Since then, the mission of the DOT has been to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets the nation's vital interests and enhances quality of life for the American people.

    The Department of Transportation is composed of a number of different agencies, including the Office of the Secretary of Transportation (OST) and the National Highway Traffic and Safety Administration (NHTSA), but also encompasses aviation, rail, maritime and even pipeline administrations.

    On June 24, 2009, President Obama signed the Consumer Assistance to Recycle and Save (CARS) Act, which directed the Secretary of Transportation (acting through NHTSA) to establish and administer what would come to be popularly known as the "cash for clunkers" program.

    The Challenge

    NHTSA was called on to lead the CARS program at the implementation level. Given the sheer size and scope, and just a 30-day timeline, everyone who could be spared within the DOT was pulled onto the project. That meant leveraging as many existing resources and services as possible, as well as working closely with DOT partners, systems and networks to make this mandate happen.

    Cloud computing was one obvious way to realize the kind of scale and speed that was required. However, at the time, cloud computing seemed to offer more problems than it solved, presenting security challenges that appeared to be incompatible with the government's certification and accreditation process. To allow for efficient schedule execution, NHTSA broke the project into multiple stages, forging ahead with the cloud computing effort while planning to tackle the process to handle destruction and recycling of trade-ins post-launch.

    On July 24, NHTSA opened the CARS system for car dealer registration, meeting the project deadline. This was the opportune time to address the security issues of cloud computing.

    While each of the cloud vendors NHTSA contacted offered security services (either as part of a standard offering or as a value add), they were all implemented, managed and controlled by the cloud providers themselves. Customers were given access to a console-based reporting system that offered them a way to track key performance indicators. Following the time-honored tradition of "trust, but verify," NHTSA was uncomfortable with the fact that there was no way to independently validate the console's metrics. And without the ability to accurately assess risk, the government's Authorizing Official would not be able to sign off on a comprehensive cloud-based deployment.

    What NHTSA required was the ability to install Government Furnished Equipment (GFE) in the cloud provider's data center, thereby gaining a measure of control over their deployment and effectively creating a verifiable trust model. However, all of the larger cloud providers NHTSA contacted at the time were unwilling to install GFE in their datacenters, with the sole exception of Terremark.

    NHTSA co-located a number of security controls, including the Layer 7 CloudSpan Gateway, at their local Terremark datacenter in order to monitor, measure and ensure that security controls were being properly implemented. With GFE-based continuous monitoring in place, NHTSA was able to proceed with certifying and accrediting Terremark as a third-party network, something almost unheard of in the US government.

    DOT by the Numbers

    12 agencies

    60,000 employees

    100s of citizen, business and government services managed

    CARS:

    18,000+ car dealers enrolled

    680,000 older vehicles traded in for new, fuel-efficient cars

    Billions of dollars in rebates awarded

    U.S. Department of Transportation: Cash for Clunkers and the Cloud
