U.S. Department of Transportation
Cash for Clunkers and the Cloud
The United States Department of Transportation (DOT) was established by an act of
Congress and signed into law by President Johnson in 1966. Since then, the mission of
the DOT has been to serve the United States by ensuring a fast, safe, efficient,
accessible and convenient transportation system that meets the nation’s vital
interests and enhances quality of life for the American people.
The Department of Transportation is composed of a number of different agencies,
including the Office of the Secretary of Transportation (OST) and the National
Highway Traffic and Safety Administration (NHTSA), but also encompasses aviation,
rail, maritime and even pipeline administrations.
On June 24, 2009, President Obama signed the Consumer Assistance to Recycle and
Save (CARS) Act, which directed the Secretary of Transportation (acting through
NHTSA) to establish and administer what would come to be popularly known as the
“cash for clunkers” program.
DOT by the Numbers
• 12 agencies
• 60,000 employees
• 100s of citizen, business and government services managed
CARS:
• 18,000+ car dealers enrolled
• 680,000 older vehicles traded in for new, fuel-efficient cars
• Billions of dollars in rebates awarded
NHTSA was called on to lead the CARS program at the implementation level. Given the sheer size and scope – and
just a 30-day timeline – everyone who could be spared within the DOT was pulled onto the project. That meant
leveraging as many existing resources and services as possible, as well as working closely with DOT partners,
systems and networks to make this mandate happen.
Cloud computing was one obvious way to realize the kind of scale and speed that was required. However, at the
time, cloud computing seemed to offer more problems than it solved, presenting security challenges that
appeared to be incompatible with the government’s certification and accreditation process. To allow for efficient
schedule execution, NHTSA broke the project into multiple stages, forging ahead with the cloud computing effort
while planning to tackle the process to handle destruction and recycling of trade-ins post-launch.
On July 24, NHTSA opened the CARS system for car dealer registration, meeting the project deadline. This was the
opportune time to address the security issues of cloud computing.
While each of the cloud vendors NHTSA contacted offered security services (either as part of a standard offering or
as a value add), they were all implemented, managed and controlled by the cloud providers themselves.
Customers were given access to a console-based reporting system that offered them a way to track key performance
indicators. Following the time-honored tradition of “trust, but verify,” NHTSA was uncomfortable with the fact that
there was no way to independently validate the console’s metrics. And without the ability to accurately assess risk,
the government’s Authorizing Official would not be able to sign off on a comprehensive cloud-based deployment.
What NHTSA required was the ability to install Government Furnished Equipment (GFE) in the cloud provider’s
data center, thereby gaining a measure of control over their deployment and effectively creating a verifiable trust
model. However, all of the larger cloud providers NHTSA contacted at the time were unwilling to install GFE in
their datacenters with the sole exception of Terremark.
NHTSA co-located a number of security controls, including the Layer 7 CloudSpan Gateway, at their local Terremark
datacenter in order to monitor, measure and ensure that security controls were being properly implemented. With
GFE-based continuous monitoring in place, NHTSA was able to proceed with certifying and accrediting Terremark
as a third-party network – something almost unheard of in the US government.
Department of Transportation Case Study
On July 27, dealers across all 50 states, as well as the District of Columbia, the Virgin Islands, Puerto Rico, the
Northern Mariana Islands, and Guam logged into the CARS application over the internet via a local point of
presence and entered the details for each clunker to be traded in. Akamai, one of the world’s largest Web-based
content distribution providers, established multiple points of presence for the Oracle on Demand-based CARS
application, providing failover and enhancing performance. Public data releases are processed centrally in an
Oracle database routed through the Terremark cloud, which could scale up on demand to handle the workload.
Layer 7, located within the Terremark datacenter, provided access control, validated the XML data stream coming
from the CARS applications and ensured consistency, and also provided message-level threat protection. All
interactions were logged to facilitate follow-up for forensic auditing, as required by the government.
With three billion dollars rebated in just over three weeks, and nearly 680,000 clunkers traded in for more fuel-
efficient vehicles, CARS is considered one of the biggest successes of the Obama administration. Taking place as it
did during the middle of the 2009 recession, CARS had a large impact on the economic recovery by saving or
creating tens of thousands of jobs, as well as by increasing GDP by an estimated $3.8 to $6.8 billion. Going forward,
the program will also result in a reduction of fuel consumption (~33M gallons annually) and CO2 emissions (~360K
metric tons annually) over the lifetime of the newly purchased vehicles.
CARS marked a significant step forward for the U.S. government into public cloud computing, just in time to
support a new Obama administration initiative: the Open Government Directive (OGD). OGD is designed to open
up vast amounts of U.S. government information stores to the general public, allowing developers to create
applications, mashups, and visualizations of the machine readable data to benefit their local communities. Every
federal agency is mandated to participate in OGD and publish information to data.gov, which will leverage NHTSA’s
experience with public clouds (and Layer 7) in order to accommodate the scale of the initiative.
Consumer Assistance to Recycle and Save Act of 2009; Report to Congress, December 2009
Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.