DHS Science and Technology Directorate and Dot Volpe Center have developed a telematic cybersecurity primer for fleet managers.
The managers of federal vehicle fleets were charged with implementing telematics systems for all their vehicles as part of Executive Order (EO) 13693, “Planning for Federal Sustainability in the Next Decade,” issued in March 2015.
The EO called for government vehicle fleet managers to “collect and utilize as a fleet efficiency tool… agency fleet operational data (i.e., fuel consumption, emissions, maintenance, utilization, idling, speed and location data) through deployment of vehicle telematics as a vehicle asset level for all new passenger and light duty vehicle acquisitions and for medium duty vehicles where appropriate.”
Vehicle telematics refers to embedded systems on a vehicle that tracks the vehicle and combines wireless and internet communications to send, receive and store vehicle information. As the use of vehicle telematics technologies rapidly grow, so do the cybersecurity security vulnerabilities and the need to safeguard the vehicle telematics data from cyberattack.
As part of an interagency joint project, DHS S&T’s cybersecurity team contracted the DOT’s Volpe Center to develop a vehicle telematics cybersecurity primer for fleet managers, who as a group had little practical experience with cybersecurity.
“DHS has one of the largest civilian vehicle fleets, with primarily law enforcement vehicles, and this project has provided a great opportunity to help improve our cybersecurity posture and safety of our officers and agents in the field,” said Cyber Physical Systems Security Program Manager Chase Garwood. “We are working closely to support DHS Fleet and with our counterparts in other federal, defense and state, local, tribal and territorial fleet and cybersecurity organizations and value our ongoing relationships.”
Specifically, the primer’s purpose is to guide fleet managers and the General Services Administration (GSA) in securing telematics systems by implementing applicable security controls as outlined in the National Institute of Standards and Technology Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” These security controls are included in the primer, which also provides cybersecurity procurement language that GSA and fleet managers can adopt for future agency telematics acquisitions.
“The main user of the primer to date has been GSA Fleet, which has leveraged the telematics cybersecurity procurement language and is using it in a Request for Quote for telematics within GSA Fleet’s leased vehicles,” said Kevin Harnett, the Volpe Center project manager who led the development of the primer.
Among the topics covered in the primer are fleet management office responsibility for Federal Information Security Management Act requirements and security controls such as access control, penetration testing, security assessment and authorization, system and information integrity as well as telematics security considerations. The primer, which is not available publicly because of security sensitivity, addresses the core concerns for an agency in the protection of their vehicle fleets.