When discussing the growing complexity of information security standards, Ron Ross likes to draw an analogy to cars. Specifically, he says that just as speed and efficiency improve on race cars, safety does as well – and that means more mechanisms, more tools, more rules.
More expansive technologies and more pervasive use of mobile devices and cloud services mean more standards and more rules are necessary to guide government agencies in how to protect their security and manage the risk to their systems.
“Risk management is becoming fairly complicated because of the reliance we have on information technology,” Ross, a fellow at the National Institute of Standards and Technology (NIST), says. “A lot of organizations have become more complicated with regard to information technology. It has become a commodity. Information technology is so much cheaper and more powerful [than years ago] and with that comes complexity and increasing problems with regard to information security.”
Occupation: fellow at the National Institute of Standards and Technology (NIST); leader of the FISMA Implementation Project; leader of the Joint Task Force Transformation Initiative Working Group
College: undergraduate appointment, West Point Academy, 1973; graduate of Defense Systems Management College; M.S. and Ph.D. from U.S. Naval Postgraduate School in computer science, specializing in artificial intelligence and robotics
Accomplishments: Scientific Achievement Award at NSA for inter-agency national security project; Defense Superior Service Medal; three-time recipient of the Federal 100 Award for leadership and technical contributions; Department of Commerce Gold and Silver Medal Awards; inductee to ISSA Hall of Fame and ISSA distinguished fellow
As leader of the Federal Information Security Management Act (FISMA) Implementation Project, Ross is the point person in helping to alleviate those problems by developing better security standards and guidelines for the federal government, contractors and the critical information infrastructure of the United States. In this role, he has led the development and update of a number of critical standards, including most recently, a major update to NIST Special Publication 800-53, the security controls guideline. NIST received more than 4,000 comments from the public and private sector after posting a public draft of the new guideline in February, says Ross (a final draft is due out at the end of next month).
With this roadmap, Ross is trying to broaden the concept of security controls to take into account the changing nature of IT and risk management. “We're rebranding the notion of assurance,” he says. “Assurance doesn't deal with authentication and encryption. Assurance talks about what developers do to build better products and systems.”
This year has also seen Ross and his team lead the updates of guidelines for security authorization (Special Publication 800-37) and risk assessment (SP 800-30). In regard to the latter, he says risk assessment plays an important role in the risk management process. “There's been a vast increase in the threat space and more challenges in closing down vulnerabilities,” he says. “We just want to give people the right tools to be successful.”
Ross' leadership and vision have made a huge impact on creating the “foundation for cyber security across the government,” says one of his supervisors, Donna Dodson, division chief of computer security for NIST. “He really has conceived many of the really critical premises that underline cyber security today,” she says. Dodson points out that while there were people performing risk assessment at a topical level before Ross became involved, it's through his vision and leadership that risk management has become more a part of the whole lifecycle. “There are strong measurement capabilities to articulate threat and vulnerabilities,” she says.
For his part, Ross sees the principle tenets of his job as building off the basic best practices while being mindful that systems are becoming more complex. “The good thing is that the fundamentals of risk management haven't changed,” he says. “It's always about assessing the risk. It's about responding to that risk and monitoring it over time.”
What has changed, he adds, is that smartphones and tablets have contributed to a more complex infrastructure. “All these great new devices that increased the digital footprint, all that complexity keeps building,” he says. “And if you don't understand it, you can't protect it.”
His drive and dedication to these initaives have not gone unnoticed. Dodson says he often will fly to the West Coast to deliver a speech, only to quickly return to deliver two more speeches on the East Coast and then send edits on a work in progress. Further, his knowledge and supportive professional demeanor have made him instrumental in helping draw together various government agencies and private sector entities to collaborate on common standards and practices for information technology.
“He takes the time to really work with people,” Dodson says. And he combines that with a deep understanding of the cyber security challenges the nation is facing. These qualities, Dodson says, helps Ross bring together people across boundaries.
Ed Roback, Ross' former boss at NIST and currently the chief information security officer for the U.S. Department of the Treasury, agrees: “Where Ron has made his biggest impact in recent years is his work bringing together the stovepipe communities of government, which all have their own slightly different specifications.”
As leader of the Joint Task Force Transformation Initiative – a partnership of NIST, the Department of Defense, the Office of the Director National Intelligence, the Committee on National Security Systems, and the intelligence community – Ross oversees the development of a unified information security framework for the federal government. Working together with the task force, these federal and intelligence agencies have found a lot of common ground in their ongoing efforts to improve information security, especially critical in an environment where enemies the world over are becoming increasingly sophisticated in their attacks, Ross says.
By developing a security plan that helps unite the commonalities of all these groups, Roback says taxpayers will benefit, as well as security developers. “This creates a reduction in the need to learn separate methodologies for each community,” Roback says. “It's foundational.”For Ross, developing that strong foundation is the first important step in establishing strong cyber security. “It gets back to the threats, like APT [advanced persistent threat] – with individuals trying to establish a long-term presence in an organization to steal intellectual property,” he says. “Understanding that those threats exist, that's the common bond that brings us together.”