When discussing the growing complexity of information security standards, Ron Ross likes to draw an analogy to cars. Specifically, he says that just as speed and efficiency improve on race cars, safety does as well – and that means more mechanisms, more tools, more rules.
More expansive technologies and more pervasive use of mobile devices and cloud services mean more standards and more rules are necessary to guide government agencies in how to protect their security and manage the risk to their systems.
“Risk management is becoming fairly complicated because of the reliance we have on information technology,” Ross, a fellow at the National Institute of Standards and Technology (NIST), says. “A lot of organizations have become more complicated with regard to information technology. It has become a commodity. Information technology is so much cheaper and more powerful [than years ago] and with that comes complexity and increasing problems with regard to information security.”
Occupation: fellow at the National Institute of Standards and Technology (NIST); leader of the FISMA Implementation Project; leader of the Joint Task Force Transformation Initiative Working Group
College: undergraduate appointment, West Point Academy, 1973; graduate of Defense Systems Management College; M.S. and Ph.D. from U.S. Naval Postgraduate School in computer science, specializing in artificial intelligence and robotics
Accomplishments: Scientific Achievement Award at NSA for inter-agency national security project; Defense Superior Service Medal; three-time recipient of the Federal 100 Award for leadership and technical contributions; Department of Commerce Gold and Silver Medal Awards; inductee to ISSA Hall of Fame and ISSA distinguished fellow
As leader of the Federal Information Security Management Act (FISMA) Implementation Project, Ross is the point person in helping to alleviate those problems by developing better security standards and guidelines for the federal government, contractors and the critical information infrastructure of the United States. In this role, he has led the development and update of a number of critical standards, including most recently, a major update to NIST Special Publication 800-53, the security controls guideline. NIST received more than 4,000 comments from the public and private sector after posting a public draft of the new guideline in February, says Ross (a final draft is due out at the end of next month).
With this roadmap, Ross is trying to broaden the concept of security controls to take into account the changing nature of IT and risk management. “We're rebranding the notion of assurance,” he says. “Assurance doesn't deal with authentication and encryption. Assurance talks about what developers do to build better products and systems.”
This year has also seen Ross and his team lead the updates of guidelines for security authorization (Special Publication 800-37) and risk assessment (SP 800-30). In regard to the latter, he says risk assessment plays an important role in the risk management process. “There's been a vast increase in the threat space and more challenges in closing down vulnerabilities,” he says. “We just want to give people the right tools to be successful.”
Ross' leadership and vision have made a huge impact on creating the “foundation for cyber security across the government,” says one of his supervisors, Donna Dodson, division chief of computer security for NIST. “He really has conceived many of the really critical premises that underline cyber security today,” she says. Dodson points out that while there were people performing risk assessment at a topical level before Ross became involved, it's through his vision and leadership that risk management has become more a part of the whole lifecycle. “There are strong measurement capabilities to articulate threat and vulnerabilities,” she says.
For his part, Ross sees the principle tenets of his job as building off the basic best practices while being mindful that systems are becoming more complex. “The good thing is that the fundamentals of risk management haven't changed,” he says. “It's always about assessing the risk. It's about responding to that risk and monitoring it over time.”