Ron S. Ross
National Institute of Standards and Technology (NIST)
NIST is developing critically important security guidance that addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization, the International Electrotechnical Commission, and the Institute of Electrical and Electronics Engineers and infuses systems security engineering techniques, methods, and practices into those systems engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established organizational processes to ensure that such requirements and needs are addressed at the correct stages throughout the life cycle of the system.
Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the architectural design and development of our applications, systems, components, and networks—and a fundamental cultural change to the current “business as usual” approach. Introducing a disciplined, structured, and standards-based set of systems security engineering processes can provide an important starting point and forcing function to initiate needed change. The ultimate objective is to obtain more trustworthy secure systems that are fully capable of supporting critical missions and business operations with a level of assurance that is consistent with the risk tolerance of the organization.
Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current focus areas include information security and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-39 (risk management guideline), SP 800-53 (security and privacy controls guideline), SP 800-53A (security assessment guideline), SP 800-37 (security authorization guideline), SP 800-30 (risk assessment guideline), SP 800-160 (systems security engineering guideline), and SP 800-171 (security requirements for contractors and nonfederal organizations). Dr. Ross is the principal architect of the Risk Management Framework (RMF), a multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA-related standards and guidelines into a comprehensive enterprise-wide security program. Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, the Office of the Director National Intelligence, the U.S. Intelligence Community, and the Committee on National Security Systems (CNSS) that developed the Unified Information Security Framework for the federal government and its contractors.