Ron Ross, a cybersecurity expert who has long helped federal agencies develop security standards and guidelines, is leaving the National Institute of Standards and Technology’s Federal Information Security Modernization Act (FISMA) implementation project after 17 years leading it, he tweeted Jan. 20.
Ross will be transitioning to the systems security engineering (SSE) project to “focus on DevSecOps and building security into the [system development life cycle],” he wrote. The project looks to influence and affect trustworthiness and cyber resilience of the services used in day-to-day activities, he said.
“The long-term objective is to work with government, industry and academia to build a world-class set of best practices in this area that can be voluntarily embraced by the public and private sector,” Ross said.
Victoria Pillitteri, who has worked alongside Ross for four years as a senior researcher, will take over FISMA. However, Ross will continue to work on FISMA publications while expanding the SSE project, Pillitteri said.
Ross said his “finale” will be the Security and Privacy Controls for Information Systems and Organizations Fifth Revision (SP 800-53 Rev. 5), which provides the government with new security controls to follow based on threat intelligence.
In August, Ross said many NIST publications with cybersecurity controls depend on the release of SP 800-53, which has been delayed by an Office of Management and Budget review. SP 800-171B, which offers federal agencies security requirements to protect the confidentiality of controlled unclassified information, is waiting final release as it contains provisions linked to provisions in SP 800-53 Rev. 5.
Ross will lead the FISMA project until SP 800-53 is published in its final form. He has been leading the SSE project he is transitioning to since 2012.
“This transition will allow a full-time focus on the SSE work and to explore new and emerging approaches in methodologies such as DevSecOps," said Ross.
Chiara Vercellone is a reporter interning with Defense News, C4ISRNET and Fifth Domain Cyber