NIST’s Ron Ross pivots to DevSecOps
NOTE: This article first appeared on FCW.com.
Cybersecurity’s move “below the waterline” of system access to the internal workings of devices is forcing a new way to look at how agencies develop more agile capabilities, said Ron Ross of the National Institute of Standards and Technology.
“We have to change the fidelity of the process” of developing devices from the very start, Ross said at an Advanced Technology Academic Research Center conference on March 10.
Ross said he thinks the shift is so important that in January, he moved from the position he’s held for 17 years at NIST’s Federal Information Security Modernization Act implementation project to leading NIST’s effort to develop a DevSecOps framework at the organization similar to its Cybersecurity Framework.
His move came as agencies from the Departments of Veterans Affairs to Homeland Security are working DevOps techniques into their capabilities and services.
“I’ve been doing the FISMA stuff for 17 years now. Right now I’m transitioning to the systems security engineering side of the house,” he said. That area, he said, deals with broader issues within systems’ development, which has the potential to inject security into emerging devices and systems earlier in the process.
DevSecOps crosses the entire software development lifecycle, Ross said. Injecting agile capabilities into software development at federal agencies is also key to keeping up with commercial technology innovation.
“You want systems to operate like the human body,” he said, developing defenses based on nimble, virtual defenses as well as built-in security capabilities.
Agencies are adapting to agile DevOps and DevSecOps for security capabilities at different speeds, according to federal agency DevOps managers at the summit.
Chakris Raungtriphop is in the process of replacing traditional waterfall development with DevOps techniques at DHS. The agency is hoping to start DevOps pilots with some of its programs in the coming months.
“The remainder of this year, we’ll identify programs for transformational process. Ideally, those pilots will cover different programs of varying sizes at the agency,” said Raungtriphop.
Component agency programs such as U.S. Citizenship and Immigration Services’ systems transformation effort, as well as the efforts to transform the Federal Emergency Management Agency’s grants programs modernization, will inform the pilot programs, he said.
The pilots will use standard DevOps tool sets to allow the agency to learn how those tools will work and can be adapted across the agency’s components. The pilots, he said, will play out over the next year.
VA has been transforming various services, leveraging agile techniques to bring benefits services to heel. It has used agile development for those services, said Patty Craighill, director of DevOps at the agency. VA employees, she said, have had to adapt to a DevOps mindset that includes a more tolerant attitude towards risk in exchange for faster products and services, as well as an intricate understanding of its customers.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.