Resilient Cyber
Resilient Cyber
S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation

S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation

Nikki - Can you tell us a little bit about what you're currently working on right now at NIST?

Chris - Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM, C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?

Nikki - Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations. 

Chris - NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?

Chris - The Government is making a big push for DevSecOps. Many argue that the Governments approach to compliance, with RMF is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there's any changes we can make to better facilitate DevSecOps adoption?

Nikki - NIST is very well known for their inclusion of public collaboration with practitioners, researchers, and academic institutions - do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?

Chris - There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time.  Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?

Nikki - NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO. From Zero Trust, SSDF, and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?

Chris - What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?

Nikki - What does cyber resiliency mean to you?