Federal computer networks are under a constant barrage, facing daily cyberattacks from foreign governments, malicious hackers and criminal organizations that can jeopardize national security, the economy, personal and business information, and critical government operations.
Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), is a preeminent leader in helping the government better secure its information systems. He developed the first set of unified information security standards and guidelines for all federal agencies, and most recently helped establish the government-wide program for cloud security assessment and authorization.
“Ron Ross has played a critical role in ensuring a higher level of protection for federal information systems, and has significantly strengthened critical infrastructures and created a more secure nation,” said Matt Scholl, chief of NIST’s computer security division. “His risk management framework is fundamentally changing the way federal agencies protect information and information systems, and is reducing the vulnerability of the U.S. critical infrastructures to cyberattacks.”
Before Ross came along, the government was guided by a checklist approach to secure computer networks, often ignoring changing threats and evolving technology, and not always distinguishing what information needed higher security and what data was of lesser importance.
Instead of an inflexible checklist, Ross designed the Risk Management Framework, a way for an organization to decide how critical its various sets of data are and to pick the right level of protection.
“If you have a house, you can choose to protect items in that house differently,” Ross explained. “You can have a lock on the door, but it might not be strong enough to protect some important items in the house. You can then move those items to a safe-deposit box with stronger protections. It’s the same thought about protecting our data.”
For instance, some federal government information such as publicly available tax forms on IRS.gov do not need as many protections as personally sensitive data such as actual tax returns. With the framework developed by Ross, agencies can go through an assessment process and decide where to concentrate resources and tighter security.
“Ron is the rock star of cyber,” said Donna Dodson, NIST’s chief cybersecurity advisor. “He took a field that had no rigor and discipline and developed approaches that are used here and worldwide. The Risk Management Framework he developed is a way of thinking about protecting information from tip to tail.”
James St. Pierre, deputy director of NIST’s Information Technology Laboratory, said that five to 10 years ago, people were not as concerned about security as they are now. “Ron has been in this fight from the beginning and hasn’t let up,” said St. Pierre.
Howard Schmidt, a former cybersecurity advisor to Presidents Bush and Obama, said Ross also brought “a balanced perspective to discussions on cybersecurity at the White House” and “could articulate the technical risks and policy risks in terms of national and economic security.”
“People say we are so far behind on cybersecurity,” said Schmidt. “I dread to think where we would be if Ron wasn’t around.”
Scholl said the impact of Ross’ work includes reduced cost of implementing cybersecurity controls and demonstrated compliance with multiple security requirements, as well as enhanced system interoperability among federal agencies. He said Ross created standards that work for the Smithsonian and the FBI, and for the air traffic control system and email.
“This is now more critical than ever as the exchange of information between the federal civilian agencies, the Department of Defense and the intelligence communities is essential in countering the cyber threats to our nation,” said Scholl. “U.S. industry also now focuses on building and providing cybersecurity capabilities instead of trying to comply with multiple government cybersecurity requirements. In the past, companies had to comply with different standards for national security and non-national security agencies.”
In the decade since first developing the risk framework, Ross has built and led a team across multiple U.S. agencies to implement the system and get agencies to adopt best practices.
Ross and his team worked with the General Services Administration, Department of Defense and Department of Homeland Security to test and validate the risk framework, unveiled earlier this year, that will be used by cloud-computing service providers, allowing them to host some of the federal government’s most sensitive information.
In addition to his work on the Risk Management Framework and key cybersecurity standards, Ross collaborated with the National Security Agency to develop the first-ever network of commercial testing laboratories capable of evaluating the security of IT products.
Two years ago, President Obama asked NIST to develop a method to secure critical infrastructure, such as electricity grids, power plants, traffic signals and water treatment facilities. “NIST would not be doing this work without the groundwork laid by Ron and the folks under his supervision,” said Charles Romine, director of NIST’s Information Technology Laboratory.
As a result of his widely respected work, Ross has become an international cybersecurity ambassador, called on by U.S. industry, academia and governments around the world to help protect information. He has led U.S. cybersecurity teams to Australia, India, Japan, Canada, and the European Union, promoting U.S. information security concepts and best practices.