We sat down with Dr. Ron Ross about his story and how he got to where he is today. He shares what his first job was out of the Army and his health battle while writing publications for NIST. His journey is incredibly inspiring, and we feel such gratitude to be able to share this with all of you.
To hear about the man behind the publications was something truly special.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome back to another episode of Climbing Mount CMMC.
[00:00:12] Thank you so much for your service and your continued service, sir.
[00:00:15] As you, you know, as you've served in the military, I mean, we're just coming off the recording of Veterans was just like Monday, right?
[00:00:22] Veterans Day.
[00:00:24] And, you know, that's one of the things that I've loved about this community and the DIB space is just the absolute passion for our government and our nation as a whole.
[00:00:35] And trying to protect it.
[00:00:37] So let's start walking the journey of, you know, Dr. Ross.
[00:00:44] As you started off in the Army, you served for 20 years and then you got a PhD in, I'm reading this now, artificial intelligence and robotics, which is like such the thing right now.
[00:00:58] And then you had the choice of picking your path that you wanted to go.
[00:01:01] And I think when you were saying you sort of got pushed towards NSA in the direction that you started to go.
[00:01:08] Can you talk about that?
[00:01:10] And then you also quoted saying, I knew nothing about computer security as you were going into the NSA.
[00:01:17] And that just seems like not possible to me.
[00:01:20] But can you talk about that a little bit?
[00:01:22] You know, one of the things that is really important to me is mentoring the next generation.
[00:01:28] And, you know, the story that I did go to school at the Naval Postgraduate School.
[00:01:33] The Army sent me to school to get a PhD in computer science, artificial intelligence and robotics.
[00:01:40] And I was scheduled to be a program manager in the Army's autonomous vehicle program.
[00:01:46] That was back in, I went to school in 1985 and I came out at the end of '89.
[00:01:52] So it was a long PhD program.
[00:01:55] The day that I graduated from the Naval Postgraduate School, I got a call from the Department of Army.
[00:02:02] And they said, the guy that is currently in the job that you are going to rotate into has decided to extend for another year.
[00:02:11] Oh, my gosh.
[00:02:12] I mean, what?
[00:02:12] Like if that didn't happen, like so much of like what I know about would not possibly.
[00:02:19] I don't know.
[00:02:20] It's interesting.
[00:02:21] So it was kind of a stunning thing.
[00:02:22] And they literally told me, go find another job.
[00:02:26] So there are so many life lessons that come out of this.
[00:02:29] And whenever I talk to young people, I say, you know, you have to be flexible in this world.
[00:02:35] And I said, the one thing I've learned is that if you get grounded in the fundamentals, in my case, it was computer science, computer engineering.
[00:02:43] If you get grounded in the fundamentals, that will give you literal license to be flexible.
[00:02:49] And things are always going to happen in your life.
[00:02:52] You're going to lose a job.
[00:02:53] There'll be something that will redirect your career.
[00:02:55] This was my redirection.
[00:02:57] So I called a friend of mine at NSA who was an assignments officer at the agency and said, do you have any jobs for computer scientists?
[00:03:06] They said, we got more jobs than you can shake a stick at.
[00:03:09] So that was where I ended up going is to NSA.
[00:03:14] I literally knew nothing about computer security at that time.
[00:03:18] And by the way, when I was at West Point, the only course that I ever flunked there was in computers.
[00:03:23] I'd also gone in the hospital for something when I was a plebe and I never recovered.
[00:03:33] So when I was a freshman, a plebe, that was the only course I ever flunked.
[00:03:37] I had to go to summer school, which, you know, that was the only time.
[00:03:40] But again, out of that, out of adversity comes always positive.
[00:03:46] And that's my message to young people.
[00:03:48] You know, you have to go through adversity.
[00:03:50] Adversity and failure actually makes you better because you learn from those things.
[00:03:55] And so it's very ironic that I thought was the one course I flunked at West Point.
[00:04:00] And then I never got to go to do AI and robotics, which ended up being the big thing.
[00:04:06] Now, I said, this is not a big thing.
[00:04:07] Now, that was 40 years ago we were doing AI and robotics.
[00:04:09] Yeah. But so that's how I ended up in NSA.
[00:04:13] I knew nothing. And then I couldn't get into the building there for three months because I didn't have a top secret SCI clearance.
[00:04:20] So they said, go find yourself someplace to sit for three months.
[00:04:25] And I was lucky enough to have some friends of mine that worked at NIST and also a company called Trusted Information Systems run by Steve Walker.
[00:04:35] And little did I know that TIS had a brain trust of computer security people who had literally the founding fathers of the business were sitting over at that company.
[00:04:47] Some of them had come from NSA.
[00:04:50] Many of the folks are still at NSA at that point in time.
[00:04:53] But I was able to take three months and do a deep dive on cyber security, which was called computer security back then.
[00:05:00] And I'm telling you, these people were so giving of their time.
[00:05:04] And that's where I learned the importance of mentoring the next generation.
[00:05:07] They spent hours with me, not just going over the fact there's an engine.
[00:05:12] They told me how to take apart the engine and how to rebuild it.
[00:05:15] And that's something that, you know, having the grounding, the fundamentals of computer science, computer engineering, because I was an engineer coming out of West Point.
[00:05:24] Everybody graduated from West Point 40 or 50 years ago with an engineering degree.
[00:05:29] And so I had the fundamentals, but I had to learn the nuts and bolts of computer security.
[00:05:34] And I was just so fortunate to have the best and the brightest at the time in that business.
[00:05:40] You know, there's a body of knowledge that's been captured.
[00:05:44] And we can talk about that later, what happened to that knowledge.
[00:05:47] But that's how I started.
[00:05:48] And, you know, finally, I got my clearance, went in the building.
[00:05:51] And that's where they said, as they say in NASCAR, gentlemen, start your engines or drivers, start your engines.
[00:05:57] That's where my career started.
[00:05:58] That's where they started.
[00:05:59] That's where they started in 1990.
[00:06:00] Now, when you did that, what kind of lens at that point were you looking at things through?
[00:06:07] Was it more from an engineering perspective for your PhD?
[00:06:10] And you're like, how does this compute?
[00:06:11] Were you having problems trying to reconcile the information that they were sending your way based on your current experience at that time?
[00:06:18] No, there was actually a common nexus.
[00:06:20] And this is something I think a lot of people miss today is that I would say that the overwhelming portion of our problems in cybersecurity today can be solved with good systems and software engineering.
[00:06:34] In other words, when you're building software or putting a system together, that process that you go through, and this is going to be carried forward in some of our engineering work that we're doing now with 800-160.
[00:06:46] It's all about reducing the number of weaknesses and deficiencies in the code.
[00:06:50] And why?
[00:06:51] Because those become vulnerabilities if they're exploited by an adversary.
[00:06:55] There could be a weakness or a deficiency in a piece of code.
[00:07:00] But if the adversary can't exploit that, then it's really not a vulnerability.
[00:07:04] But the problem we're seeing, and this goes even back in those days, as software systems and systems become more complex, that software becomes larger and larger, and the systems have more and more components.
[00:07:16] That complexity becomes your attack surface.
[00:07:20] And so all of that complexity and all of those weaknesses and deficiencies that don't get fixed during development end up being passed off to consumers to deal with.
[00:07:31] And that's a whole other story.
[00:07:32] But I saw that common nexus back at that time, that if we could focus more on developing quality software and hardware and system components and do a better job at integrating those into a more secure system,
[00:07:46] and we could trust that to some degree, that's where the real solutions were going to be.
[00:07:51] And so there was that kind of common nexus between engineering, computer security, of course, mathematics when you get into cryptography.
[00:07:59] And now we're going into a whole new world of crypto, not crypto, quantum computing, which changes the whole computing paradigm, if you will.
[00:08:08] And you've got to be able to adjust.
[00:08:09] So that's kind of where I saw that initial glimmer, where we were going to end up 20 or 30 years later.
[00:08:18] Just through what you're saying, I'm making so many notes, and I hope I have time to ask some of these other questions.
[00:08:25] But I do want to take a pause a little bit longer where we're at in this timeline.
[00:08:30] And it seems like you really got some key mentorship in this journey and you're kind of in your flow.
[00:08:37] Are there any names or people, other than Steve Walker, that you felt like really poured into you, that really kind of helped solidify or set you on a specific path?
[00:08:47] Well, there were so many.
[00:08:49] I'll probably forget.
[00:08:50] I know Chuck Pfleeger was one of the people at TIS, worked with Steve Walker.
[00:08:56] Steve Lipner ended up going.
[00:08:59] He was at MITRE.
[00:09:00] There were many, many people within NSA itself who were literally some of the founding fathers.
[00:09:05] Roger Schell, who is still running his company, Aesec, today, one of the founding fathers of the Orange Book.
[00:09:16] And there were just so many people there that were on the ground floor.
[00:09:20] And back in those days, it was based on science.
[00:09:23] Computer security had to have a scientific underpinning.
[00:09:27] That's why the Orange Book, the requirements in the Orange Book, especially when you get up to the level A1, which is where formal methods come into play.
[00:09:36] All of that has a scientific basis.
[00:09:38] And that's why some of those A1 operating systems, there are not many in use today, obviously, because we've come down a different path.
[00:09:47] But those were pretty bulletproof back in the day.
[00:09:50] And, you know, you can make an argument today that when you want to have a highly trusted system, which deals with the concept of assurance.
[00:09:59] You know, we have two aspects, two sides of the coin in security.
[00:10:02] There's functionality, crypto, access control mechanisms, I&A mechanisms.
[00:10:08] And there's assurance.
[00:10:09] How good a job did you do at building those components?
[00:10:13] Did you use formal methods, secure coding techniques?
[00:10:16] How can I trust what you built?
[00:10:18] And we have totally lost the notion of assurance today.
[00:10:22] And that's why, you know, we're being asked to buy great commercial products.
[00:10:26] But I call that the big black box problem.
[00:10:28] So I'm buying all these components and I'm putting them into a system.
[00:10:32] Many of these systems are going into critical infrastructure.
[00:10:36] They're, you know, PLCs in power plants, medical devices, pacemakers that are in your chest, braking systems in automobiles.
[00:10:45] And the need to have assurance, understanding how much should I trust the components?
[00:10:50] How much should I trust the systems?
[00:10:53] You know, trustworthiness goes on a continuum from I don't trust it at all, but I have to use it because nothing else is available.
[00:10:59] I have a high degree of trust because I know they use formal methods or they use secure coding techniques, memory safe programming languages.
[00:11:07] There's a whole bunch of things that you can do.
[00:11:10] I call it bringing the receipts.
[00:11:12] Show me what you did to build the product, the system and earn my trust.
[00:11:17] And today, I don't think that's happening.
[00:11:20] That's kind of some of the things that the SBOM work, the software bill of materials, is trying to do: bring greater transparency and visibility to consumers.
[00:11:30] And we're all consumers of this great technology.
[00:11:32] We love it.
[00:11:33] We use it a lot.
[00:11:34] It's changed the way we do business.
[00:11:37] It's changed the way we fight wars.
[00:11:39] It's changed everything about how society operates.
[00:11:43] And when you have that dramatic an impact on society, you have to have trust in what you're doing.
[00:11:51] And that's one of the whole focus points of our engineering work is to bring back greater assurance and trustworthiness.
[00:11:58] I call it bringing the receipts to the table.
[00:12:00] That is so great, sir.
[00:12:02] Because the challenges and some of the things that you're talking about then and now are still the challenges with vendors and using vendors.
[00:12:13] For us as an MSP, one of the challenges is having discussions with vendors to say, show us the receipts.
[00:12:20] I want to use your product.
[00:12:21] But when I'm talking to an auditor for a CMMC audit, even if you're not FedRAMP and I want to use your product, I need assurances.
[00:12:27] I need to know that that type of software that you're developing, I need to know where you're at.
[00:12:33] And, man, it would be great if everybody had that.
[00:12:35] I mean, it even goes further to now as an MSP trying to help clients along the CMMC journey, the transparency that is needed or that we believe is needed to give so that a client feels assured that we can take them through an assessment and we can help them get into that space.
[00:13:01] It's like, you know, sometimes when you talk about this stuff, it's like MSPs have never heard of that before.
[00:13:07] And it's like, I love it.
[00:13:09] Ron, you're speaking my language when you say, show me the receipts, because I say that all the time.
[00:13:15] And it's like that.
[00:13:16] That's what I believe should be, you know, a common theme nowadays is like to be able to back up what you're saying and not just say whatever you want kind of thing.
[00:13:25] And so I think that's really powerful.
[00:13:27] And you can just see that throughout the whole space in many different areas.
[00:13:31] We have such a great industry out there.
[00:13:34] The amount of innovation that this country produces every year, we literally spend billions with a B dollars in research and development.
[00:13:44] This is across many different types of industries.
[00:13:47] And when you talk about programs like the CMMC or just in general, protecting controlled unclassified information across the federal government and the private sector,
[00:13:56] one well-placed cyber attack can literally exfiltrate billions of dollars of research in a nanosecond.
[00:14:05] Things happen in this world that we've built, for better or for worse.
[00:14:09] And I'm not being crude.
[00:14:10] This is the world that we've built through innovation.
[00:14:12] Powerful computing systems.
[00:14:14] Massive amounts of storage capacity.
[00:14:18] Ubiquitous connectivity.
[00:14:19] High speed, 5G connectivity.
[00:14:22] So you've literally got trillions of lines of code.
[00:14:26] Billions of devices.
[00:14:28] And everything is connected to everything.
[00:14:31] And, you know, you go in with this with your eyes wide open.
[00:14:34] So we never want to roll back innovation.
[00:14:37] That's how this country has always rolled from day one.
[00:14:41] Right.
[00:14:41] But as we start to push this technology into more sensitive areas, especially critical infrastructure,
[00:14:46] we're talking about PLCs and power plants or water distribution systems or in hospitals.
[00:14:52] The assurance part of that equation starts to become more and more important.
[00:14:57] As I learned with the space community in the Air Force, they have a term called putting warheads on foreheads.
[00:15:05] But in order to do that, you've got to make some really tough trade space decisions.
[00:15:09] I've got to pick an operating system.
[00:15:11] You know, do I choose Linux or, you know, iOS or some kind of a small, smaller OS that's more trusted?
[00:15:18] You know, those are real world decisions.
[00:15:21] And there's sometimes there's no right or wrong answers.
[00:15:23] There's just a better answer at this point in the engineering process.
[00:15:27] You know, it's been a real eye opener for me working with the engineers now and seeing what they have to go through.
[00:15:32] And kind of bringing these two communities together because they both add value to the final product.
[00:15:38] At this journey where you're at in the story that we're walking, you're still at the NSA.
[00:15:44] You have now ascended into a division chief.
[00:15:48] Can you walk me through kind of like, you know, Ron walking in the door as the rookie who's pulling cables or doing whatever kind of the low man on the totem pole type activity to now a division chief.
[00:16:01] You're involved in the Rainbow Series.
[00:16:02] You're helping craft some very foundational information.
[00:16:06] Like that's a big difference between those.
[00:16:09] Can you sort of talk through that and what that how that played out?
[00:16:13] Well, I joined the division where the Rainbow Series was created.
[00:16:17] And that started back in the 1980s.
[00:16:19] So by the time I got there, the Orange Book had been written.
[00:16:23] Many of the Rainbow Series documents had been written.
[00:16:25] And I worked for a division chief.
[00:16:28] His name is Blaine Burnham.
[00:16:29] We still are in touch.
[00:16:32] Not quite as often, but I worked for Blaine.
[00:16:34] And then at some point he was transferred to another position within NSA.
[00:16:38] And I had just gotten promoted to lieutenant colonel.
[00:16:42] And my name came up as the candidate for the division chief's job.
[00:16:47] Now, at NSA, there weren't a lot of military division chiefs, but my name was still put up for that job.
[00:16:53] And so it went up to the deputy director's level for approval.
[00:16:57] I remember our building.
[00:17:00] Our headquarters building was right next to the BWI airport.
[00:17:03] We were away from the main NSA campus, which was a little bit further south on the BWI Parkway.
[00:17:09] And there used to be a joke.
[00:17:10] Every day we go to the window and look down to the main NSA headquarters and see if there was white smoke coming out of the power to see if I got the job yet.
[00:17:19] So you got the job.
[00:17:20] But finally, the word came down.
[00:17:23] I did get assigned to that position.
[00:17:25] And I was just so grateful to be able to serve in that role because of the people that had been there prior to me.
[00:17:31] And I've always felt you have to stand on the shoulders of those who've come before.
[00:17:36] You honor their work.
[00:17:38] You recognize their work.
[00:17:39] And then you try to push their work forward.
[00:17:41] And that's the way that's their legacy that they stand on.
[00:17:44] And so I was very fortunate to work with some great people in that division.
[00:17:49] And we also had a lot of work with NIST at that point in time, because during those days, there was a move to kind of move away from the Orange Book into more of a federal criteria.
[00:18:02] Or the Orange Book was more focused on the DOD aspects of the problem space.
[00:18:07] OK.
[00:18:08] And so there was a move to develop something called a federal criteria.
[00:18:11] We actually did that document.
[00:18:13] It was a joint project with NIST and NSA.
[00:18:16] And I was on the NSA side, and my NIST colleagues were on the other side.
[00:18:20] And we developed that federal criteria.
[00:18:23] It was only out for a very short period of time because it then transitioned to something called the Common Criteria, which became ISO standard 15408.
[00:18:32] And that was kind of the journey; we pushed that body of work with our Canadian colleagues, who had their own criteria.
[00:18:40] And we were able to get together with the Canadians, the United States, and then several European countries to produce the first common criteria.
[00:18:48] And that came out toward the latter part of the 1990s.
[00:18:52] And then that was kind of my involvement in the criteria world.
[00:18:58] And right around that time is when I decided to retire from the military.
[00:19:02] And I made the transition from the NSA over to – it's not completely private sector.
[00:19:10] It's an FFRDC.
[00:19:11] It was called the Institute for Defense Analyses.
[00:19:14] It's kind of like MITRE or the Aerospace Corporation or the Jet Propulsion Lab.
[00:19:20] Federally funded research and development centers are special status organizations that support the federal government.
[00:19:27] And they have specific tasks and responsibilities.
[00:19:30] And so I spent almost four years at IDA supporting the NSA.
[00:19:36] And so I was working on the semi-contractor side but supporting some of the work that was going on at NSA at that time.
[00:19:45] And I did that all the way up until the time that I decided it was time to go back into government service.
[00:19:50] And that took me to 1997.
[00:19:52] That's when I decided I would apply for a job at NIST.
[00:19:57] And the rest is kind of history.
[00:19:59] So let's let you set the stage sort of as Ron walks in through the door of NIST.
[00:20:07] So it's late 90s, early 2000s, right, as you're stepping into your start at NIST.
[00:20:16] The common criteria is out now.
[00:20:20] And you're now looking down the barrel of some new challenges that are just around the corner that maybe you know about or don't know about.
[00:20:27] There are some very big ones that you're going to be facing.
[00:20:30] When you walked in that door, what were you thinking as the bright-eyed Ron?
[00:20:35] You know, like what are you expecting in your day one?
[00:20:38] And what was your, you know, what was your expectations as you were stepping in as sort of like what you were thinking you're going to do and then what ended up happening?
[00:20:46] Well, it's like every job, every new organization you come to, you know, you have to come in and learn.
[00:20:52] Take a step back.
[00:20:55] Understand what they do.
[00:20:57] Why they do it.
[00:20:58] Who the people are.
[00:21:00] You're looking around and you're just trying to be like a sponge.
[00:21:03] Absorb everything.
[00:21:04] And so that's what I did.
[00:21:05] I was very fortunate to be put on the Common Criteria Project because that's kind of where I came from at NSA and then at IDA.
[00:21:13] I was still in that same sphere of work.
[00:21:17] And so that's where I started when I was at NIST.
[00:21:21] I was part of the NIAP program, the National Information Assurance Partnership, which was a joint partnership with NIST and NSA that really focused on doing evaluations for the Common Criteria.
[00:21:34] You know, the testing laboratories that conducted the evaluations of commercial products had to be validated or certified by a government body.
[00:21:42] And that's what NIST and NSA were involved in in the early 2000s.
[00:21:49] So it's like being a newbie.
[00:21:51] You're looking around, you're just trying to learn.
[00:21:53] And then what really changed the game is in 2002, President Bush, there was the FISMA legislation.
[00:22:04] The Federal Information Security Management Act came along.
[00:22:07] Congress passed it in 2002 and President Bush signed it in 2003.
[00:22:12] And I'll never forget the day our division chief called me in his office and said, Ron, we got this new piece of legislation called FISMA.
[00:22:20] We just read it.
[00:22:22] They called out two things in the legislation that NIST is supposed to do.
[00:22:27] And we'd like to know if you're interested in doing them.
[00:22:29] So I hadn't read the legislation.
[00:22:32] I took a little bit of time to read the legislation.
[00:22:34] And there were a couple of standards they called out and another guidance document in the actual legislation.
[00:22:41] And we had responsibility under the Department of Commerce to carry that out.
[00:22:45] So I accepted that new role.
[00:22:48] And that was 2003.
[00:22:51] Right.
[00:22:51] And that was the start of and I didn't realize this at the time, but that was the start of a whole body of work that came out of legislation.
[00:23:00] And you just don't have that crystal ball in front of you when it happens.
[00:23:06] All you're looking at is the legislation.
[00:23:09] And then you're trying to get your thoughts together.
[00:23:11] You're looking at what do we have in the inventory now that can be applied to helping the government.
[00:23:17] Let's ask you.
[00:23:18] Let's drill into a little bit more.
[00:23:19] What was in the inventory?
[00:23:21] What was in the quiver at that point as far as in documentation?
[00:23:24] You had the common criteria.
[00:23:25] Was there were there other sources at that moment as you're looking down the barrel of FISMA and the objectives you're trying to do?
[00:23:31] Was there anything else that you were trying to do?
[00:23:34] We had a lot of work in crypto over the years.
[00:23:36] We had the FIPS 140 program, the cryptographic module validation program.
[00:23:41] FIPS 140 is still around today.
[00:23:43] It's gone through generations of iteration and improvements and changes.
[00:23:47] There was a computer security handbook.
[00:23:52] If you go back and look at the numbering system of the 800 series publications, when I started doing my first publications, it was like 800-18.
[00:24:03] That was the old.
[00:24:05] Wow.
[00:24:07] And 800-12, the computer security handbook.
[00:24:10] Right.
[00:24:11] I took a leap.
[00:24:12] I went to 800-37.
[00:24:13] That was a number that was way out there.
[00:24:15] You know, and now we're up in the 800-200s.
[00:24:18] Yeah.
[00:24:18] Marianne Swanson had authored a questionnaire.
[00:24:24] The publication was 800-26.
[00:24:27] And it was a series of questions that were divided up into different families of security, like access control, incident response, contingency planning.
[00:24:37] And she did a great job in that publication.
[00:24:39] So we had a lot of those type publications in the inventory.
[00:24:43] And now we had this big behemoth staring us down, you know, called FISMA.
[00:24:48] And so we had all those things in the inventory.
[00:24:52] But these were back in the days when, you know, we were just starting out.
[00:24:55] If you look at where we've come from in the past 21 years, where we were then.
[00:25:00] And this is what I tell our customers and the people who are doing this every day.
[00:25:05] It's two steps forward, one step back.
[00:25:08] Two steps forward, one step back.
[00:25:10] It's grinded out.
[00:25:11] And I said, even though it seems like sometimes we're not making a lot of progress, because we tend to be hyper-focused on the latest attack and all the stuff that happens.
[00:25:20] And, you know, it's hard not to focus on that.
[00:25:23] But you also have to look at what we've accomplished over the past two decades and where we were and where we are now.
[00:25:29] In the context of massive innovation and technological revolution and evolution, it's an amazing thing.
[00:25:38] So, yeah, it's rolling the clock back.
[00:25:41] Just look at the numbers on the publications and you can get a sense of the magnitude of what my colleagues have been able to do at NIST.
[00:25:48] And there's been a lot of great success stories there.
[00:25:51] You know, I just think about, like, when I first started in IT, you know, we started our company in 2002.
[00:25:58] And like there was no remote support.
[00:26:01] You just got in your car and drove to where you needed to to support your client.
[00:26:05] Now everybody does everything from it.
[00:26:06] Like the world has changed from those time frames.
[00:26:10] Right.
[00:26:10] And so now you're looking at, you know, limited pieces on the board for you to try to pull from.
[00:26:16] And at that point, when you're looking at FISMA, you know, we have just around the corner the RMF, 800-53 and some other key documents.
[00:26:29] You have FIPS 199 and 200.
[00:26:33] When do those come in the equation and start popping up on the radar as far as this needs to happen?
[00:26:39] And how does that all start coming into place?
[00:26:41] Well, the legislation gives us general guidelines and kind of a framework on what they would like to see for the federal government.
[00:26:50] Risk management, responsibility, heads of agencies.
[00:26:53] They talked about categorizing information and information systems.
[00:27:00] And of course, this is in the context of the federal government is a huge organization.
[00:27:04] It's an organization of organizations.
[00:27:07] They have lots of diverse missions and responsibilities.
[00:27:12] And so we're looking at that landscape and we're saying, this is an enormous undertaking that we have to pursue here.
[00:27:19] So let's try to take what's in the legislation and start to develop some kind of a vision.
[00:27:24] And let's do it from the top down.
[00:27:26] One of the things that we also recognized is that the government was so large and complex that you couldn't even imagine that you could protect everything in the government to the highest level.
[00:27:38] And so that kind of went back to a concept very early on.
[00:27:42] I call it the triage concept.
[00:27:43] This comes out of a lot of different areas.
[00:27:46] Battlefield medicine is one of the areas where triage is done.
[00:27:50] You know, in a combat operation, when a soldier gets injured, they're looking at do you have a sucking chest wound or a hangnail?
[00:27:57] And they prioritize.
[00:27:58] You go into one of three triage baskets, if you will, and they treat those that are the most serious first.
[00:28:04] So that was the first inclination.
[00:28:05] We needed to have some kind of a standard that would allow organizations to categorize their information into, we chose, one of three buckets.
[00:28:15] We could have chosen five buckets or ten buckets.
[00:28:17] We figured let's not overcomplicate it.
[00:28:19] And we chose the impact levels, the low, the moderate, and the high impact, where impact was the impact to your mission if you lost the information or your systems were compromised.
[00:28:30] Obviously, low impact were things that were not all that important.
[00:28:33] You'd have limited adverse impact if something bad happened.
[00:28:37] On the other end of that spectrum, we had severe or catastrophic impacts on the mission.
[00:28:42] That's the high impact information and systems.
[00:28:45] And then the moderate was serious, but certainly not severe or catastrophic.
[00:28:49] So that standard was one of the first ones that we built, FIPS 199.
[00:28:54] And the reason we did that is because it gave the organizations a chance to divide up their assets and figure out which things are the most critical so they could focus on those things first.
[00:29:05] At the same time, we...
[00:29:07] And that's a result of the FISMA challenge that you had.
[00:29:10] That was the impetus of...
[00:29:12] Gotcha.
[00:29:12] Right.
[00:29:12] And so at the same time, we said, okay, we have to develop minimum security requirements.
[00:29:17] That came out of the legislation as well.
[00:29:18] So how do you do that for 24 major federal agencies with all these micro-agencies?
[00:29:24] So we said, let's take a higher level approach.
[00:29:26] Let's come up with a set of high level requirements.
[00:29:29] There were only 17 in FIPS 200.
[00:29:31] And where did those requirements come from?
[00:29:34] Well, we built the requirements based on the families that came out of the 826 questionnaire.
[00:29:40] Marianne had already defined those buckets, contingency planning, incident response, identification, authentication, access control, system and communications protection.
[00:29:53] So we had the buckets.
[00:29:55] And so we sat down and we developed 17 minimum requirements.
[00:30:00] And they were very high level requirements.
[00:30:02] You can go back and they're still there today.
[00:30:04] They need updating, but they're still there.
[00:30:06] They're very high level.
[00:30:07] So we said, this is what we'd like to see. The vision of the framework was taking shape now.
[00:30:13] High level requirements, FIPS 200, the 199 impact level.
[00:30:18] So you could actually figure out what was most important.
[00:30:20] And then we said, what's missing now is we need to be able to develop a set of security controls that organizations could use.
[00:30:29] Now, the problem is that there were lots of serious threats out there at that time.
[00:30:36] Every organization looks different, different missions, different technologies.
[00:30:40] So we set out to develop a set of controls in the catalog.
[00:30:44] And we said, how is an organization going to meet those 17 requirements?
[00:30:49] Department of Education may be a lot different in meeting those 17 requirements than the Defense Department or the Department of Homeland Security or, you know, Department of Commerce.
[00:30:58] So we said, as we developed all the security controls in 853, we said, let's give organizations an initial basket of controls.
[00:31:09] We'll give them a low basket, a moderate basket and a high basket; these are a starting set of controls.
[00:31:16] And then they can choose to tailor that basket.
[00:31:20] They can add controls or they can take them out.
[00:31:22] So in essence, we gave the organizations flexibility in how they meet those 17 requirements.
[00:31:29] So as you apply the controls that end up going into your security plan, after you do all of your tailoring, you end up with a set of controls for that system that's going to support a particular mission in that federal agency.
[00:31:43] And so that solution is going to look a lot different for every organization.
[00:31:48] So you can meet the 17 requirements in 100 different ways based on how you tailor the controls and how you implement those controls based on your mission, the technology, the kinds of tailoring, the things that you did.
[00:32:02] And so that was the flexibility.
[00:32:04] And of course, the RMF came along one or two steps later to give a process to pull all those things together.
[00:32:10] Can I pause you for just a second?
[00:32:12] I mean, I'm just fascinated with that process that's going on.
[00:32:16] Let's back up just a second because you had those specific controls broken out in those buckets.
[00:32:21] Was that an SP document that you guys had standardized or was that more of an evolutionary as it pulled into 53?
[00:32:30] Well, the baselines, as they're called.
[00:32:33] Those are the starting sets of controls.
[00:32:35] Those came out of our original 853 document.
[00:32:38] That was the security control catalog.
[00:32:41] And in that original document, we identified the three baselines, the low, the moderate and the high baselines.
[00:32:48] And then we provided guidance to our customers.
[00:32:51] If you want to meet the 17 requirements within FIPS 200, the first step that you have to do is categorize your systems.
[00:33:01] In other words, you categorize your information first.
[00:33:04] And then the system took on that categorization.
[00:33:06] And then you could pick one of our three buckets of control.
[00:33:10] So now we're thinking, well, we're telling them what to do.
[00:33:14] But now they need a framework to really lock down the process of how all that works.
[00:33:19] And so now you're seeing the initial kind of vision of what the risk management framework became, that life cycle-like process.
[00:33:28] The pieces are starting to take shape at that point.
[00:33:31] And so we've been doing certification and accreditation for years in the federal government.
[00:33:37] The DOD was doing it under the old DITSCAP and DIACAP.
[00:33:40] And now we're looking at developing a risk management framework, which would lead to an accreditation or an authorization to operate.
[00:33:48] But now we have to, we physically need to develop a framework so our customers could have some kind of a standard approach to how they would categorize,
[00:33:57] how they would select their controls, how they would implement, assess those controls and authorize for operation.
[00:34:04] And that became what you know today as the risk management framework.
[00:34:08] And it seems like that you kind of backed your way.
[00:34:12] That's a terrible way of saying it, I guess.
[00:34:13] But you, through the process of, as you developed it, saw the necessities of the next step as you started to evolve.
[00:34:20] And did you find at any point you're like, ooh, this is going to have some real horsepower.
[00:34:27] I mean, like what we're talking about trying to develop is going to be pretty substantial.
[00:34:33] Did you find yourself kind of wondering, am I going in the right direction to do something like building RMF?
[00:34:40] Or am I overextending myself, you know, getting too far in front of your skis, if you will.
[00:34:46] Well, you know, based on your mandate and the things that you had to do, did you have any concerns about that?
[00:34:53] Yeah, you always do because, you know, vision is one thing.
[00:34:57] Right.
[00:34:57] But without execution, vision is nothing.
[00:35:01] And so you always worry about the execution.
[00:35:04] Now, luckily for us, part of our DNA at NIST is that we have always worked collaboratively with our customers.
[00:35:12] And in that I include our customers, everybody out there, government.
[00:35:17] And that includes state and local governments and tribal governments, industry, the academic community, our international partners.
[00:35:25] Whenever we get comments on our documents, they come in from all over the world.
[00:35:29] Every type of agency, large Fortune 500 company down to small mom and pop businesses, state and local government.
[00:35:37] Everybody feels that through the process we've set up, that they have a voice.
[00:35:41] They have a stake in the outcome.
[00:35:43] And so I like to talk about guardrails.
[00:35:45] We put out a document initially and, you know, we're driving all over the road.
[00:35:50] You know, the guardrails, our customers basically are guardrails.
[00:35:53] They keep us honest in the sense that it's got to be technically correct.
[00:35:59] That's the going-in position for us.
[00:36:01] And then it's got to be implementable.
[00:36:04] Now, sometimes that can be a challenge.
[00:36:05] There are cost issues.
[00:36:06] There are lots of implementation issues that come up.
[00:36:09] And, you know, a lot of those that you're dealing with today with the 171 and the CMMC world.
[00:36:14] But those guardrails allowed us to maneuver down the road.
[00:36:19] And so if you're driving down the road and you may go over to the left a little bit and then you get some comments back, come back to the right a little bit.
[00:36:26] But every document starts out.
[00:36:28] I call it the great convergence triangle.
[00:36:30] It starts out here.
[00:36:32] And in every public draft, after we adjudicate the comments, the path becomes a little bit more narrow as you get toward that convergence point.
[00:36:40] So by the time you get to the final draft and the final publication, it's been through three or four rounds of public comments.
[00:36:47] And while I won't say any document's ever perfect, because there is no perfection in our business.
[00:36:53] You want to have good solutions.
[00:36:55] You want to have cost effective solutions, things that work, but always be willing to learn and change.
[00:37:00] And that's what I call the sweet spot of a publication.
[00:37:04] When you reach the sweet spot, you pull the trigger and you got to go.
[00:37:07] You can't sit around for perfect solutions.
[00:37:10] That's the way industry has to work.
[00:37:11] That's the way, you know, that's the way everybody has to work if you want to function in today's world.
[00:37:16] So that's kind of how all of this came about and how we course correct and we learn.
[00:37:21] And I'll tell you, that's one thing you always have to be able to do is learn from the execution of what you've built.
[00:37:28] And, you know, you never want to stand on ceremony just because you built something.
[00:37:32] That's why I say you have broad shoulders in our business, because sometimes you mess up and you do things that didn't quite work out like you thought they would work out.
[00:37:41] But I just got to say, I just think that's so brave to be able to, like, just create this thing out of thin air and then release it.
[00:37:51] To, I mean, to have that massive impact on the government and start creating those standardizations, because at that point, correct me if I'm wrong, like nothing had really quite like that existed.
[00:38:03] And then it's going to set a path for years for standardization for the government.
[00:38:08] And it's just, am I right about that?
[00:38:11] Yeah, you're definitely right.
[00:38:12] I mean, I tell a quick story.
[00:38:14] There's a lot of anecdotes.
[00:38:15] You know, I've been doing this so long.
[00:38:17] There's so many anecdotes and people I've run across.
[00:38:20] Alan Paller, who just was a major contributor to our business over the years, he ran the SANS Institute.
[00:38:28] And in the early days of 853, he used to always call me.
[00:38:32] He came over to NIST many times and said, you know, I love your security control catalog.
[00:38:37] But it's too darn big.
[00:38:40] There are too many controls.
[00:38:41] Nobody can do all these things.
[00:38:43] Why don't you prioritize them and, you know, tell what are the 20 most important controls?
[00:38:49] Right.
[00:38:50] And I fought him tooth and nail.
[00:38:51] We had public debates.
[00:38:53] We were adversaries, you know, good natured adversaries.
[00:38:58] And it was just an amazing.
[00:39:00] And I held my ground.
[00:39:02] And I said, look, even though you think these 20 controls are most important, they're all important.
[00:39:06] Because, you know, if any one of them fails, you can go down the tubes.
[00:39:10] Turns out years later, he was actually right and I was wrong.
[00:39:13] And so he ended up going and developing the 20 critical controls, which were largely based on a lot of the NIST controls.
[00:39:19] But he focused on the top 20.
[00:39:22] And then Tony Sager, another great cybersecurity professional, massive contributor, took that project forward over the years.
[00:39:31] Well, years later, and this is kind of, it's a great story.
[00:39:36] Alan passed away a few years ago.
[00:39:39] It was tragic, you know, way before his time.
[00:39:42] I've been doing my cancer treatments up at Johns Hopkins.
[00:39:46] And one of my doctors up there just happened to talk about Channing Paller, who is a prostate cancer top notch researcher at Johns Hopkins.
[00:39:58] And it turns out that that was Alan's daughter being a leading cancer researcher.
[00:40:04] So I sent him an email one day and said, you know, I ran across your daughter at Johns Hopkins.
[00:40:10] I said, you must be very proud of her because she's one of the leading prostate cancer researchers.
[00:40:15] And he sent back a very nice note and said, I hope you weren't up there for the wrong reasons.
[00:40:19] And then I shared with him that I was going through my second bout with prostate cancer.
[00:40:24] And, you know, it was at that point in time, you know, that friendship kind of blossomed from that point because we had such mutual respect for each other's work over the years.
[00:40:36] And it kind of all came together.
[00:40:38] And I was just, it was such a tragic loss for our community.
[00:40:43] But that goes to show you, you know, sometimes you're right.
[00:40:46] Sometimes you're not right.
[00:40:46] But that goes for everybody in this business.
[00:40:49] There's no one that's going to hit it out of the park every time. The best baseball players in the business, you know, barely bat .300, you know.
[00:40:59] So, and you touched on this, the health scare that you had multiple times through your journey.
[00:41:06] And around 2003, FISMA is coming out.
[00:41:11] You now are diagnosed with prostate cancer.
[00:41:17] And so you have this huge responsibility.
[00:41:20] At the same time, you have this very serious life scare.
[00:41:25] Can you maybe walk us through a little bit through that battle and challenge that you had?
[00:41:30] Because I know that that had to be extremely difficult.
[00:41:32] Well, it's something obviously nobody wants to go through, but it's a very common thing today.
[00:41:37] And that's just cancer.
[00:41:38] There's a lot of, you know, life threatening conditions.
[00:41:40] And it does.
[00:41:41] It really does change your life because, you know, after you go through that and sometimes it's a short battle, sometimes it's a long battle.
[00:41:48] And, you know, unfortunately, sometimes things don't end up the way you'd like them to end up.
[00:41:52] But it does change your life.
[00:41:53] It changes your perspective.
[00:41:54] You focus on things, and things you thought were important maybe aren't so important.
[00:42:00] But you also have to keep your focus.
[00:42:01] And this is one of the things that I take my hat off to everybody in our business, these cybersecurity professionals who literally get up every day and have to do the heavy lifting.
[00:42:13] It's incredibly difficult work.
[00:42:15] If you're a CISO, no matter where you work in this business, it's hard.
[00:42:18] And these folks are going through everybody.
[00:42:20] We're all going through our own family stuff.
[00:42:23] At the same time, we're asked to get up and go to work every day and, you know, do our jobs.
[00:42:28] And so you have to kind of keep your focus.
[00:42:30] And there's times when you think about it and then there's times where you have to put it out of your mind.
[00:42:35] And so that's just the way, you know, it's not just me.
[00:42:38] Everybody, you know, deals with their own family situations, you know, in different ways.
[00:42:43] And they're all OK.
[00:42:45] But that was really the way I dealt with it.
[00:42:47] You kind of had to get your focus, get back to what you're doing.
[00:42:51] And then, you know, there'll be time after work to kind of look at what the next steps are.
[00:42:55] And then you just go through it.
[00:42:57] You know, it's one foot at a time, one step at a time.
[00:43:00] And that's really, it's like having a big complicated problem.
[00:43:03] You know, don't look at the big complicated problem.
[00:43:05] Try to break it down into meaningful pieces.
[00:43:07] And some days it's just, hey, I got to get through today.
[00:43:09] If I get through today, there'll be a tomorrow.
[00:43:11] And I get through tomorrow and you keep on pushing forward.
[00:43:14] Did you find yourself during that time frame sort of doubting whether or not you'd be able to get through the life scare challenge at the same time taking on that massive role?
[00:43:26] I mean, because they called you out and said, hey, you know, we're going to hand you this massive deal.
[00:43:32] I mean, I don't think anybody at that time sort of knew what FISMA was going to really evolve into and what necessarily the huge impact it was going to have.
[00:43:39] Or perhaps they did.
[00:43:41] Well, I don't think we knew.
[00:43:43] We didn't know at that point, you know, how massive this project would become.
[00:43:48] But the one thing I will say about people who go through these kind of, you know, life changing episodes is that the one thing I learned is that even though it impacts you directly, the bigger impact is on your family members.
[00:44:00] They start to worry about you much more than you're worrying about yourself.
[00:44:06] And I didn't realize that till later.
[00:44:08] I mean, obviously, you know, your family members worry about you, but that becomes another burden because you don't want them to worry about you because, you know, you're worrying about yourself.
[00:44:15] So, yeah, it's, you know, you have all these things to worry about and think about.
[00:44:21] But yet you've got to get up and go to work and do the next thing, you know.
[00:44:26] So, yeah, it's just, and I think the big thing, when I say it's a life changing experience, is you get a lot of gratitude.
[00:44:34] I mean, you start to appreciate little things in life.
[00:44:36] And I think it makes people nicer people.
[00:44:40] It makes you more thoughtful.
[00:44:41] It makes you more caring.
[00:44:43] I mean, hopefully people are that way to begin with.
[00:44:45] But you certainly start to focus on those things more than before because, you know, every day is a gift that you're given no matter what your job is.
[00:44:56] And, you know, I always tell the story about President Kennedy when he visited NASA, and this was back during the heat of the space race, the space program.
[00:45:07] And he was walking down the hall at NASA and he ran across the custodian pushing a broom.
[00:45:12] And he said, what is your job here at NASA?
[00:45:16] And the gentleman looked up at him and said, Mr. President, I am helping put a man on the moon.
[00:45:22] And I said, wow, that is just that.
[00:45:25] And that resonated with me because in the Army, the Army runs as a team.
[00:45:30] And whether it's a lieutenant or a captain or battalion commander or all the troops, you're all working as a team.
[00:45:35] And everybody on that team is important.
[00:45:39] And, you know, that carries forward even to the world at NIST.
[00:45:43] We have a great team in this.
[00:45:44] But it's not just the people who write the publications.
[00:45:48] There's a whole team behind the scenes who are doing the tech editing.
[00:45:52] They're doing the web preparation work.
[00:45:54] They're getting all the CPRT website, the online access.
[00:45:58] That team is working really hard to produce the quality content to the customers.
[00:46:04] How does that content get displayed?
[00:46:06] So all of those things are, you know, kind of etched on my brain, if you will.
[00:46:13] And so that teamwork has always been part of, you know, my world.
[00:46:16] And it just emphasizes how important everybody's contribution is.
[00:46:19] No matter what you do, do the best you can and make that contribution to the team.
[00:46:24] And I'm a big fan of NASCAR, too.
[00:46:26] And that's another example of how, on the NASCAR teams, everybody in that team has a critical role.
[00:46:31] And if one person doesn't step up, that can cause the team to literally go down in flames.
[00:46:36] I was listening.
[00:46:37] I'm so glad you brought that up.
[00:46:39] I hadn't planned on it, but I'm glad you did.
[00:46:42] I was watching an interview where you talked about someone that was looking for career advice and they really appreciated it.
[00:46:48] And they tapped into your love for NASCAR and had sent you a gift at one time.
[00:46:54] You had to return it, which is so sad.
[00:46:57] But could you maybe share about that?
[00:46:58] Because I thought it was such a great story.
[00:47:00] I did a lot of public speaking back in those days.
[00:47:03] I would be on the road three or four weeks out of the month sometimes.
[00:47:07] And I would speak at conferences and I was coming out of a conference after I gave one of my presentations.
[00:47:11] And some young fellow came up and said, hey, would you mind spending a couple minutes?
[00:47:16] I'm working on my Ph.D.
[00:47:18] I just started out and I'm struggling with a topic.
[00:47:21] I'd like to do it in computer security or cybersecurity.
[00:47:24] So we sat down and we just talked, you know, we talked about a lot of different things.
[00:47:28] I asked him what his interests were and, you know, and then we talked a lot about cybersecurity.
[00:47:33] And then we exchanged cards and he went away.
[00:47:36] And then I get a phone call about a couple months later.
[00:47:39] He said, I think I have a topic.
[00:47:42] Could I run a few ideas by you?
[00:47:43] And I said, sure.
[00:47:44] So, you know, this is, again, part of the mentoring process. It doesn't need to be formal.
[00:47:49] My philosophy is when anybody has a question and comes to you for advice,
[00:47:53] take the time.
[00:47:54] They wouldn't come to you unless they wanted to hear what you have to say.
[00:47:57] So I gave him, you know, a few tips here and there.
[00:47:59] And he went away for, gosh, it seemed like a year, year and a half.
[00:48:04] And then I got a phone call one day.
[00:48:06] He said, well, I finished my dissertation.
[00:48:09] I'm getting ready to defend it.
[00:48:11] Any advice on how to defend a dissertation?
[00:48:14] And so we talked a little bit more.
[00:48:16] And so there were a series of these phone calls over a couple of years.
[00:48:19] And then he called me up ecstatic after it was all done.
[00:48:22] And he said, gosh, I've just got my PhD.
[00:48:25] He was so proud.
[00:48:26] A lot of hard work.
[00:48:27] Anybody who's gone through that knows it's a lot of work.
[00:48:31] You know, 24 hours a day, seven days a week sometimes.
[00:48:34] And I congratulated him.
[00:48:36] And, you know, we exchanged pleasantries and then hung up.
[00:48:38] And that was it.
[00:48:39] Well, it was about a week later.
[00:48:43] And I hear a knock at the front door.
[00:48:44] And I walk out there.
[00:48:45] And I think it was, I'm not sure if it was Amazon back then or FedEx.
[00:48:49] But there was a big package on my front doorstep.
[00:48:52] And everybody knows I'm a huge NASA and NASCAR fan.
[00:48:56] I love both of those organizations.
[00:48:58] Well, I brought it inside.
[00:48:59] I opened it up.
[00:49:00] It was a huge race car set.
[00:49:03] And so I'm a federal employee.
[00:49:06] We have very strict laws and ethics that we have to follow.
[00:49:10] And we take them very seriously.
[00:49:12] You can't, you know, you can't accept lunches or, you know, things like that.
[00:49:15] There's a lot of rules we have to abide by.
[00:49:18] So I knew right off the bat this was a gift that was more than 20 bucks.
[00:49:22] So I called him up and I thanked him for his thought.
[00:49:27] And I said, you know, that was such a touching thing to receive that.
[00:49:29] And I understand the thought that I can't accept it.
[00:49:32] And I had to send it back.
[00:49:33] So, you know, as hard as that was to do that, because I know the spirit in which it was given.
[00:49:40] But it also sent a message to him that, you know, we have really good people in government.
[00:49:46] We like to play by the rules, and ethics and laws mean things to us as federal employees.
[00:49:52] So, yeah, that was a story that I'll never forget.
[00:49:55] And, you know, it was just one of those things that really the bigger message for me is,
[00:50:01] that you never know when you talk to a young person or even a not so young person that you're planting a seed that's going to grow into a huge tree at some point.
[00:50:10] You just never know when that's going to happen.
[00:50:12] And so that's another thing why I'm so passionate about mentoring.
[00:50:16] In fact, I'm mentoring a young gentleman right now, high school student back in Columbia, Maryland.
[00:50:22] So, yeah, it continues.
[00:50:24] Well, I mean, just look at our organization and where we're at.
[00:50:28] Like we wouldn't be where we are today without, you know, your service as well as so many other people in NIST and how they built the standards that we're operating off of.
[00:50:37] I mean, it's just that giving nature has been so impactful in so many people's lives.
[00:50:44] I mean, just your story is an example of a one on one engagement.
[00:50:48] But I couldn't even begin to calculate, sir, your effect that you've had positively on so many lives and organizations and helping secure them.
[00:51:00] And just hats off.
[00:51:03] That's really cool.
[00:51:04] I think it's amazing.
[00:51:06] I appreciate that.
[00:51:07] It's, you know, it's been a humbling experience for me because just being able to give back, you know, people say, why do you keep doing this for so long?
[00:51:18] And I always come back with one word.
[00:51:19] It's called freedom.
[00:51:21] And I said every morning when I get up and go out my front door and I've used this line before, but it's very true.
[00:51:26] I take a big, deep breath of freedom.
[00:51:28] And it's like, man, we take that for granted.
[00:51:32] Literally, we just we don't think about it.
[00:51:34] And so anything I can do to give back to the country that's done so much for me over, you know, my 73 years, it's hard to believe, is something that I want to do.
[00:51:46] How long will I do it?
[00:51:47] I'll do it as long as I can continue to contribute.
[00:51:49] And I don't know if that'll be another year or, however long the good Lord, you know, lets me do it.
[00:51:55] I hope many, many, many more, sir.
[00:51:59] Have you this month or, you know, this year had those types of conversations that you're like, I'm definitely putting a pin in that, you know, I want to circle back around or maybe talk with Vicky or someone else in the organization to pass the baton in that conversation.
[00:52:15] Has that happened this year with you that you feel comfortable sharing?
[00:52:19] Well, it always happens.
[00:52:20] That kind of ties into, you know, some of the things that Vicky's doing as far as the, you'll notice now that our content over the past 20 years has been delivered in PDFs on the website.
[00:52:32] As things get bigger and more complicated, I mean, that's a problem sometimes because you want to have documents that people can internalize.
[00:52:40] They can get their arms around.
[00:52:41] So one of the visions that Vicky had, and this started a little bit before she took over and she's, you know, really gone on steroids now, is to develop what we call the CPRT website.
[00:52:52] That's the online version.
[00:52:54] I love that.
[00:52:54] That is so cool.
[00:52:56] I love that.
[00:52:56] You're seeing all the documents now transition.
[00:52:58] So you can hit that website and go to any control, any assessment procedure, any requirement in 171 and then basically 172.
[00:53:05] And it's online.
[00:53:07] It's there.
[00:53:07] Now, this is good just from a content delivery perspective.
[00:53:11] But the other thing, the other side of that coin is how does the standards organization maintain its relevance in the modern era when standards traditionally are very slow and cumbersome processes?
[00:53:26] If you're working on an international standard, you've got X number of countries and committees and there's time, and it takes a long time.
[00:53:33] But how do you react to an ongoing cyber attack where there's a new threat that pops up?
[00:53:39] This happened to us just, I think it was during this last year.
[00:53:44] And there was a problem.
[00:53:47] We developed what we call a beta control.
[00:53:50] Vicky put this new control.
[00:53:51] It was in the IA family.
[00:53:53] I think it was IA-13, if I recall.
[00:53:55] We put a new control, draft control on the website.
[00:54:00] And we let people look at it almost in real time or near real time.
[00:54:03] And you get comments back on that.
[00:54:05] And then when the comments are closed out, it allowed us to go back and lock that control down and do kind of an interim update to 853.
[00:54:13] So instead of waiting five years between
[00:54:16] Rev. 5 and Rev. 6, you now have the ability to react to ongoing threats or different things that are coming about.
[00:54:24] This is what I would consider a dramatic change in the content delivery mechanisms that NIST is going through.
[00:54:33] And also the reaction time in bringing, I'll call them quasi-standards and guidance, because it allows you to be flexible and dynamic in bringing content to your customers in a way that can react in almost near real time to those problems.
[00:54:50] So, you know, is that the ideal way to develop a standard where you get everybody, you know, across the globe to comment on it?
[00:54:56] No, but it also gives you enough time to do a meaningful comment period analysis and reflection and getting, I call it the greatest thing that NIST has is the sunshine that shines from a globe of people that can look at our stuff on the website and provide their perspective.
[00:55:16] This gets back to your original comment and question about sometimes you get that one comment that is so profound and so impactful that it goes right into the document as part of that initial draft.
[00:55:29] It's happened, you know, many times over my career.
[00:55:33] And, you know, when that person ends up seeing that in the document, I can just imagine how it is on the other end and say, hey, I just thought that thing went into the black hole, you know, never came out.
[00:55:43] No, it actually went into the black hole and came out in this publication.
[00:55:47] And then also your new venture.
[00:55:48] Is there any of those details you would like to cover?
[00:55:51] I'll be turning my full attention to the world of systems security engineering and working with our NASA partners on the Sunrise Satellite Project, which is, that project is so unbelievable.
[00:56:06] And we could, I could spend literally a whole day on that describing that.
[00:56:10] But basically, we're taking the engineering guidance in 160, volume one and two.
[00:56:18] And we're working with the NASA and JPL, Jet Propulsion Laboratory, engineers who built the Sunrise Satellite System.
[00:56:25] It's now waiting for its launch to go into space.
[00:56:29] And we're working with the same engineers going back through a simulation and rebuilding that system using the security design principles in 800-160.
[00:56:38] And we're asking, they're asking some key questions.
[00:56:42] Did it result in a different set of software and hardware modules that would make it more secure?
[00:56:48] How much did it cost to do that?
[00:56:50] How much did it impact the schedule?
[00:56:52] So we're going to learn in that virtualized world of simulation, how that system could have been changed.
[00:56:59] And then there are other partners out there in the DoD and Department of Energy.
[00:57:03] Every federal agency who builds a system.
[00:57:06] We even have a lot of private sector organizations looking over our shoulder.
[00:57:10] How can we learn?
[00:57:12] How can we participate in this?
[00:57:13] Because every engineering group has the same problem.
[00:57:16] We're living in a brave new world of the convergence of cyber and physical systems.
[00:57:22] We're pushing computers into everything that matters from pacemakers to power plants to automobiles controlling your critical braking system.
[00:57:32] And each one of those has to be engineered.
[00:57:34] And so the engineering process is going to help us reduce and manage complexity.
[00:57:41] It's going to allow us to generate a level of assurance, to have greater trustworthiness in the things that we're pushing into critical systems, going into critical infrastructure.
[00:57:52] And that's the future of cybersecurity and computer security.
[00:57:57] It's going to be an exciting time.
[00:57:59] And anybody that's starting out and wants to build a career, man, I'm telling you, I wish I could roll the clock back 50 years because I would be so much with both feet into that world.
[00:58:08] And I hope people, you know, choose that career because it's a wonderful career.
[00:58:13] And what you do in the world of cybersecurity, there's a place for everybody.
[00:58:18] Everybody's got the ability to contribute in some way, whether you're an engineer, building policies, producing firewalls, formal methods.
[00:58:27] There are software engineers, security engineers.
[00:58:30] There's a place for everybody.
[00:58:32] There's no shortage of we need everybody's hands on deck to solve these difficult and challenging problems.
[00:58:39] Dr. Ross, is there anything that like if someone needs to connect with you on LinkedIn or things like that, is that a good way for them to ask as well as the 172?
[00:58:50] Yeah, anytime you can come directly to the NIST.
[00:58:52] My email at NIST is a good way.
[00:58:54] My cell phone is always on and LinkedIn is a great way to make those connections.
[00:58:59] So anyway, they feel comfortable and hopefully we'll answer questions and, you know, take them to the next step.
[00:59:06] Right.
[00:59:06] Well, thank you guys all for listening, all the people who are listening either on a podcast or on YouTube watching this.
[00:59:13] We appreciate you tuning in and obviously we appreciate Dr. Ron Ross stepping into this space and sharing his journey as well as where he is now and where he's going to be in the future.
[00:59:25] We're thrilled to continue to follow him and his journey as well.
[00:59:29] And we hope you guys enjoy just even just a little bit of a hint of what he's been able to do and what he's going to be doing.
[00:59:37] So thank you again for watching.
[00:59:39] Make sure to follow us so you can stay up to date on all the latest news and tune in next Thursday for our next podcast episode.
[00:59:46] But until then, guys, keep on climbing.
[00:59:49] See ya.
[00:59:51] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:59:57] We hope you guys enjoyed today's episode and listen out for the next one.
[01:00:01] But until then, keep on climbing.