Industry needs to be able to tell government how software was developed and how security measures were integrated into it, a top official at the National Institute of Standards and Technology said March 10.
“Give us some evidence that those security features are actually in place and doing what they’re supposed to do,” said Ron Ross, a fellow at NIST who leads a new DevSecOps project.
Ross, speaking at an Advanced Technology Academic Research Center event on DevOps, said that the future of U.S. national and economic security hinges on industry and government getting the transition to DevOps and DevSecOps, two different software development approaches where collaboration and security considered from the beginning, because they are critical to national and economic security.
“All the work that’s going on now, whether it’s experimental or whether it’s becoming more mature, we need to be able to normalize this type of process so it becomes [something] people would just do routinely — it becomes institutionalized and operationalized across the entire federal government,” Ross said.
Industry, Ross said, is a critical partner in that process. The key is ensuring that customers no longer have to worry about the effectiveness and origin of security controls.
“If we can make this a win-win for industry, where they’re producing stuff at their pace at the speed of commercial industry and we can get the security capabilities built in, as part of that agile process, now it’s a win for them and it’s a win for [government],” Ross said.
Ross said while agencies sought to implement DevSecOps, they need to take a “holistic view.” That approach includes hardening the target, which could stop most cyberattacks, but also includes damage limitation and cyber resiliency. Damage limitation includes using virtualization of computers or zero-trust approach to protect networks. Creating cyber resiliency includes implementing policies inside the organization that are external to a system.
“If we can do that and do it well, everybody’s going to be better off,” Ross said. “We’re going to have a safer, more secure country. We’re going to have a leading technology force in the world. It’s in our DNA to do this, we’ve done this in the past and we can do it again.”
Ross recently led NIST’s information security project, but left that role in January.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.