Software Development

NIST's Ron Ross pivots to DevSecOps


Cybersecurity's move "below the waterline" of system access to the internal workings of devices is forcing a new way to look at how agencies develop more agile capabilities, said Ron Ross of the National Institute of Standards and Technology.

"We have to change the fidelity of the process" of developing devices from the very start, Ross said at an Advanced Technology Academic Research Center conference on March 10.

Ross said he thinks the shift is so important that in January, he moved from the position he's held for 17 years at NIST's Federal Information Security Modernization Act implementation project to leading NIST's effort to develop a DevSecOps framework at the organization similar to its Cybersecurity Framework.

His move came as agencies from the Departments of Veterans Affairs to Homeland Security are working DevOps techniques into their capabilities and services.

"I've been doing the FISMA stuff for 17 years now. Right now I'm transitioning to the systems security engineering side of the house," he said. That area, he said, deals with broader issues within systems' development, which has the potential to inject security into emerging devices and systems earlier in the process.

DevSecOps crosses the entire software development lifecycle, Ross said. Injecting agile capabilities into software development at federal agencies is also key to keeping up with commercial technology innovation.

"You want systems to operate like the human body," he said, developing defenses based on nimble, virtual defenses as well as built-in security capabilities.

Agencies are adapting to agile DevOps and DevSecOps for security capabilities at different speeds, according to federal agency DevOps managers at the summit.

Chakris Raungtriphop is in the process of replacing traditional waterfall development with DevOps techniques at DHS. The agency is hoping to start DevOps pilots with some of its programs in the coming months.

"The remainder of this year, we'll identify programs for transformational process." Ideally, those pilots will cover different programs of varying sizes at the agency, Raungtriphop said.

Component agency programs, such as the U.S. Citizenship and Immigration Services systems transformation effort and the effort to modernize the Federal Emergency Management Agency's grants programs, will inform the pilot programs, he said.

The pilots will use standard DevOps tool sets to allow the agency to learn how those tools will work and can be adapted across the agency's components. The pilots, he said, will play out over the next year.

VA has been transforming various services, leveraging agile techniques to bring benefits services to heel. It has used agile development for those services, said Patty Craighill, director of DevOps at the agency. VA employees, she said, have had to adapt to a DevOps mindset that includes a more tolerant attitude towards risk in exchange for faster products and services, as well as an intricate understanding of its customers.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

