NIST's Ron Ross pivots to DevSecOps

NOTE: This article first appeared on

Cybersecurity's move "below the waterline" of system access to the internal workings of devices is forcing a new way to look at how agencies develop more agile capabilities, said Ron Ross of the National Institute of Standards and Technology.

"We have to change the fidelity of the process" of developing devices from the very start, Ross said at an Advanced Technology Academic Research Center conference on March 10.

Ross said he thinks the shift is so important that in January, he moved from the position he's held for 17 years at NIST's Federal Information Security Modernization Act implementation project to leading NIST's effort to develop a DevSecOps framework at the organization similar to its Cybersecurity Framework.

His move came as agencies from the Departments of Veterans Affairs to Homeland Security are working DevOps techniques into their capabilities and services.

"I've been doing the FISMA stuff for 17 years now. Right now I'm transitioning to the systems security engineering side of the house," he said. That area, he said, deals with broader issues within systems' development, which has the potential to inject security into emerging devices and systems earlier in the process.

DevSecOps crosses the entire software development lifecycle, Ross said. Injecting agile capabilities into software development at federal agencies is also key to keeping up with commercial technology innovation.

"You want systems to operate like the human body," he said, developing defenses based on nimble, virtual defenses as well as built-in security capabilities.

Agencies are adapting to agile DevOps and DevSecOps for security capabilities at different speeds, according to federal agency DevOps managers at the summit.

Chakris Raungtriphop is in the process of replacing traditional waterfall development with DevOps techniques at DHS. The agency is hoping to start DevOps pilots with some of its programs in the coming months.

"The remainder of this year, we'll identify programs for transformational process." Ideally, those pilots will cover different programs of varying sizes at the agency, Raungtriphop said.

Component agency programs, such as the U.S. Citizenship and Immigration Services' systems transformation effort and the effort to modernize the Federal Emergency Management Agency's grants programs, will inform the pilot programs, he said.

The pilots will use standard DevOps tool sets to allow the agency to learn how those tools will work and can be adapted across the agency's components. The pilots, he said, will play out over the next year.

VA has been transforming various services, leveraging agile techniques to bring benefits services to heel. It has used agile development for those services, said Patty Craighill, director of DevOps at the agency. VA employees, she said, have had to adapt to a DevOps mindset that includes a more tolerant attitude towards risk in exchange for faster products and services, as well as an intricate understanding of its customers.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
