Page 28 - GCN, Feb/Mar 2018
ADAPTIVE RESPONSE

A Conversation with
Fellow, National Institute of Standards and Technology

The NIST computer scientist discusses upcoming guidelines for strengthening the resiliency and privacy protections of agencies’ IT systems.

“How do we have systems that can continue to support critical missions and business operations after they’ve been attacked?”

What new NIST guidelines can help agencies develop a more adaptive approach to cyberthreats?

We’ve been working on a new publication, and we’ve moved up the release date by about a month because of the urgency of it. It’s NIST Special Publication 800-160, Volume 2, and it’s titled “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems.” We plan to release the initial public draft on March 21.

The publication looks at the fact that we’re deploying computers into lots of critical places and talks about how we can deal with advanced persistent threat — those high-level adversaries with lots of resources, lots of capabilities, lots of skills who are constantly attacking our critical systems.

How do we have systems that are cyber resilient, which means they can operate after they’ve been attacked and have the resilience to continue to support critical missions and business operations? That’s probably one of the most important questions that we’re going to deal with in the next couple of years.

When we try to protect systems today, there are three major objectives we try to achieve. We harden the target. That would be doing some basic things like two-factor authentication, encryption, access control mechanisms. Most of these things are reflected in the NIST security controls.

We know that even if an agency is doing everything right, sometimes adversaries still get in. So the second thing we focus on is trying to limit the damage they can do once they’re in. One way to do that is by not allowing them to move laterally or making it very difficult for them to move. The other way is to limit their time on target through virtual machine technology, where you’re refreshing the software on a regular basis.

The third thing is you try to make the system what we call survivable or resilient, which means it can operate even while under attack. It may be a little bit degraded at some point, but it’s not catastrophic.

What else is NIST working on?

We want to make sure that we protect all the data that the citizens expect us to protect, so we’re integrating privacy into our guidance. We’re modernizing five publications that have been around since the original Federal Information Security Management Act — including 800-53, the security and privacy controls catalog, and 800-37, the Risk Management Framework. That framework traditionally focused only on security risk management. The new 800-37 Revision 2 is going to focus on managing risks for security and privacy.

Over the next year, you’ll see a full integration of privacy into all our FISMA pubs. It’s going to stand side-by-side with security as an equal partner, every bit as important as security.

This interview continues at