FFIEC BankInfoSecurity.com

NIST's Ron Ross will be quite busy at RSA Conference 2012, not only promoting revised guidance on security and privacy controls to be unveiled at the securing conclave, but also participating in a panel on one of his favorite topics: continuous monitoring.

Ross, in an interview with Information Security Media Group, says National Institute of Standards and Technology will use the assemblage of information security experts in San Francisco later this month to release one of NIST's most important pieces of guidance: Special Publication 800-53 Rev. 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations.

"The update is very important because we've gone through the entire catalogue (of controls) and we looked at all of the gap areas where we didn't think we were getting sufficient coverage," says Ross, the senior computer scientist who leads the NIST team that is revising SP 800-32.

New to the revised guidance are controls on advanced persistent threat, cloud and mobile computing, insider threat and privacy, which was barely addressed in the previous version of the publication [see NIST Guidance: More Emphasis on Privacy].

In the interview, Ross:

• Previews what he'll say at the RSA panel entitled Continuous Monitoring for Federal Agencies: Challenges and Opportunities, which is relevant for those working in the private sector and other levels of government, too.
• Explains how continuous monitoring jibes with the Federal Risk and Authorization Management Program known as FedRAMP, which vets cloud computing service providers [see Feds Explain How FedRAMP Will Work.].
• Defines continuous monitoring.

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master and Ph.D. in computer science from the United States Naval Postgraduate School.