
20 Years of Supporting NIST

This month is my 20-year anniversary of supporting NIST. I still can’t believe it. It’s been an incredible honor to work with some of the greatest minds--and people--in the world. NIST's cybersecurity research and publications have been game-changing for the past 50 years and I'm lucky to have played a small role in that. (I'm even more fortunate that NIST generously credits the people who write and edit NIST's work, otherwise no one would ever have heard of me!)

My first major project for NIST was writing SP 800-61, Computer Security Incident Handling Guide, at a time when most organizations didn't have any incident response capability. Soon I was co-authoring NIST pubs on log management, Windows XP, IPsec, malware prevention and handling, intrusion detection, and wireless network security. My next area of focus was researching vulnerability metrics, including co-authoring CVSS v2, helping establish SCAP, training and overseeing the original analysts for the National Vulnerability Database (NVD), and helping create new specs for software configuration vulnerability metrics and software feature misuse metrics.

I left the federal government in 2010 so I could work from home full-time and take on additional writing projects. I've continued supporting NIST on projects like the Cybersecurity Framework and the Secure Software Development Framework (SSDF) while also writing for security vendors, media outlets, and Fortune 500 companies. Having such a diverse range of clients has made me a better writer because I can readily think about a topic from several points of view.

At this point my life is a constant blur of publications (and Lego sets), and that's perfect. I wonder what will be in my inbox tomorrow...