Stephen most recently served as the technical expert and community leader for NIST’s Open Security Controls Assessment Language (OSCAL) Project, which streamlines and automates security checklists and profiles in the cloud and is being adopted in the Federal Information Security Management Act (FISMA) ecosystem. In addition to managing community meetings and leading technical discussions, Stephen authored the Profile Resolution Specification, a highly technical standard that is core to the OSCAL Project.
Stephen previously led NIST’s Security Content Automation Protocol Version 2 (SCAPv2) project. SCAPv2 was a community-driven effort to enhance and upgrade the standardized components of SCAP, a long-standing NIST project that enables automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization. After becoming project lead, Stephen guided the community to produce an update for the Extensible Configuration Checklist Description Format (XCCDF), as well as a new security automation architecture and proof of concept that was utilized by the Open Cybersecurity Alliance (OCA). Under his leadership, the team also produced white papers and presentations, as well as a wide-reaching use-case survey that continues to inform work in the space.
Stephen’s responsibilities at NIST included extensive outreach and engagement activities. He attended global conferences as a representative of NIST and was invited to conduct training and presentations on a variety of topics, including software identification (SWID), SCAP, and the Internet Engineering Task Force (IETF). He also represented NIST before international standards bodies, which produce some of the most important and widely adopted computer security standards in the world.