The cybersecurity world can be divided into two halves--one above the waterline and one below it, says NIST’s Ron Ross. Whereas certification & accreditations (C&As) and assessment & authorizations (A&As) have focused on the former, more needs to be done below the surface to better safeguard hardware, software, and firmware. In this special episode, Ross explains the role of security systems engineering in that effort while taking host Pam Kubiatowski and CISO - Americas Brad Moldenhauer on an insider journey across the origins of standards, including SP 800-37, SP 800-53, FIPS 200, and FedRAMP.