The Department of Homeland Security is developing a new security evaluation methodology for fifth-generation wireless technologies, partnering with the Defense Department and the National Institute of Standards and Technology on a process officials say can readily apply to a broad range of federal use cases.
The Cybersecurity and Infrastructure Security Agency along with DoD’s 5G Initiative program are spearheading the effort. CISA is charged with leading 5G risk management efforts for the federal government. Meanwhile, DoD has been deploying 5G networks and testing various use cases at military bases across the country.
“This partnership really looks to address that demand, the need to assess 5G technologies and incorporate it into our operational environment,” Vincent Sritapan, section chief of CISA’s Cybersecurity Quality Services Management Office, said during a conference hosted by Palo Alto Networks last week.
The project has yielded a five-step process agencies and other organizations can use to determine their security requirements for a given project:
Step Four: Map Security Requirements to Federal Policies in Assessment and Authorization
Step Five: Assess Assessment and Authorization Policy Gaps and Alternatives
Sritapan conceded it won’t be simple to put a boundary around use cases given the complexities of 5G technologies and their interdependencies.
“Who owns what? Is it on the base? Do we own it? Is it the federal government, state, local, tribal, territorial government?” he said. “Or is this something where the carrier owns this? So you have to be cognizant of the actual deployment environment, and that really matters. CONUS or OCONUS? All those are really good aspects to consider.”
Agencies can base their security requirements on existing processes like NIST’s Risk Management Framework or MITRE’s ATT&CK framework, Sritapan said. Similarly, agencies can also map those requirements to existing federal policies ranging from DoD’s Cybersecurity Maturity Model Certification to FedRAMP.
Sritapan said the methodology also incorporates the telecommunications standards, like those developed by the 3rd Generation Partnership Project (3GPP).
“We are looking to develop a repeatable process here,” he said. “How do I incorporate this into the security of all the other things I have to operate for my environment?”
Daniel Massey, program lead for the “Operate Through” effort under DoD’s “5G to NextG Initiative,” says the methodology can be used across multiple use cases and agencies.
“We don’t say, ‘The use case is I require absolute confidentiality for HIPAA rules in the hospital or key communications in the military setting, or I require critical resilience or critical availability,’ or whatever the challenge might be,” Massey said. “We start with the use case.”
He said the process will allow security tradeoffs once the use case and assessment boundary are defined.
“Confidentiality may be a critical requirement, or it may be less important than availability and resilience,” Massey said. “Integrity may be important, but not as important as, say, confidentiality. So we identify the requirements, map them to the policies, identify the gaps. If we can follow that process, we can more quickly roll out 5G solutions into a variety of problems.”
The Federal Mobility Group, which includes CISA and DoD, has also released a framework to support 5G testing across the government. The framework includes a section on different types of security testing agencies can use for 5G testbeds, as well as security measures they can collect.
“As everybody in the security field knows, we can throw around, ‘I want a secure laptop, I want a secure system, I want a secure, whatever it is,’ and all that sounds great,” Massey said. “Nobody opposes that until we start talking about what do we mean by secure? We have to turn that into requirements. And that’s where the evaluation process that DHS has started, and DOD and NIST are excited to be part of, really helped kind of move that forward and hopefully help clarify the thinking in that direction.”