DHS partners with DoD to draft 5G security evaluation methodology

The Department of Homeland Security is developing a new security evaluation methodology for fifth-generation wireless technologies, partnering with the Defense Department and the National Institute of Standards and Technology on a process officials say can readily apply to a broad range of federal use cases.

The Cybersecurity and Infrastructure Security Agency, along with DoD’s 5G Initiative program, is spearheading the effort. CISA is charged with leading 5G risk management efforts for the federal government. Meanwhile, DoD has been deploying 5G networks and testing various use cases at military bases across the country.

“This partnership really looks to address that demand, the need to assess 5G technologies and incorporate it into our operational environment,” Vincent Sritapan, section chief of CISA’s Cybersecurity Quality Services Management Office, said during a conference hosted by Palo Alto Networks last week.

The project has yielded a five-step process agencies and other organizations can use to determine their security requirements for a given project:

  • Step One: Define the Federal 5G Use Case
  • Step Two: Identify the Assessment Boundary
  • Step Three: Identify Security Requirements
  • Step Four: Map Security Requirements to Federal Policies in Assessment and Authorization
  • Step Five: Assess Assessment and Authorization Policy Gaps and Alternatives

Sritapan conceded it won’t be simple to put a boundary around use cases given the complexities of 5G technologies and their interdependencies.

“Who owns what? Is it on the base? Do we own it? Is it the federal government, state, local, tribal, territorial government?” he said. “Or is this something where the carrier owns this? So you have to be cognizant of the actual deployment environment, and that really matters. CONUS or OCONUS? All those are really good aspects to consider.”

Agencies can base their security requirements on existing processes like NIST’s Risk Management Framework or MITRE’s ATT&CK framework, Sritapan said. Similarly, agencies can map those requirements to existing federal policies ranging from DoD’s Cybersecurity Maturity Model Certification to FedRAMP.

Sritapan said the methodology also incorporates telecommunications standards, like those developed by the 3rd Generation Partnership Project (3GPP).

“We are looking to develop a repeatable process here,” he said. “How do I incorporate this into the security of all the other things I have to operate for my environment?”

Daniel Massey, program lead for the “Operate Through” effort under DoD’s “5G to NextG Initiative,” says the methodology can be used across multiple use cases and agencies.

“We don’t say, ‘The use case is I require absolute confidentiality for HIPAA rules in the hospital or key communications in the military setting, or I require critical resilience or critical availability,’ or whatever the challenge might be,” Massey said. “We start with the use case.”

He said the process will allow security tradeoffs once the use case and assessment boundary are defined.

“Confidentiality may be a critical requirement, or it may be less important than availability and resilience,” Massey said. “Integrity may be important, but not as important as, say, confidentiality. So we identify the requirements, map them to the policies, identify the gaps. If we can follow that process, we can more quickly roll out 5G solutions into a variety of problems.”

The Federal Mobility Group, which includes CISA and DoD, has also released a framework to support 5G testing across the government. The framework includes a section on different types of security testing agencies can use for 5G testbeds, as well as security measures they can collect.

“As everybody in the security field knows, we can throw around, ‘I want a secure laptop, I want a secure system, I want a secure, whatever it is,’ and all that sounds great,” Massey said. “Nobody opposes that until we start talking about what do we mean by secure? We have to turn that into requirements. And that’s where the evaluation process that DHS has started, and DOD and NIST are excited to be part of, really helped kind of move that forward and hopefully help clarify the thinking in that direction.”
