Officials looking to kick-start fifth-generation wireless projects at their agencies now have new security guidance, to help them think through the all-important “authority to operate” process.
The “5G Security Evaluation” was developed by a study team led by the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s Science and Technology division and the Defense Department’s Research and Engineering division.
“It is important for the government to employ a flexible, adaptive, and repeatable approach to evaluating the security and resiliency of any 5G network deployment,” the document states. “Further, the approach may need to extend beyond assessing the system’s compliance with existing federal cybersecurity policies, regulations, and best practices to address known attack vectors, yet-to-be-discovered threats, and implementation-specific vulnerabilities.”
Officials who put together the evaluation are quick to point out that it doesn’t represent a new security requirement or framework. Instead, it lays out a five-step process for how agencies can assess a 5G system and identify potential security requirements necessary to move it into production, tying back to existing assessments like the National Institute of Standards and Technology Risk Management Framework.
“You have all types of applications that are out there: AR/VR for training, smart warehouse, you name it,” Vincent Sritapan, section chief of the cyber quality services management office at CISA, said in an interview. “But the key thing is, there has to be a common way to look at this and understand the policies. And we’re not talking about new ones, but existing things like the risk management framework.”
The evaluation will be key as agencies look to move 5G systems beyond prototyping in the coming years. A 2020 paper published by the Federal Mobility Group identified more than 60 5G-related initiatives across government, including dozens of research and development programs.
But as with any technology, teams will have to receive an ATO before moving a 5G system into a production environment. The evaluation considers how 5G technologies in particular will test and stress the government’s traditional ATO processes.
“A lot of times people just work on functionality,” Sritapan said. “And they’re like, ‘Great, I want to adopt it, and I want to sell like hotcakes and implement it.’ But you can’t do that until you understand what is that risk? And what risk acceptance are you taking in order to enable the 5G use case for your mission?”
Five stages of 5G security
The evaluation’s five steps start by defining the 5G use case, including key parameters like the 5G system, subsystems and attributes.
The process will help agencies think through the complexity of a 5G system, including end user equipment, radio access networks, 5G core networks, and edge computing systems, according to Dan Massey, program lead for the Operate Through portion of the DoD’s 5G to NextG Initiative, who also took part in the interview.
“That use case will help you determine the level of risk, the components of your system, the boundaries of your system, what guidance is already out there, so that you’re not doing this from scratch,” Massey said.
The second step involves defining the boundary of the security assessment, a process that can be particularly challenging given the complexity and interconnected nature of 5G technologies.
“Is this using a private network? Is a cloud-based system out there? What are the endpoints and technologies applications interface used as a part of that boundary?” Sritapan explained.
The third step in the evaluation centers on conducting a “high-level threat analysis” of each 5G subsystem and identifying security requirements, like Identity, Credential and Access Management controls or network security controls.
The fourth step maps requirements to federal guidance and industry specifications, including the NIST RMF, Federal Information Processing Standards (FIPS) and a host of other guidance.
The fifth step is assessing gaps in security guidance. In the event that a gap in federal guidance does exist, the document states program managers may be able to turn to “industry certifications, security assurance programs created by commercial or trade groups, or other best practice assessment frameworks.” But it also clarifies that they should “carefully” weigh those approaches before turning to them.
“We’re not introducing brand new processes or brand new instructions,” Massey said. “We’re instead saying, ‘Hey, there’s a lot out there.’ And a big, key part is mapping over to that existing guidance. And of course in doing that, sometimes we’ll find there’s a gap. But a lot of times, you’re going to find that on, once I fully understand my security requirements, I can then map it into existing guidance. I want to just sort of reassure folks out there who are thinking about deploying this, that you shouldn’t think of this as huge and intimidating and something brand new. If you follow the process here, this really gives you the ability to say like, ‘Ah, I’ve done this, before. I understand how this works.’”