By Eric Goldstein, Executive Assistant Director for Cybersecurity
Federal agencies, along with many other organizations across the public and private sectors, are expected to adopt 5G technology that will provide new features, capabilities and services to transform their mission and business operations. These new benefits will be achieved from the numerous 5G usage scenarios delivered through the technology’s low-, mid- and high-band radio spectrum, network slicing and edge computing. However, a security assessment is required before any agency adoption of 5G technology can be granted authorization to operate.
Today, CISA – along with its partners from the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) – is excited to introduce a proposed five-step 5G Security Evaluation Process that is derived from research and security analyses. This process allows agencies to conduct the Prepare step of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization.
Figure 1. Proposed 5G Security Evaluation Process
The jointly proposed process, “5G Security Evaluation Process Investigation,” was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies. It identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant methodologies to conduct cybersecurity assessments of 5G systems.
In addition, the proposed process calls for flexibility in the federal government’s 5G cybersecurity assessment approach to account for the continual introduction of new 5G standards, deployment features and policies, and the constant identification of new threat vectors.
The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies. As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.
Agencies and organizations are encouraged to review and provide comment on the “5G Security Evaluation Process Investigation.” This feedback will be used to assess the need for additional security recommendations and guidance publications for federal agency adoption of 5G technologies.
The deadline for providing comment is June 27, 2022, and comments should be submitted to: QSMO@CISA.dhs.gov. We look forward to receiving and reviewing your feedback on this important 5G security effort.