CISA, DoD, DHS’ S&T provide overview of proposed 5G Security Evaluation Process for federal agencies

The Cybersecurity and Infrastructure Security Agency (CISA), DHS Science and Technology Directorate (S&T), and the Department of Defense (DoD) Under Secretary of Defense for Research and Engineering announced the results of the assessment of the 5G Security Evaluation Process. The study analyzes how 5G may introduce unique challenges to the traditional ATO (authorization to operate) process defined in security assessment processes and frameworks, such as the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF). 

The 5G Security Evaluation Process Investigation Study for federal agencies describes the new features, capabilities, and services offered by fifth-generation (5G) cellular network technology. 5G can be used to transform mission and business operations, and federal agencies will eventually be applying different 5G usage scenarios across low-, mid-, and high-band spectrum, network slicing, and edge computing. The study also identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant organizations and methodologies for cyber assessment of 5G systems.

“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post. As the nation’s cyber defense agency, CISA views “repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology,” he added. 

Agencies and organizations are encouraged to review and provide comments on the ‘5G Security Evaluation Process Investigation,’ Goldstein said. “This feedback will be used to assess need for additional security recommendations and guidance publications for federal agency adoptions of 5G technologies,” he added.

The deadline for providing comments is Jun. 27, and comments should be submitted to [email protected].

The study team developed the proposed five-step 5G Security Evaluation Process to conduct its investigation. The process identifies essential threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant organizations and methodologies for cyber assessment of 5G systems. It also identifies potential gaps in existing security guidance for some new 5G features and services.

“From its investigation, the study team concluded that, as stated in the NIST RMF, the RMF is technology-neutral and does not need to be modified for 5G,” the 5G Security study said. The proposed 5G security evaluation process can support government agency activities during the RMF system-level ‘Prepare’ step for 5G-enabled systems. The proposed five-step process is intended to be repeatable and can be applied to a wide array of 5G system architectures, deployment scenarios/use cases, and operational environments. 

Step 1 calls for a use case definition to identify 5G subsystems that are part of the system, component configurations, applications, and interfaces involved in the operation of the system. The complexity of 5G technology makes the process of defining the security assessment boundary for a federal ATO challenging. 

Consequently, Step 2 involves defining the boundary to identify the technologies and systems requiring assessment and authorization (A&A), taking into consideration the ownership and deployment of the products and services that comprise the use case. 

After defining the assessment boundary, Step 3 includes conducting a high-level threat analysis of each 5G subsystem to identify the mitigating cybersecurity capabilities, such as identity, credential and access management, network security, and communication and interface security, which need to be addressed by A&A activities, the 5G Security study said. 

Step 4 involves creating a catalog of federal security guidance that includes the RMF, NIST’s Cybersecurity Framework, supply chain risk management, the Federal Risk and Authorization Management Program (FedRAMP), and other NIST and federal cybersecurity guidance relevant to the security capabilities, as well as applicable industry specifications.

The 5G Security document said that Step 5 examines the alignment between security requirements and federal security guidance and assessment programs. “Where a security requirement exists, but no assessment guidance is available to guide A&A activities, a gap is identified and alternatives to remediating assessment deficiencies can be addressed. For example, if no federal assessment guidance exists for the Open Radio Access Network (O-RAN), an international or commercial program such as the O-RAN Alliance’s test and integration center certification may be considered,” it added.

“In the absence of a U.S. government assessment program or cognizable government standard, risk managers may be able to identify alternative assessment regimes, such as industry certifications, security assurance programs created by commercial or trade groups, or other best practice assessment frameworks,” the document said. However, before attempting to use an assessment substitute, risk managers should carefully evaluate the suitability and comprehensiveness of any such approach, it added.

From its investigation, the study team concluded that the NIST RMF is technology-neutral and does not need to be modified for 5G. “The proposed 5G Security Evaluation Process described in this document is a repeatable methodology that federal program/project managers can use as they conduct the Prepare step of the NIST RMF for a 5G-enabled system. It can be applied to a wide array of 5G system architectures, deployment scenarios/use cases, and operational environments,” it added.
