U.S. government proposals spell out 5G security advancements

Last week the U.S. federal government introduced a proposed five-step 5G Security Evaluation Process Investigation. “[It] was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies,” Eric Goldstein, executive assistant director for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said. CISA and its partners from the U.S. Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) developed the evaluation process.

“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” Goldstein said. “As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”

The goal of the evaluation process is to allow the federal government to better understand and prepare for the security and resilience of any 5G network deployment. Specifically, the agencies seek to get ahead of the curve before any federal office conducts a security assessment to obtain authorization to operate (ATO).

A study group across CISA, the National Institute of Standards and Technology (NIST), and the MITRE Corporation was assembled to “investigate how 5G may introduce unique challenges to the traditional ATO process defined in security assessment processes and frameworks such as [NIST’s] Risk Management Framework (RMF).”

The 5G investigation entails five steps

The five steps recommended by the group are:

  1. Define the federal 5G use case. This step calls for a “use case definition to identify 5G subsystems that are part of the system, component configurations, applications, and interfaces involved in the operation of the system.” Examples of use cases could be enhanced mobile broadband, ultra-reliable low-latency communications, and massive machine-type communications.
  2. Identify the assessment boundary. This step is essential given the complexity of 5G technology, which makes defining the security assessment boundary difficult for a federal ATO. It involves “defining the boundary to identify the technologies and systems requiring assessment and authorization (A&A), taking into consideration the ownership and deployment of the products and services that comprise the use case.”
  3. Identify security requirements. Identifying security requirements is “a multi-phase step that includes conducting a high-level threat analysis of each 5G subsystem and identifying cybersecurity requirements to be addressed by A&A activities.” This step seeks to identify the mitigating cybersecurity capabilities such as identity, credential, and access management, network security, and communication and interface security that need to be addressed by A&A activities.
  4. Map security requirements to federal guidance. This step calls for the creation of a new catalog of federal guidance. That guidance would encompass the RMF, NIST’s Cybersecurity Framework, supply chain risk management, the Federal Risk and Authorization Management Program (FedRAMP), other NIST and federal cybersecurity guidance relevant to the security capabilities, and applicable industry specifications.
  5. Assess security guidance gaps and alternatives. This fifth step entails identifying where a security requirement exists, but no assessment guidance is available to guide A&A activities. A gap can also occur when a security requirement is believed to exist to mitigate a threat, but no formal requirement has been established.

CISA’s effort dovetails with NIST’s 5G practice guide

CISA’s 5G security evaluation process release follows NIST’s National Cybersecurity Center of Excellence (NCCoE) publication of portions of a preliminary draft practice guide, “5G Cybersecurity.” The NCCoE says that its “proposed solution contains approaches that organizations can use to better secure 5G networks through a combination of 5G security features and third-party security controls.” NIST vetted the approaches with a wide range of industry partners in a consortium that included AT&T, Intel, Nokia, T-Mobile, and Palo Alto Networks, among other leading telecom and security contributors.

Copyright © 2022 IDG Communications, Inc.
