A joint proposal from federal cybersecurity and defense agencies defines a process for ensuring the security of 5G networks. Last week the U.S. federal government introduced a proposed five-step 5G Security Evaluation Process Investigation. “[It] was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies,” said Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

CISA developed the evaluation process together with partners from the U.S. Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E).

“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” Goldstein said. “As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”

The goal of the evaluation process is to let the federal government understand and prepare for the security and resilience of a 5G network deployment before that deployment is assessed and authorized, rather than to replace the assessment itself.
Specifically, the agencies seek to get ahead of the curve before any federal office conducts a security assessment to obtain an authorization to operate (ATO). A study group across CISA, the National Institute of Standards and Technology (NIST), and the MITRE Corporation was assembled to “investigate how 5G may introduce unique challenges to the traditional ATO process defined in security assessment processes and frameworks such as [NIST’s] Risk Management Framework (RMF).”

The 5G investigation entails five steps

The five steps recommended by the group are:

1. Define the federal 5G use case. This step calls for a “use case definition to identify 5G subsystems that are part of the system, component configurations, applications, and interfaces involved in the operation of the system.” Examples of use cases are enhanced mobile broadband, ultra-reliable low-latency communications, and massive machine-type communications.

2. Identify the assessment boundary. This step is essential because a 5G system spans products and services with different owners and deployment models, which makes drawing the security assessment boundary difficult for a federal ATO. It involves “defining the boundary to identify the technologies and systems requiring assessment and authorization (A&A), taking into consideration the ownership and deployment of the products and services that comprise the use case.”

3. Identify security requirements. Identifying security requirements is “a multi-phase step that includes conducting a high-level threat analysis of each 5G subsystem and identifying cybersecurity requirements to be addressed by A&A activities.” This step seeks to identify the mitigating cybersecurity capabilities, such as identity, credential, and access management, network security, and communication and interface security, that A&A activities must address.

4. Map security requirements to federal guidance. This step calls for the creation of a new catalog of federal guidance. That guidance would encompass the RMF, NIST’s Cybersecurity Framework, supply chain risk management, the Federal Risk and Authorization Management Program (FedRAMP), other NIST and federal cybersecurity guidance relevant to the security capabilities, and applicable industry specifications.

5. Assess security guidance gaps and alternatives. This fifth step entails identifying where a security requirement exists but no assessment guidance is available to direct A&A activities. A gap can also occur when a security requirement is believed to exist to mitigate a threat, but no formal requirement has been established.

CISA’s effort dovetails with NIST’s 5G practice guide

CISA’s 5G security evaluation process release follows the publication by NIST’s National Cybersecurity Center of Excellence (NCCoE) of portions of a preliminary draft practice guide, “5G Cybersecurity.” The NCCoE says that its “proposed solution contains approaches that organizations can use to better secure 5G networks through a combination of 5G security features and third-party security controls.” NIST vetted the approaches with a wide range of industry partners in a consortium that included AT&T, Intel, Nokia, T-Mobile, and Palo Alto Networks, among other leading telecom and security contributors.

Like CISA’s Evaluation Process Investigation, the NCCoE publication stresses the challenges inherent in the new and evolving nature of 5G technologies. “5G is at a transition point where the technologies are simultaneously being specified in standards bodies, implemented by equipment vendors, deployed by network operators, and adopted by consumers,” NIST’s preliminary draft practice guide states.

The real challenge from NIST’s perspective is that while prevailing 5G standards address interoperable interfaces between 5G components, they do not address the underlying information technology components that support and operate the 5G system.
This absence makes it difficult for organizations that plan to leverage 5G to be confident in their security approaches. For this reason, the NCCoE is collaborating with 5G and cybersecurity technology providers to develop an example solution that leverages a trusted and secure cloud-native hosting infrastructure. The project’s first phase will also showcase how 5G security features can address known security challenges found in previous generations of cellular networks such as Long-Term Evolution (LTE).

Focus is on a typical 5G standalone deployment

The NCCoE project focuses on a typical implementation of a secure 5G standalone (SA) deployment designed around two focus areas:

- The infrastructure security focus area, which would “provide a trusted platform and holistic security reference architecture for a complete 5G network.”

- The 5G standalone security focus area, which would “enable the foundational configuration of the 5G Core’s security features in a manner that demonstrates the cybersecurity capabilities available in a 5G SA deployment.”

Future phases of the project would include “an expanded focus on security for 5G-specific use cases. Possible examples of these focus areas are network slicing security, roaming security, and 5G edge computing.”

Both CISA and NIST are inviting public comments on their proposals. The deadline for submitting comments to either agency is June 27.