The US government's Cybersecurity and Infrastructure Security Agency (CISA) this week released its "5G Security Evaluation Process Investigation Study." The 44-page document is designed to be a security guide for federal agencies wishing to make use of 5G technologies ranging from standalone (SA) to multi-access edge computing (MEC) to network slicing.
The release is important considering US government officials have generally argued that 5G technologies will grow into a key element in the country's overall digital position. Further, cybersecurity has emerged as a major issue for all federal agencies and, more broadly, most governments and businesses in general.
And in 5G specifically, there have been years of debate over exactly how to ensure security and exactly which government agency should do so.
"The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies," wrote Eric Goldstein, executive assistant director for cybersecurity, on CISA's blog. "Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology."
CISA said it conducted its assessment with the Department of Homeland Security's Science and Technology Directorate and the Department of Defense's (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E).
The agency's document essentially works to fit 5G technologies into the broader cybersecurity evaluation system outlined in the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST). Importantly, CISA wrote that the RMF "is technology-neutral and does not need to be modified for 5G."
The new 5G document released by CISA provides a detailed description of 5G technologies and how they might be implemented by federal agencies. For example: "Network slicing to create multiple virtual networks that provide different quality of service levels over shared physical infrastructure."
The document also highlights some of the many threats that agencies may face as they work to implement 5G: "Threats to virtual machine (VM) and container service platforms impact the 5G Core, RAN, MEC, Network Slicing, Virtualization, and Orchestration and Management. Threats include DoS, VM/container escape, side-channel attacks, and cloud service consumer misconfigurations."
The agency also warned of supply chain concerns: "Threats can occur during provisioning, acquisition, and incorporation of software, firmware, and hardware components into UE, RAN, 5G Core, and Virtualization subsystems. Threats include vulnerable or malicious component insertion, vulnerable or malicious open-source components, and attacks on vulnerable hardware, firmware, or operating systems."
The document then outlines some specific 5G configurations that federal agencies may pursue, including private 5G networks and neutral host networks.
The document also includes recommendations on select federal security guidelines that might apply to 5G services and networks.
And it ends with a suggestion to keep tabs on the commercial 5G industry, including the 3GPP and the O-RAN Alliance: "In the absence of a US government assessment program or cognizable government standard, risk managers may be able to identify alternative assessment regimes, such as industry certifications, security assurance programs created by commercial or trade groups, or other best practice assessment frameworks. However, before attempting to use an assessment substitute, risk managers should carefully evaluate the suitability and comprehensiveness of any such approach."