By Cynthia Brumfield
Last week the U.S. federal government introduced a proposed five-step 5G Security Evaluation Process Investigation. “[It] was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies,” Eric Goldstein, executive assistant director for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said. CISA and its partners from the U.S. Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) developed the evaluation process.
“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” Goldstein said. “As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”
The goal of the evaluation process is to allow the federal government to better understand and prepare for the security and resilience of any 5G network deployment before. Specifically, the agencies seek to get ahead of the curve before any federal office conducts a security assessment to obtain authorization to operate (ATO).
A study group across CISA, the National Institute of Standards and Technology (NIST), and the MITRE Corporation was assembled to “investigate how 5G may introduce unique challenges to the traditional ATO process defined in security assessment processes and frameworks such as [NIST’s] Risk Management Framework (RMF).”
The five steps recommended by the group are:
CISA’s 5G security evaluation process release follows NIST’s National Cybersecurity Center of Excellence (NCCoE) publication of portions of a preliminary draft practice guide, “5G Cybersecurity.” The NCCoE says that its “proposed solution contains approaches that organizations can use to better secure 5G networks through a combination of 5G security features and third-party security controls.” NIST vetted the approaches with a wide range of industry partners in a consortium that included AT&T, Intel, Nokia, T-Mobile, and Palo Alto Networks, among other leading telecom and security contributors.
Like CISA’s Evaluation Process Investigation, the NCCoE publication stresses the challenges inherent in the new and evolving nature of 5G technologies. “5G is at a transition point where the technologies are simultaneously being specified in standards bodies, implemented by equipment vendors, deployed by network operators, and adopted by consumers,” NIST’s preliminary draft practice guide states.
The real challenge from NIST’s perspective is that while prevailing 5G standards address interoperable interfaces between 5G components, they do not address the underlying information technology components that support and operate the 5G system. This absence makes it difficult for organizations that plan to leverage 5G to feel confident in their security approaches.
For this reason, the NCCoE is collaborating with 5G and cybersecurity technology providers to develop an example solution that leverages a trusted and secure cloud-native hosting infrastructure. The project’s first phase will also showcase how 5G security features can address known security challenges found in previous generations of cellular networks such as Long-Term Evolution (LTE).
The NCCoE project focuses on a typical implementation of a secure 5G standalone deployment designed around two focus areas:
Future phases of the project would include “an expanded focus on security for 5G-specific use cases. Possible examples of these focus areas are network slicing security, roaming security, and 5G edge computing.” Both CISA and NIST are inviting public comments on their proposals. The deadline for submitting comments to either agency is June 27.
[ Learn the must-have features in a modern network security architecture and the 7 tenets of zero trust. | Get the latest from CSO by signing up for our newsletters. ]
Copyright © 2022 IDG Communications, Inc.
Copyright © 2022 IDG Communications, Inc.
Network engineers, software developers, cloud specialists, data analysts and test engineers are in high demand to support 5G deployment NEW DELHI : Hiring for tech