CISA, DHS, DoD Release 5G Security Evaluation Process

The Cybersecurity and Infrastructure Security Agency (CISA) released a proposed five-step 5G Security Evaluation Process.

The document is designed to help agencies looking to adopt 5G technology prepare for system authorization under the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF).

Derived from research and security analyses, the five-step process identifies threat frameworks and 5G system security considerations.

Five Steps to 5G Security

The document was drafted in coordination with the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E).

The first step calls for a use case definition to identify 5G subsystems that are part of the system, component configurations, applications and interfaces involved in the operation of the system.

Step two involves defining the boundary to identify the technologies and systems requiring assessment and authorization (A&A), taking into consideration the ownership and deployment of the products and services that comprise the use case.

The third step includes conducting a high-level threat analysis of each 5G subsystem to identify the mitigating cybersecurity capabilities, including identity, credential and access management and network security that must be addressed by A&A activities.

Step four involves creating a catalog of federal security guidance that includes the RMF, NIST’s Cybersecurity Framework and the Federal Risk and Authorization Management Program (FedRAMP).

This step also includes other NIST and federal cybersecurity guidance relevant to the security capabilities as well as supply chain risk management guidance. 

The final step examines the alignment between security requirements and federal security guidance and assessment programs.

The document also details industry security specifications and includes federal security guidance documents, as well as relevant methodologies to conduct cybersecurity assessments of 5G systems.

The draft identifies potential gaps in existing security guidance for some new 5G features and services, and notes that additional threats may be identified as 3GPP, the European Telecommunications Standards Institute.

As the document states, to move an unclassified federal system from prototype to production, a security assessment is required to receive authorization to operate (ATO).

The agencies said the joint security evaluation process is designed to be flexible but uniform and encouraged agencies and organizations to review the proposal and provide comment—the deadline for providing comments is June 27, 2022.

A Repeatable Process

“CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations,” the draft stated. “Such a process will provide assurance that the government enterprise system is protected, and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”

Prior to 5G, agencies tended to treat the cellular network solely as a pipe for transport layer communications, but with 5G, agencies want to take advantage of different 5G usage scenarios: low-, mid- and high-band spectrum.

“The chief security difference in 5G applications is that almost everything we know about network security no longer applies,” noted John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company. “There is no IDS tool I can buy for 5G networks because it’s straight to the internet. It’s been said the traditional network security perimeter is dissolving. 5G networks raze it to the ground and salt the earth behind it.”

He pointed out that every new technology and new technology deployment carries with it new risks: Federal agencies, in particular, have a very high risk of national security threats.

“Most people use their devices to play Candy Crush,” he said, and the risks, while severe, are not at the same scale. “The risks of bad or compromised law enforcement, emergency services or national security decisions can be measured in dead bodies.”

He faulted the CISA’s process as being so generic and high-level that it is “virtually unactionable” and added it’s naive to think anyone can envision all the potential use cases, much less all the risks.

“More specific guidance needs to be developed for each step so that it’s clear to federal CIOs what to do instead of being a thoughtless checklist on the way to branding themselves transformational CIOs,” Bambenek said. 

The CISA has been issuing a flurry of announcements in the past weeks, including the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). 

The agency had previously issued a joint cybersecurity advisory identifying commonly exploited controls and practices and included best practices to mitigate top cybersecurity issues, as well as an advisory to help managed service providers (MSPs) and customers secure sensitive data.


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
