The Cybersecurity and Infrastructure Security Agency (CISA) – along with the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s Office of the Under Secretary of Defense for Research and Engineering – has released a proposed five-step 5G Security Evaluation Process today for Federal agencies to receive authorization to operate (ATO).
All agency 5G technology adoptions require a security assessment before they can be granted an ATO. The jointly proposed process, “5G Security Evaluation Process Investigation,” will allow agencies to conduct the “Prepare” step of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization.
“The intent of this joint security evaluation process is to provide a uniform and flexible approach that Federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post.
“As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new Federal 5G implementations,” Goldstein added. “Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”
The proposed process provides for more flexibility in the Federal government’s 5G cybersecurity assessment approach, allowing for the introduction of more 5G standards over time and constant identification of new threats.
CISA said Federal program and project managers should use the investigation’s repeatable methodology in their required evaluations, and review Goldstein’s blog post for more information on the process.
The agency also encouraged feedback on the process, which CISA will use to determine if additional security recommendations and guidance documents are needed.
Those who wish to provide comments will need to submit them to QSMO@CISA.dhs.gov by June 27.