The complexity and flexibility of emerging fifth-generation (5G) wireless technologies make the process of defining a security assessment boundary complex, thus it’s crucial to maintain a wide aperture concerning 5G cybersecurity, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said during a Palo Alto Network webinar on Nov 18.
“Unlike 4G LTE, securing 5G may involve recurring or continuous assessments for cloud platforms, the use of AI algorithms, open-source software elements, licensed and host-nation spectrum emanations, and even device-to-device communication. There is a lot to think about in respect to securing 5G,” said Vincent Sritapan, Cybersecurity Quality Services Management Office (QSMO) section chief at CISA.
The CISA QSMO acts as a shared-service office for managing cybersecurity solutions across the government, and provides integration and adoption support to Federal agencies. The Office of Management and Budget designated CISA as the Cyber QSMO in April 2020.
To address the need to assess 5G technologies and incorporate them into operational environments, CISA has partnered with other Federal agencies to draft a “5G Security Evaluation Methodology.” The evaluation process consists of five steps applicable to various use cases.
- Step one: Define the Federal 5G Use Case;
- Step Two: Identify the Assessment Boundary;
- Step Three: Identify Security Requirements;
- Step Four: Map Security Requirements to Federal Policies in Assessment and Authorization; and
- Step Five: Assess Assessment and Authorization Policy Gaps & Alternatives
“It is a flexible model-based approach, which is adaptive to emerging 5G standards and new technological features,” Sritapan said. “The model can be aligned with any agency priority, policy, and threat model.”
The model is currently only available internally and not available for public release. Sritapan said CISA will continue to add to the model as 5G standards evolve.