Officials from the Cybersecurity and Infrastructure Security Agency and the Defense Department are pointing to a path for agencies’ authorization of fifth-generation networking projects while reporting blind spots in assessing the security risks associated with certain ways of incorporating the technology into government systems.
The agencies demonstrated, in a sample “5G Security Evaluation Process Investigation,” released Thursday, how agencies can use the National Institute of Standards and Technology’s Risk Management Framework in conjunction with various tools, including those crafted by industry, toward authorizing 5G projects as security standards for the technology are still being developed.
In a blog post accompanying the release, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agencies are “excited to introduce a proposed five-step 5G security evaluation process that is derived from research and security analyses.”
“This process allows agencies to conduct the Prepare step of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization,” he said, noting, “The jointly proposed process was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies. It identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant methodologies to conduct cybersecurity assessments of 5G systems.”
A gap, as defined in the document, occurs “where a security requirement exists without assessment guidance, policy, or organization to verify its effectiveness for government operations.” A gap can also occur when a security requirement is believed to exist for mitigating a threat,