The U.S. government’s cybersecurity agency issued a new five-step evaluation process Thursday to assist other agencies as they look to securely adopt 5G technologies.
With the “5G Security Evaluation Process,” the Cybersecurity and Infrastructure Security Agency wants to give federal agencies a blueprint on how to begin and navigate the risk management process as they authorize 5G systems.
CISA teamed up with the Department of Homeland Security’s Science and Technology Directorate and the Pentagon’s Office of the Undersecretary of Defense for Research and Engineering to conduct the study and issue the evaluation process.
“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,” wrote Eric Goldstein, CISA’s executive assistant director for cybersecurity, in a blog post. “As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.”
That flexibility is especially key as new 5G standards, deployment features and policies are introduced and additional threat vectors emerge.
The evaluation process, which is not a requirements or policy document, is meant to address gaps in existing cybersecurity and risk management guidance, Goldstein wrote. “It identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant methodologies to conduct cybersecurity assessments of 5G systems.”
CISA requests that agencies review the process and provide feedback by June 27.