Federal Mobility Group (FMG) 5G Security Framework

To guide governmentwide adoption of 5G and related technologies, the Federal Mobility Group’s (FMG) 5G and Mobile Network Infrastructure Working Group (WG) over the past year has undertaken an extensive evaluation of 5G testing approaches. Their work has culminated in establishing a framework to support federal agency use-case testing. Listen to this interview with Mr. Nick Ward and Ms. Serena Reynolds about the framework development process, importance and agency applications.

Interview: Federal Mobility Group (FMG) 5G Security Framework

January 14, 2021

Nicholous Ward, Chief Information Security Officer, U.S. Department of Justice, and FMG Executive Sponsor

Serena Reynolds, CISA Initiatives Manager and 5G Campaign Lead for CISA

 

Tom Suder, ATARC: Hello everyone. My name is Tom Suder. I’m the CEO of the Advanced Technology Academic Research Center and we’re pleased today to bring a couple of individuals that are really working in 5G.

First of all, I’d like to introduce Nick Ward who’s the Department of Justice CISO [Chief Information Security Officer] and the executive sponsor from the FMG [Federal Mobility Group]. How are you doing today, Nick?

Nick Ward, DOJ: I’m doing well, thanks for having me here today.

Suder: And we also have with us Serena Reynolds, who works at the National Risk Management Center over at CISA inside of DHS and happy to have you today, Serena. How are you and where are you working out of today?

Serena Reynolds, CISA: Doing great. I’m actually working outside of the DC area and thanks for having me here.

Suder: Great. Well, maybe, Nick, you can give us a little background on what it means to be the executive sponsor of the FMG and give us a little bit about your background.

Ward: Sure. So, I’m the Chief Information Security Officer for the Department of Justice. And as a CISO for a major agency, I am a member of the federal CIO and Federal CISO councils. And they sponsor various groups to really work on the hard problems of federal government. And so federal mobility is one of those hard problems. And so they created the Federal Mobility Group that I’m the executive sponsor for and we have a number of different working groups in that group to help really try to address all the different mobility problems that we have in the federal government. 5G is one of them, where it’s a problem of opportunity. How do we look at the best ways to achieve the value of 5G as quickly as possible to really get down to the crux of – how do we support the mission of the various departments and agencies across our government. We have a lot of different use cases that we need to be able to cover and this working group is really intended to help make sure that we can achieve those – the value of 5G.

Suder: Fantastic. And I know, Serena, you really do outreach outside of your own agency and liaise back to the White House and into the public. How are you approaching 5G, you know, just in your job?

Reynolds: Sure. So, I actually head up the initiative management group within the National Risk Management Center. I think a lot of what we do is kind of centered around three core competencies, one being risk management and looking at those risk capabilities, threats and vulnerabilities – and really solving and creating mitigation strategies for those. The other is stakeholder engagement. CISA has a lot of really unique and great partnerships and relationships with critical infrastructure owners and operators, public safety, cybersecurity professionals, federal, state, and local. So we’ve got a lot of really great partnership mechanisms within the organization that we leverage, as well as a regional field force that looks at everything from physical security, cyber security and emergency communications interoperability. So, we leverage a lot of regional relationships as well. And then lastly, technical assistance – really being able to provide technical assistance engagements that really drive and help support cyber best practices and promoting security and resilience, and 5G is one of the portfolios we’re really looking at.

We are looking at several different strategic initiatives from a 5G perspective, looking at everything from policy and standards development to situational awareness of supply chain risks, be able to promote security measures at partnership peace with stakeholders, encouraging innovation in the 5G marketplace and then also looking at potential 5G use cases and risk management strategies.

So all these areas are kind of strategic initiatives that we are focused on for 5G within CISA and R&D is kind of cross pollinated across all those different strategic initiatives and that’s kind of where we work with the federal mobility group to work with the interagency.

Suder: Thank you for that, Serena, and if I can go right into the questions.

I know that you all are working on this. Can you please speak to the importance of having a standardized 5G security testing framework to implement across agencies? And maybe you can start off with that, Nick, and then we’ll go to Serena.

Ward: Sure. The FMG developed a framework for a few reasons. The first reason is – it’s designed to be able to help inform agencies about existing 5G efforts across the federal government. So that was an important aspect because many different agencies could be working in silos and may not even be aware what other agencies are doing. The second part of our framework that the FMG worked on was – they wanted to help guide agencies through the process of identifying five use cases, and standard ways to test those use cases in both technical and non-technical considerations, when testing those cases. So there’s a lot of different things that are necessary for that.

But being able to have consistent testing that can be done rapidly was a big thing. So how can we realize the value of 5G quickly? One of the important aspects was can we thoroughly and comprehensively test use cases and in a consistent way, making sure that we can capture the appropriate lessons learned?

We also recognize that security is definitely an important aspect to 5G testing as well. And output can vary a lot, based on the use case and how 5G will be utilized. So we do actually see some value in even if going further than what the FMG did, with more of an operational testing of 5G into actually creating a similar framework for testing the security of 5G use cases as well.

Suder: Fantastic. Serena, you want to add anything to Nick’s comments?

Reynolds: Yeah, tagging on to Nick’s comments… we know that the Mobility Group’s framework to conduct 5G testing is kind of aimed at guiding 5G test planning and execution. There’s a portion that actually covers security testing based on specific use cases. Looking at, you know, augmented reality, virtual reality for training drones – your field mission use – and this question is kind of in line with what CISA believes is next on the list.

So for example, if you’re using the framework and developing and executing a 5G test bed based on your defined use case for your respective agency, it’ll be important to kind of figure out how to complete security compliance or security evaluation to ensure that 5G technology and testing is safe to deploy for operations. And, so, we’re currently in initial discussions with DOD and NIST to look at 5G security compliance evaluation, as well as processes that would also expedite and support secure adoption of 5G technology, especially after 5G tests were completed. And we also note that NIST and some others may consider this 5G security compliance process to be cybersecurity framework 5G profile, and others who may more directly relate to this from a 5G cybersecurity maturity model certificate perspective.

So I think everyone is kind of aiming at the same collective goal and that’s ultimately helping to ensure secure deployment and adoption of 5G technologies for our missions.

Suder: That’s fantastic. And that leads into my next question. What are some of the findings worth highlighting from this national tour that you all have done visiting 5G labs around the country in their testing capabilities? Serena, maybe we’ll start off with you on that one.

Reynolds: I think I’ll refer to the Executive Sponsor on this. I think that Nick will be able to answer this.

Suder: Back to you, Nick.

Ward: Yeah. So, the FMG, like you mentioned, did visit a lot of different Labs and visiting these labs helped us understand a lot of the different options for testing. For instance, we found that federal labs are a good option for open field outdoor testing as well as specific testing for sensitive types of use cases. If it’s overly specific or sensitive, we really need to have federal test beds for those sorts of scenarios. Most of the federal labs right now still utilize 4G, but they have plans in progress to be able to upgrade to 5G and really present a straightforward approach for federal agency use.

And then you got the manufacturing labs like Ericsson and Nokia. They’re a pretty good option because they align with the 3GPP [3rd Generation Partnership Project] standards, and they also offer flexible options to rent a lab, or you can lease equipment or even purchase the equipment and have them really build dedicated labs for you if you have that need as an agency.

And then there’s the third type of lab that we saw – was academic or university labs and these are good labs. If you wanted to conceptualize a different type of use case or you had some more of the mid to long term research that you needed to do and development that you needed to do – they have campus testing which can be outdoor; they can even do city scale types of test beds at a university. They typically do leverage open source technologies at these types of labs.

And then finally, we saw that there are the carrier labs. Their approach is – they had the ability to be able to test application development and innovation straight from the carriers and they are a pretty good option for carriers that want to be able to demonstrate different usage scenarios for agencies.

Suder: Yes, very interesting. My next question is – are most federal agencies at comparable levels across the federal space in terms of progress in 5G, and what are the major differences, and kind of where are we in this life cycle? Maybe we’ll start with you, Nick.

Ward: Sure. So, agencies are definitely at different stages in their evolution of 5G, as we indicated in the framework document. Almost one third of the current federal initiatives are in R&D right now. That reflects the current state of the technologies and the development by carriers, as it is today. And more than half of the initiatives reviewed by the framework, were really led by DOD and Commerce – NIST, particularly – in the National Science Foundation. So there’s definitely different stages for different federal agencies and how they’re testing and adopting, based on their mission needs.

Suder: And Serena, I’d love to get your perspective on the outreach that you’ve done, what have you seen in your experience?

Reynolds: Yeah, so I think I can speak a little bit to the state, local, tribal and territorial level. We’ve done a lot of SLTT [state, local, tribal, and territorial] engagement in the last year and a half. We’ve also done engagement with, you know, rural telecom carriers and providers through our rural engagement initiative and then we did a series of free pilot workshops with the SLTT community: one in Washington, DC, one in Utah, one in Minnesota. And it was just a really fascinating opportunity to kind of look holistically across the Community and where states are with adoption. Many of them are kind of in the beginning stages of just learning, you know, cyber security best practices and kind of where they are on the spectrum of cyber security understanding and really being able to prioritize security and resilience in their practices and processes.

And one of the things that we were able to do was provide a bit of an education on that piece and what 5G means as far as use cases, what it is, deployment. And two of those workshops, you know, had just all SLTT engagement. The last one that we did in Minnesota actually had industry members. So it was a great opportunity to have a couple of vendors in there, who were able to talk about some of the deployment considerations for the state and local government. We also had members of the Inter-agency participate from FCC to talk about spectrum, NTIA on vendor diversity, Department of State to talk about international considerations and forward leanings sort of nations that are kind of looking at things like open RAN [Radio Access Network] and other more progressive elements, and then FBI to talk about threats.

So a lot of really good conversations from the different areas of folks that are kind of looking at the space. And we’ve seen that, you know, a lot of states are in just different places, there are folks that from a governance perspective, have IT shops that are kind of embedded way within the state. So, don’t often have ties from a governance perspective with some of the decision makers funding as another issue.

Another issue that came up was the digital divide. There are a lot of code considerations as well some were very interested in kind of talking about some of the areas that may not have coverage. So it was just a really great opportunity for us to not only leverage our field forces that also participate in this. But really kind of collectively, bring the Interagency to have those conversations and really kind of see the unique challenges of say you know, Minnesota that has some travel in there or Utah that has rural considerations, or Washington DC, that has the federal government space and international considerations as well within their jurisdiction.

So, great opportunity for us to engage.

Suder: Oh, wow. Yeah, sounds like it. And I know when 4G came around, we didn’t know what the killer app is going to be. It ended up being watching Netflix. So, what are the more interesting or common 5G use cases in the government? And maybe we’ll start off with you, Nick.

Ward: I think that’s still hard to predict. And there’s so many out there that people are discussing but common ones in the federal space are where we have mission critical communications that need to have very high reliability and low latency. We can take advantage of network slicing and where we can – really have differentiate a QoS [quality of service] priority and security for these mission critical communications. I think that’s probably one of the more important ones for the federal government.

Suder: Yes. And Serena, I think you mentioned earlier VR. What other things – maybe go into that a little bit more in some other ideas that you had.

Reynolds: Yeah, some of the areas that we’ve looked at – is last mile connectivity drones with high definition. We also think that multi or mobile edge computing or mobile access edge computing is going to be another more interesting 5G use case and just the application to bring more processing power to the edge and still have that benefit from 5G. And that will really change how the government will look at things like how first responders communicate, how folks do business, and so we’ll really see the true impact of, you know, mobile edge computing when we see 5G non standalone technology combined with IoT to government applications.

Suder: Yeah, that’s fantastic. And that’s what we can think of, there’s going to be other things we don’t know yet. You know, I can imagine that. So what is the testing framework’s modular approach and its benefits, Nick?

Ward: Yeah, so the model approach is that it’s an organized architecture that really aligns to different aspects like spectrum, application traffic, network, and other 5G specific innovations like network slicing, and edge compute. And what the modular framework, really, the real value of it – is that it allows agencies to selectively test the elements that applied to a particular use case without really requiring all the unnecessary testing or equipment for that matter, essentially the test bed can be tailored to the aspects needed to support the specific agency use case.

And then at the end of the day what they get is, they can speed up the testing and reduce the cost of the test beds to be able to test the specific use cases. So, they really can just pop in the specific modules they need to support their specific use case.

Suder: Serena, you want to add anything to that?

Reynolds: Yeah, I think, I think Mr. Ward covered that well.

Suder: Great. Well, we’ll get on to the next question then, and we’ll start off again with you, Nick. Are there certain recommendations how an agency can best put this framework to use, how multiple agencies can coordinate and collaborate on their 5G testing initiatives?

Ward: Yeah, so I mean I think we’ve kind of covered some of these things. I mean, they definitely need to review the FMG framework guide. It will define a lot of use cases that they might be thinking about. It might actually help agencies start to understand what use cases might apply to their agency. And that’ll help them understand where to start. In terms of where they want to go in for testing, but I’d really defer to CISA on some of the cross agency collaboration that’s going on.

Reynolds: Yeah, so we have a lot of plans to leverage the support collaboration and testing of 5G technology in the United States. I know just from a state and local perspective, just sharing best practices and leveraging a lot of what’s outlined in the Federal Mobility Group’s work is going to be really key.

We’ve also got a lot of really unique partnerships with the communication sector through our Sector Coordinating Council, as well as our Information Technology Sector Coordinating Council. So a lot of really good partnerships with industry and just collaborative conversations around the things that are kind of highlighted in this framework and some of the best practices that we can share, I think, are going to be really key.

So I think from that perspective, I think, you know, states, private industry and all of our partners can really benefit from 5G testing guidance and it really helps us to kind of frame out what those use cases are, the testing process, and other elements for 5G.

Suder: I think you’re right. Okay, so 2020 was COVID – things moved along… I’m going to use football terms (we’re in playoff season) – the chains kept moving, Nick, what are we going to see in 2021 and beyond?

Ward: We’ll definitely continue to support 5G testing collaboration and you’ll see this with our partnerships with the advanced wireless testing platform group and we hope to host virtual 5G collaboration and testing workshops across federal government, industry and academia.

And then we also have other efforts, such as international travel guidance and mobile device use, FISMA and mobility metrics, and things like that – not just focused on 5G, of course. But we really want to make sure we’re making mobility a mission. It’s already a mission critical requirement. We want to make sure we have good guidance in and capabilities out there to do it safely and to really support mission needs.

Suder: Great, and Serena, you want to add anything else?

Reynolds: Sure, yeah. I think kind of next on the horizon – we released our CISA 5G strategy in August, we completed our three 5G pilots and you know the FMG has done a lot of really great work. I think one of the big pieces is kind of focusing on supply chain and some of the work that we’re doing with our ICT supply chain risk management task force. We just released our year two report, so kind of looking to the future of what we want to do to partnership with industry, as it relates to supply chain. I think another area that we’re definitely looking at increasing engagement with, is in the world of standards and then certainly coordinating with our partners and other international partners around – that would be great. And then sharing that with our state and local partners, I think will also be great. Pivoting our workshops from, you know, we’ve done these pilots – how do we implement them internationally and how do we share information with our international partners on some of the themes and trends that we saw in SLTT community, because a lot of the International community is kind of sharing a lot of the same goals and challenges. So just being able to kind of cross pollinate in that community, I think, would be really great.

And we’re certainly working with the Department of State on their clean path network and their engagement internationally as well as USAID, supporting NTIA and the work that they’re doing. They just completed their USTTI training and then they’ll be doing vendor diversity listening sessions pretty soon – in January and February. So that’ll be another really great opportunity for us – to kind of leverage some of the work that we’ve done in the SLTT community and support them and their efforts.

We’re also getting ready to release a risk characterization document that we worked on with our industry partners within R&D in security framework. And that’s kind of a partnership that we have with ODNI [Office of the Director of National Intelligence] and NSA – we work with industry on specific areas. There are three different working groups, one being standards, one being cloud, one being the threats working group. So we’ve done a lot of really great work since September and we’re getting ready to have our meeting along with all of our leadership on the 28th [of January, 2021] to kind of talk about some of our final deliverables, one of which will be this risk characterization document as it relates to 5G. So I think it’ll also, you know, answer some of the requests from the National Strategy to secure 5G as well.

So a lot of really good work that we’ve done over the last year, the National Strategy was just signed by the President and it’s preparing to be sent over to Congress. So now it’s really just kind of starting to see where the rubber meets the road and move about on our simplified the strategy.

Suder: Great. Well, thank you, Serena. And thank you, Nick – for your leadership in this area and the rest of the FMG. This 5G is important not just to the federal government, but to state and local and the rest of the United States and the world so thank you for your efforts.

We’ve had Nick Ward, Department of Justice CISO, and Serena Reynolds over at CISA. And we will be in touch with you later. Thank you.