Professional Documents
Culture Documents
GSA Acquisition Guidance For Procuring 5G Technology 508 - 0
GSA Acquisition Guidance For Procuring 5G Technology 508 - 0
Acquisition Guidance
for Procuring
5G Technology
Executive Summary
1 2 3 4 5
6 7 8 9
3
Purpose and Scope
Fifth generation (5G) wireless technology will By following these best practices, incorporating
improve mission delivery and business operations for them where appropriate into the procurement
government agencies. 5G brings new applications process, and effectively managing trusted vendors,
and services to the federal workforce that older the U.S. government can strengthen the security and
technology did not support. resilience of its 5G networks and endpoints.
5G offers faster performance and more capabilities, This document gives agencies the information and
particularly for data-driven applications and machine- guidance they need to procure 5G technology with
to-machine communication. These capabilities form appropriate security for government use cases.
the foundation for large networks that use sensors
According to the Secure 5G and Beyond Act of
and machines, expanding the mobile networks’
2020, Pub. L. 116-129 (03/23/2020), the executive
size and reliability. Compared to earlier generations
branch developed a comprehensive implementation
of wireless technology, 5G’s features are highly
plan associated with the National Strategy to Secure
customizable for specific applications.
5G. Program offices and contracting activities must
Acquiring secure 5G solutions is key to ensuring look for new approaches for communication
federal networks stay safe and resilient. systems, including advanced 5G features, to use to
assess the acquisition risk. As new technologies and
Delivering 5G’s capabilities requires significant
approaches arise, agencies need to judge whether
changes to mobile communication systems. These
they are good fits for their needs.
changes can introduce security vulnerabilities
and expand the attack surface. They also provide This guidance also gives agency leaders the
opportunities for malicious actors who seek to: strategies and tools to:
• Illicitly obtain and use federal information • Improve their security posture
• Defraud government programs • Reduce overall risk
• Disrupt operations • Support rapid delivery of 5G solutions
Such actions threaten how government agencies Given this broad scope and rapidly advancing
deliver essential services to the American people. technology, this document will not provide
Agencies considering buying 5G must also consider comprehensive guidance concerning requirement
5G’s security risks when: development but will rather serve as a common
foundation and reference for a wide audience.
• Developing procurement packages
• Issuing solicitations
• Evaluating vendors
• Issuing awards
What is 5G?
This section explains the historical factors and 5G is a global standard set by the 3rd Generation Most U.S. nationwide carriers currently use
technical components that enable 5G capabilities. Partnership Project (3GPP), a consortium of Release-15 but are expected to deploy Release-16
To help the reader, certain terms are accompanied organizations that develop mobile telecommunications features into their networks.
by URLs to their definitions in the glossary that the protocols structured as numbered releases.
5G networks are digital cellular networks composed of
Computer Security Resource Center of the National
• The first 5G standard was Release-15 in mid-2018. a patchwork of cells within a larger service area
Institute of Standards and Technology (NIST)
• 3GPP completed Release-16 specifications in 2020 covered by one or more providers. Mobile devices in a
maintains.
to accommodate early commercial deployment. cell communicate by radio waves with a local antenna
“5G” is a shorthand term referring to the 5th • Release-17 was completed in late 2022. array containing a low-power automated transceiver.
generation cellular mobile network. It succeeds the • Release-18 is also in development. The transceiver assigns channels from a common
4G (LTE-A, WiMax), 3G (UMTS, LTE), and 2G (GSM) pool of frequencies reused in geographically
systems. 5G performance targets include: Release-16 was adopted by the International separated cells. The local antennas are connected
Telecommunication Union (ITU) as a candidate with the telephone network and the internet by a high
• High data rate for its 5G standard, IMT-2020. The ITU IMT-2020 bandwidth optical fiber or a wireless backhaul
• Reduced latency specification demands speeds up to 20 Gbps connection. When a user crosses from one cell to
• Energy saving achievable with wide channel bandwidths and massive another, their mobile device is automatically handed
• Cost reduction multiple input, multiple output (MIMO) architectures. off seamlessly to the antenna in the new cell.
• Higher system capacity
• Massive device connectivity within a specific
coverage area
5
Advantages of 5G
One of the major advantages of 5G is that 5G Similarly, 5G may also complement or replace Wi-Fi modulation is used, in which multiple carrier waves
networks have: in some scenarios. are transmitted in the frequency channel, so multiple
• Much higher specified peak data rates than bits of information are transferred at the same time.
previous cellular networks Higher Frequency Radio Waves
Gasses absorb millimeter waves in the atmosphere,
• Multiple Gbps, which is faster than current cable 5G networks achieve these higher data rates by using
are less tolerant of diffraction and deflection, and
internet and many times faster than earlier cellular higher-frequency radio waves in or near the
have a shorter range than microwaves. Therefore,
technology millimeter wave band around 28 and 39 GHz.
the size of the cells is smaller.
Previous cellular networks used frequencies in the
Because of the higher data rates, 5G networks will microwave band between 700 MHz and 3 GHz. 5G cells will be the size of a city block, unlike the
serve not just cellphones but could also provide cells of previous cellular networks, which could be
a general home and office networking solution, 5G providers also use a second lower frequency
many miles across. Due to their shorter
competing with wired internet providers. Previous range in the microwave band, below 6 GHz, but this
wavelengths, millimeter waves also have trouble
cellular networks provided low data rate internet will not have the high speeds of the new frequencies.
passing through solid objects such as the walls of
access suitable for cell phones, but a cell tower could Orthogonal frequency division multiplexing (OFDM)
buildings, requiring multiple antennas to cover a cell.
not economically provide enough bandwidth to serve
as a general internet provider for home computers.
7
Securing 5G
1
While the deployment of 5G presents new opportunities for better services, agencies need to consider several risks.
Threat actors may try to influence 5G
Secure 5G implementation requires planning for resilience at the design phase and mitigating network exposure
networks’ design and architectures.
to untrustworthy elements.
The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency 5G will use more information and communication
(NSA) and the Office of the Director of National Intelligence, sees five dangers: technology components than previous generations
of wireless networks. Municipalities, companies, and
organizations building their PCNs will at the same
time increase their own network vulnerabilities.
9
5G: The Basics
■ ■ ■ What is 5G? ■ ■ ■
.
Standards
As noted in Section II, the 3GPP establishes standards that provide a complete
system description for mobile telecommunications. A list of all 5G-related 3GPP
specifications (including core network and system aspects) is provided in Specification
3GPP TR 21.205 or by searching the 5G Specification Set at the 3GPP website.
IoT
13
Contracting for 5G: Tools and Strategies
Acquisition Process
Determine Application Requirements,
Purpose, and Connectivity
Before you take any action, determine your
requirements. Pay particular attention to:
• Bandwidth
• Application-specific security
• Latency, the time delay in processing data packets
• Jitter, the amount of inconsistency in latency
across the network
• Location or locations where the application needs
to run
Does the application need to work locally on the
private network, or must it be able to roam and work
domestically and abroad? Private networks allow a
device to work only while on the LAN. They will not
permit roaming outside their cellular network unless
an agreement is in place with one or more public
mobile network operators.
Use Cases
5G technologies will power a wide ecosystem of devices
and services. Once you have identified your requirements,
review the use cases you want to address next.
A “use case” is any instance in which the enhanced
capabilities of 5G will be used to support a given
need and the circumstances surrounding that
deployment. As with requirements, the location of a
use case will determine its ultimate architecture.
First, decide whether the 5G will reside on a private
network, a public network, or both.
15
Encryption Use the categorization and terminologies developed Your agency can also evaluate contractors on
Encryption is a common way of securing data. You by industry-recognized standards bodies, particularly whether they provide more protection beyond the
can apply it at the device level for data “at rest” those associated with cybersecurity and safety, as minimum contract requirements. Include security
and “in transit” when data is being communicated much as possible. as a separate evaluation factor or as part of a larger
over networks. Depending on the device’s risk evaluation factor.
Explain your expectations to the vendor and make
profile and the data’s sensitivity, your agency’s it easy for the vendor to respond correctly and
requirements developer may need to include Evaluation Factors
completely. The procurement must at least identify
encryption requirements. Evaluation factors must assess the contractor on
the requirements for each of the following topics:
how they address questions related to the risk and
Lastly, include an up-to-date device registry or log • Type and control of connectivity mission impact of the acquired product or service.
the requirements package. Such a resource must • Third-party service and data management
include devices’ firmware and software, as well as • Patching Ask the vendor to describe aspects and answer the
their types and versions. This will help your agency • General vendor cybersecurity practices sample open-ended questions in this list:
rapidly and appropriately respond to a security • Security of device and communications • Describe the secure development life cycle used
incident. Procurements that feature devices, and document it in your processes.
• More considerations
such as an IoT deployment, must include these. • Describe the vulnerability reporting and response
Specifications for devices must also include physical If your agency does not require a specific category program being used.
security controls per applicable policy. or topic, the Statement of Work (SOW) must state • Describe the program using metrics, such as the
so clearly. The requirements language must clearly time between a bug being reported and a fix/patch
Solicitation Development and Contract Award define whether a security practice or standard is a release.
Your agency’s solicitation documents must include requirement or a suggestion. It should also define • Describe patch and version updates of software
the requirements and source-selection criteria in your agency’s factors to evaluate offers. libraries, open-source software, or copyrighted
the solicitation. software in the public domain that your program
The solicitation must establish deliverables the
vendor must provide. These can be pre-award, uses.
Solicitation • Describe your SCRM program. Does it meet the
post-award, or both. Agencies often ask vendors to
Your solicitation must include relevant security and deliver product specifications and documentation of requirements of NIST SP 800-161?
privacy requirements according to NIST, CISA, and the the vendor’s cybersecurity practices. The solicitation • Do you have any alternate sources for critical
agency’s guidelines. The solicitation must also ensure must only require a pre-award deliverable if the components? If yes, please describe.
the vendor is compliant with these requirements agency needs to evaluate whether an offeror can • Describe your quality standards for suppliers, such
and outline the agency’s approach to ensure they are meet the minimum requirements. as their response to bugs and defects.
evaluated as part of the selection process. • Describe how you will comply with the security
Your agency’s contracting office may wish to apply Complex Acquisitions Evaluation Criteria requirements of the solicitation. Do you provide
your standard practices, such as using boilerplate For complex acquisitions, structure the evaluation protection beyond the minimum requirements of
language. If doing so changes the wording of the criteria so the agency can evaluate vendors based the contract?
requirements or selection criteria, the developer on their compliance with the specified security
must also approve the new language. Even small requirements in the solicitation.
changes in requirements descriptions can have
significant unintended consequences.
17
Technical Requirement
Considerations
Radio Performance
• Baseline radio performance
O Coverage area: rooms, common areas, indoor/
Communications Performance
19
National Institute of Standards and Technology (NIST) Publications
The following table lists NIST publications related to 5G security, Supply Chain Risk Management, and the security of mobile applications.
Agencies can procure 5G technology through The authority to enter OTAs is specified by law for the following 11 agencies:
Other Transaction Authorities (OTAs), commercial
contracts (FAR Part 12), or non-commercial
Advanced U.S. Department U.S. Department U.S. Department
negotiated acquisitions (FAR Part 15), depending on
Research of Defense of Energy of Health and
their specific requirements.
Projects Agency– (DOD) (DOE) Human Services
OTAs are acquisition transactions (other than a Energy (HHS)
contract, grant, or cooperative agreement) for (ARPA-E)
prototype projects that generally are not subject
to the federal laws and regulations governing
procurement contracts. As such, they are not required
to comply with the Federal Acquisition Regulation
(FAR), its supplements, or laws limited in applicability
to procurement contracts. Specific agencies have U.S. Department U.S. Department Domestic Nuclear Federal Aviation
limitations on OTA scope. Those typically limit OTAs of Homeland of Transportation Detection Office Administration
to research and development, prototype Security (DOT) (DNDO) (FAA)
development, and limited-production projects. (DHS)
For most production uses of 5G technology, you must follow more-traditional FAR-based contracting.
Commercially available 5G must consider security and prohibited sources. Several FAR considerations for
5G technology are detailed on pages 22, 23, and 24.
21
Cybersecurity Executive Order 14028
On May 12, 2021, President Biden issued the Budget (OMB) directed agencies to better secure Among other important issues, Section 2(a) of
executive order (EO) on improving the nation’s federal systems and achieve an optimal Zero Trust EO 14028 required a review of contract
cybersecurity. The scope of the EO spans environment. requirements and language for contracting with
information technology (IT) and operational IT and OT service providers. It also detailed
The EO also directs NIST to define critical software.
technology (OT) systems, recommendations for such requirements and
no matter the type of operating environment: on It assigns the CISA the responsibility of creating a list language updates to the FAR Council and other
premises, off premises, or hybrid. of software categories that meet the definition of appropriate agencies. As of July 12, 2021, the DHS
critical software. For example, Mobile Device Chief Procurement Officer submitted draft clause
It also calls for agencies to adopt Zero Trust
Management (MDM) solutions meets the definition of language and a business case to the FAR Council,
cybersecurity principles. Through a series of EO-
“EO Critical Software” as detailed in OMB M-21-30. pursuant to EO Subsection 2(i).
related memoranda, the Office of Management and
23
Security and Supply Chain Risk Management
As the federal government continues to move closer They infiltrate trusted suppliers and vendors to
to proactive threat management, federal agencies target equipment, systems, and information that the
must use risk management to achieve their objectives. government, businesses, and individuals use daily.
In cases where the adversary plays a key role in
Effective risk management requires knowing the
the manufacturing process, no active infiltration
organization’s assets – tangible and intangible (e.g.,
is necessary – the equipment is compromised from
data) – to manage risks properly.
the start.
NIST develops standards and guidance to manage
Therefore, the government prohibits certain sources
information security risks to an organization’s
outlined in Section 889.
assets, mission, systems, and personnel.
The following NIST publications show the You need to develop an SCRM plan for 5G
foundational approaches to risk management: technology as an important element of your
• Cybersecurity Framework acquisition life cycle. Make it align with the overall
• Developing Cyber Resilient Systems: A Systems agency business strategy.
Security Engineering Approach Guide for Consider whether to implement standards for
Conducting Risk Assessments supply chain more stringent than the applicable
• Managing Information Security Risk: Organization, NIST standards made obligatory by OMB and CISA.
Mission, and Information System View The standards must, at a minimum, contain those
• Risk Management Framework baseline standards and be consistent with agency
• Security and Privacy Controls for Information policies and guidelines.
Systems and Organizations
Suggested SCRM practices include but are not
Supply Chain Risk Management (SCRM) is limited to:
particularly important for 5G technology. SCRM is • NIST SP 800-161, Supply Chain Risk Management
the process of assessing and mitigating the activities Practices for Federal Information Systems and
of foreign intelligence entities and other adversaries Organizations
who attempt to compromise government and • NIST SP 800-171, Protecting Controlled
industrial supply chains. Unclassified Information in Nonfederal Systems
These adversaries exploit supply chain vulnerabilities to and Organizations
• Defense IT Standards for Business Systems of the
• Steal intellectual property
DOD Supply Chain
• Corrupt software
• Monitor critical infrastructure
• Carry out other malicious activities
25
www.gsa.gov
March 2023
05-23-00283