ATIS I-0000090 PDF

As the deployment of 5G continues to expand in North America and across the globe, it is critical to secure 5G infrastructure. The scale of 5G is rapidly expanding across new vertical markets, broader industry sectors, and a massive number of new devices and applications. This new ATIS standard addresses the 5G supply chain (5G/SC) as a critical function in the design, build, deployment, and operation of 5G assured networks. We define the network to be the interconnecting fabric that enables endpoints (devices and clients) to exchange information with other endpoints or servers. The supply chain aspects associated with the endpoint (devices, clients, and servers) are not within the scope of this document.
This document focuses on the requirements and controls necessary to operationalize a set of agreeable levels of assurance associated with the lifecycle functions of high assurance 5G/SCs. This work is based on a flexible reference model and component flow through the complex 5G/SC to identify specific controls that can mitigate the identified threats and associated attacks. Attack classes are identified by using defined attributes. These attributes represent a defining quality of an asset (hardware component, module, system, software) and consequently reflects the asset's attackable characteristics.
Designating specific system components as "critical" as part of a 5G cybersecurity risk management effort is essential for managing supply chain risks within available or assigned resource constraints. Network operators and enterprises must select, shape, and scale their risk mitigation strategy according to business, operational and security needs. They also must prioritize a subset of "critical components" that warrants "extra attention" in the assurance assessment, testing, and monitoring activities.
The approach taken in this document is to leverage where possible techniques that can link back to a component's source to verify the authenticity and integrity of that component. The use of Software Bill of Materials (SBOM) and Hardware Root of Trust (HRoT) represents two methods that can effectively accomplish this goal. In addition, the application of security best practices helps secure each of the supply chain lifecycle functions identified.
The entity responsible for attesting the level of supply chain assurance for a network can use this specification with suppliers by providing:
- An assurance level that the supplier must comply with.
- A list of the identified critical components that apply to the supplier.
- This document and the set of requirements as listed in Section 8 as part of the purchase agreement, along with any desired exceptions and/or additions.