GSA Publishes Acquisition Guidance for Secure 5G

Published: April 20, 2023

Federal Market Analysis | Mobility | Other Transaction Agreements (OTAs) | Procurement | Spending Trends

GSA’s recent guidance to agencies and historical spending trends set the tone for the future of 5G federal investment.

Fifth-generation (5G) wireless technology increases the rate of data transfer, optimizes network performance, and delivers both energy and cost savings. Given these capabilities, 5G is key to introducing and enhancing a range of applications, emerging technologies, and services within the federal sector. Nonetheless, the acquisition of 5G technologies introduces a new set of security vulnerabilities for agencies. Accordingly, GSA issued guidance for federal agencies on the acquisition of secure 5G. The document provides examples of 5G use cases, the do’s and don’ts of acquiring 5G technologies, and suggested procurement strategies.

According to the guidance, dangers associated with 5G include improperly deployed 5G systems leading to increased vulnerability; a greater number of components leading to complex supply chain risks; security risks inherited when 5G is integrated with legacy infrastructure; limited competition in the marketplace; and an increase in the threat attack surface. Initiatives are already underway among federal agencies to combat the threat of 5G systems:

DOE Idaho National Lab Test Network. Late last year, the Department of Energy’s Idaho National Laboratory unveiled a new 5G commercial-scale testing range. The article describes it as “A live, open air network that could support a small city or region with high-capacity service.” The testing range provides the opportunity to research vulnerabilities, test mitigation mechanisms, educate on the risks of 5G, and reveal the impact of 5G on other technologies.

DOD FiGHT Model. DOD, in conjunction with MITRE, launched the 5G Hierarchy of Threats (FiGHT) model to help inform cyber investments at agencies needed to achieve resilient and secure 5G networks. The model provides 5G security research, with functionalities allowing for threat assessments, attack simulation, and identification of coverage gaps.

Given the benefits and risks of 5G, the new GSA guidance provides the following list of requirements for procurement professionals, after agency developers have determined application and network connectivity needs:

  • Request a detailed description of requirements, such as who, what, when, where, why, and how the device meets the use case and location conditions
  • Develop appropriate security and privacy requirements and include any required services and security compliance requirements
  • The providing vendor must have the ability to patch devices against identified vulnerabilities; specify the estimated timespan of patching services needed
  • Ensure vendor deliverables include security development life cycle descriptions from design to end of life
  • Include vulnerability-disclosure programs in the requirements
  • Document whether a Supply Chain Risk Management program is necessary
  • Requirement documentation must include integrating authentication and access to the user’s infrastructure, management and operational practices
  • Include encryption requirements as necessary
  • Include an up-to-date device registry or log in the requirements

GSA informs agencies that the following methodologies can be used to procure 5G: commercial contracts, non-commercial negotiations, or Other Transaction Authorities (OTAs), as long as the agency has OTA authority. Acquisition vehicles designated as Best-in-Class and available for 5G technology acquisition include:

  • GSA Enterprise Infrastructure Solutions (EIS)
  • GSA Multiple Award Schedule (MAS) Wireless Mobility Solutions SIN 517312
  • GSA 2nd Generation IT Blanket Purchase Agreements (2GIT); equipment-only requirements
  • NASA Solutions for Enterprise-Wide Procurement (SEWP)
  • NITAAC Chief Information Officer – Commodities and Solutions (CIO-CS)

Each year, Deltek identifies and analyzes contract obligations in specific technology areas. The spending figures below reflect obligations with 5G-related descriptions. Though the spending may encompass programs in which 5G is only a portion of the work, or underrepresent 5G contracts without sufficient program description, the identified spending does show that 5G spending is on the rise. From FY 2020 to 2022, federal agencies spent $143M on 5G, an increase of 93% or $38M, within the three-year period. The data also reveals that 5G investment is heavily centered within the Defense sector, a known leader in 5G innovation and investment.

Sources: Deltek, FPDS

Contractors take note. Though 5G-related spending remains somewhat small in scale, a combination of the issued GSA guidance, the examples above that help assess the threat of 5G systems, and the upward trend in historical spending is paving the way for agencies to increase 5G investments in the foreseeable future.