The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) released six final publications in its Applying 5G Cybersecurity and Privacy Capabilities white paper series. These publications give organizations a clearer view of how core 5G security and privacy capabilities work, while offering practical, actionable guidance to support more secure 5G network deployments.
The NCCoE series includes six finalized publications focused on strengthening 5G security and privacy. These include NIST CSWP 36: Applying 5G Cybersecurity and Privacy Capabilities, alongside companion volumes such as CSWP 36A on protecting subscriber identifiers using the Subscription Concealed Identifier (SUCI), CSWP 36B on ensuring platform integrity through hardware-enabled security, CSWP 36C on the reallocation of temporary identities, CSWP 36D on eliminating SUPI-based paging, and CSWP 36E, which outlines core 5G network security design principles. Together, these documents provide a comprehensive framework for securing 5G systems across identity protection, infrastructure integrity, and network design.
The NCCoE release comes as 5G moves from specification to real-world deployment, with standards bodies, vendors, operators, and users advancing in parallel. However, current cybersecurity standards are narrowly focused on securing the interoperable interfaces between 5G components. They largely overlook the underlying IT systems that run and support these networks. That gap leaves organizations without clear guidance on how to protect the critical infrastructure beneath the 5G layer, increasing exposure to cyber risk.
By adopting the solutions outlined in the 5G Cybersecurity Practice Guide, organizations can reduce risk and lower the likelihood of incidents by better understanding the security capabilities built into 5G networks. They can strengthen the supporting infrastructure behind their 5G deployments, improving resistance to compromise while gaining clearer visibility into the trust status of underlying platforms. At the same time, these measures help safeguard the integrity and confidentiality of 5G communications, protecting users from eavesdropping and tampering.
Aimed at technology, security, and privacy program managers seeking to identify, assess, and mitigate cybersecurity and privacy risks in 5G environments, the NCCoE series targets organizations planning to run private 5G networks, helping them apply a risk-based approach to security; commercial mobile operators, giving them insight into additional cloud security capabilities beyond current 5G standards; and enterprises adopting 5G-enabled technologies, guiding them to make informed risk management decisions around deployment, use, and maintenance.
As 5G evolves, its capabilities are simultaneously being specified in standards bodies, implemented by equipment vendors, deployed by network operators, and adopted by consumers. Current standards development primarily focuses on the security of the standards-based, interoperable interfaces between 5G components.
The 5G standards do not specify cybersecurity or privacy protections to deploy on the underlying IT components that support and operate the 5G system, and the security controls that the standards do define are left to implementation and deployment decisions. This lack of specifications increases the complexity for organizations planning to leverage 5G. They are challenged to determine what cybersecurity and privacy capabilities 5G can provide, how they can deploy these features, and what supplementary capabilities they may need to implement to safeguard data and communications.
To address these challenges, the NCCoE is working with 5G operators and technology providers to develop and implement example solutions to safeguard standalone 5G networks. This includes strengthening core architectural components, establishing a trusted and secure cloud-native infrastructure to support 5G core functions and workloads, leveraging standards-based security capabilities for radio access network components, and enabling the cybersecurity and privacy features defined in 5G standards, including continuous monitoring of both signaling and data traffic to detect and prevent threats.
In a white paper on how Subscription Concealed Identifier (SUCI) protection can be enabled in 5G networks, the NCCoE noted that SUCI protection is defined by 5G standards as an optional security capability for operator deployments. Although it is optional, it provides important security and privacy protections for subscriber identifiers. By enabling SUCI on their 5G networks and subscriber SIMs, and configuring SUCI to use a non-null encryption scheme, 5G network operators can give their customers the benefit of SUCI's protections. Network operators should carefully evaluate the risks of not enabling this critical capability.
Explaining how 5G networks use the Subscription Concealed Identifier to strengthen user privacy, the NCCoE said that in 5G systems, subscribers are identified by a permanent identifier known as the Subscription Permanent Identifier (SUPI), which, if transmitted in clear text, can be intercepted and exploited to track users or compromise privacy. This creates both cybersecurity risks for organizations and privacy risks for individuals, similar to vulnerabilities seen in earlier generations, such as IMSI-catching in 4G.
To address this, 5G introduces SUCI, which encrypts the permanent identifier using the home network’s public key before transmission. The encrypted identifier is unique and cannot be linked back to the subscriber by attackers, ensuring that only the home network can decrypt and identify the user. This protection relies on elliptic curve cryptography and is supported by compliant 5G devices and networks, though it must be explicitly enabled and configured by operators, including the use of non-null encryption schemes to be effective.
The paper also highlights practical deployment considerations and limitations. SUCI protections apply only within 5G networks and do not extend to legacy connections such as 4G. In certain scenarios, including roaming or emergency access, some elements of subscriber identity may still be exposed, such as home network identifiers or, in rare cases, the permanent identifier itself. Even with these constraints, enabling SUCI significantly improves privacy protections and is positioned as an essential safeguard in 5G environments.
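The operator-side point above (SUCI only helps when a non-null scheme is configured) can be checked from the identifiers that UEs actually present at registration. The following added example, not code from the NCCoE papers, audits a SUCI in the dash-separated "suci-<type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<key id>-<scheme output>" string form; the scheme identifiers (0 null, 1 Profile A, 2 Profile B), the 8-byte MAC tag and the ephemeral-key sizes come from 3GPP TS 33.501 Annex C, and the sample SUCIs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protection scheme identifiers defined in 3GPP TS 33.501 Annex C.
SCHEMES = {0: "null", 1: "Profile A (ECIES, Curve25519)", 2: "Profile B (ECIES, secp256r1)"}
# Minimum scheme-output size excluding the ciphertext: ephemeral public key + 8-byte MAC tag.
MIN_OUTPUT_BYTES = {1: 32 + 8, 2: 33 + 8}

# suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<home network key id>-<scheme output>
SUCI_RE = re.compile(
    r"^suci-(\d)-(\d{3})-(\d{2,3})-(\d{1,4})-(\d{1,2})-(\d{1,3})-([0-9a-fA-F]+)$"
)


@dataclass
class SuciAudit:
    scheme: str
    supi_exposed: bool
    recovered_supi: Optional[str]  # filled in only when the scheme leaks the SUPI
    finding: str


def audit_suci(suci: str) -> SuciAudit:
    """Classify one SUCI and say whether it actually conceals the SUPI."""
    m = SUCI_RE.match(suci)
    if not m:
        raise ValueError(f"not an IMSI-based SUCI string: {suci!r}")
    supi_type, mcc, mnc, rid, schid_s, hnkey, output = m.groups()
    if supi_type != "0":
        raise ValueError("only IMSI-based SUPI (type 0) is handled here")
    schid = int(schid_s)
    if schid == 0:
        # Null scheme: the scheme output is the MSIN in clear, so anyone on the
        # radio path can rebuild the SUPI, exactly the IMSI-catching exposure.
        if not output.isdigit():
            return SuciAudit("null", True, None, "null scheme with non-decimal output (malformed)")
        supi = f"imsi-{mcc}{mnc}{output}"
        return SuciAudit("null", True, supi, "SUPI sent in clear: configure a non-null scheme")
    name = SCHEMES.get(schid)
    if name is None:
        return SuciAudit(f"unknown ({schid})", False, None, "reserved/proprietary scheme id; verify with vendor")
    nbytes = len(output) // 2
    if len(output) % 2 or nbytes <= MIN_OUTPUT_BYTES[schid]:
        return SuciAudit(name, False, None, "scheme output too short to carry key, ciphertext and MAC")
    return SuciAudit(name, False, None, f"OK: home network key id {hnkey}, routing indicator {rid}")
```

Running this over the SUCIs seen in AMF registration logs gives an inventory of SIM profiles still presenting the null scheme.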
Another white paper on hardware-enabled security examines how to secure the infrastructure underpinning 5G systems as networks shift to cloud-native architectures running on commodity hardware. Unlike earlier generations that relied on dedicated telecom equipment, 5G core functions now operate as distributed software workloads across multiple servers. This transformation expands the attack surface, particularly at lower layers such as firmware and hardware, where traditional software-based security controls are less effective against increasingly sophisticated threats.
To mitigate these risks, the NCCoE paper emphasizes hardware-enabled security mechanisms, particularly hardware roots of trust. These capabilities establish platform integrity by measuring hardware, firmware, and software components during system startup and storing those measurements securely in hardware modules such as Trusted Platform Modules. Through remote attestation, these measurements can be verified centrally, allowing operators to determine whether systems are in a trusted state before deploying or running workloads.
Building on this, the paper describes how integrity verification can be integrated into 5G operations. By combining platform measurements, asset tagging, and orchestration processes, operators can ensure that network functions are deployed only on trusted infrastructure. While these mechanisms do not eliminate all threats, they provide critical visibility into system integrity and prevent compromised platforms from hosting sensitive workloads. This approach addresses a gap in 5G standards, which do not define protections for underlying IT components, and supports a more comprehensive and layered security model for 5G deployments.
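The measure-then-verify flow described in the two paragraphs above (extend measurements into a TPM PCR, quote them, compare centrally, and only then admit the platform to the workload pool) is small enough to show end to end. This added example is not code from the NCCoE papers; it reproduces the TPM extend rule (PCR_new = SHA-256(PCR_old || measurement)), replays a constructed measured-boot event log, and gates scheduling on the result. It assumes the quote's signature by the platform's attestation key has already been verified.

```python
import hashlib
from typing import Dict, List, Tuple

# Measured-boot event: (PCR index, component name, SHA-256 digest of the component as hex).
Event = Tuple[int, str, str]


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend operation: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr_value + measurement).digest()


def replay_event_log(events: List[Event]) -> Dict[int, str]:
    """Recompute the PCR values that a boot following this event log must end up with."""
    pcrs: Dict[int, bytes] = {}
    for index, _name, digest_hex in events:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), bytes.fromhex(digest_hex))  # PCRs start at zero
    return {i: v.hex() for i, v in pcrs.items()}


def attest(quoted: Dict[int, str], events: List[Event], golden: Dict[int, str]) -> Tuple[bool, List[str]]:
    """Verifier side: the log must reproduce the quoted PCRs, and those must match known-good values."""
    findings: List[str] = []
    replayed = replay_event_log(events)
    for index, golden_value in golden.items():
        if index not in quoted:
            findings.append(f"PCR{index}: missing from quote")
        elif quoted[index] != replayed.get(index):
            findings.append(f"PCR{index}: event log does not reproduce quoted value (log tampered or incomplete)")
        elif quoted[index] != golden_value:
            measured = ", ".join(name for i, name, _ in events if i == index)
            findings.append(f"PCR{index}: platform not in known-good state; components measured: {measured}")
    return (not findings, findings)


def digest(label: str) -> str:
    """Constructed component digest for the sample data (stands in for a real file hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed known-good event log for one 5G core host; golden PCRs are derived from it.
GOOD_LOG: List[Event] = [
    (0, "uefi-firmware-1.2", digest("uefi-firmware-1.2")),
    (0, "platform-config", digest("platform-config")),
    (4, "bootloader", digest("bootloader")),
    (8, "kernel-6.1", digest("kernel-6.1")),
]
GOLDEN: Dict[int, str] = replay_event_log(GOOD_LOG)


def can_host_network_function(quoted: Dict[int, str], events: List[Event]) -> bool:
    """Orchestration hook: a node only joins the trusted pool if attestation passes."""
    return attest(quoted, events, GOLDEN)[0]
```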
In another white paper on reallocation of temporary identities, the NCCoE details how 5G strengthens privacy by ensuring that temporary identifiers assigned to user equipment are regularly refreshed. In earlier generations, temporary identifiers were often reused for extended periods, effectively becoming quasi-permanent and enabling tracking of users over time. This created privacy risks, as attackers could correlate identifiers with specific devices or individuals. The paper highlights how 5G standards address this weakness by requiring that temporary identifiers, such as the 5G Globally Unique Temporary UE Identity (5G-GUTI), be reallocated under specific conditions.
In 5G, these temporary identifiers are updated during key events such as initial registration, periodic updates, service requests, and paging. This frequent reallocation breaks the link between a device and a long-lived identifier, making it significantly harder for adversaries to track users or infer their location. The mechanism works in conjunction with other identity protection features, ensuring that identifiers used over the air are short-lived and not easily associated with a specific subscriber over time.
The paper also emphasizes the importance of proper implementation and validation. Network operators must ensure that their systems comply with standards and that identifier reallocation occurs as expected. Organizations using 5G services are encouraged to understand how this capability mitigates risk and to verify that service providers are implementing it correctly. While not a complete solution on its own, regular reallocation of temporary identifiers is a key measure in reducing tracking risks and strengthening overall privacy in 5G environments.
The NCCoE white paper on No SUPI-based paging focuses on how 5G protects user identity during the paging process, which is used to notify devices of incoming communications. In earlier cellular systems, paging mechanisms relied on permanent or semi-permanent identifiers, exposing users to privacy risks such as location tracking and identity disclosure. Attackers could exploit these identifiers by monitoring paging channels and correlating them with specific users. The paper outlines how 5G removes this vulnerability by eliminating the use of permanent identifiers in paging altogether.
Instead, 5G uses temporary identifiers, such as the 5G Serving Temporary Mobile Subscriber Identity (5G-S-TMSI), both to determine paging timing and to identify devices in paging messages. These identifiers are derived from temporary identities and are refreshed regularly, ensuring there is no long-term association between a device and its paging behavior. By removing any relationship between paging and permanent identifiers, 5G significantly reduces the ability of attackers to track or identify users through paging activity.
The paper also highlights deployment and operational considerations. Operators are expected to verify that paging protocols do not rely on permanent identifiers and that temporary identifiers are reallocated as required by standards. Organizations using 5G technologies should confirm that their service providers implement this capability correctly. While these protections are effective within 5G networks, they may not apply when devices fall back to earlier generations, where legacy vulnerabilities can still exist.
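Both of the verification tasks above (confirming that 5G-GUTIs are actually reallocated after the triggering events, and that paging never falls back to a permanent identifier) can be checked from core-network event logs. This added example, not code from the NCCoE papers, runs both checks over a constructed AMF log; the log format is invented for the example, while the relationship between the two identifiers is the standard one: the 5G-S-TMSI is the 48 low-order bits (AMF Set ID, AMF Pointer, 5G-TMSI) of the 5G-GUTI's post-PLMN part, which the log carries as 14 hex digits.

```python
import re
from typing import Dict, List, Set

# Constructed log line format: t=<seq> ue=<id> event=<name> [guti=<14 hex>] [page_id=<id>]
LOG_RE = re.compile(r"t=(\d+) ue=(\w+) event=(\w+)(?: guti=([0-9a-f]{14}))?(?: page_id=(\S+))?")
# Events after which the AMF must hand out a fresh 5G-GUTI (service request: when it answers a paging).
ALWAYS_REALLOCATE = {"initial_registration", "periodic_update"}


def s_tmsi(guti_hex: str) -> str:
    """5G-S-TMSI = AMF Set ID (10 bits) | AMF Pointer (6 bits) | 5G-TMSI (32 bits): the low 48 bits."""
    return guti_hex[-12:]


def audit_identifiers(lines: List[str]) -> List[str]:
    """Return one finding per identifier-handling violation found in the log."""
    findings: List[str] = []
    current: Dict[str, str] = {}   # ue -> most recently allocated 5G-GUTI
    paged: Set[str] = set()        # UEs with an outstanding page
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"unparseable line: {line!r}")
            continue
        t, ue, event, guti, page_id = m.groups()
        if event == "paging":
            paged.add(ue)
            if page_id is None or page_id.startswith("imsi-"):
                findings.append(f"t={t} {ue}: paging uses the SUPI instead of a temporary identifier")
            elif ue not in current or page_id != s_tmsi(current[ue]):
                findings.append(f"t={t} {ue}: paging id {page_id} is not the 5G-S-TMSI of the current 5G-GUTI")
        elif event in ALWAYS_REALLOCATE or (event == "service_request" and ue in paged):
            paged.discard(ue)
            if guti is None:
                findings.append(f"t={t} {ue}: {event} completed without allocating a 5G-GUTI")
            elif guti == current.get(ue):
                findings.append(f"t={t} {ue}: 5G-GUTI {guti} reused after {event}")
            if guti is not None:
                current[ue] = guti
    return findings


# Constructed sample: ue1's GUTI is not refreshed after a paging-triggered service request,
# and ue2 is paged with its SUPI.
SAMPLE_LOG = [
    "t=1 ue=ue1 event=initial_registration guti=0a0123456789ab",
    "t=2 ue=ue1 event=paging page_id=0123456789ab",
    "t=3 ue=ue1 event=service_request guti=0a0123456789ab",
    "t=4 ue=ue2 event=initial_registration guti=0a0fedcba98765",
    "t=5 ue=ue2 event=paging page_id=imsi-999700000000002",
    "t=6 ue=ue2 event=periodic_update guti=0a0fedcba98766",
]
```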
Lastly, the NCCoE white paper on 5G network security design principles outlines how network architecture can be structured to improve cybersecurity and privacy in 5G environments. As 5G systems adopt cloud-native, service-based architectures, multiple network functions operate across distributed infrastructure and share common physical resources. This introduces challenges in managing different types of traffic, each with distinct sensitivity and security requirements. The paper identifies the need to logically separate these traffic types to reduce risk and improve control.
The core principle is the separation of data plane, control plane, and operations and maintenance traffic. Each type serves a different function and carries different levels of sensitivity, from user data to network control signals and administrative access. By isolating these traffic types, operators can limit the spread of attacks, apply tailored security controls, and prevent disruptions in one segment from affecting others. Logical separation also improves performance, manageability, and the ability to detect and isolate issues within the network.
To implement this separation, the paper highlights the use of technologies such as virtual routing and forwarding, which allow multiple isolated routing environments to exist on the same physical infrastructure. This approach enables efficient resource use while maintaining strong isolation between traffic types. The paper also underscores the importance of integrating security and privacy requirements into the early stages of network design, ensuring that infrastructure, configuration, and operational practices collectively support a resilient and secure 5G environment.
Earlier this year, the U.S. Department of Commerce's NIST kicked off work on SP 800-82 Rev. 4, releasing an Initial Preliminary Draft of its Guide to Operational Technology (OT) Security, a key document for OT environments. The revision will incorporate lessons learned and align with relevant NIST guidance, such as the Cybersecurity Framework (CSF) 2.0, NIST IR 8286 Rev. 1 and NIST SP 800-53 Rev. 5.2.0, as well as OT cybersecurity standards and practices, to better address changes in the OT threat landscape.