The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has issued its final series of 5G cybersecurity practice guides. These documents establish standardized security controls for critical infrastructure operators in sectors such as manufacturing, energy, water, and healthcare. The guidance outlines risk management strategies that extend into operational technology (OT) environments as they integrate 5G networks.
Background
The NCCoE launched its 5G cybersecurity project in 2021 to address security challenges in emerging 5G deployments. With cloud-native functions increasingly exposing OT platforms to risks not present in legacy air-gapped systems, the project published a series of iterative documents. The executive summary (SP 1800-33A) was released on March 18, 2025, according to the Department of Commerce, and was followed by a white paper series demonstrating design principles such as logical traffic segregation in 5G. These documents are based on a commercial-grade testbed and highlight features such as secure boot, device identity attestation, and traffic isolation. The series includes network security design principles, published June 17, 2025, for isolating data plane, signaling, and operation-and-maintenance traffic. The final guidance volumes now complete the series.
Details
The guides outline critical security domains for 5G-enabled OT environments. They prioritize device identity and secure boot mechanisms to ensure the integrity of OT assets, enforce network slicing to segment and prioritize traffic, and recommend micro-segmentation to contain breaches. The guidance extends to cloud infrastructure supporting 5G core functions, requiring continuous monitoring, remote attestation, and robust configuration management. According to the white paper series, these controls were validated through the NCCoE testbed with commercial and open-source tools. The guides further recommend integrating these controls into procurement to support multi-vendor interoperability and align vendor security practices with OT risk management policies.
Operators should integrate these controls into broader risk management efforts. The guidance aims to reduce friction between IT and OT teams by providing standardized security architectures and baselines. The NCCoE notes that regulatory adoption may follow, as harmonized frameworks often underpin future critical infrastructure mandates.
Outlook
Operators are encouraged to align their 5G security strategies with NCCoE guidance. Within the next 90 days, organizations should review the final volumes, evaluate their 5G asset inventory against the recommended controls, and coordinate with vendors to validate compliance. As 5G adoption grows, adherence to NCCoE guidance is expected to influence industry practices and future regulatory standards.
