Date Published: March 2026
Author(s)
Michael Bartock (NIST), Jeffrey Cichonski (NIST), Murugiah Souppaya (NIST), Karen Kent (Trusted Cyber Annex), Parisa Grayeli (MITRE), Sanjeev Sharma (MITRE)
This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity Center of Excellence (NCCoE). This white paper describes how 5G standards have enhanced the implementation guideline to protect subscriber identities (IDs), specifically how the network reallocates temporary IDs to protect users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators should know how this standards-defined security capability protects their users and subscribers. Operators should ensure that their 5G technologies are refreshing temporary identities as described in the 5G standards.
This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity Center of Excellence (NCCoE). This white...
See full abstract
This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity Center of Excellence (NCCoE). This white paper describes how 5G standards have enhanced the implementation guideline to protect subscriber identities (IDs), specifically how the network reallocates temporary IDs to protect users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators should know how this standards-defined security capability protects their users and subscribers. Operators should ensure that their 5G technologies are refreshing temporary identities as described in the 5G standards.
Hide full abstract
Keywords
3GPP; 5G; cybersecurity; privacy; reallocation of temporary identities (IDs); Subscription Concealed Identifier (SUCI); Subscription Permanent Identifier (SUPI); Globally Unique Temporary user equipment Identity (GUTI)
Control Families
None selected
