Part 8 · Practical Labs and Training Material

The Final 5G Security Master Checklist

The whole book, distilled into lists you can act on

"Thirty-four chapters become five checklists. Pin them by your console. The book was the reasoning; these are the actions." — HOW TO USE THIS FINAL CHAPTER

This closing chapter distills the entire book into five master checklists: end-to-end security, deployment phase-gates, design review, incident response, and 3GPP compliance mapping. Each item links to the chapter that explains the "why." Use them as living documents — the reasoning is in the book; the actions are here.

📘 Standards reference box — Chapter 35

Reference	Title	Note
TS 33.501	5G security architecture (the source of truth)	Rel-18, v18.11.0 (2026-04)
SCAS / NESAS / GSMA FS.40	Assurance & config guidance	current

Checked June 2026 — verify against the latest 3GPP version.

35.1 End-to-End Security Master Checklist

FIGURE 35.1End-to-End 5G Security Master Poster

Purpose: the whole book on one poster. Every item is a protection this book explained; if all are checked and verified, your network runs the security 3GPP designed.

FIGURE 35.2Deployment Phase-Gate Security Checklist

Purpose: security at every phase gate. The integration and pre-launch gates are where misconfigurations are introduced and must be caught — don't let a "temporary" null scheme reach launch.

FIGURE 35.3Design Review Security Checklist

Purpose: the questions to ask before anything is built. A design review that demands these prevents the misconfigurations Chapter 25 catalogs.

FIGURE 35.4Incident Response Quick Card

Purpose: the IR reference for the wall. The two telco-specific musts: triage by failure cause (Chapter 6/26) and contain via the SOC↔NOC handshake (Chapter 27).

FIGURE 35.53GPP Compliance Mapping Wheel

Purpose: prove compliance, mapped to the specs. Each domain links to its governing TS and the evidence (capture/config/SCAS) that demonstrates conformance — the audit's compliance dimension (Chapter 28).

35.2 The Five Checklists in Full

1 · End-to-End Security

SUCI scheme A/B enforced; null scheme emergency-only; GUTI rotation verified (Ch4,19)
5G-AKA with home control; HSM for K; key-refresh policy for long-lived sessions (Ch5,6,7)
No NEA0/NIA0 in normal service; UP integrity required for critical slices; NCC goes vertical at handover (Ch8,9,16)
mTLS on every SBI link; OAuth token validated incl. audience; NRF and UDM hardened (Ch10,11)
IPsec on N2/N3/N4 and backhaul; SEPP filtering on with per-partner allowlist (Ch13,14)
Four-layer slice isolation; NPN onboarding hardened; IT/5G/OT segmented (Ch20,21)
K8s hardened; secrets in vault; K in HSM; image supply chain secured (Ch29)
Security KPI dashboard live; audit on a cadence; drift alarms active (Ch26,28)

2 · Deployment Phase-Gates

Design: threat model built; SCAS/NESAS in RFP (Ch2,24)
Build: PKI automated; NFs hardened; secrets managed (Ch10,11,29)
Integration: no null schemes/bypasses left enabled (Ch25)
Pre-launch: quick-scan run; red-team exercise; all bypasses closed (Ch25)
Launch: KPIs live; SOC ready with playbooks (Ch26,27)
Operate: audit cadence; drift detection; lifecycle hygiene (Ch11,28)

3 · Design Review

SEAF/ARPF/SIDF placement and K location documented (Ch3,11)
Protection named per interface, including N4 (Ch3,14)
Isolation aligned to blast radius (Ch3,29)
Per-slice/NPN security policy, not eMBB defaults (Ch9,20)
SBA mTLS + OAuth audience validation; roaming SEPP policy (Ch10,13)
Monitoring and audit designed in from the start (Ch26,28)

4 · Incident Response

Detect via KPI/anomaly; record the failure cause (Ch26)
Triage by cause: MAC→FBS, sync→DB, API→abuse, SEPP→roaming (Ch6,27)
Contain via the SOC↔NOC handshake — never solo on a live network (Ch27)
Preserve evidence (logs/captures) before remediating (Ch27)
Eradicate, recover, and feed learnings back to detection + threat model (Ch24,26)

5 · 3GPP Compliance Mapping

Identity/auth ↔ TS 33.501 clause 6 — evidence: registration capture (Ch4,6)
SBA ↔ TS 33.501 clause 13 — evidence: token validation test (Ch10)
Roaming ↔ TS 33.501 + TS 29.573 — evidence: SEPP config/capture (Ch13)
Transport ↔ TS 33.210/310 — evidence: IPsec capture, PKI (Ch14)
NF hardening ↔ SCAS (33.117 + 33.51x) — evidence: NESAS report (Ch2,11)
Edge/AKMA ↔ TS 33.558/535 — evidence: config (Ch12,22)
Record the exact spec version per NF; re-verify against the latest 3GPP version (Ch2)

★ Closing

You have reached the end. Across 35 chapters you traced 5G security from the long-term key on a SIM card to the SEPP guarding the roaming border, from the cryptography 3GPP mandated to the misconfigurations that defeat it in the field. The recurring lesson, stated in Chapter 1 and proven in every operational chapter, bears repeating:

The standard gives you the protection. The deployment decides whether it's on. Audit relentlessly.

Keep these checklists by your console. Re-run the quick-scan. Verify against the latest 3GPP version. And when something looks like bureaucracy, remember — it's almost always a patched attack.

🧪 Final exercise — adopt the checklists

Take the five checklists and adapt them to a network you work on: (1) Convert each into an owned, dated tracker. (2) Run the End-to-End and Quick-Scan items, attaching evidence (captures/configs), not assurances. (3) For each gap, link the mechanism chapter and assign a remediation owner and deadline. (4) Schedule the audit cadence and stand up the drift alarms. (5) Pin the Incident Response Quick Card where the SOC can see it. You now hold the complete, operational distillation of this book — turn it into your living security program.