NIST White Paper on 5G Cybersecurity and Privacy Capabilities

NIST Publications

Published March 19th, 2026

Detected March 21st, 2026

Summary

NIST has published a white paper detailing "no Subscription Permanent Identifier (SUPI) based paging," a 5G capability designed to enhance user privacy and security by preventing identification and location by attackers. The paper encourages 5G network operators and organizations to verify the implementation of this privacy-enhancing feature according to 5G standards.

View original document View source feed page

What changed

NIST has released a white paper titled "No SUPI-Based Paging Applying 5G Cybersecurity and Privacy Capabilities." This document explains a 5G feature that protects users by using temporary identifiers for paging instead of the permanent Subscription Permanent Identifier (SUPI), thereby preventing attackers from easily identifying and locating users. The paper emphasizes that 5G standards explicitly define when these temporary identifiers must be refreshed.

Network operators and organizations utilizing 5G technologies are advised to confirm that their systems implement paging in accordance with the described 5G standards. This guidance is part of NIST's ongoing series on applying 5G cybersecurity and privacy capabilities, aimed at improving the security posture of 5G networks.

What to do next

Verify that 5G paging is implemented according to 5G standards, utilizing temporary identifiers as described.
Review internal 5G network configurations for compliance with privacy and cybersecurity best practices outlined in the paper.

Source document (simplified)

PUBLICATIONS

No SUPI-Based Paging Applying 5G Cybersecurity and Privacy Capabilities

Published

March 19, 2026

Author(s)

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Karen Kent, Parisa Greyeli, Sanjeev Sharma

Abstract

This white paper provides an overview of "no Subscription Permanent Identifier (SUPI) based paging," a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G protect subscriber confidentiality by using a temporary identity (ID) instead of SUPI for the paging protocol, and explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators and organizations using 5G technologies are encouraged to verify that the paging is happening as described in the 5G standards. This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity Center of Excellence (NCCoE). Citation NIST Cybersecurity White Papers (CSWP) - 36D Report Number 36D Pub Type NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.CSWP.36D Local Download

Keywords

3GPP, 5G, cybersecurity, paging, privacy, Subscription Concealed Identifier (SUCI), Subscription Permanent Identifier (SUPI) Information technology, Cybersecurity and privacy and Advanced communications

Citation

Bartock, M.
, Cichonski, J.
, Souppaya, M.
, Kent, K.
, Greyeli, P.
and Sharma, S.

(2026),
No SUPI-Based Paging Applying 5G Cybersecurity and Privacy Capabilities, NIST Cybersecurity White Papers (CSWP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.36D, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=961425       
  (Accessed March 20, 2026)