Open RAN disaggregates the cellular base station into separate Radio Unit, Distributed Unit, and Centralized Unit components communicating over standardized open interfaces. The shift reduces dependence on Huawei and ZTE, and creates attack surfaces that closed proprietary stacks do not expose. Federal agencies, allied governments, and Congress have all weighed in. The policy framework has not caught up with the security evidence.
What O-RAN Architecture Changes
A traditional Radio Access Network bundles the baseband unit and radio unit into a single proprietary stack from one vendor: Ericsson, Nokia, or, before federal prohibition, Huawei or ZTE. Open RAN disaggregates that stack into three discrete functional layers: the O-RU (Open Radio Unit), the O-DU (Open Distributed Unit), and the O-CU (Open Central Unit), potentially from different suppliers. They communicate via standardized open interfaces: the Open Fronthaul between O-RU and O-DU, the F1 interface between O-DU and O-CU, and the E2 interface connecting both to the RAN Intelligent Controller.
The RIC is O-RAN’s defining architectural addition. The near-Real-Time RIC handles radio resource allocation on a 10 millisecond to one second control loop via xApps, third-party software applications executing on the near-RT RIC platform. The non-RT RIC hosts rApps for network analytics, communicating downward via the A1 interface. The O-RAN Alliance, founded in February 2018 by AT&T, China Mobile, Deutsche Telekom, NTT DOCOMO, and Orange, publishes all governing specifications. The Alliance had more than 300 member companies as of 2024.
Multi-vendor interoperability is the policy rationale. If any O-RU connects to any O-DU from a different supplier via the Open Fronthaul spec, carriers escape single-vendor procurement lock-in. That supply-chain argument underpins U.S. federal Open RAN promotion, including the FCC’s rip-and-replace reimbursement program and NTIA’s $1.5 billion Public Wireless Supply Chain Innovation Fund, authorized under Section 9202 of the FY2021 NDAA and financed through the CHIPS and Science Act of 2022. First-round grants totaled $140.4 million across 17 awards in August 2023.
The Security Case Against Disaggregation
A traditional two-vendor RAN deployment exposes a small number of tightly controlled internal interfaces. An O-RAN deployment connecting O-RU, O-DU, O-CU, near-RT RIC, and non-RT RIC, with xApps and rApps on O-Cloud infrastructure, exposes five or more distinct network boundaries, each requiring separate authentication, encryption, and access control. The xApp marketplace is a novel attack vector: it places a third-party application execution environment inside a real-time network control plane where no equivalent existed in closed stacks.
The O-RAN Alliance’s Security Working Group (WG11) identified more than 160 distinct threats across O-RAN interfaces in its 2024 threat model update. Specific CVEs have been published: CVE-2023-40997 documents a routing manager flaw where the E2Term component fails to validate the sender of route table information, allowing an attacker with network access to inject a false routing table; CVE-2023-40998 documents a separate E2Term decoding flaw where malformed packets trigger a memory corruption condition. Trend Micro research published in late 2023 demonstrated that malicious xApps can compromise the entire near-RT RIC subsystem, not just their own execution context, undermining the isolation model the architecture assumes.
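The sender-validation gap described for CVE-2023-40997 can be shown with a simplified model. This is an added example, not code from E2Term, the O-RAN Alliance, or the original article; the message layout, the HMAC scheme, and every name and value in it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; not taken from any O-RAN component.
ROUTING_MANAGER_ID = "rtmgr-1"
SHARED_KEY = b"constructed-demo-key"


def sign_update(sender: str, routes: dict, key: bytes) -> dict:
    """Build a route-table update carrying an HMAC over sender and routes."""
    body = json.dumps({"sender": sender, "routes": routes}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class NaiveReceiver:
    """Applies any update it receives, with no check on who sent it."""

    def __init__(self):
        self.routes = {}

    def handle(self, msg: dict) -> bool:
        self.routes = json.loads(msg["body"])["routes"]
        return True


class ValidatingReceiver:
    """Applies an update only if the MAC verifies and the sender is expected."""

    def __init__(self, key: bytes, expected_sender: str):
        self.key, self.expected_sender, self.routes = key, expected_sender, {}

    def handle(self, msg: dict) -> bool:
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False  # not produced by a holder of the shared key
        body = json.loads(msg["body"])
        if body.get("sender") != self.expected_sender:
            return False  # authenticated, but not the routing manager
        self.routes = body["routes"]
        return True


def demo() -> dict:
    """Feed one genuine and one unauthenticated update to both receivers."""
    good = sign_update(ROUTING_MANAGER_ID, {"mtype-100": "e2term.example:38000"}, SHARED_KEY)
    forged = sign_update(ROUTING_MANAGER_ID, {"mtype-100": "unknown-host.example:38000"}, b"wrong-key")
    naive, strict = NaiveReceiver(), ValidatingReceiver(SHARED_KEY, ROUTING_MANAGER_ID)
    strict.handle(good)
    return {"naive_accepts_forged": naive.handle(forged),
            "strict_accepts_forged": strict.handle(forged),
            "strict_routes": strict.routes}
```

The validating receiver keeps its last good table when an update fails either check, so a rejected message cannot change where traffic is routed.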
Proponents counter that open specifications enable independent security audits: a vendor cannot embed hidden functionality in a publicly reviewable interface. Ericsson, co-leading WG11, characterized Open RAN as “secure and ready for deployment” in 2025, citing WG11’s Zero Trust Architecture framework published in May 2024.
Government Responses: NSA, CISA, and Allied Agencies
CISA and NSA released “Open Radio Access Network Security Considerations” on September 15, 2022, produced by the Enduring Security Framework Open RAN Working Panel. The document assessed five technical areas: multi-vendor management complexity, Open Fronthaul security, the xApp/rApp framework, AI and machine learning in the RIC, and open-source and cloud-based 5G core deployment. It identified unauthorized device access to the Open Fronthaul as enabling denial-of-service attacks against the RAN, and characterized the xApp execution environment as a new software supply chain attack surface with no equivalent in traditional deployments.
The Quad Critical and Emerging Technology Working Group, involving the U.S., Australia, India, and Japan and established at the 2021 inaugural Quad Leaders’ Summit, published a 165-page Open RAN Security Report in May 2023 through NTIA. The Quad report reached a more permissive conclusion: many risks attributed to O-RAN also exist in traditional RAN, and O-RAN’s auditable specifications make hidden vendor backdoors harder to conceal. The report identified risk mitigation through certificate management, zero-trust architecture, and WG11 security controls.
The ESF report’s risk emphasis and the Quad report’s optimistic framing have not been formally reconciled by any interagency policy document. NSA, participating in CISA’s 5G Security Evaluation Process Investigation, has consistently flagged the increased interface count in O-RAN as expanding the monitoring burden for operators and creating lateral movement paths not present in closed stacks.
Congressional and NTIA Mandates
Congress has addressed Open RAN through appropriations and authorization provisions rather than a standalone security statute. Section 9202 of the FY2021 NDAA authorized the $1.5 billion Innovation Fund and a Multilateral Telecommunications Security Fund, the legislative basis for NTIA’s Open RAN grants. The intent was supply-chain diversification, not security certification. No enacted statute conditions Innovation Fund grants or FCC reimbursement eligibility on verified security compliance with WG11 specifications.
The FY2025 NDAA, signed December 2024, addressed the rip-and-replace funding shortfall. The program, established by the Secure and Trusted Communications Networks Act (Pub.L. 116-124, enacted March 12, 2020), appropriated $1.9 billion to reimburse carriers with 10 million or fewer subscribers for removing Huawei and ZTE equipment. Applications totaling $4.98 billion created a $3.08 billion gap. The FY2025 NDAA authorized the FCC to borrow $3.08 billion from the U.S. Treasury, repayable through proceeds from AWS-3 Auction 113, which the FCC must conduct by June 23, 2026. The spectrum auction framework governing that proceeding is covered in the FCC Spectrum Auctions Policy Reference Guide.
The Open RAN Outreach Act (H.R. 2037, 119th Congress) directs NTIA to provide technical assistance to small providers considering Open RAN transitions, without establishing security baselines. Broadband infrastructure policy intersecting with Open RAN at the backhaul layer is detailed in the BEAD Program Guide: $42.5B Federal Broadband Deployment Explained.
What’s Next
WG11 is the de facto governance body setting the security floor for a technology the U.S. government is actively subsidizing. Its 2024 Zero Trust Architecture white paper and Coordinated Vulnerability Disclosure process represent concrete progress. Neither is mandatory for domestic carriers deploying O-RAN equipment purchased with NTIA grants or receiving FCC rip-and-replace reimbursements.
The FCC’s 2021 Notice of Inquiry on Promoting 5G Open RAN Deployment (FCC 21-31) addressed supply-chain and interoperability policy without security performance requirements. No pending FCC rulemaking would add security conditions to rip-and-replace eligibility as of May 2026. Two policy paths could close the gap: an FCC rulemaking conditioning reimbursement disbursements on verified WG11 compliance, or NTIA amending Innovation Fund grant terms to require documented WG11 security architecture as a deliverable. Neither proceeding is currently open.
The NIST-led Zero Trust Architecture initiative for O-RAN cloud orchestration, a work item approved by the O-RAN Alliance with AT&T and MITRE participation and aligned to NIST SP 800-207, may produce a publishable framework in 2025 or 2026. If adopted by WG11 and referenced in FCC or NTIA program terms, it would create the first federally anchored security baseline for Open RAN in the United States. Until then, the security architecture of disaggregated 5G networks carrying public safety and critical infrastructure traffic rests on voluntary standards compliance.