The Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, is a voluntary scheme for the mobile industry. It provides a security baseline for demonstrating that network equipment satisfies a defined list of security requirements and has been developed in accordance with standard guidelines for vendor development and product lifecycle processes.
The scheme consists of two distinct elements:
1. Accreditation of the security related development and product lifecycle processes of a vendor, which allows each vendor to define its own internal processes that describe how security is integrated into the design, development, implementation, and maintenance processes. An external auditor examines these processes and determines if they are actually applied in practice. If the auditor is satisfied, the vendor will be accredited. The accreditation demonstrates that the vendor is capable of creating secure products. While undergoing the accreditation, the vendor does not have to reveal details about its internal processes to the public and only the auditor sees them. This way, a qualified and recognised auditor can increase trust in a vendor without the vendor having to reveal internal and commercially sensitive information.
2. Security evaluation of network equipment by a competent test laboratory with defined and standardised security tests, which allows security levels to be objectively measured and visualised. That way, new network equipment, as well as upgraded network equipment, can be evaluated. If these tests are performed by a recognised and competent test laboratory, a high quality and consistency of testing can be assured. If, in addition, evaluation reports are made available to prospective customers, efficiencies can be achieved as tests only need to be performed once and do not need to be repeated by and for individual stakeholders.
The first element requires auditors appointed by the GSMA, whereas the second relies on accredited test laboratories rather than auditors. Combined, the two elements define the following approach:
The Network Equipment Security Assurance Scheme (NESAS) provides an industry solution to meet the needs of operators, vendors and other stakeholders. It is an industry-defined voluntary scheme through which network equipment vendors subject their product development and lifecycle processes to a comprehensive security audit. Successful vendors are awarded security accreditation for the audited processes against the current active NESAS release.
An overview of NESAS, the involved stakeholders and the processes of accreditation and evaluation is provided by the NESAS Overview document that is referenced in the Key documents section below.
The GSMA has developed the security requirements and processes for NESAS in collaboration with 3GPP, operators and vendors. A world-class security auditing company, which will conduct the audits on behalf of the GSMA, is in the process of being selected. Supporting guidelines are available on request to help vendors interpret the security standards. An accreditation board is maintained within the GSMA to oversee and develop the scheme and to formally award accreditation.
The GSMA widely publicises vendors that gain accreditation under the scheme, highlighting to its members the benefits of acquiring infrastructure from such vendors. Accredited vendors may use the special NESAS vendor logo on their promotional materials, increasing visibility of their accredited status among mobile operators.
The Network Equipment Security Assurance Scheme is open to all infrastructure equipment vendors, regardless of location, and the GSMA welcomes the participation of all interested parties.
FS.13 Network Equipment Security Assurance Scheme Overview
FS.14 Network Equipment Security Assurance Scheme Security Test Laboratory Accreditation
FS.15 Network Equipment Security Assurance Scheme Vendor Development and Product Lifecycle Requirements and Accreditation Process
FS.16 Network Equipment Security Assurance Scheme Dispute Resolution Process
Guidelines documents that help participating vendors to interpret the Vendor Development and Product Lifecycle Requirements and Accreditation Process standard are available on request.
NESAS is currently running in pilot mode. The initial set of NESAS documents has been drafted and is now out for review during a pilot of all the processes defined within NESAS. On successful completion of the pilot the first official NESAS Release will be announced.