Security Accreditation Scheme
Increasing security, lowering business risks
The Universal Integrated Circuit Card (UICC) in mobile devices, and its applications and data play a fundamental role in ensuring the security of the network, the subscriber’s account and related services and transactions. To safeguard the integrity of the UICC, of Embedded SIMs with remote provisioning capabilities, and of their applications and data, it is essential that the supplier environment and processes that are used to manufacture and/or manage UICCs and Embedded SIMs are secure.
The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their UICC and Embedded SIM suppliers, and of their Embedded SIM subscription management service providers. Two schemes operate under SAS:
- SAS for UICC Production (SAS-UP): This is a well-established and voluntary scheme operating successfully since 2000 through which UICC manufacturers subject their production sites and processes to a comprehensive security audit. Successful sites are awarded security accreditation for a period of one year, extending to two further years upon each successful renewal. This scheme has accredited some of the industry’s largest UICC suppliers. GSMA also provides advice to its members on how to benefit from SAS-UP. The scope of this scheme has recently been broadened to include the production of Embedded SIMs.
- SAS for Subscription Management (SAS-SM): To ensure industry confidence in the security of remote provisioning for Embedded SIMs, the successful SAS model in place for UICC production has been re-used to enable security auditing and accreditation of the providers of Embedded SIM subscription management services.
Both schemes benefits both suppliers and mobile operators in the following ways:
Advantages to suppliers
- Demonstrates commitment to security and reduces risks for customers
- Means fewer individual operator inspections
- Provides certification from the world’s leading wireless industry representative body
- Delivers a world-class security review of operations
- Offers a uniform approach to security audits
Advantages to mobile operators
- No need to spend money and time conducting individual audits
- Audits are conducted by highly-qualified individuals at no cost to the operator
- The scheme sets a rigorous security standard requiring a high-level of supplier commitment
- Offers peace of mind that suppliers have implemented appropriate security measures
SAS audits of UICC and Embedded SIM manufacturing sites cover the following areas
- Security policy, strategy and documentation
- Security organisation and responsibility
- Information security
- Personnel security
- Physical security
- Certificate and key management
- Sensitive process data management
- Logistics and production management
- Computer and network management
SAS audits of subscription management entities cover these areas, plus service management functions specific to remote SIM provisioning.
The GSMA has developed the auditing standards, requirements and methodologies for SAS in collaboration with SIM suppliers and world-class security auditing companies FML and ChaseWaterford (for SAS-UP) and NCC Group and SRC Security Research & Consulting GmbH (for SAS-SM), which conduct the audits on behalf of the GSMA. Supporting guidelines are available on request to help sites interpret the security standards and requirements. A certification body is maintained within the GSMA to oversee and develop the scheme and to formally award accreditation.
The GSMA widely publicises supplier sites that gain accreditation under the scheme, highlighting to its members the benefits of acquiring UICCs, Embedded SIMs and subscription management services from such sites. Accredited suppliers may use the special SAS supplier logo on their promotional materials, increasing visibility of their accredited status among mobile operators.
The Security Accreditation Scheme is open to all UICC and Embedded SIM suppliers and providers of subscription management services, regardless of location, and the GSMA welcomes the participation of all interested parties.
For further information, or to register an interest in participating in SAS, contact the GSMA by completing an online form or sending email to firstname.lastname@example.org.
SAS for UICC Production
FS.04 SAS-UP Standard v8
FS.05 SAS-UP Methodology v6
SAS for Subscription Management
FS.08 SAS-SM Standard v3
FS.09 SAS-SM Methodology v3
Common document (applies to both schemes)
FS.17 SAS Consolidated Security Requirements v2
A guidelines document that helps participating supplier sites to interpret the consolidated security requirements is available on request.
UICC (Universal Integrated Circuit Card) is the hardware used in mobile devices that contains SIM and/or USIM applications enabling access to GSM, UMTS/3G and LTE networks.
Embedded SIM is a UICC that supports “over the air” provisioning of an initial operator subscription and the subsequent change of subscription from one operator to another in accordance with GSMA specifications.