Increasing security, lowering business risks
The Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, is a voluntary scheme defined for the mobile industry. It provides a security baseline to evidence that network equipment satisfies a list of security requirements and has been developed according to standard guidelines pertaining to vendor development and product lifecycle processes.
There are two distinct elements to the scheme consisting of the following:
1. Accreditation of the security related development and product lifecycle processes of a vendor, which allows each vendor to define its own internal processes that describe how security is integrated into the design, development, implementation, and maintenance processes. An external auditor examines these processes and determines if they are actually applied in practice. If the auditor is satisfied, the vendor will be accredited. The accreditation demonstrates that the vendor is capable of creating secure products. While undergoing the accreditation, the vendor does not have to reveal details about its internal processes to the public and only the auditor sees them. This way, a qualified and recognised auditor can increase trust in a vendor without the vendor having to reveal internal and commercially sensitive information.
2. Security evaluation of network equipment by a competent test laboratory with defined and standardised security tests, which allows security levels to be objectively measured and visualised. That way, new network equipment, as well as upgraded network equipment, can be evaluated. If these tests are performed by a recognised and competent test laboratory, a high quality and consistency of testing can be assured. If, in addition, evaluation reports are made available to prospective customers, efficiencies can be achieved as tests only need to be performed once and do not need to be repeated by and for individual stakeholders.
The first aspect requires the use of auditors by GSMA whereas the second does not. Combined, both elements define the following approach:
- Vendors define and apply secure design, development, implementation, and product maintenance processes;
- Vendors demonstrate these processes to external auditors;
- Levels of security of network equipment is tested and documented;
- Tests are conducted by competent test laboratories against 3GPP SA3 defined security requirements;
- Documentation can be forwarded to operators together with network equipment being purchased.
The Network Equipment Security Assurance Scheme (NESAS) provides an industry solution to meet the needs of industry and other stakeholders. It is an industry defined voluntary scheme operating through which network equipment vendors subject their product development and lifecycle processes to a comprehensive security audit. Successful vendors are awarded security accreditation for the audited processes in relation to current active NESAS release.
An overview of NESAS, the involved stakeholders and the processes of accreditation and evaluation is provided by the NESAS Overview document that is referenced in the Key documents section below.
Advantages to vendors
- Demonstrates commitment to security and reduces risks for customers
- Means fewer individual audits
- Provides accreditation from the world’s leading mobile industry representative body
- Delivers a world-class security review of security related processes
- Offers a uniform approach to security audits
- Avoids fragmentation and potentially conflicting security assurance requirements in different markets
Advantages to mobile operators
- No need to spend money and time conducting individual vendor audits
- Audits are conducted by highly-qualified individuals at no cost to the operator
- The scheme sets a rigorous security standard requiring a high-level of vendor commitment
- Offers peace of mind that vendors have implemented appropriate security measures and practices
NESAS audits of infrastructure equipment vendors cover the following areas
- Security by design
- Version control systems
- Source code review
- Software security testing
- Vulnerability remedy processes
- Information security management system
- Build tool and environment controls
- Vulnerability information management
- Software integrity protection
- Security fix communications
- Customer Documentation
- Staff education
The GSMA has developed the security requirements and processes for NESAS in collaboration with 3GPP, operators and vendors. A world-class security auditing company, which will conduct the audits on behalf of the GSMA, is in the process of being selected. Supporting guidelines are available on request to help vendors interpret the security standards. An accreditation board is maintained within the GSMA to oversee and develop the scheme and to formally award accreditation.
The GSMA widely publicises vendors that gain accreditation under the scheme, highlighting to its members the benefits of acquiring infrastructure from such vendors. Accredited vendors may use the special NESAS vendor logo on their promotional materials, increasing visibility of their accredited status among mobile operators.
The Network Equipment Security Assurance Scheme is open to all infrastructure equipment vendors, regardless of location, and the GSMA welcomes the participation of all interested parties.
FS.13 Network Equipment Security Assurance Scheme Overview
FS.14 Network Equipment Security Assurance Scheme Security Test Laboratory Accreditation
FS.15 Network Equipment Security Assurance Scheme Vendor Development and Product Lifecycle Requirements and Accreditation Process
FS.16 Network Equipment Security Assurance Scheme Dispute Resolution Process
Guidelines documents that help participating vendors to interpret the Vendor Development and Product Lifecycle Requirements and Accreditation Process standard are available on request.
Current NESAS Status and Release
NESAS is currently running in pilot mode. The initial set of NESAS documents has been drafted and is now out for review during a pilot of all the processes defined within NESAS. On successful completion of the pilot the first official NESAS Release will be announced.