What is NESAS and its scope?

NESAS – Network Equipment Security Assurance Scheme – is a voluntary initiative of the mobile industry to launch an ongoing security improvement programme that is focussed on mobile network infrastructure equipment. In its first incarnation, NESAS covers equipment designed to support functions defined by 3GPP that is deployed by mobile network operators on their networks. NESAS consists of two major elements:

(1) security assessments of vendor development and product lifecycle processes; and
(2) security evaluations of network products.

The combination of both these activities define and introduce a baseline security level that should be reached by the mobile industry. NESAS does not cover shipment and deployment of network equipment nor the configuration and operation of network equipment within mobile networks.

What is the main objective of NESAS?

The overall objective of NESAS is to provide a security assurance framework and security baseline to facilitate improvements in security levels across the whole mobile industry. To achieve this, NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as security test cases for the security evaluation of network equipment.

What are the benefits of NESAS?

NESAS bestows a number of benefits on different stakeholders, including;

Equipment vendors:

  • Demonstrate adherence to security requirements to relevant stakeholders;
  • Illustrate development and maintenance and product security capabilities;
  • Avoid globally inconsistent and conflicting security requirements and conformance fragmentation; and
  • Access a unified set of security requirements which eases network product development and global sales.

Mobile network operators:

  • Have visibility of security capabilities of equipment vendors and their network products prior to purchase;
  • Provided with baseline security requirements that can be fulfilled by network equipment products; and
  • Reduce security testing efforts as security baseline testing is outsourced to accredited test laboratories.

National authorities and regulators:

  • A security assurance scheme readily available for use;
  • Increase effective security while not negatively impacting the industry; and
  • Helps avoid fragmentation of security requirements across the global market.

Who participates in NESAS?

NESAS operations are managed by the GSMA. The NESAS documentation is created by the GSMA’s Fraud and Security Group, which consists of equipment vendors, mobile network operators and national security authorities. Equipment vendor process assessment auditing companies and security test laboratories that undertake network equipment security evaluations have also been involved.

The 3rd Generation Partnership Project (3GPP) – a global standards development organisation (SDO) – creates and maintains the security requirements and test cases for network equipment evaluations. These documents, which are developed and agreed by consensus, are owned by the Security Working Group (called SA3), which welcomes contributions.

NESAS is open to receiving contributions from a range of stakeholders, including from those who are not members of the GSMA, and we encourage them to get involved and to contribute to defining and enhancing all aspects of the scheme.

Is NESAS an accreditation/certification scheme?

No, NESAS does not accredit or certify equipment vendors or their products. Accreditation refers only to the Security Test Laboratories that perform network product evaluations. These Security Test Laboratories must be ISO/IEC 17025 accredited in the context of NESAS in order to perform product evaluations.

Does NESAS cover and secure the entire supply chain?

NESAS covers the part of the supply chain where network equipment vendors and their products are involved. NESAS is focussed on secure product development and maintenance by equipment vendors. Aspects beyond this initial scope are not covered by NESAS but the GSMA is already considering options to widen the scope of the scheme.

What is an equipment vendor process assessment?

Mobile network equipment vendors – like all hardware/software suppliers – have defined internal processes which they follow for product development and maintenance. In order to develop secure products, these processes need to integrate security controls. NESAS requires certain security controls to exist at each equipment vendor and it seeks to verify, through a self-assessment and an independent audit, that the vendor has put these security controls in place and that it adheres to them. Implementing these security requirements ensures the risk of design flaws and implementation errors is mitigated, and security-focused maintenance of developed products (e.g. patch management) is demonstrated to be in place.

Who performs the vendor processes assessment?

NESAS defines how the assessment is performed and it consists of two steps. The first involves the vendor carrying out a self-assessment and, if satisfied that it meets the requirements, it can claim conformance. The second step involves an independent auditing company assessing if the vendor’s processes satisfy the defined security requirements and verifying if the processes have been applied and are complied with. The auditing companies are appointed by GSMA and equipment vendors can choose from those that are shortlisted by GSMA. The GSMA appoints competent auditors based on defined eligibility criteria following a competitive requests for proposal process.

Who are the NESAS auditors?

The NESAS auditors were appointed by GSMA following a rigorous tender process and the current auditing companies that can undertake NESAS vendor process assessments are ATSEC and NCC Group.

Are all vendor process assessments published?

All summary audit reports authorised to be published by the vendor will be available on the GSMA NESAS website following completion of the assessment.

Is there a difference between a NESAS auditor and a security test laboratory?

Yes, the auditors and security test laboratories perform very different roles. The GSMA appointed NESAS auditors carry out the vendor development and product lifecycle process assessment.
The NESAS security test laboratories perform network product evaluations. These consist of security testing of network products and evidence evaluation. The evidence is provided by the equipment vendor and demonstrates that the equipment vendor followed its own development and product lifecycle processes as assessed by the GSMA appointed auditors.

How can an organisation become a NESAS security test laboratory?

Any IT/network security testing laboratory that is experienced in IT, network and telecommunications security testing can apply to become a NESAS test laboratory. The laboratory will have to undergo ISO/IEC 17025 accreditation with a recognised ILAC member ISO/IEC 17025 accreditation body assessing its competence in the context of NESAS. This means that the test laboratory must demonstrate it adheres to ISO/IEC 17025 and demonstrate its proficiency in executing tests as defined in the 3GPP-defined Security Assurance Specifications (SCAS). All security test laboratories that are deemed by an ILAC member to have satisfied the ISO/IEC 17025 and NESAS requirements, and that have been ISO/IEC 17025 accredited, will be considered to have achieved NESAS accreditation. Accredited test laboratories that wish to undertake NESAS product evaluations can inform GSMA of their accredited status and provide a copy of their ISO/IEC 17025 certificates.

Is there a public list of accredited test laboratories?

GSMA maintains a list of accredited NESAS security test laboratories on its website. It is not mandatory for test laboratories to be listed there but if a successfully accredited test laboratory wishes to be listed, the test laboratory needs to inform GSMA and submit its ISO/IEC 17025 accreditation certificate. GSMA will then list the test laboratory for the timeframe the certificate is valid. Should anything change during this timeframe, or should the accreditation have been renewed, it is the responsibility of the test laboratory to update the GSMA with the latest information related to the accreditation and its status.

What happens in the event of a dispute?

The Network Equipment Security Assurance Scheme Dispute Resolution Committee (NESAS DRC) acts to handle disputes that may arise with regards to the interpretation or implementation of NESAS documentation that have not been resolved between two or more parties. The NESAS DRC is appointed on a per dispute basis to ensure each dispute is handled in a non-partisan manner. The NESAS dispute resolution process is defined in detail in FS.13 – Network Equipment Security Assurance Scheme – Overview.