What is NESAS and its scope?

NESAS – Network Equipment Security Assurance Scheme – is a voluntary initiative of the mobile industry to launch an ongoing security improvement program that is focussed on mobile network infrastructure equipment. In its first incarnation, NESAS covers equipment designed to support functions defined by 3GPP that is deployed by mobile network operators on their networks. NESAS consists of two major elements:

(1) security assessments of vendor development and product lifecycle processes and
(2) security evaluations of network products.

The combination of both these activities defines and introduces a baseline security level that should be reached by the mobile industry. NESAS does not cover shipment and deployment of network equipment nor the configuration and operation of network equipment within mobile networks.

What is the main objective of NESAS?

The overall objective of NESAS is to provide an industry-wide security assurance framework and security baseline to facilitate improvements in security levels across the whole mobile industry. To achieve this, NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as security test cases for the security evaluation of network equipment.

What are the benefits of NESAS?

NESAS bestows a number of benefits on different stakeholders, including;

Equipment vendors:

  • Demonstrate adherence to security requirements to relevant stakeholders;
  • Illustration of the vendor’s development and maintenance and product security capabilities;
  • Avoidance of globally inconsistent and conflicting security requirements and conformance fragmentation; and
  • Unified set of security requirements eases network product development and global sales

Mobile network operators:

  • Visibility of security capabilities of equipment vendors and their network products prior to purchase;
  • Baseline of security requirements that can be fulfilled by network equipment products; and
  • Testing of security baseline outsourced to accredited test laboratories reduce security testing efforts for individual operators.

National authorities and regulators:

  • Security assurance scheme readily available for their use;
  • Increase effective security while not negatively impacting the industry; and
  • Help avoids fragmentation of security requirements across the global market.

To what extent is NESAS a security improvement program?

NESAS introduces a security baseline and participating equipment vendors are requested to achieve this baseline by fulfilling the security requirements. NESAS will evolve over time, driven by various factors including a raised baseline and new requirements. Feedback and experience from applying NESAS in practice will help determine what enhancements may be required.

Who participates in NESAS?

NESAS operations are managed by GSMA. The NESAS documentation is created by GSMA’s Fraud and Security Group, which consists of equipment vendors, mobile network operators and national security authorities. Equipment vendor process assessment auditing companies and security test laboratories that undertake network equipment security evaluations have also been involved.

The 3rd Generation Partnership Project (3GPP) – a global standards development organisation (SDO) creates and maintains the security requirements and test cases for network equipment evaluations. These documents, which are developed and agreed by consensus, are owned by the Security Working Group (called SA3), which welcomes contributions

NESAS is open to receiving contributions from a range of stakeholders, regardless of whether they are GSMA members, and we encourage them to get involved and to contribute to defining and enhancing all aspects of the scheme.

Is NESAS an accreditation/certification scheme?

No, NESAS does not accredit or certify equipment vendors or their products. Accreditation refers only to the Security Test Laboratories that perform network product evaluations. These Security Test Laboratories must be ISO 17025 accredited in the context of NESAS in order to perform product evaluations.

Can GSMA NESAS be used as a basis for a certification scheme?

Yes, it can. NESAS is designed to be recognised and adopted by regulatory authorities and the scheme provides the methodology, security requirements and security test cases, necessary to support a robust security framework. In its current construction, NESAS does include the enablers for a certification scheme to be developed. In designing a certification scheme, the existing GSMA NESAS defines:

  • Auditing Organisation appointment;
  • Test Laboratory accreditation;
  • Vendor processes and Network Product related security requirements; and
  • Vendor processes assessment and product evaluation methodologies.

And these can all be used. Thus, the only enabler that would need to be developed to support certification, is the establishment of a certification body and its related functions.

Does NESAS cover and secure the entire supply chain?

NESAS covers the part of the supply chain where network equipment vendors and their products are involved. NESAS is focussed on secure product development and maintenance by equipment vendors. Aspects beyond this initial scope are not covered by NESAS but the GSMA is already considering options to widen the scope of the scheme.

What is an equipment vendor process assessment?

Mobile network equipment vendors – like all hardware/software suppliers – have defined internal processes which they follow for product development and maintenance. In order to develop secure products, these processes need to integrate security controls. NESAS requires certain security controls to exist at each equipment vendor and it seeks to verify, through a self-assessment and an independent audit, that the vendor has put these security controls in place and that it adheres to them. Implementing these security requirements ensures the risk of design flaws and implementation errors is mitigated and security-focused maintenance of developed products (e.g. patch management) is demonstrated to be in place.

Is the vendor development and lifecycle process assessment a documentation only review?

The audit starts with an assessment of the documented processes, which entails a desktop documentation review. Later, an on-site audit will enable the audit team to determine, if the documented processes are applied in practice.

Who, or what event, triggers a vendor processes assessment?

It is solely at the discretion of the equipment vendor to approach one of the GSMA-appointed auditors to request it to conduct an audit of its processes. The vendor may be encouraged to do so by mobile network operator customers that request their vendors to have undergone a NESAS vendor processes assessment.

If the vendor’s processes have undergone a change after the assessment then this should trigger a re-assessment. Additionally, if additional requirements are added to NESAS, this may necessitate a re-assessment.

Who performs the vendor processes assessment?

NESAS defines how the assessment is performed and it consists of two steps. The first involves the vendor carrying out a self-assessment and, if satisfied that it meets the requirements, it can claim conformance. The second step involves an independent auditing company assessing if the vendor’s processes satisfy the defined security requirements and verifying if the processes have been applied and are complied with. The auditing companies are appointed by GSMA and equipment vendors can choose from those that are shortlisted by GSMA. The GSMA appoints competent auditors based on defined eligibility criteria following a competitive requests for proposal process.

How can auditors determine competency requirements to become a NESAS auditor?

Annex E of FS.15 Vendor Development and Product Lifecycle Assessment Methodology contains NESAS Auditor Competency Requirements and Guidelines which, in conjunction with advice and direction from the GSMA, provide a good introduction to understanding the competencies required to becoming a NESAS auditor.

Who are the NESAS auditors?

The NESAS auditors were appointed by GSMA following a rigorous tender process and the current auditing companies that can undertake NESAS vendor process assessments are ATSEC and NCC Group.

Are all vendor process assessments published?

All summary audit reports authorised to be published by the vendor will be available on the GSMA NESAS website following completion of the assessment.

Is there a difference between a NESAS auditor and a security test laboratory?

Yes, the auditors and security test laboratories perform very different roles. The GSMA appointed NESAS auditors carry out the vendor development and product lifecycle process assessment.
The NESAS security test laboratories perform network product evaluations. These consist of security testing of network products and evidence evaluation. The evidence is provided by the equipment vendor and demonstrates that the equipment vendor followed its own development and product lifecycle processes as assessed by the GSMA appointed auditors.

How can an organisation become a NESAS security test laboratory?

Any IT/network security testing laboratory that is experienced in IT, network and telecommunications security testing can apply to become a NESAS test laboratory. The laboratory will have to undergo ISO 17025 accreditation with a recognised ILAC member ISO 17025 accreditation body assessing its competence in the context of NESAS. This means that the test laboratory must demonstrate it adheres to ISO 17025 and demonstrate its proficiency in executing tests as defined in the 3GPP-defined Security Assurance Specifications (SCAS). All security test laboratories that are deemed by an ILAC member to have satisfied the ISO 17025 and NESAS requirements, and that have been ISO 17025 accredited, will be considered to have achieved NESAS accreditation. Accredited test laboratories that wish to undertake NESAS product evaluations can inform GSMA of their accredited status and provide a copy of their ISO 17025 certificates.

How can test labs determine competencies required to become a NESAS Security Test Laboratory?

FS.14 Security Test Laboratory Accreditation Requirements and Process contains NESAS Security Test Laboratory Competency Guidelines which, in conjunction with advice and direction from ISO/IEC 17025 Accreditation Bodies, provide a good introduction to understanding the competencies required to becoming a NESAS Security test laboratory

Is there a public list of accredited test laboratories?

GSMA maintains a list of accredited NESAS security test laboratories on its website. It is not mandatory for test laboratories to be listed there but if a successfully accredited test laboratory wishes to be listed, the test laboratory needs to inform GSMA and submit its ISO/IEC 17025 accreditation certificate. GSMA will then list the test laboratory for the timeframe the certificate is valid. Should anything change during this timeframe, or should the accreditation have been renewed, it is the responsibility of the test laboratory to update the GSMA with the latest information related to the accreditation and its status.

How are vendor processes assessment and network product evaluation linked?

The auditor assesses the vendor’s product development and lifecycle processes. A security test laboratory evaluates the vendor’s network product. For each of these activities, a different set of security requirements exist. NESAS is designed for equipment vendors to have their internal processes assessed for those products they hand on to test laboratories for evaluation. The test laboratory will not only run security tests on the equipment. The laboratory will also examine the evidence, delivered by the equipment vendor, that demonstrates the vendor followed their own assessed processes for producing the product under evaluation. The evaluation report that is produced by the test laboratory, consists of both test results and evidence evaluation results.

Who or what event triggers a network product evaluation?

An equipment vendor that wants its network product(s) to be evaluated, approaches an accredited NESAS security test laboratory and contracts the laboratory to perform product evaluations for individual network products. The vendor may be motivated to do so by mobile network operator customers requesting all products it purchases to be NESAS evaluated.

How can a mobile network operator verify if equipment deployed in its network is NESAS evaluated?

The evaluation report, created by an accredited NESAS Security Test Laboratory, lists the network product(s) and their versions/releases that had been evaluated. The operator should obtain the evaluation report to determine if the network equipment deployed is covered. Some evaluation reports are announced on the public GSMA NESAS web site under NESAS Evaluated Network Products. But since the publication of evaluation reports is optional for equipment vendors, some equipment may be evaluated without being listed. The safest way for the operator is to contact the equipment vendor and to ask for the evaluation report.

Where do test cases used for network product evaluations come from?

Test cases for individual network functions are defined by the 3rd Generation Partnership Project (3GPP), which is an international standards development organisation (SDO), in a Security Assurance Specification (SCAS). Experts from interested stakeholders (e.g. equipment vendors, mobile network operators and regulators) define the test cases that make up the specifications and these are used by the NESAS security test laboratories to undertake product evaluations.

What happens in the event of a dispute?

The Network Equipment Security Assurance Scheme Dispute Resolution Committee (NESAS DRC) acts to handle disputes that may arise with regards to the interpretation or implementation of NESAS documentation that have not been resolved between two or more parties. The NESAS DRC is appointed on a per dispute basis to ensure each dispute is handled in a non-partisan manner. The NESAS dispute resolution process is defined in detail in FS.13 – Network Equipment Security Assurance Scheme – Overview.

Will NESAS be enhanced?

NESAS is designed to be enhanced in a number of ways, including broadening the functions and security requirements defined by 3GPP, improving the processes defined by GSMA and taking into account improvement suggestions from scheme participants and stakeholders such as national authorities.

Are there different assurance levels for vendor assessment?

There are no different assurance levels. Vendors need to fulfil all the security requirements as defined in FS.16 Network Equipment Security Assurance Scheme – Vendor Development and Product Lifecycle Security Requirements. The compliance to each requirement is assessed in order to determine full compliance to FS.16

What is new in Release 2.0?

NESAS Release 2.0 introduced a number of changes across all four scheme documents and the highlights are as follows;

  • A number of definitions and terms were updated
  • Compliance Declaration and Conformance Claim templates introduced
  • NESAS development and product lifecycle management document updated to apply more generically to potential NESAS derivative schemes
  • Auditor competency requirements and guidelines added
  • Interim development and product lifecycle management audits are provided for
  • Evidence evaluation and product evaluation added to the test lab requirements
  • New security requirement on third party components added to the scheme
  • Security requirements grouped and renumbered