After the Process Audit, comes the Product and Evidence Evaluation. Whereas the audit assesses the processes to create the products, the evaluation concerns the resulting products. The vendor’s selected Authorised GSMA NESAS Test Laboratory evaluates and documents the products’ security levels, against requirements and test cases defined by 3GPP.
Vendors can forward the resulting evaluation report to mobile network operators or other stakeholders.
An equipment vendor. Chiefly, because their mobile network operator customer(s) is requesting that all the products they purchase are NESAS evaluated. The vendors can approach an Authorised GSMA NESAS Test Laboratory and contract them to perform product evaluations.
Authorised GSMA NESAS Security Test Laboratories create evaluation reports that list the evaluated network product(s) and their versions/releases. The operator should obtain the evaluation report to determine the status of their network equipment. You can find some evaluation reports on the public GSMA NESAS website, under NESAS Evaluated Network Products. Although publicising evaluation reports is optional for equipment vendors. So, the safest way for the operator is to contact the equipment vendor and ask for the evaluation report.
The 3rd Generation Partnership Project (3GPP) defines test cases for individual network functions. It’s an international Standards Development Organisation (SDO) in Security Assurance Specification (SCAS). Expert stakeholders (e.g. equipment vendors, mobile network operators and regulators) define the test cases that make up the specifications. NESAS security test laboratories then use these to undertake product evaluations.
If you would like to know more or speak to someone about the scheme, please get in touch.