Once a Process Audit has been conducted the manufacturer’s network products, that have been developed in accordance with the audited process, may be assessed. Here, the product security levels are evaluated and documented by an Authorised GSMA NESAS Test Laboratory of choice, against security requirements and test cases defined by 3GPP.
The resulting evaluation report can be forwarded to mobile network operators, or other stakeholders
An equipment vendor that wants its network product(s) to be evaluated, approaches an accredited NESAS security test laboratory and contracts the laboratory to perform product evaluations for individual network products. The vendor may be motivated to do so by mobile network operator customers requesting all products it purchases to be NESAS evaluated.
The evaluation report, created by an accredited NESAS Security Test Laboratory, lists the network product(s) and their versions/releases that had been evaluated. The operator should obtain the evaluation report to determine if the network equipment deployed is covered. Some evaluation reports are announced on the public GSMA NESAS website under NESAS Evaluated Network Products. But since the publication of evaluation reports is optional for equipment vendors, some equipment may be evaluated without being listed. The safest way for the operator is to contact the equipment vendor and to ask for the evaluation report.
Test cases for individual network functions are defined by the 3rd Generation Partnership Project (3GPP), which is an international standards development organisation (SDO), in a Security Assurance Specification (SCAS). Experts from interested stakeholders (e.g. equipment vendors, mobile network operators and regulators) define the test cases that make up the specifications and these are used by the NESAS security test laboratories to undertake product evaluations.
If you would like to know more or speak to someone about the scheme, please get in touch.