What is the GSMA Network Equipment Security Assurance Scheme (NESAS)?
The GSMA Network Equipment Security Assurance Scheme (NESAS) is here to facilitate improvements in network equipment security levels across the mobile industry by providing one universal and global security assurance framework, ultimately raising confidence and trust in mobile network equipment.
The purpose of the scheme is to audit and test network equipment vendors, and their products, against a security baseline, so they can demonstrate to network operators that they are conforming to the desired standard. The scheme has been defined by industry experts through GSMA and 3GPP. Therefore, it reflects the security needs of the entire ecosystem, including governments, mobile network operators and regulators.
In addition, GSMA’s Network Equipment Security Assurance Scheme brings other benefits to equipment vendors and MNOs. Firstly, having one scheme decreases the duplication of work and security testing when serving a variety of markets. Secondly, it increases the transparency and comparability of the products on offer to network operators.
Security by design
In essence, GSMA NESAS highlights the ability of network equipment vendors to meet and maintain rigorous security levels, from product design and development through to the delivery of the final product and its maintenance. Consequently, it drives higher standards of security and resilience across the mobile industry globally.
So that everyone can benefit from what’s achieved through the scheme, GSMA shares with its members and other stakeholders a list of audited equipment vendors’ product development and lifecycle management processes, along with their evaluated network products. Please note, the scheme is open to all infrastructure equipment vendors, regardless of location.
Security assurance plus
The Audits involve internal and external assessments of the vendor’s processes, using world-class security auditing companies to conduct the reviews on behalf of GSMA. The Product Evaluations assess the network equipment products that are developed in accordance with these processes, using 3GPP-defined security test cases. The Evaluations are carried out by Authorised GSMA NESAS Test Laboratories. Prior to audits and evaluations, vendors are required to self-assess their processes and product security against defined security requirements. Supporting guidelines are available to help on request.
GSMA maintains a NESAS Oversight Board to govern and develop the scheme. A summary of the scheme is contained in our accompanying web pages and full details of the scheme may be found on our Documentation page.
No, NESAS does not accredit or certify equipment vendors or their products. Accreditation refers only to the Security Test Laboratories that perform network product evaluations. These Security Test Laboratories must be ISO 17025 accredited in the context of NESAS, in order to perform product evaluations.
NESAS introduces a security baseline, which participating equipment vendors are requested to achieve by fulfilling the security requirements. NESAS will evolve over time, driven by various factors, including a raised baseline with new requirements. Feedback and experience from applying NESAS in practice will help determine what enhancements may be required.
If you would like to know more or speak to someone about GSMA NESAS, please get in touch.