What is the GSMA Network Equipment Security Assurance Scheme (NESAS)?
The GSMA Network Equipment Security Assurance Scheme (NESAS) provides one universal and global security assurance framework to facilitate improvements in security levels across the mobile industry for network equipment vendors. The purpose of the scheme is to audit and test network equipment manufacturers and their products against a security baseline so that they can demonstrate to network operators their conformance to the desired standard. The scheme reflects the security needs of the entire ecosystem, including governments, mobile network operators and regulators, as it has been defined by industry experts through GSMA and 3GPP.
The common set of security requirements is designed to improve security levels across the mobile industry, ultimately raising confidence and trust in mobile network equipment.
In addition, GSMA’s Network Equipment Security Assurance Scheme brings other benefits to equipment vendors and MNOs. Firstly, having one scheme decreases the duplication of work and security testing when serving a variety of markets. Secondly, it increases the transparency and comparability of the products on offer to network operators.
Security by design
In essence, GSMA NESAS highlights the ability of network equipment vendors to meet and maintain rigorous security levels, from product design and development through to the delivery of the final product and its maintenance. This drives higher standards of security and resilience across the mobile industry globally.
So that everyone can benefit from what’s achieved through the scheme, GSMA shares a list of audited equipment manufacturers’ product development and lifecycle management processes and evaluates network products with its members and other stakeholders. The scheme is open to all infrastructure equipment vendors, regardless of location.
Security assurance plus
The Audits involve internal and external assessments of the vendor's processes, using world-class security auditing companies to conduct the reviews on behalf of GSMA. The Product Evaluations use 3GPP-defined security test cases for the evaluation of the network equipment products that are developed in accordance with the assessed processes. In this case, Authorised GSMA NESAS Test Laboratories carry out the evaluations. Prior to audits and evaluations, vendors are required to self-assess their processes and product security against defined security requirements. Supporting guidelines are available to help on request.
GSMA maintains a NESAS Oversight Board to govern and develop the scheme. A summary of the scheme is contained in our accompanying web pages and full details of the scheme may be found on our Documentation page.
No, NESAS does not accredit or certify equipment vendors or their products. Accreditation refers only to the Security Test Laboratories that perform network product evaluations. These Security Test Laboratories must be ISO 17025 accredited in the context of NESAS, in order to perform product evaluations.
NESAS introduces a security baseline, which participating equipment vendors are requested to achieve by fulfilling the security requirements. NESAS will evolve over time, driven by various factors including a raised baseline with new requirements. Feedback and experience from applying NESAS in practice will help determine what enhancements may be required.