Enhancing trust in global mobile networks
|Coronavirus COVID-19 Notice
As restrictions relating to COVID-19 continue to impact and evolve, the GSMA is managing and adapting NESAS to enable the scheme to deliver security assurance by allowing equipment vendors participate as fully and safely as possible during the current global pandemic.
As an exceptional arrangement, the GSMA is temporarily waiving the requirement for NESAS audits to be conducted at equipment vendor sites. The GSMA recognises the feasibility of conducting remote audits and the ability of auditors to assess if each of the NESAS security requirements have been satisfied. Consequently, audits may be performed remotely with prior approval from the GSMA.
The Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as using 3GPP defined security test cases for the security evaluation of network equipment.
NESAS provides a security baseline to evidence that network equipment satisfies a list of security requirements and has been developed in accordance with vendor development and product lifecycle processes that provide security assurance. NESAS is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network. The scheme should be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to put additional security requirements.
Allows each vendor to define its own internal processes that describe how security is integrated into the design, development, implementation, and maintenance processes and to assess how those processes satisfy the GSMA defined security requirements. An external auditor then examines these processes and determines if they are adequate and if they are actually applied in practice. The auditor records its observations in an audit report and fully compliant vendors will have demonstrated their ability to securely develop and maintain products. While undergoing the assessment, the vendor does not have to reveal details about its internal processes to the public and the auditor is the only external third party to see them. This way, a qualified and recognised auditor can increase trust in a vendor without the vendor having to reveal internal and commercially sensitive information.
Allows security levels to be objectively measured and visualised against security requirements defined by 3GPP. Evaluations of new network equipment, as well as upgraded network equipment, are possible and the evaluations are performed by recognised and competent test laboratories. In order to ensure a high quality and consistency of testing, test laboratories must undergo ISO 17025 accreditation in the context of NESAS. Evaluation reports that are produced by these qualified and independent laboratories can be made available to prospective customers by vendors, introducing efficiencies as tests only need to be performed once and do not need to be repeated by, and for, individual stakeholders.
The first aspect requires the use of security auditors selected by GSMA to assess process whereas the second involves the use of security test laboratories that are ISO 17025 accredited and recognised by GSMA as being competent to evaluate products. Combined, both elements define the following approach:
- Vendors define and apply secure design, development, implementation, and product maintenance processes;
- Vendors assess their level of compliance to the GSMA defined Vendor Development and Product Lifecycle Security Requirements;
- Vendors demonstrate these processes to external security auditors who assess compliance to the GSMA security requirements;
- Levels of security of network equipment products are evaluated and documented by security test laboratories against security requirements defined by 3GPP SA3; and
- Documentation can be forwarded to operators together with network equipment being purchased.
The Network Equipment Security Assurance Scheme (NESAS) provides an industry solution to meet the needs of industry and other stakeholders. It is an industry defined voluntary scheme through which network equipment vendors subject their product development and lifecycle processes to a comprehensive security audit against the currently active NESAS release and its security requirements.
An overview of NESAS, the involved stakeholders and the processes of assessment and evaluation is provided in the NESAS Overview document that is referenced in the key documents section below.
NESAS development and product lifecycle assessments are conducted against security requirements that cover the following areas
- Security by design
- Version control systems
- Change tracking
- Source code review
- Security testing
- Staff education
- Vulnerability remedy processes
- Vulnerability remedy independence
- Information security management
- Automated build process
- Build environment control
- Vulnerability information management
- Software integrity protection
- Unique software release identifier
- Security fix communication
- Documentation accuracy
- Security point of contact
- Source code governance
- Continual improvement
- Security documentation
The GSMA has developed the security requirements and processes for NESAS in collaboration with 3GPP, operators and vendors. World-class security auditing companies will conduct the audits on behalf of the GSMA. Supporting guidelines are available on request to help vendors interpret the security standards and GSMA maintains a NESAS Oversight Board to govern and develop the scheme.
The GSMA maintains a list of equipment vendors that participate in the scheme that have undergone security assessments of their development and lifecycle processes and that have had network products security evaluated. GSMA promotes to its members, and other stakeholders, the benefits of acquiring infrastructure from participating vendors.
NESAS is open to all infrastructure equipment vendors, regardless of location, and the GSMA welcomes the participation of all interested parties.
- Raise confidence and trust in mobile network equipment
- Increase transparency and comparability of security levels on offer
- Industry defined requirements decreases the need for individual security requirements to be defined and/or tested
- Provides reference requirements for use in procurement processes
- Common set of assurance requirements
- Lowers duplication of work and security testing needs
- Highlights vendor ability to achieve/maintain security levels
- Encourages security by design culture across the entire vendor community
- Reduces workload responding to operator procurement processes
- Helps avoid security requirement fragmentation across the globe
Regulators and National Security Authorities
- Security assurance scheme entirely funded by industry
- Single scheme that is globally relevant
- Low barrier for innovation and entering markets
- Cost effective scheme that drives security gains
- Extensible as needed
- Reuses mature models to deliver security gains
Current NESAS Release
To find out more about the scheme, the policies, processes and procedures that define NESAS can be found in the following documents:
Monday 7 Oct 2019 | NESAS |
This document provides an overview of the NESAS scheme allowing readers to familiarise themselves with NESAS. The objective of NESAS is to provide an industry-wide security assurance Audience: Senior leadership, ...
Sunday 6 Oct 2019 | NESAS |
NESAS covers the auditing of a vendor's development and lifecycle processes against the security requirements defined under NESAS and the independent testing of manufactured network equipment by a competent test laboratory. This ...
Saturday 5 Oct 2019 | NESAS |
NESAS covers the auditing of a vendor's development and lifecycle processes against the security requirements defined under NESAS and the independent tesing of manufactured network equipment by a competent test laboratory. This ...
Friday 4 Oct 2019 | NESAS |
Within NESAS, the Vendor Development and Product Lifecycle covers specfic aspects potentially impacting the security of manfactured network equipment over its lifetime, including initial planning, design, implementation, delivery, ...
NESAS is designed to be improved iteratively. All the lessons learnt from the application of NESAS will be considered and reflected in future releases. Updated releases will take feedback from the various stakeholders into account and will also strengthen NESAS’ ability to support equipment vendors to deliver continual security improvements.