FS.16 Network Equipment Security Assurance Scheme – Development and Lifecycle Security Requirements
Within NESAS, the Vendor Development and Product Lifecycle covers specific aspects potentially impacting the security of manufactured network equipment over its lifetime, including initial planning, design, implementation, delivery, in-service updates, and eventual decommissioning.
This document defines security requirements applicable to Equipment Vendor’s Development and Product Lifecycle Processes under NESAS.
Audience: Auditor, Technical security practitioner
Resource technology specifics: Radio access network (RAN), Core network
Resource type: Specification
Resource enforcement: Voluntary
Resource certification type: Self-assessment,
– Demonstrates commitment to security and reduces risks for customers
– May result in fewer individual audits
– Delivers a baseline security review of relevant processes
– Offers a uniform approach to security audits
– Avoids fragmentation and potentially conflicting security assurance requirements in different markets
Operators:
– Audits are conducted by qualified individuals at no cost to the operator
– The scheme sets a baseline security standard requiring a high level of vendor commitment
– Offers peace of mind that vendors have implemented appropriate security procedures
– Up-front and ongoing cost of investment in compliant security controls and certification
Operators:
– Visibility of certification status only; no first-hand view of security controls
– NESAS requirements may not provide coverage of bespoke operator requirements.