Network Equipment Security Assurance Scheme (NESAS)

Friday 1 Nov 2019 | Build | Design and Development | NESAS | Procurement

The Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, and uses 3GPP-defined security test cases for the security evaluation of network equipment.

NESAS provides a security baseline to evidence that network equipment satisfies a list of security requirements and has been developed in accordance with vendor development and product lifecycle processes that provide security assurance. NESAS is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network. The scheme should be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to place additional security requirements.

Audience: Technical security practitioner, Auditor

Resource target industry: Telecommunications

Resource technology specifics: Radio access network (RAN), core network

Resource type: Guideline

Resource enforcement: Voluntary

Resource certification type: Third party audit

Advantages

Network Operators

  • Raise confidence and trust in mobile network equipment
  • Increase transparency and comparability of security levels on offer
  • Industry-defined requirements decrease the need for individual security requirements to be defined and/or tested
  • Provides reference requirements for use in procurement processes

Equipment Vendors

  • Common set of assurance requirements
  • Lowers duplication of work and security testing needs
  • Highlights vendor ability to achieve/maintain security levels
  • Encourages security by design culture across the entire vendor community
  • Reduces workload responding to operator procurement processes
  • Helps avoid security requirement fragmentation across the globe

Regulators and National Security Authorities

  • Security assurance scheme entirely funded by industry
  • Single scheme that is globally relevant
  • Low barrier for innovation and entering markets
  • Cost effective scheme that drives security gains
  • Extensible as needed
  • Reuses mature models to deliver security gains

Disadvantages

  • GSMA members only
  • May not allow for in-depth security requirements