NESAS Documents
GSMA Network Equipment Security Assurance Scheme documentation
The GSMA NESAS implementation document and the NESAS specifications are on this page. The 3GPP specifications define the scheme. While the scheme’s processes and requirements are from the GSMA.
NESAS improves by iterations. As GSMA maintains these documents, your feedback is appreciated to help make future iterations the best they can be.
NESAS Specifications
The GSMA publishes the following specifications:
| FS.13 – NESAS – Framework | Familiarise yourself with the processes, procedures and application of NESAS specifications. |
| FS.14 – NESAS – Requirements for NESAS Auditing Organisations, NESAS Security Test Laboratories, and Associated Personnel Accreditation | Capabilities required to perform audits and testing |
| FS.15 – NESAS – Assessment methodology for Vendor Development and Product Lifecycle Processes | The methodology equipment vendors and auditors should adhere to during assessment of processes |
| FS.16 – NESAS – Security requirements for Vendor Development and Product Lifecycle Processes | Security requirements that should be adhered to when developing and maintaining network equipment |
| FS.46 – NESAS Audit Guidelines | Additional information for equipment vendors and auditors on how to prepare and carry out an audit. |
| FS.47 – NESAS – Methodology for Product and Evidence Evaluation | Details of how the product and evidence evaluation works. |
| FS.50 – NESAS – Requirements for Security Assurance Specification Development | How standards developing organisations should develop Security Assurance Specifications (SCASes). |
| FS.62 – NESAS – Adoption Procedure for Security Assurance Specifications | The procedures GSMA adheres to when adopting Security Assurance Specifications (SCASes) |
GSMA NESAS Implementation Documents
The GSMA publishes the following scheme documentation:
| FS.51 – GSMA NESAS Implementation | GSMA NESAS implementation, relying on the NESAS specifications |
Adopted Security Assurance Specifications
The GSMA publishes the following document, containing a list of adopted Security Assurance Specifications (SCAS)
| FS.63 – List of adopted Security Assurance Specifications | List of adopted Security Assurance Specifications |
NESAS Maintenance Notes
For each update of a NESAS specification, the changes are summarised in the respective NESAS maintenance note.
| NESAS specification | Changes |
| FS.13 Update from v2.3 to v3.0 | Material changes |
| Role of Scheme Owner and requirements on Scheme Owner defined. Authorisation of NESAS Auditing Organisations newly introduced. Authorisation of NESAS Security Test Laboratories introduced, which makes accreditation one of the possible options to qualify a NESAS Security Test Laboratory for NESAS and introduces more flexibility. | |
| Non-material changes | |
| List of adopted SCASes moved to new FS.63. Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.14 Update from v2.3 to v3.0 | Material changes |
| FS.14 now covers expectations on Auditors, NESAS Auditing Organisations, Evaluators, and NESAS Security Test Laboratories. Requirements on NESAS Auditing Organisations newly introduced. Requirements on NESAS Security Test Laboratories generalised, which makes accreditation one of the possible options to qualify a NESAS Security Test Laboratory for NESAS and introduces more flexibility to Scheme Owners. | |
| Non-material changes | |
| Entire text in FS.15, Annex E on NESAS Auditor competency requirements moved to FS.14 and updated. Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.15 Update from v2.3 to v3.0 | Material changes |
| None. | |
| Non-material changes | |
| More guidance on selection of the site for on-site audits and who is expected to be physically present newly added. Moved text on independence of the NESAS Auditing Organisation from FS.14 to FS.15. Annex E moved to FS.14. Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.16 Update from v2.3 to v3.0 | Material changes |
| None. | |
| Non-material changes | |
| Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.46 Update from v2.1 to v3.0 | Material changes |
| None. | |
| Non-material changes | |
| Clarity of guidance for requirement REQ-GEN-06 improved. Removal of normative language, as the document is informative. Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.47 Update from v2.0 to v3.0 | Material changes |
| None. | |
| Non-material changes | |
| Some requirements on Evaluators for individual evaluations moved from FS.14 to FS.47. New requirement added to put date when vulnerability testing was performed into the Evaluation Report. SCAS adoption process moved to new FS.62. List of adopted SCASes moved to new FS.63. Content on trial evaluations moved to new FS.51. Clarity of descriptions and consistent use of terms improved. Definitions updated. Separation of NESAS specifications from scheme run by GSMA. Details of GSMA NESAS have moved to new FS.51. | |
| FS.50 Update from v1.0 to v2.0 | Material changes |
| None. | |
| Non-material changes | |
| SCAS adoption procedure moved from FS.50 to new FS.62. Clarity of descriptions and consistent use of terms improved. Definitions updated. More consistent use of normative language. | |
| FS.51 New PRD v1.0 | Material changes |
| GSMA NESAS implementation operated by GSMA is defined in this new PRD. Text was mostly moved from other NESAS documents. Changes to the scheme are mainly those described for FS.13 above. | |
| Non-material changes | |
| NOTE: FS.51 is the GSMA NESAS definition. It is not part of the NESAS specifications. | |
| FS.62 New PRD v1.0 | Material changes |
| Clarification that NESAS Group adopts SCASes for all schemes. A Scheme Owner can choose to use all adopted SCASes or a subset of them. | |
| Non-material changes | |
| SCAS adoption procedure moved from FS.50 to new FS.62. | |
| FS.63 New PRD v1.0 | Material changes |
| None. | |
| Non-material changes | |
| List of adopted SCASes has moved from the NESAS website to new FS.63. | |
FS.63 Update from v1.0 to v2.0 | Material changes |
| None. | |
| Non-material changes | |
| List of SCASes has been updated to reflect adoption of new SCASEs from 3GPP and ETSI. |
Want to know more or speak to someone about GSMA NESAS? Then please get in touch here.