NESAS: The vendor perspective

How it’s bringing clarity and confidence for growth

In today’s interconnected and rapidly evolving technology landscape, having one global network security scheme – reflecting the needs of the entire ecosystem – has become vital. Launched in 2019, the Network Equipment Security Assurance Scheme (NESAS) does this, enabling vendors to demonstrate strong baseline security levels through one universal scheme – based on 3GPP and GSMA standards – that continually evolves to meet the needs of the whole industry.

Because NESAS is a GSMA-run scheme, we conduct regular check-ups to understand how well it is working and what can be improved. The latest results show that registration by vendors continues to grow, with major vendors including Ericsson, Nokia, Samsung, Huawei, ZTE and Mavenir adopting the scheme, and two key hyperscalers, Microsoft and Oracle, joining more recently.

“All of us have a singular priority – and that is making our digital world safer going forward. We’re really excited to see GSMA step up and assert a much more standardised framework globally.” Matt Bael, GVP, Oracle

How well is NESAS working so far?

There is good consensus about the clarity and assurance NESAS is providing. Rasma Araby, Managing Director of Atsec, one of the scheme’s independent auditors and authorised test labs, believes that NESAS is already having a substantial impact by providing business and regulatory confidence across the industry:

MNOs: “NESAS has not only served as a tool for MNOs to evaluate the security posture of network equipment but has also facilitated informed procurement decisions, contributing to a more secure network ecosystem.”

Regulators: “NESAS aligned itself with security requirements mandated by regulatory bodies, ensuring that network equipment complies with requirements from international regulatory authorities.”

Vendors: “Atsec has witnessed commitment from equipment vendors to regularly undergo NESAS audits and subject themselves to an independent third-party assessment of their development and lifecycle processes.”

The vendor perspective

How does NESAS help?

“NESAS provides us with a unified, standardised way of proving our level of security to external stakeholders.” Anna Kåhre, Product Security Director, Ericsson

With such a vast global ecosystem of network equipment suppliers, as well as an ever-expanding array of critical network assets, NESAS not only provides certainty for vendors in developing their end-to-end products and processes, it also drives industry-wide improvement. As Matt Bael, GVP of Oracle, says, “Let’s face it, the mobile industry is a patchwork quilt of varying capabilities. With the effort around NESAS and other security mechanisms, we’re really saying there has to be a minimum bar to ensure that we have the trust and credibility.”

Furthermore, vendors gain clarity through the complexity of fast-changing regulation, knowing that NESAS continually evolves in line with documentation published by GSMA and 3GPP. As Anna Kåhre from Ericsson says, “Given our vast portfolio, the NESAS audits and evaluations have given us and our customers a commonly recognised way of proving assurance, which is growing more important given today’s regulatory landscape.”

Effective collaboration between auditors and vendors

“One of the most useful aspects of NESAS is the relationship between auditors and the vendors, enabling dynamic improvement and advice.” Louise Wickström Livijn, Security Strategy and Assurance Lead

NESAS was specifically designed to support vendors, with audits and evaluations providing an opportunity for discussion and analysis, enabling them to grow sales with confidence.

Initial research shows that this is working as planned. “For Ericsson it’s been a fantastic experience working with GSMA and the auditors,” says Louise Wickström Livijn. “We are excited to see that Ericsson is further challenged and requested to provide solid evidence every time, in every audit. And we are happy to receive more in-depth analysis and improvement recommendations as this shows that the standard is continually evolving.”

How is NESAS responding to change? 

“NESAS continues to mature and so do the audit and evaluation processes. Our hope is that NESAS also continues to mirror key requirements and regulations in the market, ensuring NESAS can become the global standard it was intended to be.”

Patrik Palm, Head of Product Security Frameworks, Ericsson 

With the pace of technology and regulatory development, it’s important that vendors receive rapid evaluation as well as clear direction. NESAS has responded by simplifying and accelerating processes. “NESAS has refined its assessment methodologies and criteria to streamline the NESAS audit process,” says Patrik Palm. “These improvements have ensured that assessment procedures are efficient and capable of delivering consistent and reliable results.”

This is something the Network Equipment Security Assurance Scheme Group (NESASG) will continue to monitor and develop in line with industry requirements. Speed and quality will always be fundamental to the scheme, and other areas are being considered to meet the needs of the vendor ecosystem. As Anna Kåhre says, “As for the future, we are hopeful that the NESAS standard will be further developed to fit a modern Continuous Integration/Continuous Delivery (CI/CD) reality, accommodating rapid release cycles and connected pipelines.”

GSMA understands that security is the most critical aspect of future networks. We will continue to consult with the entire ecosystem to ensure NESAS evolves to protect networks and customers, while supporting vendors in their growth ambitions.