GSMA Network Equipment Security Assurance Scheme (NESAS) is a set of security requirements defined for an Equipment Vendor’s Development and Product Lifecycle Processes.
GSMA 5G Cybersecurity Knowledge Base
The GSMA’s NESAS scheme is governed by the provisions set out in FS.14, FS.15, and FS.16, while the scope of the scheme has been restricted only to matters pertaining to the Vendor Development and Product Lifecycle Security Requirements.
The number of requirements is kept relatively small to keep evaluation costs reasonable and to focus on critical controls.
NESAS emphasizes on implementing security by design throughout the development and product lifecycles.
In addition, we would cover version control, change tracking, source code review, secure testing, staff education, vulnerability remediation process, and vulnerability remedy independence.
Technical explanation for 5G Security requirements as per GSMA NESAS is explained below:
Requirement 1 – Security “By Design”
The Network Product must implement security by design throughout the entire development and product lifecycles. The architecture and design decisions must be made based on a set of security principles that are tracked throughout the development and product lifecycles.
5G Security architectural principles include domain separation, layering, and encapsulation. 5G Security design principles include least privilege, attack surface minimization, centralized parameter validation and centralized security functionality, preparing for error and exception handling, and privacy by design.
In the design phase, a threat analysis process must be undertaken to identify potential threats and related mitigation measures.
Requirement 2 – Version Control System
During the entire lifetime of a Network Product, the equipment vendor must utilize a version control system on hardware, source code, build tools and environment, binary software, 3rd party components, and customer documentation, ensuring accountability, authorization, and integrity of all changes.
The goal is to be able to trace all the above elements together in a finished Network Product.
Requirement 3 – Change Tracking
The equipment vendor must establish a comprehensive, documented, and cross-network product line procedure to ensure that all requirements and design changes that may arise at any time during the development and product lifecycles and which impact the Network Product(s) are managed and tracked in a systematic and timely manner appropriate to the life cycle stage of all affected product components in all Network Products.
The goal is to ensure that all changes are made in a consistent way through the development of all affected Network Product components in all Network Products.
Requirement 4 – Source Code Review
The equipment vendor must ensure that new and changed source code dedicated for a Network Product is appropriately reviewed in accordance with an appropriate coding standard. If feasible, the review should also be implemented by means of utilizing a Source Code Analysis Tool and automation where appropriate. The goal is to help reduce the risk of software issues that could introduce vulnerabilities in the Network Product. An example of a best practice coding standard is Carnegie-Mellon, SEI CERT.
Requirement 5 – Secure Testing
Security testing should include the validation of security functionality, both positive and negative testing, as well as vulnerability testing of the Network Product. Network Products are to be tested from a security perspective within a fair representation of the operational environment. Vulnerability testing shall test for the robustness of the Network Product against undefined/unexpected input. The goal is to ensure that security functionality has been validated and that potential vulnerabilities are detected and mitigated before the Network Product is delivered.
Requirement 6 – Staff Education
Continuous education of all staff involved in Network Product design, engineering, development, implementation, testing, and maintenance shall be provided to ensure knowledge and awareness on security matters, relevant to their roles are up to date. The goal is to ensure that all staff have knowledge and awareness of security matters relevant to their role, maintained to a consistently high level.
Requirement 7 – Vulnerability Remediation Process
The seventh requirement of the NESAS scheme mandates that equipment vendors must establish a process to deal with vulnerabilities found in, or in relation to, released network products, including third-party components.
The process should address vulnerabilities appropriately, and if necessary, patches or software upgrades should be distributed to all affected mobile network operators in a timely manner, as agreed upon in existing maintenance contracts.
The goal is to reduce the impact of potential vulnerabilities on the network product and prevent third-party components from becoming unsupported, unavailable, or vulnerable.
This requirement is crucial in ensuring that vulnerabilities are identified and dealt with promptly, reducing the risk of malicious attacks on the network.
Equipment vendors need to have a clear understanding of the vulnerabilities that may be present in their products, and a remediation process that outlines how they will address these vulnerabilities.
Requirement 8 – Vulnerability Remedy Independence
The eighth requirement of the NESAS scheme mandates that equipment vendors should have the capability to provide patches or software upgrades that address security vulnerabilities independently from unrelated patches or software upgrades that modify the functionality of the network product.
The goal is to ensure that security remedies can be delivered quickly and independently from the functional delivery schedule.
This requirement recognizes the need for a streamlined approach to vulnerability remediation. Equipment vendors need to have the capability to provide security remedies independently of other modifications or upgrades to the network product, so that they can be delivered in a timely and efficient manner.
This ensures that the network product remains secure, even as new features and functionality are introduced.
It also reduces the risk of disruption to the network caused by simultaneous modifications or upgrades.
Reference: GSMA Network Equipment Security Reference