
GSMA NESAS Life Cycle and Product Testing

Cybersecurity for cross-sector mobile phone networks

The Network Equipment Security Assurance Scheme, or NESAS for short, is a cross-industry scheme that is jointly defined by the 3rd Generation Partnership Project (3GPP) and GSM Association (GSMA) in order to strengthen confidence in the IT security of a wide range of mobile phone network components. The testing of these network devices is carried out by independent testing services providers on the basis of firmly defined evaluation frameworks and safety catalogs. In addition to product safety, the aspect of safety over the entire product life cycle is also audited in a complementary procedure.

Lab and auditor – Two sides of the same coin

With over 25 years of experience in IT security, TÜViT is a renowned and strong partner for manufacturers of network components in mobile phone networks of the latest generation.

For many years we have been operating a highly efficient hardware and software laboratory in Essen. Today, this know-how and our testing methodology form the basis for technical product testing according to 3GPP-defined Security Assurance Specifications (SCAS). With respect to NESAS, our laboratory fulfils all the prerequisites for extended ISO 17025 accreditation.

And that is not all. TÜViT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.

Pioneers wanted!

Contact us now for a pilot evaluation under the NESAS Certification Scheme.
  

Our services


IT security consulting and support for test preparation services


Security audits over the product life cycle based on GSMA requirements


Security evaluation of network components based on 3GPP SCAS test cases

The benefits to network equipment and component manufacturers

  • Proof of IT security compliance with respect to relevant stakeholders such as network integrators and wireless network operators
  • Manufacturers visibly document their development, maintenance and product safety functions
  • Internationally uniform security requirements enable benchmarking in global distribution
  • The avoidance of globally inconsistent security requirements and conformity fragmentation facilitates the development process of secure network products

The audit process in detail

The Network Equipment Security Assurance Scheme (NESAS) is a security framework that consists of two interconnected test aspects. The test focus and the approximate procedure we follow for each aspect are described in the sections below.

Product Life Cycle Audits

Auditing based on the requirements of the GSM Association (GSMA)

Step 1 – The document review:
Within the framework of the life cycle audit performed by TÜViT as an experienced audit company, all sites of a product manufacturer that are involved in development and production are initially audited on a document basis. The scope of the audit covers a large number of subject areas and comprises the design, development, implementation, testing and maintenance processes of manufacturers.

Step 2 – On-site audits:
As soon as the documentation has been found to be sufficient, on-site audits are carried out at all sites involved in the life cycle. Within this framework, the results of the document review are verified in situ.

The audit report: 
The resulting audit report from both evaluation steps provides proof of a successfully completed life cycle audit based on the GSMA requirements. It also serves as input for the following security evaluation of network components based on the 3GPP safety catalogs. TÜViT offers both auditing components from a single source – an efficiency gain for everyone!

 



We review these subject areas: CM System, Source Code Checks, Employee Training Courses, Software Integrity & Security, Software Security Tests, Security By Design, Document Accuracy

Security Evaluation of Network Components


Product testing according to the 3GPP-defined security test cases

Step 1 – The basic test case:
The product testing part is strongly oriented towards the actual test object, i.e. the respective network component. The basic test case catalog TS 33.117 is a fixed test component in all cases. As is the case with the other test case catalogs (SCAS catalogs), it contains detailed instructions on which test scenarios are to be performed as part of the test and how they are to be documented.

Step 2 – The supplementary catalogs:
Depending on the product type, the security evaluation is also carried out on the basis of other supplementary catalogs. Across all product types, NESAS comprises 12 product-specific supplementary case catalogs.

Many years of experience in the testing business, test tools that have been developed in-house and cooperations with renowned partner companies in the 5G environment enable TÜViT to test a wide range of network products in accordance with all test case catalogs anchored in the NESAS scheme. 

 






 



  

 


We test these network products: 5G RAN, gNodeB, 5G Core UDG, UDM, UNC, UPCF, LTE eNodeB, and much more

About NESAS

The Network Equipment Security Assurance Scheme (NESAS) is a cross-industry, international security framework penned by the 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) with the participation of globally operating telecommunications network operators, manufacturers, vendors and industry partners.

As a common basis, NESAS – together with other mechanisms – is aimed at contributing to an increase in the IT security level across the mobile communications industry by evaluating the security requirements of network components through independent, accredited testing services providers.

The security framework is divided into two sub-areas that build on one another. Based on the security requirements and an evaluation framework of the GSMA, the entire product development and product life cycle process of a network component and the manufacturer sites involved in it are audited. In a second stage, the security assessment of network devices is carried out using 3GPP-defined security test cases.

The integration of the first sub-area into the second audit level enables an efficient audit sequence. Measurable results also promote transparency in the security protection levels of the industry.

Frequently asked questions (FAQ):
 

Is NESAS a certification scheme?

No, the NESAS program does not certify any network products. Once the audit has been completed, manufacturers receive a transparent audit report that states whether the audit was successful. On request, companies that display interest in certification are provided with support by the TÜViT test center for the certification process on the basis of other schemes (Common Criteria, Trusted Product and the like).

Do differences exist between the auditor and the security testing laboratory?

Yes, the auditing of the product life cycle and the security audit of the product can be carried out by different laboratories. The NESAS auditors appointed by the GSMA carry out the assessment of the product life cycle. The NESAS laboratories focus on the evaluation of network products based on the SCAS test case catalogs. TÜViT offers both services from a single source. 

How are life cycle reports and product tests related to one another?

The audit report of the life cycle audit is required as input for the test laboratory for product testing. During product testing, the points identified in the audit report are verified and the result is documented together with the test results in a product test report.

Why we are a strong partner for you

Expertise on all security levels

With TÜViT, you have a leading expert in the field of cyber security at your disposal. We are accredited around the globe as a laboratory and auditor for a wide range of testing services at the organizational, system, and component level.

Successful in all branches of industry

Since 1995, our security expertise has ensured confidence in the IT systems of many sectors and branches of industry. From year to year, our experience grows with a large number of challenging projects.

Tailored to your requirements

We focus on individual test solutions that are perfectly adapted to your company's situation and your aims. Would you like to make IT security sustainable? We show you the potential that lies beyond the minimum requirements of the evaluation criteria.

International network of experts

Around the globe: We advise and support you both nationally and internationally. Our global network of experts is available to you to provide advice and support on all IT security issues, irrespective of the criticality of the test object, the market requirements and the field of application of the evaluation object.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.
You have questions? We are pleased to help!

  

Eric Behrendt

Global Corporate Development Manager Asia-Pacific

+49 30 2007700 66
Fax : +49 30 2007700-99

e.behrendt@tuvit.de

Markus Wagner

Product Manager Software Evaluation

+49 201 8999-645
Fax : +49 201 8999-666

m.wagner@tuvit.de

Further services

Evaluation Body for IT Security

With its evaluation body for IT security, TÜViT is one of the world's leading providers of testing services for IT products and systems. The evaluation body has been recognized by the German Federal Office for Information Security (BSI) since 1991 and accredited by the DAkkS, the German Accreditation Body, according to DIN EN ISO/IEC 17025.

Common Criteria

Globally-recognized security evaluations for IT components, products and systems: TÜViT is one of the world's leading testing service providers for Common Criteria. With our 50 licensed evaluators, we have successfully completed over 600 evaluation projects according to CC (from EAL1 to EAL7).

Hardware

Hardware tests for more security: Hardware security modules or chip cards are used for the protection of sensitive data. TÜViT evaluates these IT products and their components in accordance with recognized international security standards and performs the necessary penetration tests in its own hardware test laboratory.

Software

Making software subsequently secure is always complicated and expensive. This is why it is important to consider the subject of IT security at the beginning and throughout the entire life cycle within the framework of a Common Criteria (CC) evaluation.

Site Certification

Audit of development and production environments: If IT products are certified in accordance with the Common Criteria IT security standard or EMVCo, audits of development and production environments represent an integral part of the evaluation process. For many years now, TÜViT has been successfully carrying out site audits for production and development environments.

Technical Guidelines of the BSI

Security for government applications and health data: TÜViT is recognized by the German Federal Office for Information Security (BSI) as an evaluation body for Technical Guidelines (TR).

FIPS 140-2

Testing of crypto modules and crypto algorithms: The TÜViT test laboratory is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation according to FIPS PUB 140-2.

Electronic Payments

Components that are used within electronic payment systems must fulfil specific security standards and require corresponding approvals. TÜViT performs these approval procedures in its capacity as an accredited security assessor.