What is the Network Equipment Security Assurance Group?
NESAG is the acronym for Network Equipment Security Assurance Group. It is an organization of the GSM Association (GSMA). One of NESAG’s tasks is to define the framework for accrediting test laboratories under SECAM (Security Assurance Methodology) and to coordinate the players involved in this process. This makes NESAG an important partner of the 3rd Generation Partnership Project (3GPP) in the development and implementation of SECAM.
The Security Assurance Specifications (SCAS) are an important component of SECAM. The SECAM accreditation role for NESAG was proposed by the GSM Association. While the 3rd Generation Partnership Project defines the specifications for the security baseline, including the test cases for the evaluation process, the Network Equipment Security Assurance Group defines the framework for the test lab accreditation process.
The resolution of conflicts arising in this context between manufacturers and operators of mobile communications solutions is also one of the tasks of NESAG. The GSM Association itself was founded in 1987. It is a worldwide association of mobile network operators and manufacturers of mobile terminals and network infrastructure. The GSMA develops cross-network standards. It pursues the fundamental goal of advancing the development of mobile communications. The GSMA’s Network Equipment Security Assurance Group was renamed Security Assurance Group (SECAG) in 2015.
Basic information on SECAM and SCAS
NESAG has an important role in the development and implementation of SECAM by defining the accreditation process for test laboratories and resolving conflicts within that process. SECAM stands for Security Assurance Methodology, a security framework developed by 3GPP specifically for network products deployed in the mobile communications domain. The framework allows the evaluation and realization of the security of mobile radio products. For this purpose, it defines general, testable requirements and properties for the various network product classes. In addition, SECAM covers the evaluation of the security of the manufacturers' development and lifecycle management processes.
In principle, SECAM is based on CC (Common Criteria) and CCRA (Common Criteria Recognition Arrangement). Important components of the SECAM framework are the Security Assurance Specifications (SCAS). The SCAS describe the product security requirements and test cases for the various classes of network products. The SCAS are applied in the process of network product evaluation according to SECAM. The content of the SCAS is divided into Network Product Class Description (NPCD), Security Problem Definition (SPD) and Security Requirements (SR).