The present document defines the complete Security Assurance Methodology (SECAM) evaluation process (evaluation, relation to SECAM Accreditation Body, roles, etc.) as well as the components of SECAM that are intended to provide the expected security assurance. It will thus describe the general scheme providing an overview of the entire scheme and explaining how to create and apply the Security Assurance Specifications (SCASs). It will detail the different evaluation tasks (vendor network product development and network product lifecycle management process assessment, Security Compliance Testing, Basic Vulnerability Testing and Enhanced Vulnerability Analysis) and the different actors involved. Enhanced Vulnerability Analysis is outside the scope of the present release of SECAM. The present document will help all involved parties to have a clear understanding of the overall process and the covered threats.
The concrete security requirements will be part of the Security Assurance Specifications (SCASs) for each network product class and not part of this overall process document. Some of the tasks described in the SECAM scheme are meant to be performed by 3GPP, while other tasks are meant to be performed by the SECAM Accreditation Body. This accreditation body has been agreed to be the GSMA. 3GPP maintains the overall responsibility for the SECAM scheme and creates the SCASs. The SECAM Accreditation Body is tasked to develop requirements on vendor network product development, the network product lifecycle management process, and SECAM-accreditation for vendors and test laboratories, and describe these requirements in separate documents that will complement the present document. The SECAM Accreditation Body defines its own scheme that covers all these tasks.
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
GSMA FS.15: "NESAS Development and Lifecycle Assessment Methodology v.2.0", https://www.gsma.com/security/resources/fs-15-network-equipment-security-assurance-scheme-vendor-development-and-product-lifecycle-requirements-and-accreditation-process/
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply.
A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
3GPP Security Assurance Methodology (SECAM):
SECAM is a process used to measure the security features of 3GPP network products studied and described in the present document.
Formal recognition by an accreditation body that a test laboratory is impartial and competent to carry out specific tests or types of assessments.
SECAM Accreditation Body:
the entity responsible for the accreditation process. This entity is the GSMA.
confidence that a network product meets its specific security objectives.
evaluation effort in terms of scope, depth and rigor. For higher assurance level, more information with more details is typically required, and this information will be analysed more rigorously.
Basic Vulnerability Testing (BVT):
The process of running security tools against a network product. BVT is defined by the use of Free and Open Source Software (FOSS) and Commercial off-the-shelf (COTS) security testing tools on the external interfaces of the network product.
confirmation by an independent Certification Authority (CA) that the evaluation has been properly carried out.
Enhanced Vulnerability Testing (EVA):
Evaluation process step described in Clause 7.2.5. This activity takes the output of the earlier Security Compliance Testing (SCT) and Basic Vulnerability Testing (BVT) into account.
the output document delivered by the test laboratory for its evaluation task, in which the test procedures, the test results and other related information may be included. For three specific evaluation tasks defined in SECAM (SCT, BVT, EVA), the according output document is SCT report, BVT report, EVA report respectively.
enityt that evaluates the network product and produces an evaluation report. The vendor, the operator, GSMA, NVIOT, 3GPP, GCF or some other party, could take the test laboratory role.
contributes to the security baseline of a network product, achieved for example by configurations, settings, and protocol restrictions, to decrease the attack surface for a network product. The difference in hardening is one aspect that influences the security baseline of a network product.
A network product is the instantiation of one or more network product class(es).
Network Product Class:
A network product class, in the context of SECAM, is the class of products that all implements a common set of 3GPP defined functionalities.
the name given to the scheme that will provide an administrative framework for implementation of SECAM for security evaluation of 3GPP compliant network equipment.
A SECAM evaluation comprises of the Vendor Network Product Development process evaluation, the product lifecycle management process evaluation and the Network Product evaluation.
Security Assurance Specification (SCAS):
The SCAS for a given network product class provides a description of the security requirements (which are including test cases) pertaining to that network product class.
The security baseline of an evaluated network product is a set of security requirements and environmental assumptions defining its capacity to resist a given attack potential.
Security Compliance Testing (SCT):
Evaluation process step used to describe activities for checking the compliance of a network product with applicable Security Assurance Specifications (SCAS).
Self-declaration is a declaration of the claims made on the network product by the vendor. It means that a vendor provides a self-declaration of its network product based on the evaluation report required by SECAM to the operator without any review of a certification authority of these reports before.
Self-evaluation is an assessment of the network product by the vendor. It means that the vendor has an accredited evaluation lab in its organization that performs the evaluation of the network product. The evaluation lab assesses the network product against defined criteria and produces an evaluation report according to a formalized and standardized procedure.
Third-party-evaluation is an assessment of the network product by an independent third-party. It means that a third-party has an accredited evaluation lab that performs the evaluation of the network product. The evaluation lab assesses the network product against defined criteria and produces an evaluation report according to a formalized and standardized procedure. Third-party evaluation is similar to self-evaluation. The only difference is that the party performing the evaluation is different from the vendor.
An exploitable issue in a network product rendering it unable to withstand attacks. Vulnerabilities create the risk of successful attacks.
Vulnerability Assessment (VA):
The process of assessing the output of SCT or BVT activities to classify the found issues by severity in order to identify those which are relevant vulnerabilities.
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply.
An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.