ZTE Corporation, a major international provider of telecommunications, enterprise and consumer technology solutions for the Mobile Internet, has passed GSMA’s Network Equipment Security Assurance Scheme (NESAS) audit for its development and product lifecycle processes. With the focus on network products of ZTE 5G New Radio (NR) and 5G Common Core (5GC), the security assessment is implemented by ATSEC, a Swedish independent information security company designated by GSMA.
The final report results show that ZTE’s development and lifecycle processes are fully compliant with the security requirements defined in the GSMA NESAS FS.13 and FS.16 specifications, and have been applied in practice, thereby demonstrating the security of ZTE’s 5G development and lifecycle processes.
NESAS, jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvement in security levels across the mobile industry. NESAS defines security requirements and an assessment framework for secure product development and product life-cycle processes, using 3GPP defined security test cases for the security evaluation of network equipment.
NESAS focuses on two aspects of security assessment: the security assessment of the vendor development and product lifecycle processes, as well as the security evaluation of network equipment.
ZTE’s High Performance Product Development (HPPD) process has been proved to be in full compliance with the first aspect of security assessment with respect to the requirements defined in NESAS.
ZTE 5G NR products lay a solid foundation for accelerating large-scale commercial deployments of 5G networks while ZTE 5GC is a fully-converged core network solution meeting full access requirements of 2G/3G/4G/5G/Fixed networks. Based on the two ZTE product categories, ATSEC auditors have conducted a comprehensive security assessment of ZTE product development and life-cycle, covering specific aspects that potentially impact the security of manufactured network equipment over its lifetime, including design, development, implementation and maintenance processes.
The evidence and practical cases demonstrate that ZTE has fully integrated the security requirements into its day-to-day work routine, showcasing a comprehensive understanding of the security development with well-defined processes.