DS TR 133 916 V14.3.0:2018

Universal Mobile Telecommunications System (UMTS); LTE; Security Assurance Methodology (SCAS) for 3GPP network products (3GPP TR 33.916 version 14.3.0 Release 14)

Scope

The present document defines the complete Security Assurance Methodology (SECAM) evaluation process (evaluation,
relation to SECAM Accreditation Body, roles, etc.) as well as the components of SECAM that are intended to provide
the expected security assurance. It will thus describe the general scheme providing an overview of the entire scheme
and explaining how to create and apply the Security Assurance Specifications (SCASs). It will detail the different
evaluation tasks (vendor network product development and network product lifecycle management process assessment,
Security Compliance Testing, Basic Vulnerability Testing and Enhanced Vulnerability Analysis) and the different
actors involved. Enhanced Vulnerability Analysis is outside the scope of the present release of SECAM. The present
document will help all involved parties to have a clear understanding of the overall process and the covered threats.
The concrete security requirements will be part of the Security Assurance Specifications (SCASs) for each network
product class and not part of this overall process document. Some of the tasks described in the SECAM scheme are
meant to be performed by 3GPP, while other tasks are meant to be performed by the SECAM Accreditation Body. This
accreditation body has been agreed to be the GSMA. 3GPP maintains the overall responsibility for the SECAM scheme
and creates the SCASs. The SECAM Accreditation Body is tasked to develop requirements on vendor network product
development, the network product lifecycle management process, and SECAM-accreditation for vendors and test
laboratories, and describe these requirements in separate documents that will complement the present document. The
SECAM Accreditation Body defines its own scheme that covers all these tasks.