FOSS

Free and Open Source Software

Security
Introduced in Rel-12
FOSS refers to software whose source code is publicly available and may be freely used, modified, and redistributed under its licence. 3GPP does not specify FOSS as a protocol or network element; its use inside network products is covered by the security assurance specifications, which hold the integrating vendor responsible for evaluating and maintaining the product as a whole so that publicly known flaws in bundled components cannot be exploited in telecommunications infrastructure.

Description

Free and Open Source Software (FOSS) within the 3GPP context is not a specific protocol or network element, but a category of software whose licensing and distribution model is addressed from a security and management perspective. The 3GPP specifications, particularly the 33-series (Security), set out assurance requirements that apply to network products regardless of how their software was sourced, and therefore to any FOSS they contain. The aim is a security assurance process that manages the risk of incorporating externally developed, openly available code into critical telecommunications systems.

FOSS handling falls under the Security Assurance Methodology (SECAM) and the per-product-class Security Assurance Specifications (SCAS). A vendor that incorporates FOSS components submits the whole network product, including those components, to the security evaluation; what is evaluated is the network product as delivered, not the upstream project. Because the source is public, its flaws are also publicly discoverable, and an attacker can match a product's component versions against published advisories just as the defender can. A current inventory of third-party components (in practice a Software Bill of Materials, SBOM) together with a working vulnerability-management and patch process is therefore the core of the vendor's obligation.

Its role in the network is foundational but indirect: FOSS components can be part of virtually any network software, from core network functions such as the AMF or SMF to management and orchestration (MANO) platforms and radio access network software. The 3GPP security specifications require that their use does not undermine the product's confidentiality, integrity, and availability objectives. In practice this means careful integration, continuous monitoring of security advisories for the exact component versions shipped, and the ability to deploy an update or a mitigation promptly when a flaw is disclosed, including the case where the upstream project has not yet released a fix.
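The inventory-and-advisory step described above, as an added example that is not 3GPP text or any vendor's tooling: the script below takes a CycloneDX-style SBOM (only the component name and version fields are used) and an OSV-style advisory list with introduced/fixed version events, and reports which shipped components are affected and whether a fixed version exists. The package names, versions and advisory IDs are constructed placeholders, not real projects or vulnerabilities. It also shows the caveat a practitioner hits first, that versions must be compared numerically per component (2.0.10 is newer than 2.0.9, although it sorts lower as a string); pre-release tags are deliberately not modelled.

```python
"""Match an SBOM's third-party components against vulnerability advisories.

Added example; not from 3GPP specifications or any vendor's tooling.
Assumed formats: CycloneDX-like SBOM JSON ("components" with "name" and
"version") and OSV-like advisories with "introduced"/"fixed" events.
All names, versions and advisory IDs are constructed placeholders.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Constructed sample SBOM, as a vendor might ship with a product image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.4.2"},
    {"type": "library", "name": "netparser",      "version": "2.0.10"},
    {"type": "library", "name": "yamlish",        "version": "0.9.3"}
  ]
}
"""

# Constructed advisory feed in OSV-like shape; IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "summary": "record parsing bug, fixed upstream",
     "affected": [{"package": {"name": "libexample-tls"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "1.4.0"}, {"fixed": "1.4.3"}]}]}]},
    {"id": "ADV-EXAMPLE-0002", "summary": "fixed before the shipped version",
     "affected": [{"package": {"name": "netparser"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0"}, {"fixed": "2.0.9"}]}]}]},
    {"id": "ADV-EXAMPLE-0003", "summary": "no upstream fix released yet",
     "affected": [{"package": {"name": "yamlish"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0.9.0"}]}]}]},
]


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions: numeric parts compare as integers
    (2.0.10 > 2.0.9), other parts as strings, trailing .0 ignored
    (1.2 == 1.2.0). Pre-release suffixes such as -rc1 are not modelled."""
    parts = [(0, int(p)) if p.isdigit() else (1, p)
             for p in re.split(r"\.", version) if p]
    while len(parts) > 1 and parts[-1] == (0, 0):
        parts.pop()
    return tuple(parts)


def affected_ranges(events: Iterable[dict]) -> list[tuple[str, str | None]]:
    """Pair OSV events into (introduced, fixed); fixed is None if open-ended."""
    ranges, current = [], None
    for ev in events:
        if "introduced" in ev:
            current = ev["introduced"]
        elif "fixed" in ev and current is not None:
            ranges.append((current, ev["fixed"]))
            current = None
    if current is not None:
        ranges.append((current, None))
    return ranges


def is_affected(version: str, events: Iterable[dict]) -> bool:
    """True if version lies in any [introduced, fixed) range; "0" means all."""
    v = version_key(version)
    for introduced, fixed in affected_ranges(events):
        lower_ok = introduced == "0" or v >= version_key(introduced)
        upper_ok = fixed is None or v < version_key(fixed)
        if lower_ok and upper_ok:
            return True
    return False


def match_sbom(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """One finding per (component, advisory) hit, in SBOM order."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != comp["name"]:
                    continue
                for rng in aff["ranges"]:
                    if is_affected(comp["version"], rng["events"]):
                        fixed = [f for _, f in affected_ranges(rng["events"]) if f]
                        findings.append({"component": comp["name"],
                                         "version": comp["version"],
                                         "advisory": adv["id"],
                                         "fixed_in": fixed[-1] if fixed else None})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        action = (f"upgrade to {f['fixed_in']}" if f["fixed_in"]
                  else "no fix available: apply mitigation and keep monitoring")
        print(f"{f['component']} {f['version']}: {f['advisory']} -> {action}")
```

Run against the constructed data, the script flags libexample-tls (fix available) and yamlish (no fix, so a mitigation is needed), and correctly leaves netparser 2.0.10 alone because the fix landed in 2.0.9. A real pipeline would replace the inline advisory list with a feed keyed by package URL (purl) and ecosystem, and would re-run on every SBOM change and every feed update.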

Purpose & Motivation

The formal treatment of FOSS in 3GPP specifications was motivated by its widespread and increasing adoption in the telecommunications industry. Using FOSS can accelerate development, reduce costs, and foster innovation by leveraging community-driven projects. However, this introduced new security challenges for network operators and regulators accustomed to proprietary, vendor-controlled software stacks where the entire codebase was subject to confidential security evaluations.

Previous approaches often lacked formal policies for open-source software, potentially leading to unmanaged security risks, license compliance issues, and unpredictable support lifecycles. The purpose of defining FOSS guidelines in 3GPP was to create a standardized security framework that allows the industry to benefit from open-source innovation while ensuring it meets the high assurance and reliability requirements of carrier-grade networks. It addresses the problem of how to maintain security accountability in a supply chain that incorporates software components with diverse authorship and transparency.

Key Features

  • Governed by 3GPP security assurance specifications (e.g., TS 33.117)
  • Requires security evaluation of the final product inclusive of FOSS components
  • Mandates vulnerability management processes for publicly disclosed flaws
  • Requires an up-to-date inventory of third-party components (in practice a Software Bill of Materials, SBOM)
  • Must comply with relevant open-source licenses
  • Supports security patch integration without compromising network stability

Evolution Across Releases

Rel-12 Initial

Initial treatment of FOSS within the 3GPP security assurance work. The Rel-12 study on security assurance methodology (TR 33.805) established that a network product is evaluated as a whole, whether or not it contains FOSS, and that the vendor integrating the product bears the security assurance responsibility for every component it ships.

Defining Specifications

Specification   Title
TS 33.117       Catalogue of general security assurance requirements
TR 33.805       Study on security assurance methodology for 3GPP network products
TR 33.916       Security Assurance Methodology (SECAM) for 3GPP network products