FOSS (Free and Open Source Software)

Introduced in Rel-12

FOSS is a type of software whose publicly accessible source code can be freely used, modified, and distributed, with its use in 3GPP governed by security policies to protect network integrity.

Category: Security
Introduced: Rel-12
Where: Security
Specifications: 3 specs

Description

Free and Open Source Software (FOSS) within the 3GPP context is not a specific protocol or network element, but a category of software whose licensing and distribution model is addressed from a security and management perspective. The 3GPP specifications, particularly in the 33-series (Security), provide guidelines and requirements for the use of FOSS in network functions and products. This involves establishing security assurance processes to manage the risks associated with incorporating externally developed, openly available code into critical telecommunications systems.

The architectural consideration for FOSS is integrated into the broader Security Assurance Specification (SCAS) framework. When a network function vendor incorporates FOSS components, it must subject the entire product, including those components, to security evaluation. Because the source code is open, potential vulnerabilities are publicly discoverable, which necessitates robust vulnerability management and patch processes. The network operator or vendor is responsible for maintaining a Software Bill of Materials (SBOM) to track all FOSS dependencies.

Its role in the network is foundational yet indirect, as FOSS components can be part of virtually any network software, from core network functions like the AMF or SMF to management and orchestration (MANO) platforms and even radio access network software. The 3GPP security specifications mandate that the use of FOSS does not compromise the overall security objectives of confidentiality, integrity, and availability. This requires careful integration, continuous monitoring of security advisories for the used FOSS libraries, and the ability to deploy updates or mitigations promptly to address newly discovered flaws.

Purpose & Motivation

The formal treatment of FOSS in 3GPP specifications was motivated by its widespread and increasing adoption in the telecommunications industry. Using FOSS can accelerate development, reduce costs, and foster innovation by leveraging community-driven projects. However, this introduced new security challenges for network operators and regulators accustomed to proprietary, vendor-controlled software stacks where the entire codebase was subject to confidential security evaluations.

Previous approaches often lacked formal policies for open-source software, potentially leading to unmanaged security risks, license compliance issues, and unpredictable support lifecycles. The purpose of defining FOSS guidelines in 3GPP was to create a standardized security framework that allows the industry to benefit from open-source innovation while ensuring it meets the high assurance and reliability requirements of carrier-grade networks. It addresses the problem of how to maintain security accountability in a supply chain that incorporates software components with diverse authorship and transparency.

Classification

Part of: SCAS

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (3 CRs across 1 release). This complements the general overview above with the evidence-based evolution of this function.

Studied in Rel-12, normative work from Rel-18.

Rel-18 (3 changes)

In Release 18, the FOSS function was enhanced through updates to the Security Assurance Specification (SCAS) general catalogue to incorporate Release 17 features, ensuring the testing framework remains current. The release also included clarifications on SCAS procedures and corrections to its release references, refining the documentation for implementers. These updates solidify the SCAS prerequisites and testing procedures, such as software package integrity validation and GTP message handling, within the established security assurance methodology.

  • SCAS release reference corrections (TS 33.117, CR0115)
  • SCAS updates to the general catalogue for Release 17 features (TS 33.117, CR0120)
  • Clarification on SCAS (TS 33.916, CR0012)

Defining Specifications

3GPP specifications that define or reference FOSS, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Version | Title | Release
TS 33.117 | vk00 | Catalogue of General Security Assurance Requirements | Rel-20
TS 33.805 | vc00 | 3GPP Network Product Security Assurance Methodology | Rel-12
TR 33.916 | vj00 | 3GPP Security Assurance Methodology (SECAM) | Rel-19