Description
The 3GPP Security Assurance Specification (SCAS) is a framework within the 3GPP security architecture for evaluating the security of individual network products. It is not a single document but a family of technical specifications and reports that define a standardized set of security requirements, test purposes, and test cases for each network product class, such as the Home Subscriber Server (HSS), Mobility Management Entity (MME), Serving Gateway (SGW), Packet Data Network Gateway (PGW), and 5G elements like the AMF and SMF. Its primary goal is to provide assurance that a product implementation conforms to the security provisions of the 3GPP 33-series specifications (TS 33.xxx) that define the system architecture.
The SCAS works by breaking the high-level security objectives of the architecture specifications down into concrete, testable assertions. For each network product class, three pieces fit together: an annex of TR 33.926 giving the security problem definition (the critical assets and the threats the product must counter), the general catalogue of security requirements and test cases in TS 33.117 that applies to every product class, and a product-specific SCAS document (e.g., TS 33.116 for the MME, TS 33.512 for the AMF, TS 33.515 for the SMF) that adds the requirements and test cases unique to that class. Each test case states the requirement it verifies, its purpose, the pre-conditions, the execution steps, the expected results, and the expected format of the evidence the tester must produce. The underlying methodology (SECAM, TR 33.916) is modelled on Common Criteria concepts and provides a structured assurance lifecycle.
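As an added illustration (this is example code, not text or tooling from any 3GPP specification or lab), the following Python harness encodes one test case in the field layout SCAS documents use and implements a check modelled on the general-catalogue requirement that a product expose no network services beyond those it documents. The requirement reference, the `ss -lntu` socket inventory and the vendor's documented service list are all constructed for this example.

```python
"""
Illustrative SCAS-style test case harness (added example, not 3GPP text).

The record layout mirrors the headings SCAS documents use for a test case
(test name, requirement reference, purpose, pre-conditions, execution steps,
expected results, evidence). The check is modelled on the general-catalogue
requirement that a product expose no undocumented services; the requirement
reference, the socket inventory and the documented service list below are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (transport protocol, port)


@dataclass
class ScasTestCase:
    name: str
    requirement_ref: str
    purpose: str
    pre_conditions: List[str]
    execution_steps: List[str]
    expected_results: str
    evidence: Dict[str, object] = field(default_factory=dict)
    verdict: str = "NOT RUN"


# Constructed `ss -lntu` output captured on a hypothetical product under test.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   *:443               *:*
udp   UNCONN 0      0      0.0.0.0:2123        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:23        0.0.0.0:*
"""

# Constructed vendor documentation: the services the product declares.
DOCUMENTED_SERVICES: Set[Service] = {("tcp", 22), ("tcp", 443), ("udp", 2123)}


def parse_listening_ports(ss_output: str) -> Set[Service]:
    """Extract (proto, port) pairs from `ss -lntu`-style output.

    IPv4, IPv6 ('[::]:22') and wildcard ('*:443') local addresses are all
    handled by splitting on the last ':' only; header lines are skipped.
    """
    services: Set[Service] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local_addr = fields[4]
        port = int(local_addr.rsplit(":", 1)[1])
        services.add((fields[0], port))
    return services


def run_unnecessary_services_check(ss_output: str,
                                   documented: Set[Service]) -> ScasTestCase:
    """Execute the 'no undocumented services' test and record evidence.

    Verdict is FAIL if any listening service is absent from the documented
    list; the evidence dict is what a lab would attach to the test report.
    """
    tc = ScasTestCase(
        name="No undocumented network services",
        requirement_ref="hypothetical reference into the general catalogue",
        purpose="Verify that only documented services are reachable",
        pre_conditions=["Product installed per the vendor hardening guide",
                        "Tester has shell access to run `ss -lntu`"],
        execution_steps=["Capture the listening-socket inventory",
                         "Compare it against the documented service list"],
        expected_results="Every listening service appears in the documentation",
    )
    listening = parse_listening_ports(ss_output)
    undocumented = sorted(listening - documented)
    tc.evidence = {"listening": sorted(listening), "undocumented": undocumented}
    tc.verdict = "PASS" if not undocumented else "FAIL"
    return tc


if __name__ == "__main__":
    result = run_unnecessary_services_check(SAMPLE_SS_OUTPUT, DOCUMENTED_SERVICES)
    print(result.name, "->", result.verdict)
    for svc in result.evidence["undocumented"]:
        print("  undocumented service:", svc)
```

On the constructed inventory the verdict is FAIL because telnet on tcp/23 is listening but undocumented; the point of the structure is that the same record (steps, expected result, evidence) is what makes a lab's run repeatable and comparable with the vendor's own pre-testing.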
Architecturally, the SCAS framework sits between the 3GPP system design specifications and real-world product evaluation schemes such as the GSMA's Network Equipment Security Assurance Scheme (NESAS), whose accredited test laboratories evaluate products against the SCAS documents. Vendors use SCAS documents during development and internal security testing. Independent evaluation laboratories use them as the basis for formal conformance testing. Mobile network operators reference SCAS compliance when procuring equipment, because it gives a standardized measure of security robustness. The framework covers a wide range of security aspects, including cryptographic algorithm implementation, secure protocols (e.g., NAS, Diameter, HTTP/2 over TLS on the service-based interfaces), access control, logging and audit, resilience against denial-of-service attacks, and the security of operations and maintenance interfaces. By providing this common testing baseline, SCAS reduces ambiguity, replaces unverifiable proprietary security claims with testable requirements, and raises the security floor of mobile networks worldwide.
Purpose & Motivation
The SCAS framework was created to address a critical gap in the early deployment of 3G and 4G networks: the lack of a standardized, objective means to verify the security implementation of network equipment. While 3GPP specifications meticulously defined *what* security features a system should have (e.g., mutual authentication, ciphering), they did not originally specify *how* to test if a vendor's product correctly and robustly implemented those features. This led to potential vulnerabilities due to implementation flaws, configuration errors, or incomplete feature support, which could be exploited to compromise network integrity and subscriber privacy.
The motivation for SCAS stemmed from growing operator and regulatory concerns about supply chain security and the need for mutual recognition of security evaluations across different markets. Before SCAS, operators had to conduct their own, often duplicative and inconsistent, security assessments of vendor equipment. This was costly, time-consuming, and did not guarantee a consistent security bar. SCAS solves this by providing a unified, 3GPP-defined assurance methodology. It allows vendors to design to a known set of testable requirements, enables labs to perform evaluations consistently, and gives operators confidence that certified equipment has undergone rigorous, standardized testing. Its development was historically aligned with and supports broader industry initiatives like NESAS, which uses SCAS as its technical basis. SCAS addresses the limitations of the previous ad-hoc approach by introducing predictability, repeatability, and transparency into the security evaluation of network products, which is foundational for building trust in increasingly software-defined and virtualized 5G networks.
Detected Changes Across Releases
Specific changes extracted from the "Change history" tables of 3GPP specifications (15 CRs across 4 releases). This complements the overview above with the evidence-based evolution of the framework.
Studied in Rel-12 (TR 33.805); the change requests detected for this page span Rel-16 to Rel-19.
In Release 16, a change request proposed adding a security problem description for the AMF (Access and Mobility Management Function) to TR 33.926, as part of expanding the catalogue of threats and critical assets per network product class. The stated aim of such descriptions is to guarantee the confidentiality, integrity, and availability of the network product by countering the threats identified in the technical report. The CR was recorded as not implemented because it was intended only as a draft.
- Addition of AMF-related Security Problem Descriptions: not implemented, as it was intended as a draft CR (MCC). TR 33.926 CR0006
In Release 17, the SCAS framework was expanded by adding new, specific threat and asset catalogues for additional network product classes. This included creating a dedicated annex for the Service Communication Proxy (SCP) and providing assets, descriptions, and threats for the Network Data Analytics Function (NWDAF). Furthermore, the threat catalogue for the IP Multimedia Subsystem (IMS) was updated as a living document.
In Release 18, the SCAS catalogue was updated to cover threats and assets for features introduced in Release 17, so that the security assurance specifications kept pace with the evolving 5G system. This included adding a specific threat for incorrectly encoded UE 5G security capabilities on the AMF NG interface and a new threat related to VM traffic isolation for virtualized network products. The release also carried corrections to SCAS release references and clarifications to the general catalogue.
- Threat reference for incorrectly encoded UE 5G security capabilities on the AMF NG interface TR 33.926 CR0067
- SCAS updates to threats and assets for Release 17 features TR 33.926 CR0074
- SCAS release reference corrections TS 33.117 CR0115
- SCAS updates to the general catalogue for Release 17 features TS 33.117 CR0120
- SCAS release reference corrections TS 33.515 CR0010
- Clarification on SCAS TR 33.916 CR0012
In Release 19, the SCAS framework was extended with security assurance material specific to the SMSF (SMS Function) network product class. This involved adding new clauses and an annex to TR 33.926 detailing the threats and critical assets unique to the SMSF, tying them to the general catalogue of security requirements.
- Add annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF TR 33.926 CR0085
- Security Assurance Specification (SCAS) threats specific to SMSF TR 33.926 CR0099
- Add a new clause in annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF TR 33.926 CR0105
Defining Specifications
3GPP specifications that define or reference SCAS, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 33.117 vk00 | Catalogue of General Security Assurance Requirements | Rel-20 |
| TS 33.515 vk00 | 5G SMF Security Assurance Specification | Rel-20 |
| TR 33.805 vc00 | Study on Security Assurance Methodology for 3GPP Network Products | Rel-12 |
| TR 33.916 vj00 | 3GPP Security Assurance Methodology (SECAM) | Rel-19 |
| TR 33.926 vk00 | Security Assurance Specification (SCAS) Threats and Critical Assets in 3GPP Network Product Classes | Rel-20 |
| TR 33.927 vj00 | Security Assurance for Virtualized Network Products | Rel-19 |