As part of its ongoing effort to strengthen national cybersecurity and regulate the deployment of network-connected devices, India’s National Centre for Communication Security (NCCS) has released a series of Indian Telecom Security Assurance Requirements (ITSARs). These documents outline mandatory security controls under the MTCTE (Mandatory Testing and Certification of Telecom Equipment) framework for various categories of telecom, broadband, and consumer IoT devices.
Group-I Devices: Core 5G Network Functions
The ITSAR702012504 document defines Common Security Requirements (CSR) for Group-I devices, which comprise 23 key network functions fundamental to 5G architecture. These include network functions such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Unified Data Management (UDM), and Authentication Server Function (AUSF). These elements form the backbone of 5G network infrastructure, handling subscriber access, mobility, traffic routing, and authentication.
The ITSAR mandates robust security measures such as secure boot, cryptographic integrity validation, mutual authentication, secure software updates, role-based access control, audit logging, and resistance to distributed denial-of-service (DDoS) attacks. These controls ensure that each network function is protected from exploitation, and they serve as a mandatory benchmark for certification labs (TSTLs) conducting conformance assessments.
Click here to view the original document.
Group-IV Devices: Consumer and Enterprise Networking Equipment
ITSAR702042504 addresses Group-IV devices, which span commonly used networking products such as Wi-Fi Customer Premises Equipment (CPE), IP Routers, Cell Broadcast Centres (CBC), and Private Automatic Branch Exchanges (PABX). These devices are widely deployed in both residential and enterprise environments, where they support broadband connectivity, IP telephony, and emergency alert dissemination.
The document outlines security controls to safeguard device configuration, ensure confidentiality of transmitted data, and mitigate unauthorized access. Specific requirements include mutual device-user authentication, secure command-line and web-based interfaces, encrypted management traffic, firmware integrity validation, and protection against brute-force login attempts. The ITSAR ensures that all Group-IV devices enforce a consistent security posture while allowing flexibility for product-specific adaptations.
Click here to view the original document.
Group-V Devices: Fiber-Based Broadband Equipment
ITSAR702052504 focuses on Group-V devices, namely Optical Line Terminals (OLT) and Optical Network Terminals (ONT), which are integral to Passive Optical Networks (PON) that deliver high-speed fiber broadband services. These devices manage the optical distribution of data between a central office and end-user premises. The ITSAR requires strong access control mechanisms, encrypted control plane traffic (e.g., via SSH and TLS), secure firmware updates, and the enforcement of unique device identities.
Particular attention is paid to authentication between OLTs and ONTs and the prevention of rogue ONT attacks through certificate-based authorization and MAC address binding. These controls are designed to maintain the integrity and availability of fiber networks, which are increasingly critical for India’s digital economy and smart city initiatives.
Click here to view the original document.
Feedback Devices: IoT-Based User Interfaces
ITSAR309042504 outlines the security requirements for feedback devices—compact IoT-enabled products that collect user responses in physical environments such as retail stores, airports, and government service centers. These devices often use wireless technologies like LTE-M, NB-IoT, Zigbee, BLE, or LoRa to transmit data to backend servers.
The ITSAR introduces a graded security model, classifying devices into four levels (1 to 4) based on technical capabilities and threat exposure. Even the most basic devices must support secure identity management, encrypted communication channels, tamper detection, secure firmware updates, and hardening against known vulnerabilities. Level 3 and 4 devices are expected to demonstrate compliance with international standards such as ISO 27001 and undergo third-party vulnerability assessments. This ITSAR ensures that even low-power, cost-sensitive devices conform to essential cybersecurity practices.
Click here to view the original document.
Vehicle Tracking Devices: Real-Time Mobile Telemetry
ITSAR309072504 establishes the cybersecurity framework for Vehicle Tracking Devices (VTDs), which are mandated in commercial and private transport systems to support real-time location monitoring, route analysis, and regulatory enforcement. These devices typically use GNSS (Global Navigation Satellite System) receivers paired with LTE, GSM, or LoRa communication modules to transmit telemetry data.
The ITSAR prescribes a minimum of Level 3 security certification, requiring encrypted data transmission, SIM-based or hardware token authentication, and secure OTA (over-the-air) firmware updates. Additional requirements include device identity protection, role-based access, audit logging, and strict controls on data storage and retention. Wireless interfaces like Wi-Fi and Bluetooth must be isolated or disabled unless required, and only after passing relevant security checks. These guidelines aim to protect both user privacy and national transport infrastructure from malicious manipulation or data leakage.
Click here to view the original document.
Smart Electricity Meters: Critical Infrastructure for Energy Monitoring
ITSAR309052504 applies to Smart Electricity Meters, core components of India’s Advanced Metering Infrastructure (AMI) used in residential and commercial settings. These meters support real-time energy usage tracking, remote provisioning, and dynamic pricing adjustments through two-way communication protocols over LTE, RF Mesh, or PLC.
The ITSAR mandates a minimum of Level 2 security, with some use cases requiring Level 3 based on deployment scale and grid sensitivity. Required controls include secure boot, data encryption at rest and in transit, mutual authentication between meter and data concentrator, anti-tampering protections, and secure firmware lifecycle management. The document also enforces compliance with national encryption policies and calls for periodic security audits to maintain system integrity. The secure functioning of these meters is vital to grid reliability, billing accuracy, and user trust.
Click here to view the original document.
Smart Cameras: Surveillance and Multimedia Analysis Devices
ITSAR309062504 governs smart cameras—IoT-enabled visual monitoring systems used in homes, enterprises, and public surveillance networks. These devices combine real-time video capture with intelligent processing such as motion detection, facial recognition, and audio analytics. Given their expansive connectivity footprint, including Wi-Fi, LTE, Bluetooth, and Zigbee, smart cameras are classified as Level 3 security devices under the ITSAR.
The document specifies detailed protections including secure streaming (e.g., SRTP), encryption of stored footage, identity management for user and device access, tamper alerts, and remote device lockdown capabilities. Smart cameras must also implement secure provisioning practices, disallow factory default credentials, and support audit trails for forensic analysis. These requirements are crucial to safeguarding visual data and preventing unauthorized surveillance or cyber-physical intrusions.
Click here to view the original document.
For this article’s source information and any product certification guidance, please contact Global Validity.
Quick Country Facts
India
Certification Body: Ministry of IT and Communications, Wireless Planning & Coordination Wing
Certification Type: Mandatory
License Validity: Indefinite
Application Language: English
Legal License Holder: Local Representative
In-Country Testing Requirement: Testing Not Required
Access in-depth regulatory knowledge on over 200 countries and territories with Global Validity’s free proprietary product certification management software, Access Manager. Learn more about the platform here or fill our quick contact form!
Global Validity is your partner for global certification success
Want to learn more about regulatory compliance and how we can help? Simply fill out the form below and we’ll be in touch!