About the GSMA

The GSMA is a global organisation unifying the mobile ecosystem to unlock the full power of connectivity so that people, industry and society thrive.

Unlock the benefits of GSMA membership

As a member of the GSMA, you join a vibrant community of industry leaders and visionaries – helping to shape the future of mobile technology and its transformative impact on societies worldwide. Our unique position at the heart of the mobile industry means you get exclusive access to our technical experts, data and analysis – as well as unrivalled opportunities for networking, innovation support and skills acceleration. Led by our members, we represent the interests of over 1,100 operators and businesses in the broader ecosystem. The GSMA also unites the industry at world-leading events, such as MWC (in Barcelona, Kigali, Las Vegas and Shanghai) and the M360 Series.

For more information, please visit: http://www.gsma.com/membership/

Security Classification: Non-confidential

Antitrust Notice

The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy. Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without the prior written approval of the Association.

Copyright Notice

Copyright © 2025 GSM Association

Disclaimer

The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document.
The information contained in this document may be subject to change without prior notice.

Contents

Executive summary ..... 5
Product and development lifecycle ..... 6
Product and service development stages ..... 7
Secure-by-design ..... 7
Secure software development ..... 8
Open-source software ..... 8
Software composition analysis ..... 9
DevSecOps ..... 9
Toolchain protection ..... 9
SBOM and HBOM ..... 10
Regulation ..... 11
GSMA NESAS ..... 12
GSMA SAS ..... 12
GSMA eUICC Security Assurance ..... 13
Playing a long game ..... 13
Managed service provider security ..... 13
MSP advisories ..... 14
MSP security practices ..... 14
Cloud security ..... 15
Remote access ..... 15
Lifecycle stages from procurement, through in-life and to decommission ..... 16
Procurement ..... 17
GSMA FS.31 Baseline Security Controls ..... 17
Contractual flow-down of security requirements ..... 18
Secure-by-default ..... 18
In-life product and service operation ..... 19
Fraud and security working group ..... 19
Mobile Cybersecurity Knowledgebase ..... 19
Securing the 5G Era ..... 20
GSMA Mobile Telecommunications Security Threat Landscape ..... 20
GSMA Telecommunications ISAC ..... 21
GSMA Co-ordinated Vulnerability Disclosure (CVD) ..... 21
GSMA International Revenue Share Fraud (IRSF) Prevention ..... 21
GSMA Device Registry ..... 21
GSMA Device Check ..... 22
Other in-life considerations ..... 22
Decommission ..... 22
Layered defences ..... 23
Final thoughts ..... 24

Supply Chain Toolbox 04 / 25

Executive summary

This report is intended for those interested in the security aspects involved in the development or procurement of mobile products and services. The report presents a series of ‘tools’ that can be used by suppliers to demonstrate their security credentials, or by mobile network operators to consider during vendor selection at the procurement stage. The tools in this ‘toolbox’ include both GSMA services and best practice and wider security considerations, each presented within an example lifecycle. Readers are invited to consider how their own supply chain security practices align to those presented within this document and review any gaps or variances.
A mobile telecom supply chain can be broken down into the components of a network that go together to deliver a resilient operational service. Operational and supporting IT infrastructure networks are composed of a variety of products and services procured from a wide range of suppliers. A full assessment of the supply chain might contain technical compliance and more commercial considerations, such as value-for-money, budget allocation, agreement of commercial terms, invitations to tender (ITTs), shortlisting, best and final offers (BAFO), supplier due diligence and financial risk. However, the Supply Chain Toolbox focuses solely on the security aspects relating to supplier selection.

The classification of mobile infrastructure as critical national infrastructure in many jurisdictions, and concerns about national security, have increased focus on the security posture of network equipment and the providers of it. National government responses vary from restricting use of certain vendors, implementing new defensive regulations and security requirements, through to attempts to broaden existing vendor arrangements via open networking and wider initiatives. A European Union rep