The Manufacturer’s Association of Information Technology (MAIT) have asked for an extension of a minimum of two years for mandatory security testing of Wi-Fi customer premises equipment (CPE) and internet protocol (IP) routers. It has also requested the government to keep security certification on a voluntary basis for now.

In a submission to the Department of Telecommunications (DoT), MAIT has highlighted that there are only three labs accredited by the National Centre for Communication Security (NCCS) to perform security testing on Wi-Fi CPE. Due to the limited labs, the cost of security testing is very high (Rs 4-6 million per model).

The call for extension comes after the DoT in December 2023 extended the start date for accepting applications from July 1, 2023 to January 1, 2024, later extending it to July 1, 2024 for models that have not undergone mandatory testing and certification of telecom equipment (MTCTE) certification, and October 1, 2024 for models that have already got MTCTE certificates.

According to MAIT, as per NCCS procedure, the time required for security testing and certification is 6-7 months, which is further accentuated by activities such as contractual agreement time, time slot availability, logistics for equipment and competent resource availability, increasing the time frame to 10-12 months. It also highlighted several ambiguities in the Indian Telecommunication Security Assurance Requirements (ITSAR) document released by DoT in 2022, requesting the department to not mandate security testing and certification until the issues highlighted are resolved.

As per MAIT, the testing of different hardware models using the same software, as mandated by ITSAR, is a redundant exercise, leading to a multifold increase in compliance cost for gear makers and significant delays in product certification due to repeated retesting.

Further, MAIT called out the ITSAR mandate of cryptographic algorithm modules to be compliant with FIPS 140.x, which is a certification needed for defence or military deployment, stating that crypto algorithms in telecom products are sourced from open source and having it FIPS-140 certified will require considerable amount of effort, causing delays in product roll out.