GSMA FS.38 is a security assessment standard published by the GSMA (Groupe Spéciale Mobile Association), the body that represents the interests of mobile network operators worldwide. The "FS" stands for "Fraud and Security," and the number 38 denotes its position within the series of GSMA security documents.
Historically, telecom signaling security focused heavily on legacy protocols. The GSMA previously introduced frameworks like for SS7 networks and FS.19 for Diameter networks. However, as global mobile operators phased out legacy 2G and 3G circuit-switched networks, the landscape shifted dramatically toward all-IP networks.
The GSMA's FS.38 is far more than just another document on a shelf. It is a comprehensive and timely response to the evolving threat landscape in telecommunications. By championing a defence-in-depth strategy, moving beyond outdated "trust but verify" models, and providing a detailed guide to threats and countermeasures, FS.38 has become an indispensable tool for mobile network operators, fixed-line providers, and any organisation that relies on SIP. For anyone responsible for securing modern telecoms infrastructure, from the handset to the core network, FS.38 is essential reading and a critical foundation for building a resilient, secure, and trustworthy communications future.
: Beyond just signaling, it includes recommendations for related infrastructure like SIP endpoint provisioning servers, customer portals, and back-end databases.
: It suggests deploying signaling firewalls that can perform deep packet inspection (DPI) of SIP headers and SDP payloads to detect anomalies.
The GSMA FS.38 standard consists of several key components:
                  ┌─────────────────────────────────────────┐
                  │          GSMA FS.38 Framework           │
                  └────────────────────┬────────────────────┘
                                       │
         ┌─────────────────────────────┼─────────────────────────────┐
         ▼                             ▼                             ▼
┌──────────────────┐          ┌──────────────────┐          ┌──────────────────┐
│ 1. Access Edge   │          │ 2. Core Network  │          │ 3. Interconnect  │
│ (SBC/User UA)    │          │ (IMS Hardening)  │          │ (IPX Peering)    │
└──────────────────┘          └──────────────────┘          └──────────────────┘

1. Access Security (The User Domain)

Interworking Security
: Historically, many carriers operated under the assumption that a Session Border Controller (SBC) acts as an impenetrable firewall. If an SBC is misconfigured or a parameter is bypassed, the internal core network is left exposed.
The adoption of GSMA FS.38 offers numerous benefits for mobile network operators, device manufacturers, and application developers:
Compliance with is not a "self-certify" checkbox. It requires a formal assessment by an authorized GSMA Security Assessment Lab. These are independent, accredited testing facilities.
For years, telecom equipment manufacturers and software vendors defaulted to an all-inclusive answer during the procurement process: when asked if their systems were secure and optimized for performance, the response was nearly always a simple "Yes".
: Security profiles for both SIM-enabled customer equipment (smartphones, IoT devices) and non-SIM endpoints (such as hosted corporate voice solutions).
: Testing must include SIP endpoints, SBCs (which act as "SIP firewalls"), and even non-SIP nodes like provisioning servers.