NCCS Releases Updated ITSAR for IP Routers – Version 2.0.0 (Effective 01 December 2025)
The National Centre for Communication Security (NCCS), under the Department of
Telecommunications (DoT), Government of India, has officially released the updated Indian
Telecom Security Assurance Requirements (ITSAR) for IP Routers, identified as
ITSAR201012512, Version 2.0.0, dated 01.12.2025.
This latest release replaces earlier versions (2018 & 2024) and establishes enhanced,
comprehensive, and country-specific security requirements for all categories of IP routers used
across telecom and enterprise networks in India. The notification is issued under the Mandatory
Testing and Certification of Telecom Equipment (MTCTE) framework.
What This ITSAR Covers
The newly released ITSAR sets security requirements applicable to all kinds of routers,
including:
- Comprehensive audit trails covering login attempts, configuration changes, password resets, and service activities
- Protection of logs against deletion, even by administrators
- Secure log export mechanisms
- Minimum two-day local storage for logs
Key Highlights of the ITSAR Update (Version 2.0.0)
1. Strengthened Access & Authentication Controls
The ITSAR enforces:
- Mutual authentication for all management interfaces
- Mandatory use of approved cryptographic controls
- Strict role-based access control (RBAC)
- Multi-factor authentication for user and machine accounts
- Strict restrictions on remote root access
2. Robust Password & Account Security
New requirements include:
- Strong password enforcement (minimum 8 characters with uppercase, lowercase, digits, and special characters)
- Protection against brute-force attacks
- Password history and expiry policies
- Automatic suspension of inactive accounts
- Mandatory removal or change of default credentials
3. Enhanced Software & Firmware Integrity
OEMs must ensure:
- Secure updates and upgrades with cryptographic validation
- Protection against malware and backdoors
- Removal of unused software and services
- Compliance with secure coding practices
- No support for deprecated or vulnerable services (FTP, Telnet, SNMPv1/2, HTTP, etc.)
4. Improved Data Protection & Cryptographic Security
The revision mandates:
- Secure communication using only approved cryptographic standards
- FIPS 140-2 or later compliance for cryptographic modules
- Protection of sensitive system data and stored information
- Measures to prevent data exfiltration through overt or covert channels
5. Detailed Logging & Auditing
Routers must now support:
- Comprehensive audit trails covering login attempts, configuration changes, password resets, and service activities
- Protection of logs against deletion, even by administrators
- Secure log export mechanisms
- Minimum two-day local storage for logs
6. Advanced Network Security Requirements
The ITSAR also defines:
- Detailed traffic filtering and packet-level security
- Anti-spoofing and DDoS protection guidelines
- VLAN security, routing update security, and BGP hijack prevention measures
- DHCP snooping with enriched logging
- ARP poisoning and routing table poisoning protections
7. Virtualization, SDN, API & CNF/VNF Security Enhancements
Modern deployments are extensively covered with:
- SDN controller authentication
- API access token lifecycle security
- Secure VNF and CNF instantiation
- Cloud-native image security
- Container breakout prevention
- NFVI-level CPU pinning, workload isolation, and root-of-trust controls
Why This ITSAR Update Matters
With the growing complexity of telecom networks and increased cloud-based router deployments, this revised ITSAR ensures:
- Higher resilience of telecom infrastructure
- Protection against evolving cyber threats
- Strong compliance expectations for OEMs
- A unified national security framework for router products
The updated requirements also prepare Indian networks for future-ready architectures such as 5G, SDN, NFV, and cloud-native infrastructures.
What OEMs and Telecom Licensees Should Do
- Start aligning IP Router products with ITSAR Version 2.0.0 requirements
- Prepare documentation, undertakings, vulnerability assessments, and secure coding declarations
- Ensure readiness for MTCTE testing and certification under NCCS guidelines
- Update internal configurations and compliance processes for deployed router products
