What the Wi-Fi CPE ITSAR is
ITSAR — Indian Telecom Security Assurance Requirements — are the per-category security standards issued by the National Centre for Communication Security (NCCS). The Wi-Fi CPE ITSAR is the document that applies to WiFi customer-premises equipment — the category that includes access points and WiFi routers. It converts "is this access point secure?" from a marketing claim into a testable specification: a defined list of security requirements the specific model must demonstrate at a designated security test lab before it can be security-certified for Indian networks.
What the requirements cover
The requirement areas an ITSAR for WiFi equipment addresses read like a checklist of how real-world WiFi compromises happen:
- Secure defaults and credentials — no universal default passwords; forced credential change; controlled password policy.
- Firmware integrity — secure boot behaviour, signed firmware images and protected update mechanisms, so a compromised update path cannot own the device.
- Management-plane hardening — encrypted management access, insecure legacy services disabled, protection of configuration interfaces.
- Wireless security behaviour — support for current WPA generations and protection of management traffic, so the air interface meets modern expectations.
- Access control and roles — authenticated, role-based administrative access rather than a single all-powerful login.
- Logging and audit — security-relevant events recorded in a usable, protectable form.
- Known-vulnerability hygiene — the product and process for addressing published vulnerabilities.
The exact clauses and versions evolve as NCCS updates the document — which is itself a reason buyers should ask vendors which ITSAR version their testing addressed.
How testing and certification work
Security certification runs under the NCCS scheme: the OEM applies for the equipment category, the specific model is tested against the applicable ITSAR at a designated security test lab, and successful testing leads to security certification for that model. Three practical properties matter to buyers: certification is model-specific (a certified sibling does not cover the model you are buying), it is version-anchored (tested against a specific ITSAR release), and it is verifiable — a vendor claiming certification can show the paper. The mandate is being phased in category by category through DoT notifications, so the binding question in any given tender is the current status for Wi-Fi CPE at that date.
Why WiFi equipment gets special scrutiny
Access points hold a uniquely exposed position: they sit on the network edge, speak to unmanaged client devices over the air, are deployed in physically accessible locations, and are administered in bulk. A fleet of compromised APs is simultaneously a surveillance platform and a lateral-movement springboard — which is why the security regime treats WiFi CPE as its own category rather than lumping it with wired gear, and why network-security monitoring and certified hardware are complements, not alternatives.
What buyers should ask vendors
- Which ITSAR version applies to the quoted access points, and what is the certification status for those exact models?
- Show MTCTE certificates and WPC approvals for the same models, in the OEM's name — the MTCTE explainer covers how to verify them.
- Is the vendor a Trusted Source with products on the Trusted Telecom Portal?
- Who owns the firmware, and what is the security-patch commitment in writing?
- Does the device ship under the vendor's own IEEE MAC block — a thirty-second provenance check anyone can run?
Where this sits in the Indian compliance stack
For a WiFi access point, the full file is: MTCTE (technical conformance, TEC), WPC (radio authorisation), ITSAR-based security certification (NCCS), and — for licensed operators — procurement from a Trusted Source. Each answers a different question; the framework explainer maps them, and our certifications page shows the file Immunity maintains.
The Immunity position
NetWave (Lotus Alpha) WiFi 6 access points are MTCTE certified (and CE, FCC & RoHS compliant), carry WPC approvals for their radios, and ship from a Trusted Source with products on the Trusted Telecom Portal — under Immunity's own IEEE MAC block (OUI 50:48:2C:3), with firmware developed and supported in India. For the security-certification status of specific models against the current Wi-Fi CPE ITSAR, ask us — we answer with documents, not adjectives.
Frequently asked questions
Does CE or FCC certification cover ITSAR requirements?
No. CE and FCC are foreign regimes; ITSAR-based security certification is Indian and separate. Well-certified products hold the international marks alongside the Indian stack, not instead of it.
My deployment is a private campus, not a telecom network. Should I care?
The mandate binds licensed operators, but the requirements describe what a securely engineered access point looks like. Enterprises increasingly reference them in RFPs for exactly that reason.
Can a vendor self-declare ITSAR compliance?
Certification requires testing at designated labs under the NCCS scheme. A self-declaration is a claim; a certificate is evidence. Ask for the evidence.
What if the quoted model's certification is "in process"?
Then the tender decision is about dates: make certification (or a contractual commitment with penalties) a condition of award or delivery, and verify before acceptance.
