New framework streamlines approval of PON ONT variants while maintaining telecom security
The National Centre for Communication Security (NCCS), operating under the Department of Telecommunications (DoT), has rolled out a risk-based security certification framework for Passive Optical Network (PON) Optical Network Terminal (ONT) devices, a key component of India’s fibre broadband infrastructure.
The move marks a significant shift from the earlier certification approach, under which manufacturers were required to conduct full security testing for every ONT product variant, even when multiple models were based on the same System-on-Chip (SoC) and core software stack. Given that many product portfolios include 10 to 20 variants derived from a single platform, this resulted in extended approval timelines, higher compliance costs, and minimal incremental security benefit.
“By aligning security testing with actual risk points, this framework can reduce certification timelines from months to weeks without weakening telecom security,” said Rishikesh Mishra, CEO, JR Compliance.
Under the revised framework, mandatory security testing will now be carried out once per unique SoC–SDK platform. Manufacturers can introduce additional ONT variants built on the same certified platform through certificate modification and an updated Self Declaration of Conformity (SDoC). However, any change to the SoC or SDK will continue to require full re-testing, ensuring that core platform security remains uncompromised.
According to NCCS’s assessment, the greatest security risks in ONT devices lie at the hardware and core software layers, while changes at the variant level generally have limited impact on the overall security posture. The updated framework aligns certification effort with these real risk points.
Industry observers say the new approach is expected to significantly improve time-to-market for fibre broadband equipment, supporting India’s rapid expansion of high-speed connectivity while preserving strong security controls.
The revised certification regime applies only to PON ONT devices. All other telecom equipment categories will continue to be governed by existing ITSAR requirements.
The decision is being seen as a pragmatic step that balances regulatory efficiency with national telecom security, benefiting manufacturers, service providers, and the broader digital ecosystem alike.