News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. What we do
  3. Regulations and standards
  4. TICSA telecommunications network security
  5. Preparing your notification 

Ngā kaiwhakahaere whatunga - te whakarite i tō whakamōhiotanga Preparing your notification 

All notifications and enquiries are treated as commercial-in-confidence and are not publicly disclosed without permission or unless the network operator has already publicly released the information.

Disclaimer: This section is for information only. Please contact the Regulatory Unit at ticsa@ncsc.govt.nz for specific questions about preparing your notification.

Information we hold may be subject to a request for disclosure under the Official Information Act 1982 (OIA). We will consult with you prior to releasing any information under an OIA request.

We have means of accepting notifications and/or supporting information using public encryption methods. 

Please contact us at ticsa@ncsc.govt.nz for assistance.

Information required in your proposal

To give you a better understanding about what you need to include in your proposal, take some time to read the content on this page.

We will begin assessing your notification when we have all relevant and necessary information from you.  

You will need to include the following information in your proposal.

Network operator contact details

This includes the name, contact details, clearance status and other relevant information for the point(s) of contact.

Section notification

Which section the notification is made under:

  • section 48 (proposed decisions, courses of action or changes affecting areas of specified security interest), or
  • section 46(1) (network operator has identified a potential network security risk regarding any part of their network). 

The type of change – standard build or bulk change

A standard build may be a consistently procured equipment build or network addition, which is replicated throughout the network. Notification of the standard build is only required in the first instance, provided the build does not change to a type of equipment that has not been previously submitted by that network operator. 

In instances where a standard build is used, notification should also include details of the geographic locations in which it is intended to be deployed. 

An example of a standard build would be a build that is replicated across the country. In such a case, a notification of proposal that specifies which equipment will be used, the oversight and control mechanisms, and the geographic locations that the build will be deployed in would be sufficient notification for all deployments of the same build (provided no network security risks are identified). 

Should the standard build change from that notified, a new notification would need to be submitted that outlines what is changing in the new build. 

A bulk change could include all versions of a certain type of networking equipment, and the software/firmware builds that are likely to be deployed on it. Notification could also be supplied for a specific product range that may change incremental versions over time. 

Once the NCSC has considered the proposal covering the product range, the equipment would be able to be deployed on the network without the need to submit a new notification. 

One example of a bulk change would be a notification of proposal that outlines a product range of network cards to be deployed in a network switch. Once assessed, provided no network security risks were identified, the equipment would be able to be deployed without needing a new notification (such as a capacity upgrade). 

There are some practical limitations to notifications of bulk changes. A notification with an excessive number of equipment types or for an entire vendor’s product range does not amount to notification of a bulk change.

An overview of the proposal

This includes information such as the nature of the proposal, objectives, what it is replacing or if it is a new system, the service or function, and an outline of the design and security considerations (self-identified).

What and who is involved

Information such as hardware, software, vendors, services used, and any subcontractors expected to be involved in or considered under the proposal (if known). If this is a change notification, outline the current state.

Please note, NCSC does not have an approved or accepted list of vendors, and no vendor is prohibited. Our assessment will be done on a case-by-case basis.

Change to service information

When providing notification about a change to services, network operators will need to provide sufficient information to understand:

  • the service that will be provided,
  • how the effective ownership, oversight and control is exercised, and
  • the security controls that will be employed.

Timeframes

This include the timeframes you are working to such as:

  • proposed dates of Request for Proposal (RFP) or similar process, and 
  • decision-making timeframes. 

Security risks

Here you must include additional relevant information for context, including current security considerations.

Details of any attachments you provide

Any additional information relevant to assess the proposal which can include material taken from: 

  • business cases,
  • security/risk assessments,
  • details of any applicable standards used, and 
  • network architecture diagrams.

Related information

The notification process

Download the TICSA Notification of Proposal template [DOCX, 107 KB]

Guidelines for Network Operators  [PDF, 464 KB]