TM Forum Community

Friends, 

Is there any specific guidance, framework adaptions or insights, as to how Frameworx with its Business Process Framework (eTOM), the Information Framework (SID), and the Application Framework (TAM), can and should be adapted towards the specific requirements of the UK TSA?

Kind Regards,

David.

#BusinessAssurance
#General

------------------------------
J David Sharples
BT Group plc
------------------------------

------------------------------
Chirag Raval
Lead Consultant
Infosys Ltd
------------------------------

The need to support Critical Infrastructure Regulation came up in the ODA Security and Privacy team ( now closed) we are expecting to pick up Telecom and other regulation in the AI and Data Security and GRC ( Governance Regulation Compliance) team.

In addition to comments from  Chirag Raval.

• ODA Component team has identified the need for separate Configuration Component for (service and) networks as these functions from part of the the critical infrastructure. Configuration rules need to be under the control /governance of network architects and designers  not IT ( noting that a number of well publicised network failures are network configuration based e.g. BGP configuration errors). Working document: 
  IG1242 ODA Component Inventory v22.0.0 (TAC-1279) - Components and Canvas - TM Forum Confluence diagram in 

  4.2. Production Components and interactions also published at ODA Component Inventory v21.0.0 (IG1242) – TM Forum

• ODA Component accelerator  ODA Canvas has some mechanism in place to enforce Role Based Access Control (RBAC) and Identity Management access to individual components or collections of components: 
  oda-canvas/README.md at main · tmforum-oda/oda-canvas
  oda-canvas/SecurityPrinciples.md at main · tmforum-oda/oda-canvas
  oda-canvas/Authentication-video.png at main · tmforum-oda/oda-canvas
• There are general Zero trust principles documented in: 
  IG1306 Zero Trust Architecture and Implications to Enterprise Security v3.0.0 – TM Forum and 
  TR303A Federated Identity and Authentication Management for Multi-Domain Zero Trust Architecture v4.0.0 – TM Forum

------------------------------
Dave Milham
TM Forum, Chief Architect
------------------------------

Original Message:
Sent: Sep 23, 2025 17:07
From: Chirag Raval
Subject: UK Telecommunications Security Act (TSA) & Frameworx

There is emerging guidance and community insight on how TM Forum's Framework-including eTOM, SID, and TAM-can be adapted to meet the specific requirements of the UK Telecommunications Security Act (TSA). 

points:

 

1. Alignment of Framework with UK TSA Layers

The UK TSA introduces a three-layer security framework:

 

Layer 1: Overarching security duties (via amendments to the Communications Act 2003)

Layer 2: Specific security measures (Electronic Communications Security Measures Regulations 2022)

Layer 3: Technical guidance (Code of Practice issued by DCMS and NCSC) 1

Framework adaptation can support these layers as follows:

 

eTOM (Business Process Framework)

Can be mapped to TSA's operational and governance requirements.

Processes like Security Management, Risk Management, and Service Assurance are directly relevant.

eTOM's Operations Support & Readiness (OSR) and Enterprise Management domains can be extended to include TSA-specific controls such as patching, monitoring, and incident response.

SID (Information Framework)

Helps define and manage security-related data entities, such as:

Network elements

Access controls

Vulnerability records

SID can be extended to model security posture, compliance status, and audit trails-critical for TSA reporting and oversight.

TAM (Application Framework)

Useful for identifying and categorizing applications that support TSA compliance (e.g., SIEM, PAM, vulnerability scanners).

TAM can be adapted to highlight security-critical applications and their interdependencies, aiding in risk assessment and remediation planning.

------------------------------
Chirag Raval
Lead Consultant
Infosys Ltd
------------------------------

Hi David,

There is emerging guidance on aligning Frameworx with the UK TSA. For example, eTOM can map to operational and governance requirements, SID can manage security-related data, and TAM can categorize security-critical applications. You may also find this related internal resource helpful: Frameworx Security & Guaranteed Rent UK Compliance Best Practices.

------------------------------
Keara will
TO BE VERIFIED
------------------------------

Thank you for this feedback. In the material i mentioned in the earlier post is based on ETOM and SID. The link you posted seems to be broken so i was unable to check that material.

------------------------------
Dave Milham
TM Forum, Chief Architect
------------------------------

Original Message:
Sent: Sep 29, 2025 07:13
From: Keara will
Subject: UK Telecommunications Security Act (TSA) & Frameworx

Hi David,

There is emerging guidance on aligning Frameworx with the UK TSA. For example, eTOM can map to operational and governance requirements, SID can manage security-related data, and TAM can categorize security-critical applications. You may also find this related internal resource helpful: Frameworx Security & Guaranteed Rent UK Compliance Best Practices.

------------------------------
Keara will
TO BE VERIFIED
------------------------------

I should have mentioned that we have just kicked off under the AI-Native Blueprint project  a Security and Governance team whcih likely will look at both AI and Data Governance and Critical Infrastructure Regulations including TSA.

 Members can join AI Native Blueprint project by registering at TM Forum - Site Content - Page - Collaboration projects  
meeting are 23:00BST Mondays(late)  and 08:00BST Tuesdays  and you can join either. Calendar entries are on the project pages which you can reach after registering.

------------------------------
Dave Milham
TM Forum, Chief Architect
------------------------------

Original Message:
Sent: Oct 02, 2025 16:24
From: David Milham
Subject: UK Telecommunications Security Act (TSA) & Frameworx

Thank you for this feedback. In the material i mentioned in the earlier post is based on ETOM and SID. The link you posted seems to be broken so i was unable to check that material.

------------------------------
Dave Milham
TM Forum, Chief Architect
------------------------------


Original Message:
Sent: Sep 29, 2025 07:13
From: Keara will
Subject: UK Telecommunications Security Act (TSA) & Frameworx

Hi David,

There is emerging guidance on aligning Frameworx with the UK TSA. For example, eTOM can map to operational and governance requirements, SID can manage security-related data, and TAM can categorize security-critical applications. You may also find this related internal resource helpful: Frameworx Security & Guaranteed Rent UK Compliance Best Practices.

------------------------------
Keara will
TO BE VERIFIED