On November 22, 2024, the FCC released an Eighth Report and Order (Eighth R&O) addressing telecom carriers' ability to use the STIR/SHAKEN capabilities of a third-party provider as a means of compliance with FCC regulations intended to prevent illegally spoofed robocalls. Through the Eighth R&O, the Commission seeks to strengthen its caller ID authentication requirements by establishing clear rules of the road for the use of third parties in the caller ID authentication process and ensuring that the party with the implementation obligation remains accountable for meeting STIR/SHAKEN standards.
Specifically, the new rules define “third-party authentication” to refer to scenarios in which a provider with a STIR/SHAKEN obligation enters into an agreement with a third party to perform the technological act of “signing” calls – that is, use of a STIR/SHAKEN certificate to populate the Identity header with encrypted information which can be decrypted by a downstream provider to verify the identity of the authenticating provider. This definition does not include instances in which a provider with a STIR/SHAKEN obligation authenticates its own traffic, and simply has a customer that is not the end user that initiated the call.
The Eighth R&O permits a provider to engage third parties to perform the act of signing calls as required by the STIR/SHAKEN standards, subject to two conditions: (1) the provider must make all attestation-level decisions, consistent with the requirements of ATIS technical standards; and (2) all calls must be signed using the certificate of the provider with the implementation obligation. Relying on third parties to sign traffic without complying with these requirements will constitute a violation of the FCC's caller ID authentication rules.
Further, the Eighth R&O requires a provider with a STIR/SHAKEN obligation to: (1) obtain an SPC token and digital certificate; (2) certify complete or partial implementation in the FCC Robocall Mitigation Database only if it has obtained an SPC token and digital certificate and signs calls with its certificate; and (3) memorialize and maintain records of any third-party authentication agreement it has entered into. A written agreement with the third party must specify the tasks the third party will perform on the provider's behalf and confirm that the provider will (1) make all attestation-level decisions for calls signed pursuant to the agreement, and (2) ensure that all calls will be signed using the provider's certificate.
The compliance deadline for the new rules is 30 days after publication of the Eighth R&O in the Federal Register following OMB approval, or 210 days after release of the Eighth R&O, whichever is later.