Federal Register - August 31, 2021

Dateas is an independent website, not affiliated with any government body. The source of the PDF documents we publish is the official agency indicated in each of them. The text versions are unofficial transcriptions that we produce to provide better tools for accessing and searching information, but they may contain errors or be incomplete.

Source: Federal Register

48512

Federal Register / Vol. 86, No. 166 / Tuesday, August 31, 2021 / Rules and Regulations
the authentication and verification of caller ID information for calls carried over IP networks. The result of their efforts is the STIR/SHAKEN caller ID authentication framework, which allows for the caller ID information to securely travel with the call itself throughout the entire length of the call path. A key component of the STIR/SHAKEN framework is the transmission of a digital certificate along with the call. This certificate essentially states that the voice service provider authenticating the caller ID information is the voice service provider it claims to be, it is authorized to authenticate this information and, thus, the voice service provider's claims about the caller ID information can be trusted. To maintain trust and accountability in the voice service providers that vouch for the caller ID information, a neutral governance system issues the certificates.
The STIR/SHAKEN governance system is comprised of several different entities fulfilling specialized roles. The Governance Authority, managed by a board consisting of representatives from across the voice service industry, defines the policies and procedures for which entities can issue or acquire certificates. The Policy Administrator applies the rules the Governance Authority establishes, confirms that Certification Authorities are authorized to issue certificates, and confirms that voice service providers are authorized to request and receive certificates. Certification Authorities, of which there are several, issue the certificates that voice service providers use to authenticate and verify calls. Finally, the voice service providers, when acting as call initiators, select an approved Certification Authority from which to request a certificate, and when acting as call recipients, check with Certification Authorities to ensure that the certificates they receive were issued by the correct Certification Authority.
To receive a digital certificate, a voice service provider must first apply to the Policy Administrator for a Service Provider Code (SPC) token. To obtain a token, the Governance Authority policy requires that a voice service provider must (1) have a current FCC Form 499A on file with the Commission, (2) have been assigned an Operating Company Number (OCN), and (3) have certified with the FCC that they have implemented STIR/SHAKEN or comply with the Commission's Robocall Mitigation Program requirements and are listed in the FCC Robocall Mitigation Database. The token then permits the voice service provider to obtain the digital certificates it will use to authenticate calls from one of the approved Certification Authorities. The token, therefore, is a prerequisite for a voice service provider to participate in the STIR/SHAKEN ecosystem endorsed by section 4 of the TRACED Act and the Commission's implementing rules, and management of token access is the mechanism by which the Policy Administrator and Governance Authority protect the system from abuse and misuse.
The Policy Administrator grants tokens to voice service providers that meet the three eligibility criteria conditioned on the execution of a signed agreement with each voice service provider, stating that the voice service provider will follow the ATIS SHAKEN specifications. This agreement establishes that if the Policy Administrator deems the voice service provider to be in breach of the agreement, it has the authority to suspend or revoke a voice service provider's token. The Policy Administrator may revoke a service provider's service token on its own initiative in certain circumstances or when directed by the Governance Authority. In the SPC Token Revocation Policy, the Governance Authority lists the reasons for which a token may be revoked: (1) In the situation of compromised credentials, i.e., a voice service provider's private key has been lost, stolen, or compromised, or a certification authority has been compromised; (2) the voice service provider exits the STIR/SHAKEN ecosystem and closes its account with the Policy Administrator; (3) the voice service provider failed to adhere to the policy and technical requirements of the STIR/SHAKEN ecosystem, including the SPC Token Access Policy, funding requirements, or technical specifications regarding the use of STIR/SHAKEN; or (4) when directed by a court, the Commission, or another body with relevant legal authority due to a violation of Federal law related to caller ID authentication. When a service provider's credentials are compromised or it exits the ecosystem (the former two scenarios), the Policy Administrator may revoke a service provider's token without prior direction from the Governance Authority because in either circumstance revocation is clearly appropriate. However, when revocation is because a service provider failed to adhere to a policy or technical requirement, or is effected at the direction of a governmental body (the latter two scenarios), the Governance Authority conducts the revocation process according to the process outlined in the SPC Token Revocation Policy.
Token Revocation Procedure. Before the Governance Authority revokes a token due to a voice service provider's violation of a policy, technical, or legal requirement, the Governance Authority follows a multi-step process described by the SPC Token Revocation Policy, which allows the voice service provider to respond to the alleged infraction and appeal any adverse decision according to the Governance Authority's operating procedures. According to the SPC Token Revocation Policy, the revocation review process is triggered when a voice service provider, the Policy Administrator, a Certification Authority, or a regulatory authority such as the Commission reports a potential issue to the Governance Authority, generally via a complaint. After a preliminary review of the complaint, the Governance Authority decides whether or not to move forward with the review process.
If the Governance Authority determines there is sufficient information to move forward, notice of the complaint will be sent to the Governance Authority Board.
After the Governance Authority Board receives notice of the complaint, additional notices are sent to the complainant and to all other parties in the investigation process notifying them of the confidentiality requirements of the revocation proceeding. The Governance Authority also sends notice to the subject of the complaint, which has five business days to provide a preliminary response, and to the Policy Administrator who, after consulting with the Certification Authority if necessary, provides further information on facts related to the complaint and a proposed recommendation to the Governance Authority Board on whether to move forward with the complaint review. The Governance Authority Board then decides to either reject the complaint review, agrees review is necessary and accepts the complaint for review, or, if required, assigns it to the Technical Committee for further review.
If the Governance Authority Board decides to accept the complaint for review, it will reach out to the entity that is the subject of the complaint to provide another notification, this time stating that the complaint is being investigated and requesting a substantive written response. If the Governance Authority Board determines that additional review by the Technical Committee is also necessary, it will send the complaint to the Technical Committee, which will review the complaint and provide a recommendation to the Governance
About this edition

Title: Federal Register

Country: United States

Date: 31/08/2021

Page count: 415

Edition count: 7797

First edition: 14/03/1936

Last edition: 17/06/2026