Final Rule

Call Authentication Trust Anchor

In Plain English

What is this Federal Register notice?

This is a final rule published in the Federal Register by the Federal Communications Commission. Final rules have completed the public comment process and establish legally binding requirements.

Is this rule final?

Yes. This rule has been finalized. It has completed the notice-and-comment process required under the Administrative Procedure Act.

Who does this apply to?

Consult the full text of this document for specific applicability provisions. The affected parties depend on the regulatory scope defined within.

When does it take effect?

This document has been effective since September 18, 2025.

Why it matters: This final rule establishes 3 enforceable obligations affecting 47 CFR Part 64.

Document Details

Document Number: 2025-15809
Type: Final Rule
Published: Aug 19, 2025
Effective Date: Sep 18, 2025
RIN: -
Docket ID: WC Docket No. 17-97
Text Fetched: Yes

Agencies & CFR References

CFR References:

Linked CFR Parts

Part | Name | Agency
No linked CFR parts

Paired Documents

Type | Proposed | Final | Method | Conf
No paired documents

Related Documents (by RIN/Docket)

Doc # | Type | Title | Published
2025-16804 | Notice | Wireline Competition Bureau Seeks Commen... | Sep 3, 2025
2025-10998 | Proposed Rule | Call Authentication Trust Anchor... | Jun 16, 2025

📋 Extracted Requirements 3 total

Detailed Obligation Breakdown 3
Actor Type Action Timing
provider MUST using the voice service provider's Secure Telephone Ide voice service provider -
provider MUST using the Secure Telephone Identity certificate it rece Secure Telephone Identity -
provider MUST use North American Numbering Plan resources that pert Numbering Plan resources -

Requirements extracted once from immutable Federal Register document.

Full Document Text (16,536 words · ~83 min read)

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 17-97; FCC 24-120; FR ID 304848]

Call Authentication Trust Anchor

AGENCY: Federal Communications Commission.

ACTION: Final rule.

SUMMARY: In this document, the Federal Communications Commission (Commission) adopts rules that strengthen the Commission's caller ID authentication requirements by establishing clear practices for providers that rely on third parties to fulfill their STIR/SHAKEN implementation obligations. The rules authorize providers with a STIR/SHAKEN implementation obligation to engage third parties to perform the technological act of digitally “signing” calls consistent with the requirements of the STIR/SHAKEN technical standards so long as: the provider with the implementation obligation makes the “attestation-level” decisions for authenticating caller ID information; and all calls are signed using the certificate of the provider with the implementation obligation—not the certificate of a third party. The rules also explicitly require all providers with a STIR/SHAKEN implementation obligation to obtain a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator and present that token to a STIR/SHAKEN Certificate Authority to obtain a digital certificate. Additionally, the rules include recordkeeping requirements for third-party authentication arrangements to enable the Commission to monitor compliance with and enforce Commission rules.

DATES: These rules are effective September 18, 2025.

FOR FURTHER INFORMATION CONTACT: For further information about the Notice of Proposed Rulemaking, contact Emily Caditz, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at Emily.Caditz@fcc.gov. For additional information concerning the Paperwork Reduction Act proposed information collection requirements contained in this document, send an email to PRA@fcc.gov or contact Nicole Ongele at (202) 418-2991.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report and Order in WC Docket No. 17-97, FCC 24-120, adopted on November 21, 2024 and released on November 22, 2024. The complete text of this document is available for download at https://docs.fcc.gov/public/attachments/FCC-24-120A1.pdf.

Synopsis

I. Discussion

In this Report and Order, we take a number of steps to support the STIR/SHAKEN framework and promote trust in our country's voice networks. We do so by authorizing providers with a STIR/SHAKEN implementation obligation to work with third parties to perform the technological act of signing calls to fulfill their compliance obligations under the Commission's rules, but establishing clear limits to ensure that such third-party arrangements neither undermine adherence to the requirements of the STIR/SHAKEN technical standards nor allow providers to avoid accountability for noncompliance. By “STIR/SHAKEN implementation obligation,” we mean the applicable requirement under the Commission's rules that a provider implement STIR/SHAKEN in the IP portions of their networks by a date certain, subject to certain exceptions.
When referencing those providers “without” a STIR/SHAKEN implementation obligation, we mean those providers that are subject to an implementation extension, such as a provider with an entirely non-IP network or one that is unable to obtain the necessary SPC token to authenticate caller ID information, or that are exempted from our caller ID authentication requirements because they lack control over the network infrastructure necessary to implement STIR/SHAKEN. First, we define “third-party authentication” for the purposes of the rules we adopt today. Next, we limit the third-party authentication arrangements authorized under the Commission's rules to those in which the provider with the STIR/SHAKEN implementation obligation: (1) makes all attestation level decisions, consistent with the STIR/SHAKEN technical standards; and (2) ensures that all calls are signed using its own certificate obtained from a STIR/SHAKEN Certificate Authority—not the certificate of a third party. Utilizing a third party to sign traffic without complying with the requirements we adopt today will constitute a violation of the Commission's caller ID authentication rules. We further require that any provider certifying to partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database must be registered with the STIR/SHAKEN Policy Administrator, obtain its own SPC token from the Policy Administrator, use that token to generate a certificate with the Certificate Authority, and authenticate all its calls with that certificate, whether directly or through a third party. We also adopt recordkeeping requirements regarding third-party authentication arrangements to ensure compliance with the rules we adopt today and promote accountability in the event that any such arrangement leads to abuse of the voice network. 
Based on our review of the record, we find that taking these steps will enable providers to obtain the economic and other benefits of utilizing third-party technical solutions for STIR/SHAKEN implementation without compromising the integrity of the STIR/SHAKEN technical standards and governance model. This, in turn, will protect consumers by promoting more ubiquitous and accurate caller ID authentication.

A. Authorizing Third-Party Authentication Subject to Limitations To Prevent Abuse

1. Defining the Scope of Third-Party Authentication

We first define “third-party authentication” for the purposes of the rules we adopt today, and also delineate the types of providers that are covered by the rules. In the Sixth Caller ID Authentication Further Notice (88 FR 29035, May 5, 2023), we sought comment on the types of third-party arrangements being used by providers, including whether providers are entering into agreements with third parties to perform all or part of their authentication responsibilities. We sought specific comment on the solutions detailed in the 2021 Small Providers Report produced by the NANC, which described third-party solutions that providers could engage to perform the technological act of signing calls, including “hosted SHAKEN” services offered in a public or private cloud and “carrier SHAKEN” services in which calls are signed by an intermediate provider. As described in the NANC Report, in both of these scenarios, the provider with the STIR/SHAKEN implementation obligation determines the appropriate attestation level for a call and the third-party solution signs the call using the obligated provider's token. We also sought comment on several scenarios addressed in the ATIS-1000088 Technical Report in which a provider with a STIR/SHAKEN implementation obligation lacks a direct relationship with the end user of the voice service.
These scenarios involve circumstances where the end user of the voice service is not the same as the “customer,” as defined by the ATIS-1000088 Technical Report, such as when a wholesale provider originates a call onto the public network for its reseller customer that initiated the call on behalf of an end user. ATIS-1000088 defines “customer” as “[t]ypically a service provider's subscriber, which may or may not be the ultimate end-user of the telecommunications service.” Under this definition, a customer “may be a person, enterprise, reseller, or value-added service provider.” An “end-user” is defined as “[t]he entity ultimately consuming the VoIP-based telecommunications service,” which may be “the direct customer of [an originating] service provider or may indirectly use the VoIP-based telecommunications service through another entity such as a reseller or value-added service provider.” ATIS-1000088, therefore, makes clear that, in some cases, the “customer” and “end user” are not the same. We additionally sought comment on whether we should limit any rule authorizing third-party authentication to the scenarios discussed by the Small Providers Report or those in the ATIS-1000088 Technical Report, or take a broader approach. Based on our review of the record, and for the purposes of the rules we adopt today, we define “third-party authentication” to refer to scenarios in which a provider with a STIR/SHAKEN implementation obligation under the Commission's rules enters into an agreement with another party—a “third party”—to perform the technological act of signing calls on the provider's behalf. This definition of third-party authentication includes, for example, the “hosted SHAKEN” and “carrier SHAKEN” solutions that are described in the Small Providers Report. It excludes instances in which a provider with a STIR/SHAKEN implementation obligation authenticates its own traffic, and simply has a customer that is not the end user that initiated the call. 
We find that this definition is consistent with the caller ID authentication roles defined by the Commission's rules and the ATIS standards, and will establish a clear scope for the third-party authentication practices we authorize herein. The Commission's rules establish three categories of providers with STIR/SHAKEN caller ID authentication obligations: (1) voice service providers that originate calls; (2) non-gateway intermediate providers that carry or process the calls without originating or terminating them; and (3) gateway providers that receive calls from foreign originating or intermediate providers at their US facilities and transmit them downstream. The Commission's rules further s

Preview showing 10k of 115k characters. Full document text is stored and available for version comparison.
This text is preserved for citation and comparison. View the official version for the authoritative text.