CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006
Agenda Key dates Requirements Review of forms to be filed Resources for forms, explanations, examples, cover letters Other recommended internal policies DISCLAIMER This presentation in no way should be considered legal advice. It is a review of Merit’s understanding of and plans for CALEA filings.
Three Key Dates February 12, 2007 –Entities that the FCC believes need to be CALEA compliant must file the FCC form 445 –File with FCC and with FBI March 12, 2007 –Entities filing form 445 file a Systems Security and Integrity Plan –File with FCC and Homeland Security Bureau May 14, 2007 –Entities must have network compliance, –Unless on form 445 another date, and rationale was noted
Form 445 due February 12 th Pretty Simple Name, state, contact info, parent company (e.g.,R&E net that is part of a university) FCC Registration number (FRN) –Must get one at CORES link which is COmmission REgistration Systemwww.fcc.gov –FCC Registration is required to conduct business with the FCC –Merit has FRN because of USF work –This number will be used to uniquely identify you in all transactions with the FCC cont.
Form 445, cont. Filer’s 499 ID –Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, Local Number Portability Support Mechanisms –Merit doesn’t, and likely no R&E nets do; universities, libraries certainly don’t Filer checks whether it will be compliant by 5/14/07 or not cont.
Form 445, cont. Compliance method is identified by a checkbox –Proprietary/Custom or 3 rd party Write the standard used (Draft Standard PTSC-LAES R6) Proprietary/custom solution –Merit will get legal advice, but the assumption is that our solution is neither –Check if DOJ has been consulted -- Merit has not Check if Filer is using a Trusted Third Party, and if so, who;
Form 445, cont. Trusted Third Parties (TTPs) Can: Assist in meeting filer’s CALEA obligations Provide LEAs the electronic surveillance information those agencies require – In an acceptable format Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs. The entity (not the TTP) remains responsible for, –Ensuring the timely delivery of call-identifying information and call content –And for protecting subscriber privacy, as required by CALEA. cont.
Form 445, cont. If filer won’t be compliant by 5/14, state why: –Equipment – identify equipment by model type/manufacturer that is responsible for the delay –Network installation – brief description of circumstances contributing to delay –Manufacturer support -- brief description of circumstances contributing to delay –Other – any other circumstances Also describe Mediation actions – what steps being taken to resolve the circumstances causing delay cont.
Form 445, cont. Note: “Lack of final standard” isn’t on the list of reasons for delay in compliance –FBI quote: “Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order.” –“An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required.” (!) Finally, a company officer of the Filer signs FCC Form 445 and it’s filed
System Security and Integrity Plan Purpose Ensure that interception can be activated only in accordance with appropriate legal authorization With affirmative intervention of an individual officer of the entity In accordance with regulations prescribed by FCC And to ensure LEAs get the information Also, apparently not onerous
Very Different SSI Examples Printouts in workshop binder Blank “templates” at Educause website –Highly recommended because they take 2 nd R&O and incorporate terms into plan 2-page plan by U.S. LEC 4-page plan by Honeybee Networks 15-page plan by MetroPCS Merit plans to be brief –Will draft a plan by end of February and circulate to the community for comment/reference
SSI Components - General Appoint a senior officer or employee to ensure that activation only in accordance with lawful authorization –Name and job function –24/7 contact information Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point Process to report any act of compromise of lawful intercept or unlawful surveillance
SSI Components – Record Retention Must maintain secure and accurate record of interception of communications –Legal or not –In the form of a “Certification” Certification includes: –Identifying number/address –Start date –Identify of LEA officer –Name of person signing the legal authorization –Type of interception –Name of employee overseeing –Signed by employee overseeing Must maintain records for a reasonable period of time as determined by entity
So…Required Forms Not Onerous What may be more difficult is to actually act on a subpoena –Few and far between –People change jobs –CALEA and other laws differ Merit recommends that every network organization have a network “abuse” policy –Recommend that it be reviewed annually, e.g., at budget time –Or pick a time – like changing batteries in the home smoke detector with daylight savings time changes
Merit’s Network Abuse Policy Example Topics Included Triaging abuse complaints – Serious is: –Life or physical well being is threatened –Data could be destroyed, or confidential data exposed –DDOS attack Actions –Refer complainant to his ISP if not serious (e.g., spam) –Open incident report –Open NOC trouble ticket, escalate –Management approval for some action
Network Abuse Policy Being Revised CALEA requires new procedures Today, we “only release information about individuals to the organization with which they are associated, not to third parties” –Today, LEAs are always 3 rd parties –If there is a CALEA request, this doesn’t fit –In fact, we can’t let the organization know Today we have a management approval chain, and no one employee makes a decision or takes action –If there is a CALEA request, this doesn’t fit We will revise our internal network abuse policies and share with the community –Perhaps in parallel with the SSI draft
References – Public Notice - Compliance Monitoring Report –DA , December 14, 2006 –OMB Control Number Public Notice - Systems Security and Integrity Filing Requirement –DA , December 14, 2006 –OMB Control Number Systems Security and Integrity Plans components –CALEA of 1994 – Pub.L. No , 108 Stat –FCC 64 FR 51469, Sept. 23, 1999 –FCC 2 nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)
References, cont. Easiest source: Educause CALEA resource page – NT_ID=698http:// NT_ID=698 –Includes FCC public notices, forms, example cover letter for SSI, other background (FBI site)