Call Authentication Trust Anchor
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
In this document, the Federal Communications Commission (Commission) adopts rules that strengthen the Commission's caller ID authentication requirements by establishing clear practices for providers that rely on third parties to fulfill their STIR/SHAKEN implementation obligations. The rules authorize providers with a STIR/SHAKEN implementation obligation to engage third parties to perform the technological act of digitally "signing" calls consistent with the requirements of the STIR/SHAKEN technical standards so long as: the provider with the implementation obligation makes the "attestation-level" decisions for authenticating caller ID information; and all calls are signed using the certificate of the provider with the implementation obligation--not the certificate of a third party. The rules also explicitly require all providers with a STIR/SHAKEN implementation obligation to obtain a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator and present that token to a STIR/SHAKEN Certificate Authority to obtain a digital certificate. Additionally, the rules include recordkeeping requirements for third-party authentication arrangements to enable the Commission to monitor compliance with and enforce Commission rules.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 158 (Tuesday, August 19, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 158 (Tuesday, August 19, 2025)]
[Rules and Regulations]
[Pages 40241-40256]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-15809]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[WC Docket No. 17-97; FCC 24-120; FR ID 304848]
Call Authentication Trust Anchor
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission) adopts rules that strengthen the Commission's caller ID
authentication requirements by establishing clear practices for
providers that rely on third parties to fulfill their STIR/SHAKEN
implementation obligations. The rules authorize providers with a STIR/
SHAKEN implementation obligation to engage third parties to perform the
technological act of digitally ``signing'' calls consistent with the
requirements of the STIR/SHAKEN technical standards so long as: the
provider with the implementation obligation makes the ``attestation-
level'' decisions for authenticating caller ID information; and all
calls are signed using the certificate of the provider with the
implementation obligation--not the certificate of a third party. The
rules also explicitly require all providers with a STIR/SHAKEN
implementation obligation to obtain a Service Provider Code (SPC) token
from the STIR/SHAKEN Policy Administrator and present that token to a
STIR/SHAKEN Certificate Authority to obtain a digital certificate.
Additionally, the rules include recordkeeping requirements for third-
party authentication arrangements to enable the Commission to monitor
compliance with and enforce Commission rules.
DATES: These rules are effective September 18, 2025.
FOR FURTHER INFORMATION CONTACT: For further information about the
Notice of Proposed Rulemaking, contact Emily Caditz, Attorney Advisor,
Competition Policy Division, Wireline Competition Bureau, at
Emily.Caditz@fcc.gov. For additional information concerning the
Paperwork Reduction Act proposed information collection requirements
contained in this document, send an email to PRA@fcc.gov or contact
Nicole Ongele at (202) 418-2991.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report
and Order in WC Docket No. 17-97, FCC 24-120, adopted on November 21,
2024 and released on November 22, 2024. The complete text of this
document is available for download at <a href="https://docs.fcc.gov/public/attachments/FCC-24-120A1.pdf">https://docs.fcc.gov/public/attachments/FCC-24-120A1.pdf</a>.
Synopsis
I. Discussion
In this Report and Order, we take a number of steps to support the
STIR/SHAKEN framework and promote trust in our country's voice
networks. We do so by authorizing providers with a STIR/SHAKEN
implementation obligation to work with third parties to perform the
technological act of signing calls to fulfill their compliance
obligations under the Commission's rules, but establishing clear limits
to ensure that such third-party arrangements neither undermine
adherence to the requirements of the STIR/SHAKEN technical standards
nor allow providers to avoid accountability for noncompliance. By
``STIR/SHAKEN implementation obligation,'' we mean the applicable
requirement under the Commission's rules that a provider implement
STIR/SHAKEN in the IP portions of their networks by a date certain,
subject to certain exceptions. When referencing those providers
``without'' a STIR/SHAKEN implementation obligation, we mean those
providers that are subject to an implementation extension, such as a
provider with an entirely non-IP network or one that is unable to
obtain the necessary SPC token to authenticate caller ID information,
or that are exempted from our caller ID authentication requirements
because they lack control over the network infrastructure necessary to
implement STIR/SHAKEN. First, we define ``third-party authentication''
for the purposes of the rules we adopt today. Next, we limit the third-
party authentication arrangements authorized under the Commission's
rules to those in which the provider with the STIR/SHAKEN
implementation obligation: (1) makes all attestation level decisions,
consistent with the STIR/SHAKEN technical standards; and (2) ensures
that all calls are signed using its own certificate obtained from a
STIR/SHAKEN Certificate Authority--not the certificate of a third
party. Utilizing a third party to sign traffic without complying with
the requirements we adopt today will constitute a violation of the
Commission's caller ID authentication rules. We further require that
any provider certifying to partial or complete STIR/SHAKEN
implementation in the Robocall Mitigation Database must be registered
with the STIR/SHAKEN Policy
Administrator, obtain its own SPC token from the Policy Administrator,
use that token to generate a certificate with the Certificate
Authority, and authenticate all its calls with that certificate,
whether directly or through a third party. We also adopt recordkeeping
requirements regarding third-party authentication arrangements to
ensure compliance with the rules we adopt today and promote
accountability in the event that any such arrangement leads to abuse of
the voice network. Based on our review of the record, we find that
taking these steps will enable providers to obtain the economic and
other benefits of utilizing third-party technical solutions for STIR/
SHAKEN implementation without compromising the integrity of the STIR/
SHAKEN technical standards and governance model. This, in turn, will
protect consumers by promoting more ubiquitous and accurate caller ID
authentication.
A. Authorizing Third-Party Authentication Subject to Limitations To
Prevent Abuse
1. Defining the Scope of Third-Party Authentication
We first define ``third-party authentication'' for the purposes of
the rules we adopt today, and also delineate the types of providers
that are covered by the rules. In the Sixth Caller ID Authentication
Further Notice (88 FR 29035, May 5, 2023), we sought comment on the
types of third-party arrangements being used by providers, including
whether providers are entering into agreements with third parties to
perform all or part of their authentication responsibilities. We sought
specific comment on the solutions detailed in the 2021 Small Providers
Report produced by the NANC, which described third-party solutions that
providers could engage to perform the technological act of signing
calls, including ``hosted SHAKEN'' services offered in a public or
private cloud and ``carrier SHAKEN'' services in which calls are signed
by an intermediate provider. As described in the NANC Report, in both
of these scenarios, the provider with the STIR/SHAKEN implementation
obligation determines the appropriate attestation level for a call and
the third-party solution signs the call using the obligated provider's
token. We also sought comment on several scenarios addressed in the
ATIS-1000088 Technical Report in which a provider with a STIR/SHAKEN
implementation obligation lacks a direct relationship with the end user
of the voice service. These scenarios involve circumstances where the
end user of the voice service is not the same as the ``customer,'' as
defined by the ATIS-1000088 Technical Report, such as when a wholesale
provider originates a call onto the public network for its reseller
customer that initiated the call on behalf of an end user. ATIS-1000088
defines ``customer'' as ``[t]ypically a service provider's subscriber,
which may or may not be the ultimate end-user of the telecommunications
service.'' Under this definition, a customer ``may be a person,
enterprise, reseller, or value-added service provider.'' An ``end-
user'' is defined as ``[t]he entity ultimately consuming the VoIP-based
telecommunications service,'' which may be ``the direct customer of [an
originating] service provider or may indirectly use the VoIP-based
telecommunications service through another entity such as a reseller or
value-added service provider.'' ATIS-1000088, therefore, makes clear
that, in some cases, the ``customer'' and ``end user'' are not the
same. We additionally sought comment on whether we should limit any
rule authorizing third-party authentication to the scenarios discussed
by the Small Providers Report or those in the ATIS-1000088 Technical
Report, or take a broader approach.
Based on our review of the record, and for the purposes of the
rules we adopt today, we define ``third-party authentication'' to refer
to scenarios in which a provider with a STIR/SHAKEN implementation
obligation under the Commission's rules enters into an agreement with
another party--a ``third party''--to perform the technological act of
signing calls on the provider's behalf. This definition of third-party
authentication includes, for example, the ``hosted SHAKEN'' and
``carrier SHAKEN'' solutions that are described in the Small Providers
Report. It excludes instances in which a provider with a STIR/SHAKEN
implementation obligation authenticates its own traffic, and simply has
a customer that is not the end user that initiated the call. We find
that this definition is consistent with the caller ID authentication
roles defined by the Commission's rules and the ATIS standards, and
will establish a clear scope for the third-party authentication
practices we authorize herein.
The Commission's rules establish three categories of providers with
STIR/SHAKEN caller ID authentication obligations: (1) voice service
providers that originate calls; (2) non-gateway intermediate providers
that carry or process the calls without originating or terminating
them; and (3) gateway providers that receive calls from foreign
originating or intermediate providers at their US facilities and
transmit them downstream. The Commission's rules further state that the
STIR/SHAKEN implementation obligation applies to providers with control
over the network infrastructure necessary to implement STIR/SHAKEN.
Providers that meet these criteria are obligated to implement STIR/
SHAKEN and are thus the entities that would be the ``first parties'' in
any third-party authentication arrangement authorized by our rules,
i.e., they are the parties with the ultimate compliance obligation.
That compliance obligation does not change simply because the provider
has an upstream customer (e.g., a reseller or a value-added service
provider) that is not the ultimate end user of the voice service and
does not itself have a STIR/SHAKEN implementation obligation, e.g., a
reseller that qualifies for the STIR/SHAKEN exemption or a value-added
service provider (VASP) that provides communications services that are
ancillary to the voice service. A VASP may provide services such as
arranging for telephone number assignments from a service provider to a
particular customer of the VASP or for the VASP's use irrespective of
customer. As is often true with respect to resellers, an ``originating
[service provider] typically knows the VASP customer and does not have
direct knowledge'' of the VASP's end users. In these scenarios, the
Technical Report provides guidance on the steps a provider with STIR/
SHAKEN implementation obligation must take to verify its customer's
identity and right to use a number, as required to provide an A- or B-
level attestation. For instance, in the context of voice service
providers, we agree with CCA that ``[w]here, consistent with ATIS
standards, an originating service provider provides an attestation for
calls from its own reseller or [VASP] customer, it is not engaging in
third party authentication[; i]t is instead using its certificate to
provide an appropriate attestation to traffic from its own customers.''
Stated differently, the originating service provider in that example is
performing its own STIR/SHAKEN implementation obligation and is not
acting as a third party for its upstream customer. Thus, if a wholesale
provider originates a call onto the public network on behalf of a
reseller customer that lacks control over the network infrastructure
necessary to implement STIR/SHAKEN, it is the wholesale provider that
has the STIR/SHAKEN implementation obligation, not the reseller. In
this scenario, the wholesale provider is obligated to use
STIR/SHAKEN to authenticate the caller ID pursuant to its own
obligation under the Commission's rules, not as a third party for the
reseller that is exempt from STIR/SHAKEN implementation requirements.
Our framework authorizes all providers with a STIR/SHAKEN
implementation obligation, regardless of their position in the call
path, and subject to the limitations we set in place, to engage a third
party for the technological act of signing calls. Therefore, where an
intermediate provider (either a non-gateway intermediate provider or
gateway provider) has a STIR/SHAKEN implementation obligation, it may
fulfill that obligation through a third party subject to these same
rules.
We find that any other interpretation would be inconsistent with
the requirements for making attestation-level decisions when
authenticating calls in the ATIS standards and reference documents.
ATIS-1000074 only permits A- and B-level attestations to be made by
providers that originate calls onto the IP-based service provider
network. Although not defined in ATIS-1000074, that standard uses the
term originating service provider, or OSP, consistent with related
standards documents, such as ATIS-1000089, which defines originating
service provider as: ``[t]he service provider that handles the outgoing
calls from a customer at the point at which they are entering the
public network. The OSP performs the SHAKEN Authentication function.''
Thus, when an originating service provider authenticates a call based
on what it knows about its customer and its customer's right to use a
telephone number, it is performing its own STIR/SHAKEN implementation
obligation, not that of its upstream customer in a third-party
capacity. In these circumstances, it is the responsibility of the
originating service provider to utilize reasonable ``Know Your
Customer'' (KYC) protocols to establish a credible evidentiary basis
for a ``direct authenticated relationship with [its] customer'' and/or
verification of its customer's right to use the telephone number
appearing in the caller ID field, sufficient to apply an A- or B-level
attestation under the ATIS standards. USTelecom, CTIA, and Numeracle
urge us to adopt a definition of the term ``customer'' that is narrower
than the one employed by the ATIS standards and reference documents.
Specifically, they ask that we define ``customer'' to mean solely the
end user that initiated the voice service, whether an individual or
organizational entity. We decline to do so at this time because it is
not necessary for the purposes of the third-party authentication rules
we adopt today. We make clear above that the ``first party'' within any
third-party arrangement is the entity with a STIR/SHAKEN implementation
obligation, which under our existing rules and precedent, will
necessarily be a voice service provider, intermediate provider, or
gateway provider with control over the network infrastructure necessary
to implement STIR/SHAKEN. As explained herein, whether the provider's
customer is the ultimate end user of the voice service or another
upstream entity is not dispositive of whether the provider has a STIR/
SHAKEN implementation obligation and whether it may enter into an
agreement with a third-party to perform the technological act of
signing calls in fulfillment of that obligation subject to the
requirements we adopt today. Further, we agree with NCTA, CCA,
INCOMPAS, and ACA Connects that narrowing the definition of
``customer'' to mean solely the entity that initiates the voice service
would be a significant departure from a plain reading of the ATIS
standards and reference documents, and could be disruptive to the use
cases that those standards and reference documents clearly contemplate
as functioning within the STIR/SHAKEN ecosystem. ZipDX asks us to
provide clarification as to the operation of our rules, including
applicable KYC requirements, in a variety of hypothetical caller ID
authentication arrangements. We decline to do so at this time, and find
that commenting further on any given permutation of an authentication
arrangement absent a more focused record on these matters would be
unproductive. As we have explained above, the guidance we provide in
this Order aligns with the text of the ATIS standards, including those
which contemplate more complex calling arrangements between resellers
and wholesalers such as those ZipDX describes.
We thus decline ZipDX's suggestion that we incorporate providers
that lack control over the network infrastructure necessary to
implement STIR/SHAKEN as first parties under this framework when they
``hold [themselves] out as the originating service provider (even
though [they] do[ ] not actually `touch' the call)'' and ``arrange for
somebody (the infamous third party) to sign the calls'' for them. For
the reasons discussed above, such a fluid conception of ``originating
service provider'' would conflict with the text of the Commission's
rules establishing the scope of providers subject to a STIR/SHAKEN
implementation obligation and would be inconsistent with how the ATIS
standards and technical reports use that term. We similarly reject
other commenters' understanding of ``third-party authentication'' that
describe scenarios in which a provider without a STIR/SHAKEN
implementation obligation, such as a provider that lacks control over
the network infrastructure necessary to implement STIR/SHAKEN, would be
considered the ``first party.'' We understand that there are currently
voice service resellers that are voluntarily attempting to authenticate
caller ID information despite not having control over the network
infrastructure necessary to implement STIR/SHAKEN and, thus, lacking a
STIR/SHAKEN implementation obligation under the Commission's rules. We
understand that they often do so by relying on their wholesale
providers to sign their calls. As explained above, such arrangements do
not fall within the definition of third-party authentication that we
adopt today, except insofar as the wholesale provider with the STIR/
SHAKEN implementation obligation opts to use a third party to perform
the technological act of signing calls on its behalf. We nevertheless
encourage voice service resellers engaged in any form of authentication
arrangement with wholesalers to provide such wholesalers with enough
information to enable them to determine the appropriate attestation
level of the calls initiated by the resellers' end users, pursuant to
the wholesaler's obligations under the Commission's rules and the STIR/
SHAKEN standards.
2. Authorized Third-Party Authentication Practices
We next authorize providers with a STIR/SHAKEN implementation
obligation to enlist the help of a third-party subject to certain
conditions. In the Sixth Caller ID Authentication Further Notice (88 FR
29035, May 5, 2023), we sought comment on whether we should amend the
Commission's rules to explicitly authorize third-party authentication
and what, if any, limitations we should place on that authorization to
ensure compliance with authentication requirements and the reliability
of the STIR/SHAKEN framework. Based on the evidence in the record, we
permit providers with a STIR/SHAKEN implementation obligation under the
Commission's rules to engage third parties to perform the technological
act of signing calls as required by the STIR/SHAKEN standards, subject
to two conditions: (1) the provider with the implementation
obligation must make all attestation-level decisions, consistent with
the requirements of the technical standards; and (2) all calls must be
signed using the certificate of the provider with the implementation
obligation. Relying on third parties to sign traffic without complying
with these requirements will constitute a violation of the Commission's
caller ID authentication rules. The rules we adopt today are not
limited to arrangements based on a ``Hosted SHAKEN'' model or the
``Carrier SHAKEN'' model, or any other particular technological
solution. We agree with TransNexus that limiting third-party
authentication to currently existing technical solutions is unnecessary
and may even inadvertently prevent innovation should new solutions be
developed in the future. We will monitor any new solutions that may
develop and may revisit this subject should action to address new risks
be warranted. As explained below, we find that this approach will
ensure the accountability necessary to maintain trust in the STIR/
SHAKEN framework and will promote accurate and reliable A- and B-level
attestations.
Commenters broadly agree that there are benefits to third-party
authentication. Numeracle notes that third-party authentication is
``necessary and beneficial for the timely and efficient implementation
of STIR/SHAKEN.'' INCOMPAS adds that, ``[e]ngaging in third-party
caller ID authentication benefits the STIR/SHAKEN ecosystem by
increasing the number of calls that are signed with a SHAKEN signature
and by expanding the variety of signing options available to voice
service providers and their customers.'' According to USTelecom, ``for
some providers, including smaller providers with limited resources,
relying on third parties is essential to deploy STIR/SHAKEN in a cost-
effective way. In addition, for certain equipment, including legacy IP
equipment, third-party signing can be an effective and efficient means
to deploy signing capabilities that otherwise would be cost-
prohibitive.'' USTelecom's assertion accords with the NANC Small
Providers Report, which concludes that third-party authentication may
benefit small providers by reducing the costs associated with STIR/
SHAKEN implementation.
The record also indicates, however, that certain types of third-
party authentication practices can undermine confidence in the STIR/
SHAKEN framework, and that guardrails are necessary. TransNexus argues
that arrangements in which a ``downstream transit provider
authenticates calls using its own STI certificate and its specific
means to determine the attestation level'' present serious problems by
``undermin[ing] STIR/SHAKEN and robocall prevention,'' and ``enabl[ing]
bad actors . . . to hide illegal robocalls amidst other calls
authenticated by the transit provider.'' ACA Connects adds that
``[t]hird-party call authentication could raise serious concerns in
some contexts, including in situations where a provider employs a
third-party for call authentication as a ploy to avoid scrutiny and
accountability.'' NTCA similarly argues that, ``[w]hile [third-party
services] are a valuable option for providers' compliance with the
Commission's caller-ID authentication rules, the potential for bad
actors to utilize certain variations of these arrangements in a way
that could undermine the integrity of the STIR/SHAKEN ecosystem cannot
be overlooked.'' NTCA and USTelecom agree that safeguards ``are
necessary to maintain trust in the STIR/SHAKEN ecosystem and allow
these arrangements to function as intended for legitimate providers.''
We thus balance the benefits and concerns associated with third-
party authentication by adopting a rule that allows the practice
subject to the two conditions specified above: (1) the provider with
the STIR/SHAKEN implementation obligation must make all attestation-
level decisions, consistent with the requirements of the technical
standards; and (2) all calls must be signed using the certificate of
the provider with the implementation obligation. We disagree with
TransNexus's argument that we should simply issue a declaratory ruling
to clarify that the Commission's rules already require voice service
providers and intermediate providers to ensure that calls that they
initiate onto the voice network are signed with their certificate, and
to make all attestation-level decisions, regardless of which entity
actually performs the act of signing. We instead find that codifying
the rules through this Eighth Report and Order will not only ensure
that all parties are on the same page regarding their STIR/SHAKEN
implementation obligations moving forward, but will also give us
additional enforcement tools in the event a bad actor originating
service provider attempts to hide behind a third party to obscure its
identity. These key guardrails will allow providers to realize the
benefits of third-party authentication without compromising the
integrity of the trust and governance structure upon which STIR/SHAKEN
relies. They will ensure that responsibility for properly
authenticating a call's caller ID information--including complying with
the attestation requirements of the ATIS standards--remains with the
party assigned the STIR/SHAKEN implementation obligation under the
Commission's rules, and will prevent providers from shirking their due-
diligence duties by shifting STIR/SHAKEN authentication procedures to
third parties. Under this approach, originating service providers that
rely on delegate certificates to establish a customer's right to use a
telephone number, as required for an A-level attestation, may continue
to do so to the extent permitted by the ATIS standards. These delegate
certificates ``provid[e] an end user or other VoIP entity with the
ability to create and sign a PASSporT on its calls using a set of
credentials . . . associated with [the] delegate certificate that is
specific to the telephone number resources [which] that end user or
other VoIP entity is authorized to use,'' though originating service
providers may choose to ``ignor[e] all PASSporTs signed with delegate
certificate credentials.'' Because the originating service provider is
ultimately responsible for making all attestation-level decisions and
providing that information to a third-party performing the
technological act of signing a call, the originating service provider
remains responsible for vetting their customers and the criteria for
applying A-level attestations, whether or not a delegate certificate is
accepted. We decline SOMOS' suggestion that we should mandate
acceptance of delegate certificates by providers in this Eighth Report
and Order, as such a mandate is beyond the scope of the third-party
authentication rules that we adopt today and the record in this
proceeding is insufficient to weigh the benefits and burdens of
imposing such a requirement. By requiring calls to be signed using the
certificate of the provider with the implementation obligation, the
STIR/SHAKEN governance model will be able to function as intended by
making it easier to identify providers responsible for any
authentication information transmitted with a call and facilitating
enforcement remedies that may be needed for failures to comply with
authentication requirements, including, for example, revocation of a
provider's SPC token by the Secure Telephone Identity Governance
Authority (STI-GA). We agree with commenters that the sharing of a
provider's certificate with a third-
party authenticator for the purpose of populating the identity header
of a call does not create a security risk or undermine the STIR/SHAKEN
trust model. As TransNexus states, STIR/SHAKEN certificates are similar
to other secure certificates used extensively on the internet: ``Most
certificate holders provision their certificates and private keys to be
hosted by third parties. These companies are experts in securing
digital assets, and they use technology best practices and systems to
minimize risks.'' Further, we conclude that a provider's direction to a
third-party authenticator as to which attestation level to apply to a
given call does not raise concerns about privacy or confidentiality. As
Numeracle confirms, ``the service provider should be able to pass its
direction for attestation on to systems maintained by vendors used for
technical support to apply the appropriate attestation level to the
service provider's own calls without having to also supply its [third-
party authenticator] with contextual data related to its decision.''
NCTA states that any information that may need to be shared ``is
typically no more information than would be shared in connection with
other robocall mitigation efforts, such as traceback or other
initiatives to combat abusive calling practices . . . .'' No commenter
argues third-party authentication practices, or specifically the
sharing of information and certificates with third parties to perform
the technological act of signing calls, presents security, privacy, or
confidentiality concerns. A few commenters note that the STI-GA is
working on ways to address ``improper attestations,'' and last year
published a document providing guidance regarding what it considers to
be ``improper attestation,'' to ``support STI GA processes and
policies,'' including its token revocation process. By adopting
guardrails on third-party authentication practices and ensuring that
all calls are signed with the token of the provider with the STIR/
SHAKEN implementation obligation, rather than a third party that may
perform the technological functions of signing a call for that
provider, we assist in the STI-GA's effort to address improper
attestation by increasing transparency.
We find that this approach will also guard against improper A- and
B-level attestations by parties that are not originating service
providers. Under the ATIS standards, an A- or B-level attestation can
only be applied if the provider authenticating the call originates it
onto the public network. That ATIS criterion can be satisfied in the
context of a third-party arrangement where the originating service
provider either: (1) arranges with a third party to perform the
technological act of signing a call before the provider originates the
call onto the public network; or (2) originates the call onto the
public network with an agreement in place for a downstream intermediate
provider to perform the technological act of signing the call. The
second requirement of A- and B-level attestation, i.e., confirmation
that an originating service provider has a ``direct authenticated
relationship'' with its customer and can identify the customer, is a
determination that cannot be made by a third party with no relationship
to that customer. The last requirement for an A-level attestation,
i.e., confirmation that the originating service provider has
established that the customer has a legitimate right to use the
telephone number that appears in the caller ID, also necessarily
requires due diligence by the originating service provider. We thus
agree with commenters in the record that it is inconsistent with the
Commission's rules and the ATIS standards to allow third parties to
make such determinations. Since, as discussed above, the calls will
need to be signed using the originating service provider's certificate,
the rules we adopt today will ensure that such originating service
providers are held accountable for improper attestation-level decisions
for the calls they originate onto the public network, even if the
technological act of signing the calls is performed by a third party.
Commenters generally support our adoption of these guardrails. CTIA
and Numeracle argue that this approach ``is consistent with the
existing [ATIS] standards and the FCC's regulatory framework for STIR/
SHAKEN implementation.'' CTIA also notes that requiring the use of ``an
originating [service] provider's [certificate] will better achieve the
goals of the STIR/SHAKEN framework to promote a trusted voice ecosystem
and increase transparency and integrity of caller ID information.''
USTelecom contends that, ``when calls are signed with the originating
[service] provider's token, the Commission, the provider community, and
analytics providers will have the information they need to take action
should an originating [service] provider prove to routinely originate
and authenticate illegal robocalls . . . .'' TransNexus argues that
such limitations will, inter alia, ``improve the quality of caller [ID]
authentication information available to terminating providers,'' and
thereby improve their call analytics.
We are not persuaded, however, by the arguments advanced by the few
commenters that oppose the guardrails we adopt today. INCOMPAS argues
that we should not adopt any rules governing third-party
authentication, and specifically opposes requiring providers to ensure
that third-party authenticators sign calls using the provider's
certificate. INCOMPAS implies that third-party authentication
arrangements using the third party's certificate, rather than the
originating service provider's, do not impede traceback efforts because
``domestic originating providers . . . typically are identified to the
Industry Traceback Group (`ITG') by the signing company'' in such
arrangements, and use of an origination identifier or ``origID'' by
third-party signing providers would be sufficient to ``ensure that the
Commission or ITG can identify the source of any illegal robocalls.''
We disagree. The origID field is an ``opaque identifier'' that ``does
not convey any [service provider] or customer information in and of
itself.'' Moreover, use of the origID field is permitted, but not
required, by the ATIS standards, which do not establish detailed
specifications regarding its use by providers. The approach described
by INCOMPAS requires the ITG to obtain the cooperation of a third-party
signing provider before it can identify the originator of an illegal
call. In contrast, requiring third-party signers to use the originating
service provider's token will allow the ITG to directly identify the
originating service provider, thereby improving the efficiency of the
traceback process and accountability within the STIR/SHAKEN ecosystem.
INCOMPAS argues that instead we should ``rely on the authority of the
Enforcement Bureau to address those instances when an illegal
robocaller is attempting to evade accountability through third-party
authentication[, and] . . . rely on the [STI-GA] to address any ongoing
issues or gaps in the standards that lead to attestation abuse.'' We
are committed to enforcing the Commission's rules against illegal
robocallers and agree that the STI-GA should exercise its authority to
hold providers accountable for non-compliance with the ATIS standards.
That does not mean, however, that we should not proactively adopt
common-sense guardrails to prevent abuse of third-party authentication
arrangements. By codifying these new rules, we give more certainty to
providers seeking to comply with our caller ID
authentication framework, establish clear standards that the
Enforcement Bureau can apply when investigating misconduct, and enable
the STIR/SHAKEN ecosystem to realize additional benefits, such as
making authentication information more valuable for call analytics. We
thus reject INCOMPAS's inference that it is sufficient to simply rely
on providers to voluntarily establish appropriate parameters for the
application of STIR/SHAKEN technical standards in commercial
arrangements with third parties. As discussed below, we require all
third-party authentication arrangements to be memorialized in written
agreements that comport with the rules we adopt today. INCOMPAS and VON
also argue that changes to the Commission's rules may risk creating
regulatory conflict with foreign jurisdictions, but provide no detail
as to why imposing guardrails on third-party authentication would cause
such an issue. While we acknowledge that maintaining ``interoperability
among SHAKEN systems internationally'' is certainly important in
protecting domestic consumers from illegal robocalls originating
abroad, our action today eliminates the risk of such regulatory
conflict by remaining consistent with the ATIS standards.
B. Implementation and Compliance Requirements
In this Section, we adopt several implementation requirements for
providers that utilize third-party authentication and amend certain
rules to comport with those requirements. In the Sixth Caller ID
Authentication Further Notice (88 FR 29035, May 5, 2023), the
Commission sought comment on whether any other rules would need to be
amended if it explicitly authorized third-party authentication.
Specifically, and as described below, we require all providers with a
STIR/SHAKEN implementation obligation to: (1) obtain an SPC Token and
digital certificate; (2) certify to complete or partial implementation
in the Robocall Mitigation Database only if they have obtained an SPC
token and digital certificate and sign calls with their certificate;
and (3) memorialize and maintain records of any third-party
authentication agreement(s) they have entered into, subject to certain
limitations.
Requirement to Obtain a Token and Digital Certificate. Consistent
with the third-party authentication rule we adopt today, all providers
with a STIR/SHAKEN implementation obligation under the Commission's
rules will now be explicitly required to obtain an SPC token from the
Policy Administrator and present that token to a STIR/SHAKEN
Certificate Authority to obtain a digital certificate. This requirement
is necessary now that all calls, whether technologically signed
directly by the provider with the STIR/SHAKEN implementation obligation
or by a third party, must be signed with the former's certificate,
thereby ensuring that accountability for compliance with our caller ID
authentication rules remains with the party required to implement STIR/
SHAKEN under the Commission's rules. The record indicates that
requiring all providers with a STIR/SHAKEN implementation obligation to
obtain their own SPC tokens and digital certificates will also result
in other benefits, such as ``encourag[ing] continued innovation''
within the existing STIR/SHAKEN framework and ensuring that providers
with STIR/SHAKEN implementation obligations under the Commission's
rules ``have a fair and proportionate financial stake in the STIR/
SHAKEN ecosystem.'' We believe the positive effects of this requirement
will be far-reaching, as the record indicates that many providers
claiming to have implemented STIR/SHAKEN have not obtained their own
tokens and certificates. Indeed, TransNexus estimates ``that about 64%
of providers'' in the Robocall Mitigation Database that claim STIR/
SHAKEN implementation are not registered with the Policy Administrator.
We disagree with INCOMPAS that ``requiring all providers to obtain
a token that could be used by a third-party authenticator would
necessitate changes with both the industry's token access policies and
the Commission's current administration of voice service providers.''
In support of its arguments, INCOMPAS merely lists the STI-GA's SPC
token access standards, including the requirement to obtain an
Operating Company Number (OCN), and states that many providers ``do not
operate a business model that allows them to get an OCN.'' INCOMPAS
does not, however, explain why this would be the case for any provider
with a STIR/SHAKEN implementation obligation, much less ``many''
providers with STIR/SHAKEN implementation obligations. In fact, in
recent years, the Wireline Competition Bureau has repeatedly found that
few providers are currently unable to obtain an SPC token due to
revisions made to the STI-GA token access policy in May 2021.
Consistent with this finding, the record in this proceeding evidences
that the barriers to and costs associated with obtaining and
maintaining SPC tokens and digital certificates are low, including for
small providers. Moreover, the compliance deadline we adopt below
provides ample time for all sizes of providers to come into compliance
with our newly adopted rules, thereby minimizing any compliance
burdens. While INCOMPAS states that some providers are unable to get an
OCN ``from the Commission,'' OCNs are assigned by the National Exchange
Carrier Association (NECA). INCOMPAS also states that ``voice service
providers are required to provide the STI Policy Administrator with
all-associated IP addresses as part of acquiring a Service Provider
Code token,'' and claims that this is a highly burdensome step.
INCOMPAS does not explain why supplying IP addresses to the Policy
Administrator is highly burdensome, however, or why any burden of
submitting the information would outweigh the benefits of requiring
providers with a STIR/SHAKEN implementation obligation to register with
the Policy Administrator. We note that the Policy Administrator states
that it collects IP addresses from providers for the purpose of
whitelisting. According to the National Institute of Standards and
Technology's Computer Security Resource Center (CSRC), a whitelist can
be defined as ``[a]n approved list or register of entities that are
provided a particular privilege, service, mobility, access or
recognition.'' We note that providers that cannot obtain an SPC token
after diligently pursuing one from the Policy Administrator may still
claim an implementation extension under the Commission's existing
rules. While the Commission sought comment on whether to eliminate the
SPC token extension in the Sixth Caller ID Authentication Further
Notice (88 FR 29035, May 5, 2023), we decline to do so at this time. In
March 2023, the Commission updated its requirements for submissions to
the Robocall Mitigation Database, including a new requirement that
a provider claiming a STIR/SHAKEN implementation extension or exemption
explicitly state the rule that excepts it from compliance and why the
provider qualifies for the extension or exemption. All providers were
required to file submissions to the Robocall Mitigation Database that
comply with this and additional content requirements by February 26,
2024. These filings are currently under review. As part of that
assessment, the Wireline Competition Bureau will determine the number
of providers still relying on the SPC token extension and the merit of
the justifications submitted by those claiming the extension. We
will be better able to determine whether to retain or eliminate the SPC
token extension at that time.
Robocall Mitigation Database Certifications. Consistent with the
foregoing requirements, we update the Commission's rules to prohibit
any provider with a STIR/SHAKEN implementation obligation from
certifying to complete or partial implementation in the Robocall
Mitigation Database unless they have obtained an SPC token and digital
certificate and sign calls with their certificate, either themselves or
when working with a third party to perform the technological act of
signing calls having met the necessary conditions we impose in this
Order. In the Sixth Caller ID Authentication Further Notice (88 FR
29035, May 5, 2023), the Commission sought comment on whether it should
``prohibit providers from certifying to having implemented STIR/SHAKEN
in the Robocall Mitigation Database unless their calls are signed with
their own SPC token, whether directly or through a third party.'' For
all of the reasons discussed above, we agree with TransNexus that
providers that have a STIR/SHAKEN implementation obligation but rely on
third-party authentication arrangements using the third party's
certificate are not in compliance with the governance model established
by STIR/SHAKEN technical standards, which require providers to obtain
an SPC token and digital certificate to authenticate calls. Such
providers should not, therefore, claim to have implemented STIR/SHAKEN
pursuant to the technical standards required by the Commission's rules
in the Robocall Mitigation Database. While we recognize that some of
these providers may have relied on third-party SPC tokens and
certificates out of a good faith belief that such arrangements are
permissible under the Commission's rules in the past, such practices
will now be expressly prohibited by our rules, and providers that have
relied on third-party tokens and digital certificates in the past will
now need to obtain their own SPC tokens and certificates and use them
to sign calls, consistent with the requirements of the STIR/SHAKEN
standards and the compliance deadlines we set below. Providers that do
not obtain and use an SPC token and certificate must update their
Robocall Mitigation Database certifications to state that they have not
fully or partially implemented STIR/SHAKEN to avoid being referred to
the Enforcement Bureau for violations of the Commission's rules,
including the rules governing certifications submitted to the Robocall
Mitigation Database and the obligation to submit information to the
Commission that is true, accurate, and up-to-date. Providers that
qualify for a STIR/SHAKEN implementation extension because they cannot
satisfy the requirements to obtain an SPC token can claim the extension
in their Robocall Mitigation Database submissions at this time.
We decline to adopt new content requirements for Robocall
Mitigation Database certifications at this time. In the Sixth Caller ID
Authentication Further Notice (88 FR 29035, May 5, 2023), the
Commission sought comment on requiring providers to submit additional
information to the Robocall Mitigation Database, ``including the
identity of the third party providing [their authentication] solution,
any requirements the provider has imposed on the third party to ensure
compliance with the requirements of the ATIS technical standards and
the Commission's rules, and what the provider itself does to ensure
compliance with those requirements under the third-party
arrangement[.]'' In response to the Further Notice, commenters suggest
that we should require providers to submit a variety of additional
information to the Robocall Mitigation Database, including evidence of
registration with the Policy Administrator, the identity of any third-
party authentication solutions they use, and information that details
their Know Your Customer standards.
We conclude that any value of requiring providers to submit this
information at this time is minimal, and does not warrant the
additional operational and administrative burdens of requiring
providers to update their Robocall Mitigation Database submissions. For
instance, now that we require all providers with a STIR/SHAKEN
implementation obligation to obtain their own SPC token from the Policy
Administrator and a digital certificate from a Certification Authority,
we conclude it unnecessary for providers to make a further showing at
this time that they are registered with the Policy Administrator, as
TransNexus suggests. Moreover, as Numeracle points out, the Policy
Administrator's list of providers authorized to participate in STIR/
SHAKEN is publicly available, allowing Commission staff to easily
verify a provider's registration status without further expanding the
Robocall Mitigation filing requirements. We also believe it is
unnecessary to require providers to identify any third-party
authentication solutions they use in their Robocall Mitigation Database
submissions, as NCTA suggests. Under the rules we adopt today, which
require calls to be signed using the digital certificate of the
provider with the STIR/SHAKEN implementation obligation, responsibility
and accountability for compliance with the STIR/SHAKEN standards will
be traced back to that provider, not a third-party entity that
technologically signs the call. Further, we agree with INCOMPAS that
requiring providers to identify the specific third-party solutions that
they may employ to perform the technological act of signing calls could
require providers to update their Robocall Mitigation Database
submissions more frequently if such solutions change, thereby
increasing administrative burdens for providers with minimal benefit.
Lastly, providers are already required to describe in their robocall
mitigation plans how they comply with their existing obligation to know
their customers under the Commission's rules. We, thus, decline to
further amend our requirements for Robocall Mitigation Database
certifications at this time, but we will closely observe how providers
comply with the requirements we adopt today to determine whether
additional information would assist our compliance reviews and
enforcement activities in the future. ZipDX proposes that ``[n]ew
[Robocall Mitigation Database] registrations should not immediately
become active. Instead, FCC staff should vet the registration to ensure
that the applicant has a token from the STI-PA and if not, that the
filed RMP contain a thorough, credible explanation as to why not.'' In
August 2024, we launched a separate proceeding to consider procedural
measures for improving the overall quality of information submitted to
the Robocall Mitigation Database. We believe that addressing ZipDX's
procedural proposal would be more appropriate in the context of that
proceeding, and thus decline to do so here. ACA Connects argues that
the ``Commission could further require reseller providers to disclose
to the Commission (on a confidential basis), the identity of any
wholesale provider that authenticates some or all of their calls.'' As
discussed above, however, in the context of a wholesale provider
originating a call onto the public network for a reseller which lacks
control over the network infrastructure necessary to implement STIR/
SHAKEN, it is the wholesale provider that has the STIR/SHAKEN
implementation obligation and that must authenticate the calls using its
own digital certificate.
Recordkeeping. To ensure compliance with the requirements we adopt
herein for third-party authentication, and to enable the Commission to
monitor such compliance and enforce its rules, we require that
providers that choose to work with a third party to perform the
technological act of signing calls do so pursuant to a written
agreement. In the Sixth Caller ID Authentication Further Notice (88 FR
29035, May 5, 2023), the Commission sought comment on the measures it
would ``need to implement to monitor compliance with its rules if
third-party authentication arrangements are employed.'' No commenter
raises arguments for or against recordkeeping requirements. The
required written agreement must specify the specific tasks that the
third party will perform on the provider's behalf and confirm that the
provider will: (1) make all attestation-level decisions for calls
signed pursuant to the agreement, and (2) ensure that all calls will be
signed using the provider's certificate. Providers may be required to
submit a copy of the agreement to the Commission in connection with a
review of the provider's compliance with the Commission's rules or an
investigation by the Enforcement Bureau. To the extent that an
agreement between a provider with the STIR/SHAKEN implementation
obligation and a third party contains confidential information,
providers may seek confidential treatment for that information. We
require that a current agreement be in place for as long as any third-
party authentication arrangement exists, and that all copies of third-
party agreements be maintained for a period of two years from the end
or termination of the agreement. We emphasize that there must be a
memorialized agreement between the provider with the STIR/SHAKEN
implementation obligation and the third party performing the
technological act of signing a call for the arrangement to be
considered third-party authentication under the rules we adopt today.
For example, the Commission's rules require voice service providers to
authenticate the traffic that they originate, and, if they fail to do
so, non-gateway intermediate providers must themselves authenticate any
unauthenticated calls they receive directly from originating providers.
Consequently, an intermediate provider that receives an unauthenticated
call from an originating provider does not engage in third-party
authentication simply because it is the entity that uses STIR/SHAKEN to
authenticate the call. In such an instance, the intermediate provider
is discharging its own authentication obligation under the Commission's
rules by signing the unsigned traffic. For this reason, we do not share
ZipDX's concern about a lack of accountability for calls in the event
that a wholesale provider might claim that it should be ``deemed an
intermediate provider'' in relation to a reseller customer. If,
however, the originating service provider has executed an agreement for
its immediate downstream intermediate provider to perform the
technological act of signing a call on the originating provider's
behalf, subject to the conditions adopted in this Eighth Report and
Order, that would qualify as a third-party authentication arrangement.
We thus reject INCOMPAS's argument that our definition of third-party
authentication should apply when downstream providers are merely
``signing calls that were not signed up-stream,'' even if the
downstream provider ``may not be offering signing service per se.''
Compliance Deadline. The new third-party authentication guardrails
we adopt in this Report and Order include recordkeeping and Robocall
Mitigation Database certification requirements under 47 CFR
64.6301(b)(3)-(b)(5), 64.6302(f)(3)-(f)(5), and 64.6305(d)-(f), which
may contain new or modified information collections subject to review
by the Office of Management and Budget (OMB) under the Paperwork
Reduction Act (PRA). While the remaining amendments to Sec. Sec.
64.6301 through 64.6305 adopted in this Report and Order do not
themselves require OMB approval, in practice, compliance with the
requirements of these provisions will likely entail compliance with the
provisions of 64.6301(b)(3) through (5), 64.6302(f)(3) through (5), and
64.6305(d) through (f), respectively. Therefore, we set a compliance
deadline for all our newly adopted requirements of 30 days after
publication of this Report and Order in the Federal Register following
OMB approval, or 210 days after release of this Report and Order,
whichever is later.
We expect that requiring providers to comply with all of the
obligations we adopt in the Report and Order on the same date will
facilitate compliance with our rules, and consequently we elect to
delay the effectiveness of the entirety of the modifications to
Sec. Sec. 64.6301 through 64.6305 pending OMB approval of Sec. Sec.
64.6301(b)(3) through (5), 64.6302(f)(3) through (5), and 64.6305(d)
through (f). Consistent with the Commission's approach in prior
rulemakings, we direct the Wireline Competition Bureau to announce
effective dates for 47 CFR 64.6301 through 64.6305 through Public
Notice. Any provider with a STIR/SHAKEN implementation obligation that
has failed to both: (1) obtain an SPC token from the Policy
Administrator and a digital certificate from a Certificate Authority;
and (2) ensure that all calls that it is required to authenticate are
signed using its own digital certificate, will be required to update
their certifications in the Robocall Mitigation Database to state that
they have not fully or partially implemented STIR/SHAKEN by the
effective date of the rules listed in this paragraph as announced by
Public Notice.
The record reflects support for our adoption of a single compliance
deadline for our third-party authentication obligations based on the
schedule above. Commenters explain that providers using third-party
authentication solutions may have to make a number of commercial and
network changes to comply with the newly adopted authentication and
robocall mitigation requirements, such as creating new commercial
arrangements with customers or third-party vendors, taking the steps
needed to obtain a token and certificate, determining the process for
assigning an attestation level, and making changes to their network to
sign calls with their own token. We agree with NCTA that adopting a
transition period would ``promote fairness and avoid exposing providers
relying on good faith on non-conforming third-party solutions to the
threat of immediate liability.'' We also agree with INCOMPAS that
``[w]hile the evolution toward broad token access should be encouraged,
expecting a flash-cut'' to such a change would not be practical.
Therefore, we grant providers a reasonable amount of time to adjust
their third-party call authentication practices to comply with the
rules we adopt today, and will not require compliance with these rules
sooner than 210 days after release of this Report and Order. Although
we find that this approach will allow sufficient time for providers to
adjust their third-party authentication practices, providers should
comply with our new rules as soon as reasonably practicable. In this
instance, we agree with INCOMPAS and CCA that a period of at least 210
days following the release of this Report and Order will ensure that
providers have sufficient time to achieve compliance with our new
rules.
C. Summary of Cost-Benefit Analysis
We find that the benefits of the third-party authentication rules
we adopt today will greatly exceed the costs they will impose on
providers. In the Sixth Caller ID Authentication Report and
Order (88 FR 29035, May 5, 2023), the Commission confirmed the
conclusion that ``our STIR/SHAKEN rules are likely to result in, at a
minimum, $13.5 billion in annual benefits,'' and that the benefits
associated with the rules will greatly outweigh the costs imposed on
providers. We again affirm this conclusion, and find that ``[l]imiting
the ability of illegal robocallers to evade existing rules will
preserve and extend the benefits of STIR/SHAKEN.''
Benefit: Preserving the Structural Integrity of the STIR/SHAKEN
Regime. Establishing clear rules of the road for providers using third
parties to authenticate voice service calls will increase the STIR/
SHAKEN framework's benefits. Our new third-party authentication
requirements will increase compliance with the Commission's caller ID
authentication rules, promote accountability and trust within the STIR/
SHAKEN framework, and improve the accuracy of A- and B-level
attestations. As a result, more illegal robocalls will be identified
and stopped before they can reach American consumers, helping increase
confidence in the U.S. telephone network. In adopting these
requirements, we strike a balance that allows providers to realize the
benefits of third-party authentication while preventing abuses that
could undermine the STIR/SHAKEN standards. The new rules will increase
the number of calls signed with a SHAKEN signature, give providers and
their customers more signing options, and make it more cost-effective
for all providers to implement STIR/SHAKEN. Indeed, the record reflects
that third-party authentication may ``confer[ ] substantial benefits,''
particularly for small providers, as deploying STIR/SHAKEN in the IP
portion of their voice service network may otherwise be cost-
prohibitive. The cost savings that make third-party authentication a
worthwhile, cost-effective investment for small providers are an added
benefit.
Benefit: Ensuring Reliable Access to Emergency and Healthcare
Communications. In the First Caller ID Authentication Report and Order
(85 FR 22029, Apr. 21, 2020), the Commission noted that ``hospitals and
911 dispatch centers have reported that robocall surges have disabled
or disrupted their communications network, and such disruptions have
the potential to impede communications in life-or-death emergency
situations. In one instance, Tufts Medical Center in Boston received
more than 4,500 robocalls in a two-hour period. In another, the phone
lines of several 911 dispatch centers in Tarrant County, Texas, were
disabled because of an hourlong surge in robocalls.'' Although the
Commission declined then to estimate the considerable public safety
benefits of reduced robocalling, in the wake of subsequent Commission
orders estimating the public safety benefits of reduced emergency
response delays, we elect to do so now. In the Location-Based Routing
Report and Order (89 FR 18488, Mar. 13, 2024), we estimated that a one-
minute reduction in average emergency response times would save 13,837
lives, a mortality risk reduction worth $173 billion annually. Based on
that figure, any reduction in emergency response delays caused by
robocalls could confer large benefits. For example, if unwanted and
illegally spoofed robocalls caused only a one-second delay in average
emergency response times, the potential mortality risk-reduction
benefit would be worth $2.88 billion annually (i.e., 173/60 = 2.88).
Assuming a linear relationship between prevalence of robocalling and
possible emergency response delays, a one-tenth reduction in
robocalling and the accompanying tenth-of-a-second reduction in
emergency response time, which could be achieved by better third-party
authentication, would be worth $288 million annually. A more modest
one-twentieth reduction in robocalling and one-twentieth-of-a-second
reduction in emergency response times would be worth $144 million
annually. To achieve $100 million in annual public safety benefits, our
third-party authentication rules would only have to reduce unwanted and
illegal robocalls such that average emergency response times were
improved by a mere 0.035 seconds, or about one-thirtieth of a second.
Given the prevalence of robocalls and their ability to disrupt
communications and cause network congestion, it is highly likely that
implementing third-party authentication rules to strengthen the STIR/
SHAKEN ecosystem will reduce robocalls by at least this much, resulting
in life-saving benefits.
Benefit: Reducing Network Congestion and Consumer Complaints. The
Commission has noted previously that unwanted and illegal robocalls
increase network congestion and the labor costs of handling numerous
customer complaints. Third-party-authenticated traffic that does not
currently meet STIR/SHAKEN technical standards and results in illegal
or unwanted robocalls terminates on the networks of unwitting carriers,
forcing them to bear the costs of unwanted call traffic in the form of
increased customer complaints and network congestion. Tightening third-
party authentication requirements will generate savings for voice
service providers, which may pass them on to consumers in the form of
lower rates.
Costs. While some argue that limitations on third-party
authentication may be costly without concomitant benefits, the record
more broadly reflects that the costs of requiring providers that use
third-party solutions to authenticate calls with their own token and
applying their attestation level to their calls will be minimal for all
providers, including small providers. As explained above, by adopting a
minimum compliance period for our third-party authentication
requirements of 210 days following release of this Report and Order, we
take a balanced approach that maximizes the benefits to providers using
third-party authentication solutions while minimizing its costs. And,
though we acknowledge that our adopted third-party authentication
requirements will have implementation and recordkeeping costs, we
conclude that explicitly authorizing third-party authentication with
our adopted limitations will produce significant benefits, including
increased trust in the STIR/SHAKEN framework and the accuracy of A- and
B-level attestations.
D. Legal Authority
Consistent with our proposals, we adopt the foregoing obligations
pursuant to the legal authority that the Commission relied on in prior
caller ID authentication and call blocking orders. We note that no
commenter questioned our proposed legal authority.
Third-Party Authentication. We conclude that Section 251(e) of the
Act and the Truth in Caller ID Act provide us with the authority to
authorize providers to engage in third-party authentication practices
subject to certain limits. Specifically, we find that our Section
251(e) numbering authority and the Truth in Caller ID Act each provide
the Commission with independent authority to require providers that use
third parties to authenticate calls to adhere to two limitations: (1)
the provider with the STIR/SHAKEN implementation obligation under the
Commission's rules must be the entity that determines whether A-, B-,
or C-level attestation should be applied to the call; and (2) all
calls must be signed using the SPC token of the provider with the
implementation obligation.
As the Commission explained in the First Caller ID Authentication
Report and Order (85 FR 22029, Apr. 21, 2020), Section 251 provides the
Commission with exclusive, independent jurisdiction over numbering
issues in the United States and ``enables us to act
flexibly and expeditiously with regard to important numbering
matters[,]'' including ``[w]hen bad actors unlawfully spoof the caller
ID that appears on a subscriber's phone[.]'' Further, the Truth in
Caller ID Act provides us with authority to adopt rules that are
``necessary to . . . protect voice service subscribers from scammers
and bad actors.'' As the Commission has found in several caller ID
authentication and call blocking orders, we again find that Section
251(e) and the Truth in Caller ID Act provide the Commission with the
authority ``to prescribe rules to prevent the unlawful spoofing of
caller ID and abuse of NANP resources by all voice service
providers[.]'' The record reflects that the limitations on third-party
authentication we adopt today are necessary to ensure the integrity of
and trust in the STIR/SHAKEN ecosystem and will help shield customers
from the scourge of illegal robocalls. Adopting rules for third-party
authentication practices will also help prevent the fraudulent
exploitation of the NANP by ensuring that the parties responsible for
implementing STIR/SHAKEN under the Commission's rules remain
accountable for meeting the STIR/SHAKEN standards. We thus find that
Section 251(e) of the Act and the Truth in Caller ID Act provide us
with the authority to adopt the foregoing third-party authentication
rules.
Implementation and Compliance Measures. We conclude that the TRACED
Act provides additional, independent authority to require providers to
obtain an SPC token and sign their calls with their own certificate in
order to satisfy a STIR/SHAKEN implementation obligation under the
Commission's rules. Congress expressly required the Commission to
require voice service providers to implement the STIR/SHAKEN caller ID
authentication framework in the TRACED Act. Consistent with the
Commission's prior call blocking and caller ID authentication orders,
we find that Sections 201(b) and 201(a) of the Act, and the
Commission's ancillary authority in Section 4(i) of the Act, provide us
with additional sources of authority to adopt these robocall mitigation
requirements. Requiring providers to acquire their own SPC token from
and register with the Policy Administrator, obtain a digital
certificate from a STIR/SHAKEN Certificate Authority, and sign calls
with their digital certificate will better ensure that providers are
meeting their responsibilities to properly authenticate calls and
comply with the requirements of the ATIS standards. Our third-party
authentication rules will therefore help maintain the integrity of the
trust and governance structure upon which STIR/SHAKEN relies, as these
rules will better ensure that providers are held accountable for
properly implementing STIR/SHAKEN. Adopting these requirements will
thus increase the efficacy and trust of the call authentication
framework that the TRACED Act required.
We also find that Section 251(e) of the Act and the Truth in Caller
ID Act provide us with the authority to adopt the implementation
and compliance measures for the third-party authentication rules that
we adopt in this Report and Order. Specifically, we conclude that
Section 251(e) of the Act and the Truth in Caller ID Act authorize us
to: (1) prohibit any provider from certifying to full or partial
implementation in the Robocall Mitigation Database unless they have
obtained their own SPC token and sign calls with their own digital
certificate; (2) require that any third-party authentication
arrangement be memorialized in an agreement between the party with the
STIR/SHAKEN implementation obligation under the Commission's rules and
the third-party signer; and (3) require the memorialized agreement be
in place for as long as any third-party authentication arrangement
exists, and that all copies of third-party agreements be maintained for
a period of two years from the end or termination of the agreement. As
explained above with respect to our third-party authentication rules,
these measures will help providers realize the benefits of third-party
authentication while providing greater mechanisms for accountability
that will ensure that providers are complying with their STIR/SHAKEN
implementation obligations. Consequently, we find that these
requirements will also prevent the fraudulent abuse of North American
Numbering Plan (NANP) resources as directed in Section 251(e) of the
Act, as well as protect voice service subscribers as directed in the
Truth in Caller ID Act by increasing trust in the STIR/SHAKEN
standards.
II. Final Regulatory Flexibility Analysis
As required by the Regulatory Flexibility Act of 1980 (RFA), as
amended, an Initial Regulatory Flexibility Analysis (IRFA) was
incorporated into the Call Authentication Trust Anchor Further Notice
of Proposed Rulemaking released in March 2023 (Sixth Caller ID
Authentication Further Notice) (88 FR 29035, May 5, 2023). The Federal
Communications Commission (Commission) sought written public comment on
the proposals in the Sixth Caller ID Authentication Further Notice (88
FR 29035, May 5, 2023), including comment on the IRFA. The comments
received are discussed below. This Final Regulatory Flexibility
Analysis (FRFA) conforms to the RFA.
A. Need for, and Objectives of, the Order
The Eighth Report and Order takes important steps in the fight
against illegal robocalls by explicitly authorizing providers to use
third-party authentication solutions to comply with their existing
STIR/SHAKEN implementation obligations and adopting associated
implementation and compliance measures. The decisions we make here
protect consumers from unwanted and illegal calls while balancing the
legitimate interests of callers placing lawful calls. First, the Eighth
Report and Order requires a provider that uses a third-party solution
for signing calls to satisfy its STIR/SHAKEN implementation obligation
under the Commission's rules to make the attestation-level decisions
itself, and ensure that its calls are signed with its own certificate,
rather than that of a downstream provider or other third party. Second,
it requires all providers with a STIR/SHAKEN implementation obligation
to: (1) obtain an SPC token and digital certificate; (2) certify to
complete or partial implementation in the Robocall Mitigation Database
only if they have obtained an SPC token and digital certificate and
ensure their calls are signed with their own certificate; and (3)
memorialize any third-party authentication arrangement in an agreement
and maintain a record of such agreement(s) for two years from the end
or termination of the agreement, alongside certain additional
requirements. These guardrails for third-party authentication
arrangements will help to ensure providers remain accountable for
complying with their STIR/SHAKEN implementation requirements and are
transparent regarding their caller ID authentication practices.
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
Though there were no comments raised that specifically addressed
the proposed rules and policies presented in the Sixth Caller ID
Authentication Further Notice (88 FR 29035, May 5, 2023) IRFA, the
Commission did receive comments addressing the burdens on small
providers. There is general agreement that the barriers to and costs
associated with obtaining and maintaining SPC tokens and digital
certificates are low for small providers. A few commenters argued that
a compliance period of at least 210 days following release of this
Report and Order would give the industry time to comply with any rules
limiting third-party authentication. The Commission found that the
commenters provided sufficient evidence to support adoption of a
minimum 210-day compliance period for purposes of these rules.
C. Response to Comments by the Chief Counsel for Advocacy of the Small
Business Administration
Pursuant to the Small Business Jobs Act of 2010, which amended the
RFA, the Commission is required to respond to any comments filed by the
Chief Counsel for Advocacy of the Small Business Administration (SBA),
and to provide a detailed statement of any change made to the proposed
rules as a result of those comments. The Chief Counsel did not file any
comments in response to the proposed rules in this proceeding.
D. Description and Estimate of the Number of Small Entities to Which
Rules Will Apply
The RFA directs agencies to provide a description of, and where
feasible, an estimate of the number of small entities that may be
affected by the rules adopted herein. The RFA generally defines the
term ``small entity'' as having the same meaning as the terms ``small
business,'' ``small organization,'' and ``small governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small-business concern'' under the Small Business
Act. A ``small-business concern'' is one which: (1) is independently
owned and operated; (2) is not dominant in its field of operation; and
(3) satisfies any additional criteria established by the SBA.
Small Businesses, Small Organizations, Small Governmental
Jurisdictions. Our actions, over time, may affect small entities that
are not easily categorized at present. We therefore describe, at the
outset, three broad groups of small entities that could be directly
affected herein. First, while there are industry specific size
standards for small businesses that are used in the regulatory
flexibility analysis, according to data from the Small Business
Administration's (SBA) Office of Advocacy, in general a small business
is an independent business having fewer than 500 employees. These types
of small businesses represent 99.9% of all businesses in the United
States, which translates to 33.2 million businesses.
Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2022, there were
approximately 530,109 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2022 Census of Governments indicate there were
90,837 local governmental jurisdictions consisting of general purpose
governments and special purpose governments in the United States. Of
this number, there were 36,845 general purpose governments (county,
municipal, and town or township) with populations of less than 50,000
and 11,879 special purpose governments (independent school districts)
with enrollment populations of less than 50,000. Accordingly, based on
the 2022 U.S. Census of Governments data, we estimate that at least
48,724 entities fall into the category of ``small governmental
jurisdictions.''
Wired Telecommunications Carriers. The U.S. Census Bureau defines
this industry as establishments primarily engaged in operating and/or
providing access to transmission facilities and infrastructure that
they own and/or lease for the transmission of voice, data, text, sound,
and video using wired communications networks. Transmission facilities
may be based on a single technology or a combination of technologies.
Establishments in this industry use the wired telecommunications
network facilities that they operate to provide a variety of services,
such as wired telephony services, including VoIP services, wired
(cable) audio and video programming distribution, and wired broadband
internet services. By exception, establishments providing satellite
television distribution services using facilities and infrastructure
that they operate are included in this industry. Wired
Telecommunications Carriers are also referred to as wireline carriers
or fixed local service providers.
The SBA small business size standard for Wired Telecommunications
Carriers classifies firms having 1,500 or fewer employees as small.
U.S. Census Bureau data for 2017 show that there were 3,054 firms that
operated in this industry for the entire year. Of this number, 2,964
firms operated with fewer than 250 employees. Additionally, based on
Commission data in the 2022 Universal Service Monitoring Report, as of
December 31, 2021, there were 4,590 providers that reported they were
engaged in the provision of fixed local services. Of these providers,
the Commission estimates that 4,146 providers have 1,500 or fewer
employees. Consequently, using the SBA's small business size standard,
most of these providers can be considered small entities.
Local Exchange Carriers (LECs). Neither the Commission nor the SBA
has developed a size standard for small businesses specifically
applicable to local exchange services. Providers of these services
include both incumbent and competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. Wired Telecommunications
Carriers are also referred to as wireline carriers or fixed local
service providers. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2022 Universal Service
Monitoring Report, as of December 31, 2021, there were 4,590 providers
that reported they were fixed local exchange service providers. Of
these providers, the Commission estimates that 4,146 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
Incumbent Local Exchange Carriers (Incumbent LECs). Neither the
Commission nor the SBA has developed a small business size standard
specifically for incumbent local exchange carriers. Wired
Telecommunications Carriers is the closest industry with an SBA small
business size standard. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees
as small. U.S. Census Bureau data for 2017 show that there were 3,054
firms in this industry that operated for the entire year. Of this
number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 1,227 providers
that reported they were incumbent local exchange service providers. Of
these providers, the Commission estimates that 929 providers have 1,500
or fewer employees. Consequently, using the SBA's small business size
standard, the Commission estimates that the majority of incumbent local
exchange carriers can be considered small entities.
Competitive Local Exchange Carriers (LECs). Neither the Commission
nor the SBA has developed a size standard for small businesses
specifically applicable to local exchange services. Providers of these
services include several types of competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. The SBA small business size
standard for Wired Telecommunications Carriers classifies firms having
1,500 or fewer employees as small. U.S. Census Bureau data for 2017
show that there were 3,054 firms that operated in this industry for the
entire year. Of this number, 2,964 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 3,956
providers that reported they were competitive local exchange service
providers. Of these providers, the Commission estimates that 3,808
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
Interexchange Carriers (IXCs). Neither the Commission nor the SBA
has developed a small business size standard specifically for
Interexchange Carriers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms that operated in this
industry for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 151 providers that reported they were engaged in the
provision of interexchange services. Of these providers, the Commission
estimates that 131 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of providers in this industry
can be considered small entities.
Cable System Operators (Telecom Act Standard). The Communications
Act of 1934, as amended, contains a size standard for a ``small cable
operator,'' which is ``a cable operator that, directly or through an
affiliate, serves in the aggregate fewer than one percent of all
subscribers in the United States and is not affiliated with any entity
or entities whose gross annual revenues in the aggregate exceed
$250,000,000.'' For purposes of the Telecom Act Standard, the Commission
determined that a cable system operator that serves fewer than 677,000
subscribers, either directly or through affiliates, will meet the
definition of a small cable operator based on the cable subscriber
count established in a 2001 Public Notice. Based on industry data, only
six cable system operators have more than 677,000 subscribers.
Accordingly, the Commission estimates that the majority of cable system
operators are small under this size standard. We note, however, that the
Commission neither requests nor collects information on whether cable
system operators are affiliated with entities whose gross annual
revenues exceed $250 million. Therefore, we are unable at this time to
estimate with greater precision the number of cable system operators
that would qualify as small cable operators under the definition in the
Communications Act.
Other Toll Carriers. Neither the Commission nor the SBA has
developed a definition for small businesses specifically applicable to
Other Toll Carriers. This category includes toll carriers that do not
fall within the categories of interexchange carriers, operator service
providers, prepaid calling card providers, satellite service carriers,
or toll resellers. Wired Telecommunications Carriers is the closest
industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms in this industry that
operated for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 115 providers that reported they were engaged in the
provision of other toll services. Of these providers, the Commission
estimates that 113 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 797
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 715
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
Satellite Telecommunications. This industry comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $35 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 71 providers that reported they were
engaged in the provision of satellite telecommunications services. Of
these
providers, the Commission estimates that approximately 48 providers
have 1,500 or fewer employees. Consequently, using the SBA's small
business size standard, a little more than of these providers can be
considered small entities.
Local Resellers. Neither the Commission nor the SBA has developed
a small business size standard specifically for Local Resellers.
Telecommunications Resellers is the closest industry with an SBA small
business size standard. The Telecommunications Resellers industry
comprises establishments engaged in purchasing access and network
capacity from owners and operators of telecommunications networks and
reselling wired and wireless telecommunications services (except
satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 293
providers that reported they were engaged in the provision of local
resale services. Of these providers, the Commission estimates that 289
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
Toll Resellers. Neither the Commission nor the SBA has developed a
small business size standard specifically for Toll Resellers.
Telecommunications Resellers is the closest industry with an SBA small
business size standard. The Telecommunications Resellers industry
comprises establishments engaged in purchasing access and network
capacity from owners and operators of telecommunications networks and
reselling wired and wireless telecommunications services (except
satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 518
providers that reported they were engaged in the provision of toll
services. Of these providers, the Commission estimates that 495
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
Prepaid Calling Card Providers. Neither the Commission nor the SBA
has developed a small business size standard specifically for prepaid
calling card providers. Telecommunications Resellers is the closest
industry with an SBA small business size standard. The
Telecommunications Resellers industry comprises establishments engaged
in purchasing access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. Mobile
virtual network operators (MVNOs) are included in this industry. The
SBA small business size standard for Telecommunications Resellers
classifies a business as small if it has 1,500 or fewer employees. U.S.
Census Bureau data for 2017 show that 1,386 firms in this industry
provided resale services for the entire year. Of that number, 1,375
firms operated with fewer than 250 employees. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 58 providers that reported they were
engaged in the provision of payphone services. Of these providers, the
Commission estimates that 57 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g., dial-up ISPs) or voice over internet protocol
(VoIP) services, via client-supplied telecommunications connections are
also included in this industry. The SBA small business size standard
for this industry classifies firms with annual receipts of $35 million
or less as small. U.S. Census Bureau data for 2017 show that there were
1,079 firms in this industry that operated for the entire year. Of
those firms, 1,039 had revenue of less than $25 million. Based on this
data, the Commission estimates that the majority of ``All Other
Telecommunications'' firms can be considered small.
E. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
The Eighth Report and Order requires providers that choose to
engage in third-party authentication to do so subject to certain
limitations. These changes affect small and large companies and apply
to all the classes of regulated entities identified above.
Specifically, the Eighth Report and Order authorizes providers to
engage third parties to perform the technological act of signing calls,
as required by the STIR/SHAKEN standards, provided that providers with
a STIR/SHAKEN implementation obligation make all attestation-level
decisions for calls authenticated by third parties, and ensure that all
calls authenticated using third-party solutions are signed using the
certificate of the provider with the STIR/SHAKEN implementation
obligation under the Commission's rules.
The Eighth Report and Order also adopts implementation and
compliance requirements, consistent with the above requirements for
third-party authentication. First, providers with a STIR/SHAKEN
implementation obligation must acquire their own SPC token and digital
certificate. Second, these providers may only certify to complete or
partial implementation in the Robocall Mitigation Database if they have
obtained an SPC token and digital certificate and sign calls with their
certificate, whether by themselves or through a third party.
Finally, the Eighth Report and Order also adopts a recordkeeping
requirement for providers with a STIR/SHAKEN implementation obligation
that enter into an arrangement with a third party to authenticate the
provider's calls. It
[[Page 40254]]
requires that any third-party authentication arrangement be
memorialized in an agreement between the party with the STIR/SHAKEN
implementation obligation under the Commission's rules and the third-
party signer, and include information that will help the Commission
monitor compliance with our third-party authentication rules. The
agreement must specify the specific tasks that the third party will
perform on the behalf of the provider with the STIR/SHAKEN
implementation obligation, and confirm that the provider with the STIR/
SHAKEN implementation obligation will: (1) make all attestation-level
decisions for calls signed pursuant to the agreement, and (2) ensure
that all calls will be signed using this provider's certificate.
Providers may be required to submit a copy of the agreement to the
Commission in connection with a review of the provider's compliance
with these requirements or an investigation by the Enforcement Bureau.
Under this rule, a current agreement must be in place for as long as
any third-party authentication arrangement exists, and all copies of
third-party agreements must be maintained for a period of two years
from the end or termination of the agreement. The record reflects that
third-party authentication may particularly benefit small providers
that may be burdened by the costs of deploying STIR/SHAKEN in the IP
portion of their voice service network. The benefits of the third-party
authentication rules adopted in the Eighth Report and Order will
greatly exceed the minimal costs imposed on small providers.
F. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
The RFA requires an agency to provide, ``a description of the steps
the agency has taken to minimize the significant economic impact on
small entities . . . including a statement of the factual, policy, and
legal reasons for selecting the alternative adopted in the final rule
and why each one of the other significant alternatives to the rule
considered by the agency which affect the impact on small entities was
rejected.''
The Eighth Report and Order considered alternatives that may
minimize the economic impact on small providers. We authorize providers
with a STIR/SHAKEN implementation obligation under the Commission's
rules to engage in third-party authentication to comply with that
obligation, subject to certain limitations. Our third-party
authentication rules thus impose guardrails solely on those providers
choosing to make use of a third party to comply with their obligation.
Given evidence in the record that third-party authentication may help
to reduce costs for small providers, we find that our explicit
authorization of the practice, subject to certain guardrails, will
enable those providers to accrue those benefits while remaining
compliant with the Commission's STIR/SHAKEN implementation obligations.
We also find that our action explicitly requiring all providers,
regardless of whether they choose to engage in third-party
authentication, to obtain an SPC token, use that token to obtain a
certificate, and ensure that all calls are signed using that
certificate, will be minimally burdensome for small providers, as
evidenced by the record.
We also adopt an approach to authorizing third-party authentication
that will ensure that our requirements do not unduly burden all
providers, including small providers. Recognizing arguments in the
record that providers could be required to make a number of commercial
and network changes to comply with the newly adopted authentication
requirements, we grant providers a minimum of 210 days following
release of this Report and Order to comply with our rules. Finally, we
also considered and decline to require providers to submit additional
information to the Robocall Mitigation Database, which should thus
reduce burdens on all providers.
G. Report to Congress
The Commission will send a copy of the Eighth Report and Order,
including this FRFA, in a report to be sent to Congress pursuant to the
Congressional Review Act. In addition, the Commission will send a copy
of the Eighth Report and Order, including this FRFA, to the Chief
Counsel for Advocacy of the SBA. A copy of the Eighth Report and Order
(or summaries thereof) will also be published in the Federal Register.
III. Procedural Matters
Paperwork Reduction Act. This document may contain new or modified
information collection requirements subject to the Paperwork Reduction
Act of 1995 (PRA), Public Law 104-13. All such new or modified
information collection requirements will be submitted to the Office of
Management and Budget (OMB) for review under the PRA. OMB, the general
public, and other Federal agencies will be invited to comment on new or
substantively modified information collection requirements contained in
this proceeding. Any non-substantive modification to a previously
approved information collection will be submitted to OMB for review
pursuant to OMB's process for non-substantive changes. In addition, we
note that pursuant to the Small Business Paperwork Relief Act of 2002,
Public Law 107-198, see 44 U.S.C. 3506(c)(4), we previously sought
specific comment on how the Commission might further reduce the
information collection burden for small business concerns with fewer
than 25 employees. In this present document, we have assessed the
effects of: (1) requiring that any third-party authentication
arrangement be memorialized in an agreement between the party with the
STIR/SHAKEN implementation obligation under the Commission's rules and
the third-party signer; and (2) allowing providers to certify to
complete or partial implementation in the Robocall Mitigation Database
only if they have obtained an SPC token and digital certificate and
sign calls with their certificate. We find that small providers have
had ample time to develop processes to allow them to respond within the
appropriate time and that providers for which this presents a
significant burden, either due to their size or for some other reason,
may request a waiver. With respect to any non-substantive modification
to a previously approved information collection, such changes are non-
substantive and do not give rise to new or substantively modified
information collection burdens for small business concerns with fewer
than 25 employees pursuant to the Small Business Paperwork Relief Act
of 2002.
Congressional Review Act. The Commission has determined, and the
Administrator of the Office of Information and Regulatory Affairs,
Office of Management and Budget, concurs, that this rule is ``major''
under the Congressional Review Act, 5 U.S.C. 804(2). The Commission
will send a copy of this Eighth Report and Order to Congress and the
Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).
IV. Ordering Clauses
Accordingly, pursuant to Sections 4(i), 4(j), 201, 202, 217, 227,
227b, 251(e), 303(r), 403, 501, 502, and 503 of the Communications Act
of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 214, 217, 227,
227b, 251(e), 303(r), 403, 501, 502, and 503, it is ordered that this
Eighth Report and Order is adopted.
[[Page 40255]]
It is further ordered that part 64 of the Commission's rules is
amended as set forth in Appendix A.
It is further ordered that, pursuant to Sec. Sec. 1.4(b)(1) and
1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), this
Eighth Report and Order, including the rule revisions and
redesignations described in Appendix A, shall be effective 30 days
after its publication in the Federal Register following OMB approval.
The Commission directs the Wireline Competition Bureau to announce the
completion of any review by the Office of Management and Budget that
the Wireline Competition Bureau determines is required under the
Paperwork Reduction Act and the relevant effective date by subsequent
public notice.
It is further ordered that the Office of the Managing Director,
Performance & Program Management, shall send a copy of this Eighth
Report and Order in a report to Congress and the Government
Accountability Office pursuant to the Congressional Review Act, see 5
U.S.C. 801(a)(1)(A).
It is further ordered that the Commission's Office of the
Secretary, shall send a copy of this Eighth Report and Order, including
the Final Regulatory Flexibility Analysis, to the Chief Counsel for
Advocacy of the Small Business Administration.
List of Subjects in 47 CFR Part 64
Carrier equipment, Communications common carriers, Reporting and
recordkeeping requirements, Telecommunications, and Telephone.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Final Rules
For the reasons discussed in the preamble, the Federal
Communications Commission amends 47 CFR part 64 as follows:
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
Subpart HH--Caller ID Authentication
1. The authority citation for part 64 continues to read as follows:
Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220,
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 255, 262,
276, 403(b)(2)(B), (c), 616, 620, 716, 1401-1473, unless otherwise
noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091; Pub.
L. 117-338, 136 Stat. 6156.
2. Amend Sec. 64.6301 by revising paragraphs (a)(1) and (2) and adding
paragraph (b) to read as follows:
Sec. 64.6301 Caller ID Authentication.
(a) * * *
(1) Obtain an SPC token from the Secure Telephone Identity Policy
Administrator and use that token to obtain a Secure Telephone Identity
certificate from a Secure Telephone Identity Certificate Authority;
(2) Using the certificate obtained pursuant to paragraph (a)(1) of
this section:
(i) Authenticate and verify caller identification information for
all SIP calls that exclusively transit its own network;
(ii) Authenticate caller identification information for all SIP
calls it originates and that it will exchange with another voice
service provider or intermediate provider and, to the extent
technically feasible, transmit that call with authenticated caller
identification information to the next voice service provider or
intermediate provider in the call path; and
* * * * *
(b) A voice service provider may fulfill its obligations to
authenticate caller identification information under paragraph (a)(2)
of this section by entering into an agreement with a third-party
authentication service, provided that the voice service provider:
(1) Requires the third party to sign all calls using the
certificate obtained by the voice service provider in accordance with
paragraph (a)(1);
(2) Makes all attestation-level decisions regarding the caller
identification information of each SIP call it originates;
(3) Memorializes the agreement between it and the third party for
the authentication service in writing, which:
(i) Specifies the specific tasks that the third-party authenticator
will perform on the voice service provider's behalf, and
(ii) Confirms that the voice service provider shall make all
attestation-level decisions for calls signed pursuant to the agreement,
and that all calls shall be signed using the voice service provider's
Secure Telephone Identity certificate;
(4) Maintains any agreement entered into pursuant to paragraph (b)
of this section for as long as any third-party authentication
arrangement exists; and
(5) Retains a copy of any agreement entered into pursuant to
paragraph (b) of this section for a period of two (2) years from the
end or termination of the agreement.
3. Amend Sec. 64.6302 by:
a. Redesignating paragraphs (a) through (d) as paragraph (b) through
(e);
b. Adding new paragraphs (a) and (f); and
c. Revising newly redesignated paragraphs (c) introductory text, (d),
and (e).
The additions and revisions read as follows:
Sec. 64.6302 Caller ID authentication by intermediate providers.
* * * * *
(a) Obtain an SPC token from the Secure Telephone Identity Policy
Administrator and use that token to obtain a Secure Telephone Identity
certificate from a Secure Telephone Identity Certificate Authority;
* * * * *
(c) Authenticate caller identification information for all calls it
receives for which the caller identification information has not been
authenticated and which it will exchange with another provider as a SIP
call using the Secure Telephone Identity certificate it received from
the Secure Telephone Identity Certificate Authority pursuant to
paragraph (a) of this section, except that the intermediate provider is
excused from such duty to authenticate if it:
* * * * *
(d) Notwithstanding paragraph (c) of this section, a gateway
provider must authenticate caller identification information using the
Secure Telephone Identity certificate it received pursuant to paragraph
(a) of this section for all calls it receives that use North American
Numbering Plan resources that pertain to the United States in the
caller ID field and for which the caller identification information has
not been authenticated and which it will exchange with another provider
as a SIP call, unless that gateway provider is subject to an applicable
extension in Sec. 64.6304.
(e) Notwithstanding paragraph (c) of this section, a non-gateway
intermediate provider must authenticate caller identification
information using the Secure Telephone Identity certificate it received
pursuant to paragraph (a) of this section for all calls it receives
directly from an originating provider and for which the caller
identification information has not been authenticated and which it will
exchange with another provider as a SIP call, unless that non-gateway
intermediate provider is subject to an applicable extension in Sec.
64.6304.
(f) An intermediate provider may fulfill its obligations to
authenticate caller ID information under paragraphs (d) and (e) of this
section by entering into an agreement with a third-party authentication
service, provided that the intermediate provider:
(1) Requires the third party to sign all calls using the
certificate obtained by
[[Page 40256]]
the intermediate provider in accordance with paragraph (a) of this
section;
(2) Makes all attestation-level decisions regarding the caller
identification information of each SIP call it originates;
(3) Memorializes the agreement between it and the third party for
the authentication service in writing, which:
(i) Specifies the specific tasks that the third-party authenticator
will perform on the intermediate provider's behalf, and
(ii) Confirms that the intermediate provider shall make all
attestation-level decisions for calls signed pursuant to the agreement,
and that all calls shall be signed using the voice service provider's
Secure Telephone Identity certificate;
(4) Maintains any agreement entered into pursuant to paragraph (f)
of this section for as long as any third-party authentication
arrangement exists; and
(5) Retains a copy of any agreement entered into pursuant to
paragraph (f) of this section for a period of two (2) years from the
end or termination of the agreement.
4. Amend Sec. 64.6303 by revising paragraphs (b)(1) and (c)(1) to read
as follows:
Sec. 64.6303 Caller ID authentication in non-IP networks.
* * * * *
(b) * * *
(1) Upgrade its entire network to allow for the processing and
carrying of SIP calls and fully implement the STIR/SHAKEN framework as
required in Sec. 64.6302(d) throughout its network; or
* * * * *
(c) * * *
(1) Upgrade its entire network to allow for the processing and
carrying of SIP calls and fully implement the STIR/SHAKEN framework as
required in Sec. 64.6302(e) throughout its network; or
* * * * *
5. Amend Sec. 64.6304 by revising paragraph (b) to read as follows:
Sec. 64.6304 Extension of implementation deadline.
* * * * *
(b) Voice service providers, gateway providers, and non-gateway
intermediate providers that cannot obtain an SPC token. Voice service
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6301 until they are capable of obtaining an SPC token. Gateway
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6302(d) regarding call authentication. Non-gateway intermediate
providers that are incapable of obtaining an SPC token due to
Governance Authority policy are exempt from the requirements of Sec.
64.6302(e) regarding call authentication.
* * * * *
6. Amend Sec. 64.6305 by revising paragraphs (d)(1)(i) and (ii),
(e)(1)(i) and (ii), and (f)(1)(i) and (ii) to read as follows:
Sec. 64.6305 Robocall Mitigation and Certification.
* * * * *
(d) * * *
(1) * * *
(i) It has fully implemented the STIR/SHAKEN authentication
framework across its entire network and all calls it originates are
compliant with Sec. 64.6301;
(ii) It has implemented the STIR/SHAKEN authentication framework on
a portion of its network and all calls it originates on that portion of
its network are compliant with Sec. 64.6301(a) and (b); or
* * * * *
(e) * * *
(1) * * *
(i) It has fully implemented the STIR/SHAKEN authentication
framework across its entire network and all calls it carries or
processes are compliant with Sec. 64.6302;
(ii) It has implemented the STIR/SHAKEN authentication framework on
a portion of its network and calls it carries or processes on that
portion of its network are compliant with Sec. 64.6302; or
* * * * *
(f) * * *
(1) * * *
(i) It has fully implemented the STIR/SHAKEN authentication
framework across its entire network and all calls it carries or
processes are compliant with Sec. 64.6302;
(ii) It has implemented the STIR/SHAKEN authentication framework on
a portion of its network and calls it carries or processes on that
portion of its network are compliant with Sec. 64.6302; or
* * * * *
[FR Doc. 2025-15809 Filed 8-18-25; 8:45 am]
BILLING CODE 6712-01-P
</pre></body>
</html>