FCC proposes new STIR/SHAKEN rules on third-party signing

The FCC published a draft Eighth Report and Order on STIR/SHAKEN Call Authentication with proposed rules for third-party signing. The Commission will vote on these rules in their open meeting on November 21, 2024. Let’s have a look.

The most important takeaway from this new order is that any provider claiming a STIR/SHAKEN implementation in their robocall mitigation certification must register with the STI Policy Administrator, obtain a Service Provider Code token, and use it to obtain a SHAKEN certificate.

Background

This document is in response to the Commission’s call for comments on third-party authentication in publications:

• Fifth Further Notice of Proposed Rulemaking on Call Authentication (May 2022)
• Reviewing Policies for Caller ID Authentication on Non-IP Networks (October 2022)
• Sixth Further Notice of Proposed Rulemaking on Call Authentication (March 2023).

Eighth order

The Eighth STIR/SHAKEN order responds to the record gathered in these proceedings with the following:

• Defines third-party authentication as a scenario in which a provider with a SHAKEN obligation enters into an agreement with a third party to perform the technological act of signing calls on the provider’s behalf.
• Authorizes providers with a SHAKEN obligation to engage third parties to sign calls per STIR/SHAKEN, with two conditions:
  1. The provider with the SHAKEN obligation must make the attestation level decisions.
  2. The calls must be signed using the certificate of the provider with the SHAKEN obligation—not the certificate of a third party.
• Requires all providers with a SHAKEN obligation to obtain a Service Provider Code (SPC) token from the STI Policy Administrator and present the SPC to an STI Certificate Authority to obtain a SHAKEN certificate.
• Requires any provider certifying to either a partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database to have obtained an SPC token, SHAKEN certificate, and either sign its calls or have them signed by a third party using its SHAKEN certificate.
• Requires a provider using third-party authentication to have a written agreement with the third party. This agreement must confirm that the provider will make attestation-level decisions and that the third party will use the provider’s SHAKEN certificate to authenticate calls.

More information

Further details and discussion are available in the Eighth Report and Order on STIR/SHAKEN, WC Docket No. 17-97.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 25 years of experience in providing telecom software solutions including branded calling, toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

TransNexus solutions