CALEA Filings and Procedural Steps

Mary Eileen McLaughlin
Merit – Director Technical Operations
January 31, 2006
Agenda
• Key dates
• Requirements
• Review of forms to be filed
• Resources for forms, explanations, examples, cover letters
• Other recommended internal policies
DISCLAIMER
This presentation in no way should be considered legal advice. It is a review of Merit’s understanding of and plans for CALEA filings.
Three Key Dates
• February 12, 2007
– Entities that the FCC believes need to be CALEA compliant must file FCC Form 445
– File with FCC and with FBI
• March 12, 2007
– Entities filing Form 445 file a Systems Security and Integrity Plan
– File with FCC and Homeland Security Bureau
• May 14, 2007
– Entities must have network compliance
– Unless another date, with a rationale, was noted on Form 445
Form 445 due February 12th
Pretty Simple
• Name, state, contact info, parent company (e.g., R&E net that is part of a university)
• FCC Registration Number (FRN)
– Must get one at www.fcc.gov via the CORES (COmmission REgistration System) link
– FCC Registration is required to conduct business with the FCC
– Merit has an FRN because of USF work
– This number will be used to uniquely identify you in all transactions with the FCC
Form 445, cont.
• Filer’s 499 ID
– Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, or Local Number Portability Support Mechanisms
– Merit doesn’t, and likely no R&E nets do; universities and libraries certainly don’t
• Filer checks whether it will be compliant by 5/14/07 or not
Form 445, cont.
• Compliance method is identified by a checkbox
– Proprietary/Custom or 3rd party
• Write the standard used (Draft Standard PTSC-LAES-2006-084R6)
• Proprietary/custom solution
– Merit will get legal advice, but the assumption is that our solution is neither
– Check if DOJ has been consulted – Merit has not
• Check if Filer is using a Trusted Third Party, and if so, who
Form 445, cont.
Trusted Third Parties (TTPs) Can:
• Assist in meeting filer’s CALEA obligations
• Provide LEAs the electronic surveillance information those agencies require
– In an acceptable format
• Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs.
• The entity (not the TTP) remains responsible for
– Ensuring the timely delivery of call-identifying information and call content
– And for protecting subscriber privacy, as required by CALEA.
Form 445, cont.
• If filer won’t be compliant by 5/14, state why:
– Equipment – identify the equipment, by model type/manufacturer, that is responsible for the delay
– Network installation – brief description of circumstances contributing to delay
– Manufacturer support – brief description of circumstances contributing to delay
– Other – any other circumstances
• Also describe Mediation actions – what steps are being taken to resolve the circumstances causing delay
Form 445, cont.
• Note: “Lack of final standard” isn’t on the list of reasons for delay in compliance
– FBI quote: “Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order.”
– “An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required.” (!)
• Finally, a company officer of the Filer signs FCC Form 445 and it’s filed
System Security and Integrity Plan
Purpose
• Ensure that interception can be activated only in accordance with appropriate legal authorization
• With affirmative intervention of an individual officer of the entity
• In accordance with regulations prescribed by FCC
• And to ensure LEAs get the information
• Also, apparently not onerous
Very Different SSI Examples
Printouts in workshop binder
• Blank “templates” at Educause website
– Highly recommended because they take 2nd R&O and incorporate terms into plan
• 2-page plan by U.S. LEC
• 4-page plan by Honeybee Networks
• 15-page plan by MetroPCS
• Merit plans to be brief
– Will draft a plan by end of February and circulate to the community for comment/reference
SSI Components - General
• Appoint a senior officer or employee to ensure that activation occurs only in accordance with lawful authorization
– Name and job function
– 24/7 contact information
• Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point
• Process to report any act of compromise of lawful intercept or unlawful surveillance
SSI Components – Record Retention
• Must maintain secure and accurate record of interception of communications
– Legal or not
– In the form of a “Certification”
• Certification includes:
– Identifying number/address
– Start date
– Identity of LEA officer
– Name of person signing the legal authorization
– Type of interception
– Name of employee overseeing
– Signed by employee overseeing
• Must maintain records for a reasonable period of time as determined by entity
So…Required Forms Not Onerous
• What may be more difficult is to actually act on a subpoena
– Few and far between
– People change jobs
– CALEA and other laws differ
• Merit recommends that every network organization have a network “abuse” policy
– Recommend that it be reviewed annually, e.g., at budget time
– Or pick a time – like changing batteries in the home smoke detector with daylight savings time changes
Merit’s Network Abuse Policy
Example Topics Included
• Triaging abuse complaints – Serious is:
– Life or physical well-being is threatened
– Data could be destroyed, or confidential data exposed
– DDoS attack
• Actions
– Refer complainant to his ISP if not serious (e.g., spam)
– Open incident report
– Open NOC trouble ticket, escalate
– Management approval for some action
Network Abuse Policy Being Revised
• CALEA requires new procedures
• Today, we “only release information about individuals to the organization with which they are associated, not to third parties”
– Today, LEAs are always 3rd parties
– If there is a CALEA request, this doesn’t fit
– In fact, we can’t let the organization know
• Today we have a management approval chain, and no one employee makes a decision or takes action
– If there is a CALEA request, this doesn’t fit
• We will revise our internal network abuse policies and share with the community
– Perhaps in parallel with the SSI draft
References – www.fcc.gov
• Public Notice - Compliance Monitoring Report
– DA 06-2512, December 14, 2006
– OMB Control Number 3060-0809
• Public Notice - Systems Security and Integrity Filing Requirement
– DA 06-2512, December 14, 2006
– OMB Control Number 3060-0809
• Systems Security and Integrity Plans components
– CALEA of 1994 – Pub. L. No. 103-414, 108 Stat. 4279
– FCC 64 FR 51469, Sept. 23, 1999
– FCC 2nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)
References, cont.
• Easiest source: Educause CALEA resource page
– http://www.educause.edu/Browse/645?PARENT_ID=698
– Includes FCC public notices, forms, example cover letter for SSI, other background
• www.askcalea.gov (FBI site)