CALEA Filings and Procedural Steps

Mary Eileen McLaughlin
Merit – Director Technical Operations
January 31, 2007

 Key dates
 Requirements
 Review of forms to be filed
 Resources for forms, explanations, examples, cover letters
 Other recommended internal policies

This presentation should in no way be considered legal advice. It is a review of Merit's understanding of, and plans for, CALEA.

Three Key Dates

 February 12, 2007
  – Entities that the FCC believes need to be CALEA compliant must file FCC Form 445
  – File with the FCC and with the FBI
 March 12, 2007
  – Entities filing Form 445 file a Systems Security and Integrity (SSI) Plan
  – File with the FCC and the Homeland Security Bureau
 May 14, 2007
  – Entities must have network compliance
  – Unless another date, with a rationale, was noted on Form 445
Form 445, due February 12th – Pretty Simple

 Name, state, contact info, parent company (e.g., an R&E net that is part of a university)
 FCC Registration Number (FRN)
  – Must get one through CORES, the COmmission REgistration System
  – FCC registration is required to conduct business with the FCC
  – Merit has an FRN because of USF work
  – This number will be used to uniquely identify you in all transactions with the FCC
Form 445, cont.

 Filer's 499 ID
  – Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, or Local Number Portability support mechanisms
  – Merit doesn't, and likely no R&E nets do; universities and libraries certainly don't
 Filer checks whether it will be compliant by 5/14/07 or not
Form 445, cont.

 Compliance method is identified as one of:
  – A standard: write the standard used (draft standards count)
  – Proprietary/custom solution
  – 3rd party
 Merit will get legal advice, but the assumption is that our solution is neither
 Check whether DOJ has been consulted – Merit has not
 Check whether the Filer is using a Trusted Third Party, and if so, who
Form 445, cont.

Trusted Third Parties (TTPs) can:
 Assist in meeting the filer's CALEA obligations
 Provide LEAs the electronic surveillance information those agencies require
  – In an acceptable format
 Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs
 The entity (not the TTP) remains responsible
  – For ensuring the timely delivery of call-identifying information and call content
  – And for protecting subscriber privacy, as required by CALEA
Form 445, cont.

 If the filer won't be compliant by 5/14, state the reason:
  – Equipment – identify the equipment, by model type/manufacturer, that is responsible for the delay
  – Network installation – brief description of circumstances contributing to the delay
  – Manufacturer support – brief description of circumstances contributing to the delay
  – Other – any other circumstances
 Also describe mediation actions – what steps are being taken to resolve the circumstances causing the delay
Form 445, cont.

 Note: "Lack of final standard" isn't on the list of reasons for delay in compliance
  – FBI quote: "Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order."
  – "An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required." (!)
 Finally, a company officer of the Filer signs FCC Form 445 and it's filed
System Security and Integrity Plan

 Ensure that interception can be activated only in accordance with appropriate legal authorization
 With affirmative intervention of an individual officer of the entity
 In accordance with regulations prescribed by the FCC
 And to ensure LEAs get the information
 Also, apparently not onerous
Very Different SSI Examples

 Printouts in workshop binder
 Blank "templates" at the Educause website
  – Highly recommended because they take the 2nd R&O and incorporate its terms into the plan
 2-page plan by U.S. LEC
 4-page plan by Honeybee Networks
 15-page plan by MetroPCS
 Merit plans to be brief
  – Will draft a plan by end of February and circulate to the community for
SSI Components – General

 Appoint a senior officer or employee to ensure that activation occurs only in accordance with lawful authorization
  – Name and job function
  – 24/7 contact information
 Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point
 Process to report any act of compromise of a lawful intercept, or any unlawful surveillance
SSI Components – Record Retention

 Must maintain a secure and accurate record of interception of communications
  – Legal or not
  – In the form of a "Certification"
 Certification includes:
  – Identifying number/address
  – Start date
  – Identity of the LEA officer
  – Name of the person signing the legal authorization
  – Type of interception
  – Name of the employee overseeing
  – Signed by the employee overseeing
 Must maintain records for a reasonable period of time, as determined by the entity
So… Required Forms Not Onerous

 What may be more difficult is to actually act on a subpoena
  – Few and far between
  – People change jobs
  – CALEA and other laws differ
 Merit recommends that every network organization have a network "abuse" policy
  – Recommend that it be reviewed annually, e.g., at budget time
  – Or pick a time – like changing batteries in the home smoke detector with daylight savings time
Merit's Network Abuse Policy – Example Topics Included

 Triaging abuse complaints – serious is:
  – Life or physical well-being is threatened
  – Data could be destroyed, or confidential data exposed
  – DDoS attack
 Actions
  – Refer complainant to his ISP if not serious (e.g., spam)
  – Open incident report
  – Open NOC trouble ticket, escalate
  – Management approval for some actions
Network Abuse Policy Being Revised

 CALEA requires new procedures
 Today, we "only release information about individuals to the organization with which they are associated, not to third parties"
  – Today, LEAs are always 3rd parties
  – If there is a CALEA request, this doesn't fit
  – In fact, we can't let the organization know
 Today we have a management approval chain, and no one employee makes a decision or takes action
  – If there is a CALEA request, this doesn't fit
 We will revise our internal network abuse policies and share them with the community
  – Perhaps in parallel with the SSI draft
References

 Public Notice – Compliance Monitoring Report
  – DA 06-2512, December 14, 2006
  – OMB Control Number 3060-0809
 Public Notice – Systems Security and Integrity Filing Requirement
  – DA 06-2512, December 14, 2006
  – OMB Control Number 3060-0809
 Systems Security and Integrity Plans
  – CALEA of 1994 – Pub. L. No. 103-414, 108 Stat.
  – FCC, 64 FR 51469, Sept. 23, 1999
  – FCC 2nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)

References, cont.

 Easiest source: Educause CALEA resource page
  – Includes FCC public notices, forms, example cover letter for SSI, other background
 FBI site
