180 likes | 403 Views
CALEA Filings and Procedural Steps. Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006. Agenda. Key dates Requirements Review of forms to be filed Resources for forms, explanations, examples, cover letters Other recommended internal policies DISCLAIMER
E N D
CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006
Agenda • Key dates • Requirements • Review of forms to be filed • Resources for forms, explanations, examples, cover letters • Other recommended internal policies DISCLAIMER This presentation in no way should be considered legal advice. It is a review of Merit’s understanding of and plans for CALEA filings.
Three Key Dates • February 12, 2007 • Entities that the FCCbelieves need to be CALEA compliant must file the FCC form 445 • File with FCC and with FBI • March 12, 2007 • Entities filing form 445 file a Systems Security and Integrity Plan • File with FCC and Homeland Security Bureau • May 14, 2007 • Entities must have network compliance, • Unless on form 445 another date, and rationale was noted
Form 445 due February 12thPretty Simple • Name, state, contact info, parent company (e.g.,R&E net that is part of a university) • FCC Registration number (FRN) • Must get one at www.fcc.gov, CORES link which is COmmission REgistration System • FCC Registration is required to conduct business with the FCC • Merit has FRN because of USF work • This number will be used to uniquely identify you in all transactions with the FCC cont.
Form 445, cont. • Filer’s 499 ID • Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, Local Number Portability Support Mechanisms • Merit doesn’t, and likely no R&E nets do; universities, libraries certainly don’t • Filer checks whether it will be compliant by 5/14/07 or not cont.
Form 445, cont. • Compliance method is identified by a checkbox • Proprietary/Custom or 3rd party • Write the standard used (Draft Standard PTSC-LAES-2006-084R6) • Proprietary/custom solution • Merit will get legal advice, but the assumption is that our solution is neither • Check if DOJ has been consulted -- Merit has not • Check if Filer is using a Trusted Third Party, and if so, who;
Form 445, cont.Trusted Third Parties (TTPs) Can: • Assist in meeting filer’s CALEA obligations • Provide LEAs the electronic surveillance information those agencies require • In an acceptable format • Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs. • The entity (not the TTP) remains responsible for, • Ensuring the timely delivery of call-identifying information and call content • And for protecting subscriber privacy, as required by CALEA. cont.
Form 445, cont. • If filer won’t be compliant by 5/14, state why: • Equipment – identify equipment by model type/manufacturer that is responsible for the delay • Network installation – brief description of circumstances contributing to delay • Manufacturer support -- brief description of circumstances contributing to delay • Other – any other circumstances • Also describe Mediation actions – what steps being taken to resolve the circumstances causing delay cont.
Form 445, cont. • Note: “Lack of final standard” isn’t on the list of reasons for delay in compliance • FBI quote: “Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order.” • “An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required.” (!) • Finally, a company officer of the Filer signs FCC Form 445 and it’s filed
System Security and Integrity PlanPurpose • Ensure that interception can be activated only in accordance with appropriate legal authorization • With affirmative intervention of an individual officer of the entity • In accordance with regulations prescribed by FCC • And to ensure LEAs get the information • Also, apparently not onerous
Very Different SSI Examples • Printouts in workshop binder • Blank “templates” at Educause website • Highly recommended because they take 2nd R&O and incorporate terms into plan • 2-page plan by U.S. LEC • 4-page plan by Honeybee Networks • 15-page plan by MetroPCS • Merit plans to be brief • Will draft a plan by end of February and circulate to the community for comment/reference
SSI Components - General • Appoint a senior officer or employee to ensure that activation only in accordance with lawful authorization • Name and job function • 24/7 contact information • Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point • Process to report any act of compromise of lawful intercept or unlawful surveillance
SSI Components – Record Retention • Must maintain secure and accurate record of interception of communications • Legal or not • In the form of a “Certification” • Certification includes: • Identifying number/address • Start date • Identify of LEA officer • Name of person signing the legal authorization • Type of interception • Name of employee overseeing • Signed by employee overseeing • Must maintain records for a reasonable period of time as determined by entity
So…Required Forms Not Onerous • What may be more difficult is to actually act on a subpoena • Few and far between • People change jobs • CALEA and other laws differ • Merit recommends that every network organization have a network “abuse” policy • Recommend that it be reviewed annually, e.g., at budget time • Or pick a time – like changing batteries in the home smoke detector with daylight savings time changes
Merit’s Network Abuse PolicyExample Topics Included • Triaging abuse complaints – Serious is: • Life or physical well being is threatened • Data could be destroyed, or confidential data exposed • DDOS attack • Actions • Refer complainant to his ISP if not serious (e.g., spam) • Open incident report • Open NOC trouble ticket, escalate • Management approval for some action
Network Abuse Policy Being Revised • CALEA requires new procedures • Today, we “only release information about individuals to the organization with which they are associated, not to third parties” • Today, LEAs are always 3rd parties • If there is a CALEA request, this doesn’t fit • In fact, we can’t let the organization know • Today we have a management approval chain, and no one employee makes a decision or takes action • If there is a CALEA request, this doesn’t fit • We will revise our internal network abuse policies and share with the community • Perhaps in parallel with the SSI draft
References – www.fcc.gov • Public Notice - Compliance Monitoring Report • DA 06-2512, December 14, 2006 • OMB Control Number 3060-0809 • Public Notice - Systems Security and Integrity Filing Requirement • DA 06-2512, December 14, 2006 • OMB Control Number 3060-0809 • Systems Security and Integrity Plans components • CALEA of 1994 – Pub.L. No. 103-414, 108 Stat. 4279 • FCC 64 FR 51469, Sept. 23, 1999 • FCC 2nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)
References, cont. • Easiest source: Educause CALEA resource page • http://www.educause.edu/Browse/645?PARENT_ID=698 • Includes FCC public notices, forms, example cover letter for SSI, other background • www.askcalea.gov (FBI site)