CALEA Filings and Procedural Steps


1
CALEA Filings and Procedural Steps

• Mary Eileen McLaughlin
• Merit Director Technical Operations
• January 31 2006

2
Agenda

• Key dates
• Requirements
• Review of forms to be filed
• Resources for forms explanations examples
  cover letters
• Other recommended internal policies
• DISCLAIMER
• This presentation in no way should be considered
  legal advice. It is a review of Merits
  understanding of and plans for CALEA filings.

3
Three Key Dates

• February 12 2007
• Entities that the FCC believes need to be CALEA
  compliant must file the FCC form 445
• File with FCC and with FBI
• March 12 2007
• Entities filing form 445 file a Systems Security
  and Integrity Plan
• File with FCC and Homeland Security Bureau
• May 14 2007
• Entities must have network compliance
• Unless on form 445 another date and rationale
  was noted

4
Form 445 due February 12thPretty Simple

• Name state contact info parent company
  (e.g.RE net that is part of a university)
• FCC Registration number (FRN)
• Must get one at www.fcc.gov CORES link which is
  COmmission REgistration System
• FCC Registration is required to conduct business
  with the FCC
• Merit has FRN because of USF work
• This number will be used to uniquely identify you
  in all transactions with the FCC
• cont.

5
Form 445 cont.

• Filers 499 ID
• Form 499 is only required if a network
• pays into Universal Service Telecommunications
  Relay Service Number Administration Local
  Number Portability Support Mechanisms
• Merit doesnt and likely no RE nets do
  universities libraries certainly dont
• Filer checks whether it will be compliant by
  5/14/07 or not
• cont.

6
Form 445 cont.

• Compliance method is identified by a checkbox
• Proprietary/Custom or 3rd party
• Write the standard used (Draft Standard
  PTSC-LAES-2006-084R6)
• Proprietary/custom solution
• Merit will get legal advice but the assumption
  is that our solution is neither
• Check if DOJ has been consulted -- Merit has not
• Check if Filer is using a Trusted Third Party
  and if so who

7
Form 445 cont.Trusted Third Parties (TTPs) Can

• Assist in meeting filers CALEA obligations
• Provide LEAs the electronic surveillance
  information those agencies require
• In an acceptable format
• Services include processing requests for
  intercepts conducting electronic surveillance
  and delivering relevant information to LEAs.
• The entity (not the TTP) remains responsible for
  
• Ensuring the timely delivery of call-identifying
  information and call content
• And for protecting subscriber privacy as
  required by CALEA.
• cont.

8
Form 445 cont.

• If filer wont be compliant by 5/14 state why
• Equipment identify equipment by model
  type/manufacturer that is responsible for the
  delay
• Network installation brief description of
  circumstances contributing to delay
• Manufacturer support -- brief description of
  circumstances contributing to delay
• Other any other circumstances
• Also describe Mediation actions what steps
  being taken to resolve the circumstances causing
  delay
• cont.

9
Form 445 cont.

• Note Lack of final standard isnt on the list
  of reasons for delay in compliance
• FBI quote Their telecom standards
  organizations previous foot-dragging was one of
  the complaints of the Joint Law Enforcement
  Petition for Expedited Rulemaking that resulted
  in the FCCs Second Report and Order.
• An entity does not need to know the exact
  specifics of a standard to comply with the FCCs
  SSI and Monitoring Report requirement. Solutions
  vendors know which standard they will build to
  and only minor Software changes will be
  required. (!)
• Finally a company officer of the Filer signs FCC
  Form 445 and its filed

10
System Security and Integrity PlanPurpose

• Ensure that interception can be activated only in
  accordance with appropriate legal authorization
• With affirmative intervention of an individual
  officer of the entity
• In accordance with regulations prescribed by FCC
• And to ensure LEAs get the information
• Also apparently not onerous

11
Very Different SSI Examples

• Printouts in workshop binder
• Blank templates at Educause website
• Highly recommended because they take 2nd RO and
  incorporate terms into plan
• 2-page plan by U.S. LEC
• 4-page plan by Honeybee Networks
• 15-page plan by MetroPCS
• Merit plans to be brief
• Will draft a plan by end of February and
  circulate to the community for comment/reference

12
SSI Components - General

• Appoint a senior officer or employee to ensure
  that activation only in accordance with lawful
  authorization
• Name and job function
• 24/7 contact information
• Merit plans to identify our CEO and an alternate
  and have our NOC be the 24/7 contact point
• Process to report any act of compromise of lawful
  intercept or unlawful surveillance

13
SSI Components Record Retention

• Must maintain secure and accurate record of
  interception of communications
• Legal or not
• In the form of a Certification
• Certification includes
• Identifying number/address
• Start date
• Identify of LEA officer
• Name of person signing the legal authorization
• Type of interception
• Name of employee overseeing
• Signed by employee overseeing
• Must maintain records for a reasonable period of
  time as determined by entity

14
SoRequired Forms Not Onerous

• What may be more difficult is to actually act on
  a subpoena
• Few and far between
• People change jobs
• CALEA and other laws differ
• Merit recommends that every network organization
  have a network abuse policy
• Recommend that it be reviewed annually e.g. at
  budget time
• Or pick a time like changing batteries in the
  home smoke detector with daylight savings time
  changes

15
Merits Network Abuse PolicyExample Topics
Included

• Triaging abuse complaints Serious is
• Life or physical well being is threatened
• Data could be destroyed or confidential data
  exposed
• DDOS attack
• Actions
• Refer complainant to his ISP if not serious
  (e.g. spam)
• Open incident report
• Open NOC trouble ticket escalate
• Management approval for some action

16
Network Abuse Policy Being Revised

• CALEA requires new procedures
• Today we only release information about
  individuals to the organization with which they
  are associated not to third parties
• Today LEAs are always 3rd parties
• If there is a CALEA request this doesnt fit
• In fact we cant let the organization know
• Today we have a management approval chain and
  no one employee makes a decision or takes action
• If there is a CALEA request this doesnt fit
• We will revise our internal network abuse
  policies and share with the community
• Perhaps in parallel with the SSI draft

17
References www.fcc.gov

• Public Notice - Compliance Monitoring Report
• DA 06-2512 December 14 2006
• OMB Control Number 3060-0809
• Public Notice - Systems Security and Integrity
  Filing Requirement
• DA 06-2512 December 14 2006
• OMB Control Number 3060-0809
• Systems Security and Integrity Plans components
• CALEA of 1994 Pub.L. No. 103-414 108 Stat.
  4279
• FCC 64 FR 51469 Sept. 23 1999
• FCC 2nd Report and Order May 12 2006 Appendix
  B page 44 for SSI (useful definitions)

18
References cont.

• Easiest source Educause CALEA resource page
• http//www.educause.edu/Browse/645PARENT_ID698
• Includes FCC public notices forms example cover
  letter for SSI other background
• www.askcalea.gov (FBI site)