CALEA Filings and Procedural Steps
Mary Eileen McLaughlin, Merit – Director Technical Operations
January 31, 2006
Agenda
• Key dates
• Requirements
• Review of forms to be filed
• Resources for forms, explanations, examples, cover letters
• Other recommended internal policies

DISCLAIMER: This presentation in no way should be considered legal advice. It is a review of Merit’s understanding of and plans for CALEA filings.
Three Key Dates
• February 12, 2007
  • Entities that the FCC believes need to be CALEA compliant must file the FCC Form 445
  • File with FCC and with FBI
• March 12, 2007
  • Entities filing Form 445 file a Systems Security and Integrity Plan
  • File with FCC and Homeland Security Bureau
• May 14, 2007
  • Entities must have network compliance
  • Unless another date, and the rationale for it, was noted on Form 445
Form 445 due February 12th – Pretty Simple
• Name, state, contact info, parent company (e.g., R&E net that is part of a university)
• FCC Registration Number (FRN)
  • Must get one at www.fcc.gov, CORES link, which is the COmmission REgistration System
  • FCC Registration is required to conduct business with the FCC
  • Merit has an FRN because of USF work
  • This number will be used to uniquely identify you in all transactions with the FCC
Form 445, cont.
• Filer’s 499 ID
  • Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, or Local Number Portability Support Mechanisms
  • Merit doesn’t, and likely no R&E nets do; universities and libraries certainly don’t
• Filer checks whether it will be compliant by 5/14/07 or not
Form 445, cont.
• Compliance method is identified by a checkbox
  • Proprietary/Custom or 3rd party
    • Write the standard used (Draft Standard PTSC-LAES-2006-084R6)
  • Proprietary/custom solution
  • Merit will get legal advice, but the assumption is that our solution is neither
• Check if DOJ has been consulted – Merit has not
• Check if Filer is using a Trusted Third Party, and if so, who
Form 445, cont. – Trusted Third Parties (TTPs)
TTPs can:
• Assist in meeting filer’s CALEA obligations
• Provide LEAs the electronic surveillance information those agencies require
  • In an acceptable format
• Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs
• The entity (not the TTP) remains responsible for:
  • Ensuring the timely delivery of call-identifying information and call content
  • Protecting subscriber privacy, as required by CALEA
Form 445, cont.
• If filer won’t be compliant by 5/14, state why:
  • Equipment – identify equipment by model type/manufacturer that is responsible for the delay
  • Network installation – brief description of circumstances contributing to delay
  • Manufacturer support – brief description of circumstances contributing to delay
  • Other – any other circumstances
• Also describe Mediation actions – what steps are being taken to resolve the circumstances causing delay
Form 445, cont.
• Note: “Lack of final standard” isn’t on the list of reasons for delay in compliance
  • FBI quote: “Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order.”
  • “An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required.” (!)
• Finally, a company officer of the Filer signs FCC Form 445 and it’s filed
System Security and Integrity Plan – Purpose
• Ensure that interception can be activated only in accordance with appropriate legal authorization
  • With affirmative intervention of an individual officer of the entity
  • In accordance with regulations prescribed by FCC
• And to ensure LEAs get the information
• Also, apparently not onerous
Very Different SSI Examples
• Printouts in workshop binder
• Blank “templates” at Educause website
  • Highly recommended because they take the 2nd R&O and incorporate its terms into the plan
• 2-page plan by U.S. LEC
• 4-page plan by Honeybee Networks
• 15-page plan by MetroPCS
• Merit plans to be brief
  • Will draft a plan by end of February and circulate to the community for comment/reference
SSI Components – General
• Appoint a senior officer or employee to ensure that activation occurs only in accordance with lawful authorization
  • Name and job function
  • 24/7 contact information
  • Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point
• Process to report any act of compromise of lawful intercept or unlawful surveillance
SSI Components – Record Retention
• Must maintain a secure and accurate record of interception of communications
  • Legal or not
  • In the form of a “Certification”
• Certification includes:
  • Identifying number/address
  • Start date
  • Identity of LEA officer
  • Name of person signing the legal authorization
  • Type of interception
  • Name of employee overseeing
  • Signed by employee overseeing
• Must maintain records for a reasonable period of time as determined by the entity
So… Required Forms Not Onerous
• What may be more difficult is to actually act on a subpoena
  • Few and far between
  • People change jobs
  • CALEA and other laws differ
• Merit recommends that every network organization have a network “abuse” policy
  • Recommend that it be reviewed annually, e.g., at budget time
  • Or pick a time – like changing batteries in the home smoke detector with daylight savings time changes
Merit’s Network Abuse Policy – Example Topics Included
• Triaging abuse complaints – serious is:
  • Life or physical well-being is threatened
  • Data could be destroyed, or confidential data exposed
  • DDOS attack
• Actions
  • Refer complainant to his ISP if not serious (e.g., spam)
  • Open incident report
  • Open NOC trouble ticket, escalate
  • Management approval for some actions
Network Abuse Policy Being Revised
• CALEA requires new procedures
• Today, we “only release information about individuals to the organization with which they are associated, not to third parties”
  • Today, LEAs are always 3rd parties
  • If there is a CALEA request, this doesn’t fit
  • In fact, we can’t let the organization know
• Today we have a management approval chain, and no one employee makes a decision or takes action
  • If there is a CALEA request, this doesn’t fit
• We will revise our internal network abuse policies and share with the community
  • Perhaps in parallel with the SSI draft
References – www.fcc.gov
• Public Notice – Compliance Monitoring Report
  • DA 06-2512, December 14, 2006
  • OMB Control Number 3060-0809
• Public Notice – Systems Security and Integrity Filing Requirement
  • DA 06-2512, December 14, 2006
  • OMB Control Number 3060-0809
• Systems Security and Integrity Plan components
  • CALEA of 1994 – Pub. L. No. 103-414, 108 Stat. 4279
  • FCC 64 FR 51469, Sept. 23, 1999
  • FCC 2nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)
References, cont.
• Easiest source: Educause CALEA resource page
  • http://www.educause.edu/Browse/645?PARENT_ID=698
  • Includes FCC public notices, forms, example cover letter for SSI, other background
• www.askcalea.gov (FBI site)