Search:

System Security and Integrity Requirements

Section 105 of CALEA requires telecommunications carriers to "ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance with regulations prescribed by the [FCC]." To facilitate compliance with, and FCC oversight of, the requirements of Section 105 of CALEA, Congress amended the Communications Act of 1934 to add Sections 229(b) and (c).

Section 229(b) directs the FCC to prescribe rules to implement the requirements of Section 105 of CALEA that require CALEA-covered carriers to:

  1. Establish appropriate policies and procedures for the supervision and control of its officers and, employees to require appropriate authorization to activate interception of communications or access to call-identifying information, and prevent any such interception or access without such authorization;
  2. Maintain secure and accurate records of any interception or access with or without such authorization; and
  3. Submit the policies and procedures adopted to comply with these requirements to the FCC.

Section 229(c) directs the FCC to review the policies and procedures submitted by CALEA-covered carriers, and order a CALEA-covered carrier to modify any policy or procedure established by that carrier if the FCC determines it does not comply with FCC regulations. Section 229(c) also directs the FCC to conduct such investigations as may be necessary to insure compliance by CALEA-covered carriers with the requirements of FCC regulations prescribed pursuant to Section 229(b). Pursuant to the directive in Section 229(b), in 1999, the FCC adopted a set of system security and integrity rules to implement the requirements of Section 105 of CALEA. The rules adopted by the FCC requiring carriers to establish policies and procedures for employee supervision and control, maintain secure and accurate records, and submit their policies and procedures to the FCC in the form of a "System Security & Integrity Plan" (SS&I Plan) for FCC review. The specific requirements concerning policies and procedures for employee supervision and control, maintaining secure and accurate records, and submitting SS&I Plans can be found in Sections 1.20003 - 1.20005 the FCC's rules. The FCC's rules require all CALEA-covered carriers must maintain up-to-date SS&I Plans.

The FCC has subsequently deemed that facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (VoIP) service are "telecommunications carriers" for purposes of CALEA (see Second Report and Order ), and must comply with CALEA's requirements and associated FCC rules - including the FCC's system security and integrity rules (see Second Report and Order ). In an FCC Public Notice released in December 2006, the FCC directed facilities-based broadband Internet access providers and providers of interconnected VoIP service to file their initial SS&I Plans with the FCC by March 12, 2007 (see FCC SS&I Public Notice ).

Last Updated: February 1, 2011