System Security and Integrity Requirements
Section 105 of CALEA requires telecommunications carriers to "ensure that any interception of communications or access to
call-identifying information effected within its switching premises can be activated only in accordance with a court order or other
lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance
with regulations prescribed by the [FCC]." To facilitate compliance with, and FCC oversight of, the requirements of Section
105 of CALEA, Congress amended the Communications Act of 1934 to add Sections 229(b) and (c).
Section 229(b) directs the FCC to prescribe rules to implement the requirements of Section 105 of CALEA that require CALEA-covered carriers to:
Establish appropriate policies and procedures for the supervision and control of its officers and, employees to require
appropriate authorization to activate interception of communications or access to call-identifying information,
and prevent any such interception or access without such authorization;
Maintain secure and accurate records of any interception or access with or without such authorization; and
Submit the policies and procedures adopted to comply with these requirements to the FCC.
Section 229(c) directs the FCC to review the policies and procedures submitted by CALEA-covered carriers,
and order a CALEA-covered carrier to modify any policy or procedure established by that carrier if the FCC determines it
does not comply with FCC regulations. Section 229(c) also directs the FCC to conduct such investigations as may be necessary
to insure compliance by CALEA-covered carriers with the requirements of FCC regulations prescribed pursuant to Section 229(b).
Pursuant to the directive in Section 229(b), in 1999, the FCC adopted a set of system security and integrity rules to implement the
requirements of Section 105 of CALEA. The rules adopted by the FCC requiring carriers to establish policies and procedures for
employee supervision and control, maintain secure and accurate records, and submit their policies and procedures to the FCC in the
form of a "System Security & Integrity Plan" (SS&I Plan) for FCC review. The specific requirements concerning policies and procedures
for employee supervision and control, maintaining secure and accurate records, and submitting SS&I Plans can be found in
Sections 1.20003 - 1.20005
the FCC's rules.
The FCC's rules require all CALEA-covered carriers must maintain up-to-date SS&I Plans.
The FCC has subsequently deemed that facilities-based broadband Internet access providers and providers of interconnected
Voice over Internet Protocol (VoIP) service are "telecommunications carriers" for purposes of CALEA (see
Second Report and Order
and must comply with CALEA's requirements and associated FCC rules - including the FCC's system security and integrity rules
Second Report and Order
). In an FCC Public Notice released in December 2006, the FCC directed
facilities-based broadband Internet access providers and providers of interconnected VoIP service to file their initial SS&I Plans with the
FCC by March 12, 2007 (see
FCC SS&I Public Notice