Checkmate! CSPs Must Implement STIR/SHAKEN by June 2021
If you’re a Communications Service Provider (CSP), then STIR/SHAKEN implementation is now at the top of your to-do list. With the FCC using its power under the Pallone-Thune TRACED Act to enforce a June 2021 deadline, CSPs now have less than a year to prepare.
What’s more, STIR/SHAKEN is new enough that unexpected technical and bureaucratic hurdles can still crop up. You need to build a lot of slack into your process to ensure that unintended delays don’t cause you to miss the deadline. Good news – we created a CSP Checklist to keep you on track, and we’ll walk you through some of the key points.
First, you need to lay the groundwork.
Laying the groundwork for STIR/SHAKEN.
Many carriers will have already completed these prerequisite steps. To participate in the STIR/SHAKEN ecosystem, you must have completed the following:
- Ensure your 2020 FCC 499-A Form, indicating whether you need to contribute revenues to the Universal Service Fund, is on file with the Federal Communications Commission (FCC).
- Get an Operating Company Number (OCN). This number registers your company within the National Exchange Carrier Association (NECA), and is an important prerequisite that allows you to obtain a STIR/SHAKEN token. Make sure you allow plenty of lead time, as carriers are reporting a backlog with this process.
- Obtain access to phone numbers from the North American Numbering Plan Administrator and/or the National Pooling Administrator. Follow the steps on the NANPA website.
Steps for STIR/SHAKEN setup.
Once you meet the prerequisites above, you’ll be eligible to register with the STIR/SHAKEN Policy Administrator (STI-PA). This authority will verify that you possess the information and permissions seen above. As of writing, the STI-PA is iconectiv.
You also need to register with a STIR/SHAKEN Certification Authority (STI-CA). This entity provides you with a certificate after confirming that you’re registered with the STI-PA. (P.S., You’re more than welcome to work with Neustar on this, as we’re an approved Certification Authority.)
Once you sign up with a CA, the STI-PA provides you with a Service Provider Code (SPC) that’s tied to your OCNs and/or your Service Provider Identifier (SPID). The SPC token is what allows you to request a certificate: you send it to your chosen CA along with a certificate signing request, and the resulting certificate allows you to sign and authenticate calls under the STIR/SHAKEN framework.
STIR/SHAKEN software implementation.
A critical step in the deployment of STIR/SHAKEN is standing up the software services that perform the core functions associated with the specification: STI-AS, STI-VS, SP-KMS, SKS, and STI-CR.
- STI-AS – Authentication Server
This hosts the API that signs authentication requests made under STIR/SHAKEN. If a third party wants to know whether calls made by your network are legitimate, STI-AS is the service that activates.
- STI-VS – Verification Server
If your network needs to verify that a call made by a third party is genuine, the API within the server verifies its public key.
- SP-KMS – Key Management Server
This server interacts with the CA to receive certificates and the PA to receive tokens, then generates a public/private key pair to sign and verify requests.
- SKS – Secure Key Store
This is among the most important components of your STIR/SHAKEN implementation, as it contains the key pair generated by the SP-KMS and serves it via the application server. If this server is ever breached, attackers could use these keys to make spam calls without being detected.
- STI-CR – Certificate Repository
This hosts public keys for verification purposes. These keys are freely available to third parties as a counterpart to the secure SKS.
These core functions all need to interact with one another in an orchestrated manner to properly sign and verify calls made under the STIR/SHAKEN framework. Since their interactions are complex and may require network upgrades, they need to be thoroughly tested.
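The sign-and-verify interaction between these components can be sketched as follows; this is an added example, not code from Neustar or from the STIR/SHAKEN specifications. It assumes the signed object is a SHAKEN PASSporT (RFC 8225 and RFC 8588, which the article does not name), uses a Map as a stand-in for the STI-CR, and all function names, URLs, and phone numbers are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// STI-AS role: build a SHAKEN PASSporT and ES256-sign it with the private key held in the SKS.
function signPassport(privateKey, x5u, c) {
  // Claims are written in lexicographic key order, as PASSporT serialization requires.
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const payload = { attest: c.attest, dest: { tn: [c.dest] }, iat: c.iat,
    orig: { tn: c.orig }, origid: c.origid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // JWS wants raw R||S, not DER
  return `${input}.${sig.toString('base64url')}`;
}

// STI-VS role: resolve x5u against the repository (STI-CR stand-in), then check the signature.
function verifyPassport(token, repository) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return { ok: false, reason: 'unsupported header' };
  const publicKey = repository.get(header.x5u);
  if (!publicKey) return { ok: false, reason: 'unknown certificate' };
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  return valid ? { ok: true, attest: payload?.attest } : { ok: false, reason: 'bad signature' };
}

// Constructed sample data: fictional 555 numbers, example.net URLs, throwaway keys.
function demo() {
  const gen = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const sp = gen();
  const outsider = gen(); // a party that does not hold the SKS private key
  const x5u = 'https://cr.example.net/sp.pem';
  const claims = { attest: 'A', orig: '12025550100', dest: '12025550199',
    iat: 1600000000, origid: '123e4567-e89b-12d3-a456-426614174000' };
  const repository = new Map([[x5u, sp.publicKey]]);
  return {
    good: verifyPassport(signPassport(sp.privateKey, x5u, claims), repository),
    forged: verifyPassport(signPassport(outsider.privateKey, x5u, claims), repository),
    unknown: verifyPassport(signPassport(sp.privateKey, 'https://cr.example.net/other.pem', claims), repository),
  };
}
console.log(demo());
```

A production STI-VS also checks that `iat` is fresh and validates the certificate chain behind `x5u`; both are left out of this sketch.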
Testing, testing, 1, 2, 3.
Testing usually takes three stages. The first stage is internal, contained in a lab environment, using simulated calls. The contained environment is important—if STIR/SHAKEN goes live with errors, it could result in service disruptions where legitimate calls are blocked and marked as spam.
“Do as much testing as possible. It’s very effective,” recommends Linda Vandeloop, AVP of External Affairs/Regulatory at AT&T and the Chair of the Secure Telephone Identity Governance Authority Board, “and then you’ll be ready to effectively exchange traffic when you’re going live.”
Supporting STIR/SHAKEN in production.
In the second stage, carriers should venture out of the lab environment, experimentally signing and verifying calls that originate and end within their own network. Once CSPs can pull this off without difficulty, it’s time to move on to the final stage: testing calls that end and originate with third-party networks. Although successful tests will allow your STIR/SHAKEN implementation to go live, this doesn’t mean that you’re out of the woods.
Moving STIR/SHAKEN from a lab environment to a production environment is more than just flipping a switch. By implementing STIR/SHAKEN, you have effected a transformation of your company, one that will affect your engineers, your operators, and your customers.
Your STIR/SHAKEN implementation will materially affect the way that enterprises and consumers make and receive calls. Your customers will receive new warning messages when receiving potential spam calls, and your business customers need to be briefed on the pitfalls of attestation when making calls that could potentially be marked as spam.
Here at Neustar, we recognize the enormity of the changes that STIR/SHAKEN will involve, and we’re here to assist. Not only are we a Certification Authority (CA) in the US and Canada, we also provide customers with STIR/SHAKEN solutions supported by a robust User Acceptance Test environment. View the complete CSP Checklist and contact Neustar today.