FCC Implements New Rules Regarding Use of Third Parties To Sign Calls for STIR/SHAKEN Compliance
Effective Date for Compliance: September 18, 2025
Compliance with the Federal Communications Commission’s (“FCC”) requirements set forth in its Eighth Report and Order (“Order”) on the STIR/SHAKEN Caller ID Authentication Framework¹ related to use of third-party authentication by providers with a STIR/SHAKEN implementation obligation will become effective on September 18, 2025. Specifically, providers that have a fully IP network or a partially IP network² and that use third parties to perform the technological act of signing calls to fulfill STIR/SHAKEN requirements must comply with the new rules the FCC adopted to guard against improper A- and B-level attestations by parties that are not originating service providers.
While many providers with a STIR/SHAKEN obligation may have already been using a third party to sign their calls, now the FCC specifically authorizes use of third-party authentication, subject to two conditions: (1) providers must make all attestation-level decisions, consistent with the requirements of the technical standards; and (2) all calls must be signed using the certificate of the provider with the implementation obligation. The FCC cautions that relying on third parties to sign traffic without complying with these requirements will constitute a violation of the FCC’s caller ID authentication rules.
The new rules specify that all providers with a STIR/SHAKEN implementation obligation must: (1) obtain an SPC token and digital certificate; (2) certify to complete or partial implementation in the Robocall Mitigation Database (“RMD”) only if they have obtained an SPC token and digital certificate and sign calls with their certificate; and (3) memorialize and maintain records of any third-party authentication agreement(s) they have entered into.
Providers that have not obtained and begun using their own SPC token and certificate prior to the effective date for the requirements to use third-party authentication must update their RMD certification to state they have not fully or partially implemented STIR/SHAKEN to avoid being referred to the FCC’s Enforcement Bureau for violations of the FCC’s rules. Such providers will still need to come into compliance with the requirements to obtain and use their own SPC token and digital certificate. Providers that already have and already are using their own SPC token and certificate prior to such effective date need not revise their RMD certification.
Providers using a third party to perform the technological act of signing calls must have a written agreement with the third party that includes the specific tasks the third party will perform on the provider’s behalf and confirms that the provider will: (1) make all attestation-level decisions for calls signed pursuant to the agreement, and (2) ensure that all calls will be signed using the provider’s certificate. Providers are required to have a current agreement in place for as long as they are using a third-party authentication arrangement and they must keep copies of third-party agreements for a period of two years from the end or termination of such agreements. Providers may be required to submit a copy of a third-party agreement to the FCC in a review of the provider’s compliance with the FCC’s rules or in an investigation by the Enforcement Bureau.
Please contact Robin Tuttle at [email protected] or Dee Herman at [email protected] if you have any questions about these new third-party authentication requirements for STIR/SHAKEN compliance.
_____________________________________________________________
1 Call Authentication Trust Anchor, Eighth Report and Order, WC Docket No. 17-97, FCC 24-120 (rel. Nov. 22, 2024).
2 The requirements set forth in the Order do not apply to providers that remain subject to an implementation extension, notably those providers that have an entirely non-IP network; that are unable to obtain the necessary SPC token to authenticate caller ID information; or that are exempted from caller ID authentication requirements because they lack control over the network infrastructure necessary to implement STIR/SHAKEN.
Herman & Whiteaker, LLC | 6720B Rockledge Drive, Suite 150, Bethesda, MD 20817