STIR/SHAKEN

Understanding US Regulatory Mandates and Addressing Caller ID Spoofing

STIR/SHAKEN Brochure
Request a Quote

Spam and illegal robocalls are currently the number one source of consumer complaints at the FCC. What was once an annoyance has become a plague to US consumers receiving billion of robocalls every month. In the United States, both the FCC, through rule-making, and Congress, through legislative initiatives, have been active to stop this problem.  

Below is a timeline and the highlights of these efforts.

event

On March 17, 2023, the FCC issued FCC 23-18.

  • The first non-gateway Intermediate provider that receives unauthenticated IP calls, directly from domestic originating providers, is now required to use STIR/SHAKEN to authenticate those calls. This obligation goes into effect as of December 21, 2023
  • Robocall mitigation requirements have been expanded. All providers, regardless of their STIR/SHAKEN implementation status, will now be required to take “reasonable steps” to mitigate illegal robocall traffic and submit a certification and mitigation plan to the FCC’s Robocall Mitigation Database.
  • Violations of the FCC’s mandatory blocking rules could result in substantial fines using per call forfeiture calculations. New rules also apply procedures for removal from the Robocall Mitigation Database to all intermediate providers and an expedited removal process for providers submitting facially deficient certifications.
event

On May 20, 2022, the FCC issued FCC 22-37.

  • Required gateway providers who bring foreign calls into the United States to:
    • develop and submit traffic mitigation plans to the Robocall Mitigation Database
    • implement STIR/SHAKEN and authenticate foreign-originated SIP calls using US North American Number Plan numbers by June 30, 2023
    • respond to traceback requests in 24 hours, block calls where it is clear they are conduits for illegal traffic, and implement “know your upstream provider” obligations.
  • Required all voice service providers only accept calls carrying U.S. NANP numbers from foreign-originating providers listed in the Robocall Mitigation Database
event

On December 14, 2021, the FCC issued FCC 21-126.

  • FCC grants a waiver to allow voice service providers terminating a call on an IP network to use SIP Code 603 in addition to SIP Code 607 or 608 from January 1, 2022.
    • The FCC agreed with industry requests that voice service providers be allowed to use SIP Code 603 for notification of call blocking because this is known in the industry and was already in use by many service providers for this purpose. 
event

On April 20, 2021, the FCC issued DA 21-454.

  • Announced the availability of the Robocall Mitigation Database. Voice service providers were required to:
    • file certifications by June 30, 2021, providing detailed information regarding their implementation of the STIR/SHAKEN caller ID authentication framework and/or a robocall mitigation program.
    • certify that some or all of the calls they originate are subject to a robocall mitigation program if not signed with STIR/SHAKEN
    • make a commitment to respond to traceback requests
  • Intermediate providers and terminating voice service providers were prohibited from accepting traffic, starting September 28, 2021, from voice service providers not listed in the Robocall Mitigation Database
event

On December 29, 2020, the FCC issued FCC 20-187.

  • Expanded safe harbor based on reasonable analytics to cover network-based blocking if it incorporated caller ID authentication information
  • Required a terminating voice service provider to
    • ensure its network-based blocking targeted only calls highly likely to be illegal
    • immediately notify callers, using specific SIP or ISUP response codes, when a call was blocked, starting after January 1, 2022
    • At time of this ruling, the FCC expected that most blocking offered by IP-based voice service providers will use SIP code 608, indicating a call was rejected by an intermediary, with the initial use case being calls rejected by an analytics engine, as opposed to the called party. However, they also recognized it may be appropriate to use SIP Code 607 when the called party plays a role in the rejection.
event

On September 29, 2020, the FCC issued FCC 20-136.

  • Expanded STIR/SHAKEN requirements to include all voice service providers, including over-the-top providers
  • Granted a two-year extension to the implementation deadline for:
    • small, rural voice service providers with fewer than 100,000 subscriber lines
    • any voice service provider who cannot obtain a certificate from the STIR/SHAKEN Governance Authority
    • any voice service provider which materially relies on a non-IP (TDM) network for the provision of voice services
  • Voice service providers, subject to the extension, are required to have an appropriate robocall mitigation program to prevent unlawful originating robocalls. Also required to respond fully to all traceback requests
  • Intermediate carriers are required to pass any Identity header (unaltered) that they receive to the terminating voice service provider or subsequent intermediate provider in the call path. Also mandated intermediate carriers to participate in the traceback program
event

On July 16, 2020, The FCC issued FCC 20-96.

  • Provided a call-by-call safe harbor for unintended or inadvertent blocking of wanted calls if the blocking is based on reasonable analytics that includes caller ID authentication information and the consumer is given the opportunity to opt-out
  • Voice service providers allowed block calls from certain bad-actor upstream voice service providers, when notified that the upstream provider is carrying bad traffic and has failed to implement effective measures to prevent its network from being used to originate illegal calls
event

On March 31, 2020, the FCC issued FCC 20-42. 

  • Mandated all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021
event

On December 31, 2019, the TRACED Act was signed into law.

  • Gave the Federal Communications Commission (FCC) more authority to go after the scammers by extending the statute of limitations and allowing increased financial penalties against robocallers.
  • Encouraged Justice Department criminal prosecution by requiring the FCC to provide the DOJ with evidence of criminal robocall violations.
  • Required all carriers to eventually implement new technologies to authenticate caller-ID information (at no additional line-item cost to the consumer)
event

On June 6. 2019, the FCC issued FCC 19-51.

  • Voice service providers may offer opt-out call blocking programs based on any reasonable analytics designed to identify unwanted calls. They can also offer their customers “allow list” programs, which only allow certain calls to be completed, requiring informed, opt-in consent.
event

On November 17, 2017, the FCC issued FCC 17-151. 

  • Voice service providers are allowed to block calls from phone numbers on a Do-Not-Originate (DNO) list and those that purport to be from invalid, unallocated, or unused

STIR/SHAKEN Standards

To overcome the influx of unwanted calls in the service providers network, the industry has created two new standards: STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards. Together, these two standards, create the framework to ensure every SIP-signaled call has a certificate of authenticity attached to it — a digital signature — that allows service providers verify caller ID to mitigate unwanted robocalls and prevents bad actors from using Caller ID spoofing. With STIR/SHAKEN, service providers can restore their end customer’s trust in validity of caller ID.

STIR/SHAKEN Brochure   Folleto STIR/SHAKEN

STIR-SHAKEN-Unknown-Call

Ribbon Support for STIR/SHAKEN

Service providers can choose between two Ribbon STIR/SHAKEN solutions:

settings_input_antenna

Service provider owned and deployed within the service provider’s network

cloud

Ribbon hosted STIR/SHAKEN
as a Service (S/SaaS)

Ribbon STIR/SHAKEN Solution - Deployed By Service Provider

A part of Ribbon's Call Trust® portfolio, Ribbon offers voice service providers a complete STIR/SHAKEN solution.  This solution encompasses all the components that are integral to, and required for, caller identity authentication, signing, verification and certificate management.

  • Call controllers, session border controllers, and policy & routing servers that initiate call authentication or call verification requests and handle the responses from the Secure Telephone Identity (STI) domain
  • Secure Telephone Identity - Authentication Service (STI-AS) and the associated functions of Service Provider Key Management Service (SP-KMS) and Secure Key Store (SKS) to process originating network requests for signed assertion of caller’s identity
  • Secure Telephone Identity - Verification Service (STI-VS) and the associated function of Secure Telephone Identity Certificate Repository (STI-CR) to process terminating network requests for certificate verification of a caller’s identity.  Note: Ribbon provides the STI-CR function as a cloud-hosted service on Ribbon Identity Hub
  • Secure Telephone Identity – Certificate Authority (STI-CA) providing the following capabilities:
    • Accept SHAKEN Certificate Signing Requests (CSRs) for new certificates
    • Automatically validate Service Provider Code (SPC) Tokens and issue standards-compliant SHAKEN signing certificates that include the required Telephone Number Authorization List extension.
    • Revoke certificates if needed and notify the Secure Telephone Identity – Policy Administrator (STI-PA).
    • Note:  Ribbon provides the STI-CA function as a cloud-hosted service on Ribbon Identity Hub

Ribbon STI is compliant with ATIS-1000082 and RFC8224/8225/8226. Ribbon STI implements the ATIS-82 server side specifications and can be deployed within a service provider’s network When deployed in an originating voice service provider’s network, Ribbon’s STI solution will receive call authentication requests, provide all the steps necessary to process these requests and respond with signed assertion of caller’s identity. Following STI authentication and signing, the signature information will be passed back to the authentication request originator to be forward to the next network hop.

When deployed in a terminating voice service provider’s network, Ribbon’s STI solution will receive call verification requests, provide all the steps necessary to process these requests and respond with the appropriate verification of caller’s identity. Following STI certificate verification, the verification information will be passed back to the verification request originator.

 

Ribbon-STI-diagram

Request a STIR/SHAKEN Quote

Request a Quote

Identity Assurance Explained

Ribbon STIR/SHAKEN as a Service

Select Ribbon’s STIR/SHAKEN (S/SaaS) solution to take advantage of a cloud-hosted managed service instead of implementing a STIR/SHAKEN-compliant Secure Telephone Identity solution within your own network. Allow Ribbon to take care of all the STIR/SHAKEN authentication, signing, verification, and certificate management services as described above. The service provider’s only obligation is to have a Session Border Controller (SBC) for interworking with the Ribbon hosted service. As part of the response to the SBC, Ribbon’s S/SaaS can instruct the SBC to perform a specific call validation treatment, based on the verification information.

This hosted service is offered by Ribbon in a standard SaaS model where the service is consumed on a usage basis.

STIR/SHAKEN as a Service

Hosted-STI-diagram

Controlled Networks chooses Ribbon STIR/SHAKEN

Related Pages

cloud

Policy and Routing Software Edition (PSX SWe)
policy

Ribbon Call Trust Services
policy

Ribbon Secure Telephone Identity (STI)
settings_system_daydream

SBC Software Edition (SBC SWe)