Skip to content
LexBuild

Call Authentication Trust Anchor 

---
identifier: "/us/fr/2023-09543"
source: "fr"
legal_status: "authoritative_unofficial"
title: "Call Authentication Trust Anchor"
title_number: 0
title_name: "Federal Register"
section_number: "2023-09543"
section_name: "Call Authentication Trust Anchor"
positive_law: false
currency: "2023-05-05"
last_updated: "2023-05-05"
format_version: "1.1.0"
generator: "[email protected]"
agency: "Federal Communications Commission"
document_number: "2023-09543"
document_type: "proposed_rule"
publication_date: "2023-05-05"
agencies:
  - "Federal Communications Commission"
cfr_references:
  - "47 CFR Part 0"
  - "47 CFR Part 1"
  - "47 CFR Part 64"
fr_citation: "88 FR 29035"
fr_volume: 88
docket_ids:
  - "WC Docket No. 17-97"
  - "FCC 23-18"
  - "FR ID 139316"
effective_date: "2023-06-05"
comments_close_date: "2023-07-05"
fr_action: "Proposed rule."
---

#  Call Authentication Trust Anchor

**AGENCY:**

Federal Communications Commission.

**ACTION:**

Proposed rule.

**SUMMARY:**

In this document, the Federal Communications Commission (Commission) seeks comment on additional measures to strengthen its caller ID authentication framework and further stem the tide of illegally spoofed calls. Specifically, this document seeks comment on the use of third-party caller ID authentication solutions, including whether any changes should be made to the Commission's rules to permit, prohibit, or limit their use. It also seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for providers that cannot obtain Service Provider Code (SPC) tokens, which are necessary to participate in the STIR/SHAKEN caller ID authentication framework.

**DATES:**

Comments are due on or before June 5, 2023, and reply comments are due on or before July 5, 2023. Written comments on the Paperwork Reduction Act proposed information collection requirements must be submitted by the public, Office of Management and Budget (OMB), and other interested parties on or before July 5, 2023.

**ADDRESSES:**

Pursuant to §§ 1.415 and 1.419 of the Commission's rules, 47 CFR 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission's Electronic Comment Filing System (ECFS). *See Electronic Filing of Documents in Rulemaking Proceedings,* 63 FR 24121 (1998). You may submit comments, identified by WC Docket No. 17-97, by any of the following methods:

*Electronic Filers:* Comments may be filed electronically using the internet by accessing the ECFS: *http://apps.fcc.gov/ecfs/.*

*Paper Filers:* Parties who choose to file by paper must file an original and one copy of each filing.

Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission's Secretary, Office of the Secretary, Federal Communications Commission.

• Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.

• U.S. Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street NE, Washington, DC 20554.

• Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19. *See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy,* Public Notice, DA 20-304 (March 19, 2020), *https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.*

*People with Disabilities:* To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to *[email protected]* or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).

**FOR FURTHER INFORMATION CONTACT:**

Jonathan Lechter, Attorney Advisor, Competition Policy Division, Wireline Competition Bureau, at *[email protected]* or at (202) 418-0984. For additional information concerning the Paperwork Reduction Act proposed information collection requirements contained in this document, send an email to *[email protected]* or contact Nicole Ongele at (202) 418-2991.

**SUPPLEMENTARY INFORMATION:**

This is a summary of the Commission's Sixth Further Notice of Proposed Rulemaking ( *FNPRM* ) in WC Docket No. 17-97, FCC 23-18, adopted on March 16, 2023, and released on March 17, 2023. The full text of this document is available for public inspection at the following internet address: *https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.*

The proceeding this document initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's *ex parte* rules. Persons making *ex parte* presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral *ex parte* presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the *ex parte* presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during *ex parte* meetings are deemed to be written *ex parte* presentations and  must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written *ex parte* presentations and memoranda summarizing oral *ex parte* presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format ( *e.g.,* .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's *ex parte* rules.

This document may contain potential new or revised information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. Public and agency comments are due July 5, 2023.

Comments should address: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information shall have practical utility; (b) the accuracy of the Commission's burden estimates; (c) ways to enhance the quality, utility, and clarity of the information collected; (d) ways to minimize the burden of the collection of information on the respondents, including the use of automated collection techniques or other forms of information technology; and (e) way to further reduce the information collection burden on small business concerns with fewer than 25 employees. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, *see* 44 U.S.C. 3506(c)(4), the Commission seeks specific comment on how it might further reduce the information collection burden for small business concerns with fewer than 25 employees.

**Synopsis**

**I. Sixth Further Notice of Proposed Rulemaking**

**A. Third-Party Caller ID Authentication**

1. The Commission's rules require that a voice service provider “[a]uthenticate caller identification information for all SIP calls it originates and . . . to the extent technically feasible, transmit that call with authenticated caller identification information to the next voice service provider or intermediate provider in the call path.” In the *Fifth Caller ID Authentication Further Notice,* 87 FR 42916 (July 18, 2022), the Commission sought comment on whether it should amend its rules to address whether originating voice service providers may use third parties to perform their third-party authentication obligations. The resulting record confirms that third-party authentication is occurring. It does not, however, provide sufficient information to fully assess the impact that explicitly authorizing or prohibiting third-party authentication may have on the STIR/SHAKEN ecosystem. For instance, the record before the Commission is not sufficient for it to understand the full scope of the various arrangements that exist between providers and third parties that authenticate their calls. Nor does it allow the Commission to determine whether these third-party arrangements satisfy the requirements of its authentication rules, how and what information is shared within those arrangements, whether that information sharing implicates privacy, security, or other legal concerns, and whether they have a net positive or negative effect on the reliability of the STIR/SHAKEN framework and its objective to curtail illegal spoofing. The Commission thus seeks further comment on the use of third-party solutions to authenticate caller ID information and whether any changes should be made to its rules to permit, prohibit, or limit their use.

2. The Commission starts by seeking comment on the types of third-party authentication solutions being used by providers. Are originating or other providers entering into agreements with third parties to perform their authentication obligations under the Commission's rules and the Alliance for Telecommunications Industry Solutions (ATIS) technical standards? If so, who are these third parties, what is the nature of their relationship to the provider that has retained them, and how does any agreement between the provider and the third-party purport to assign responsibility for compliance with the Commission's authentication rules and the ATIS standards? The Commission notes that the ATIS technical standards acknowledge several scenarios in which providers may authenticate calls where they lack a direct relationship with the end user of a voice service. These cases—including those involving providers serving enterprise, communications reseller, and value-added service provider customers—generally involve an authenticating service provider that originates calls on behalf of a customer that itself maintains the direct relationship with the end user of the communications service. Are third-party authentication arrangements limited to these types of situations or are providers outside of these limited scenarios contracting with third parties to perform all or part of their authentication responsibilities? For instance, are providers that originate calls themselves entering into arms-length agreements with third parties for authentication services? Are there third parties marketing caller ID authentication services for originating and other providers? The Commission asks that commenters detail the different types of third-party authentication arrangements that are currently being employed by providers, address how prevalent each type of third-party authentication arrangement is in the STIR/SHAKEN ecosystem, and provide any available data substantiating how effective they are at facilitating the authentication of caller ID information.

3. Along those lines, the Commission seeks comment on whether, and under what circumstances, a third party may authenticate calls on behalf of a provider with A- or B-level attestations consistent with the ATIS standards. Pursuant to ATIS-1000074, in order to apply a B-level attestation for a call, the signing party must originate the call onto the IP-based service network and have a direct authenticated relationship with the customer An A-level attestation additionally requires the signing provider to establish a verified association with the telephone number used for the call. Can a third-party authenticating a call on behalf of an originating provider satisfy all or any these criteria, and if so, how? Does the answer to that question depend on the nature of the relationship between the originating provider and the third party? For instance, is it possible for a third party that is a wholesale provider for a reseller, or an intermediate provider, to apply A- or B-level attestations on behalf of an originating provider in a manner that complies with the ATIS attestation-level criteria, but not a different type of third party? Are there third parties authenticating calls on behalf of originating providers that can only apply C-level attestations under the ATIS criteria? If commenters contend that third parties can meet the ATIS criteria for signing calls with A- and B-level attestations because they effectively stand in the shoes of the originating provider with the direct relationship with the customer, the Commission asks that they specify the legal bases for that conclusion, *e.g.,* the  specific grounds for an agency theory, if any, and/or how the terms of the ATIS standards may be construed to include the third-party arrangement.

4. To the extent commenters contend that third parties may satisfy the criteria to sign calls with A- or B-level attestations, what information must be shared between originating providers and third parties for those attestation levels to be applied, is that information sharing occurring, and does it implicate any legal or public interest concerns, including privacy concerns? For instance, does any of the information shared constitute customer proprietary network information? Should any action taken by the Commission to explicitly authorize third-party authentication solutions be conditioned upon any particular restrictions or protections related to that information sharing? Should any explicit authorization of third-party authentication practices be conditioned upon providers ensuring that third parties have the information needed to apply A- or B-level attestations consistent with the ATIS standards?

5. The Commission seeks comment on whether there is a distinction between scenarios in which a third-party entity is retained to authenticate calls on behalf of a provider and the technical solutions described in the October 13, 2021, Deployment by Small Voice Service Providers Report, produced by the North American Numbering Council (NANC) Call Authentication Anchor Working Group (NANC Small Providers Report). In that report, the NANC stated that small service providers may wish to “leverage [a] number of vendor solutions” offering third-party call signing services in order to comply with their STIR/SHAKEN implementation obligations under the Commission's rules, identifying three options: (1) “hosted SHAKEN;” (2) “carrier SHAKEN;” and (3) “SHAKEN software.” Although each option involves different features, they each require the originating provider to “determin[e] the proper `A' `B,' or `C' level attestation” for a given call and to use the third-party platform to sign the call using the originating provider's SPC token. The NANC states that these options offer a cost-effective means for providers—particularly small providers—to implement STIR/SHAKEN consistent with the ATIS standards. The Commission seeks comment on these technical solutions and the extent to which they are currently in use by providers. If commenters agree that they satisfy the criteria for signing calls under the ATIS standards, is that because the solutions require the originating provider to make the attestation level determinations and sign calls using the originating provider's SPC token, as opposed to arrangements in which a third party is allowed to make attestation level determinations and sign calls using a different SPC token? Do these technical solutions, in fact, result in A- B-, and C-level attestations being accurately applied?

6. The record developed in response to the *Fifth Caller ID Authentication Further Notice* indicates that there could be benefits to explicitly authorizing third-party authentication arrangements. For instance, some commenters suggest that third-party authentication can strengthen the caller ID authentication regime by enabling STIR/SHAKEN to be applied to calls that would otherwise be transmitted without authentication. The Commission seeks comment on the full range of benefits that could result from authorization of different third-party authentication arrangements. The Commission also seeks comment on the potential pitfalls of third-party authentication. For example, some commenters suggest that improper third-party signing practices are resulting in misleading and improper attestations, which in turn undermine the efficacy of the STIR/SHAKEN framework and impair the analytics tools that rely on accurate attestation data to make blocking and labelling recommendations to their clients.

7. Accordingly, the Commission seeks comment on whether it should amend its rules to explicitly authorize third-party authentication and what, if any, limitations it should place on that authorization to ensure compliance with authentication requirements and the reliability of the STIR/SHAKEN framework. For instance, should the Commission limit third-party authentication to scenarios akin to those described in the ATIS standards, where the entity authenticating the call is originating the call for a customer, such as a reseller or an enterprise customer? ATIS-1000088 defines “customer” as “[t]ypically a service provider's subscriber, which may or not be the ultimate end-user of the telecommunications service,” and which “may be a person, enterprise, reseller, or value added service provider;” and defines “end user” as “[t]he entity ultimately consuming the VoIP-based telecommunications service.” Notwithstanding the definitions provided by the ATIS standards, should the Commission “clarify that, for the purposes of the STIR/SHAKEN standard, a `customer' means an end user and not a wholesale upstream provider” as USTelecom suggests? Should the Commission limit an authorization to the technical solutions described in the NANC Small Providers Report? Alternatively, should the Commission explicitly authorize third-party authentication more broadly but require the provider with the authentication obligation to make attestation-level determinations, rather than allowing them to rely on the third-party to make those determinations? If the Commission were to explicitly authorize third-party authentication, should the Commission also require third parties to sign calls using the provider's SPC token? Should the Commission prohibit providers from certifying to having implemented STIR/SHAKEN in the Robocall Mitigation Database unless their calls are signed with their own SPC token, whether directly or through a third party? Would such a requirement improve accountability by third-party authenticators? Is the ability to obtain SPC tokens likely to present a barrier to providers' compliance with such a requirement? If so, in what circumstances? Are there security or other concerns implicated by a provider sharing its SPC token with another entity for the purpose of signing calls? Would that undermine trust in the STIR/SHAKEN regime?

8. The Commission asks that commenters address the specific costs that would be incurred and gains that would be realized if it were to explicitly authorize or prohibit specific third-party authentication practices. Are there any other rules that the Commission would need to change if it were to explicitly authorize certain third-party authentication practices? What measures would the Commission need to implement to monitor compliance with the Commission's rules if third-party authentication arrangements are employed? For instance, should the Commission amend its rules to explicitly require providers to identify any third-party solutions they rely upon in their Robocall Mitigation Database certifications and robocall mitigation plans, including the identity of the third party providing the solution, any requirements the provider has imposed on the third party to ensure compliance with the requirements of the ATIS technical standards and the Commission's rules, and what the provider itself does to ensure compliance with those requirements under the third-party arrangement? Are there any other compliance or enforcement measures that the  Commission should adopt if it explicitly authorizes third-party authentication?

9. The Commission also invites comment on whether a rulemaking is necessary to address third-party authentication or if another procedural device would be appropriate. For instance, to the extent commenters argue that third-party authentication is already authorized in the limited scenarios described in the ATIS standards, and no other third-party authentication arrangement should be permitted, should the Commission instead address these issues through a declaratory ruling? To the extent commenters advocate for imposing rules on third parties that authenticate calls on behalf of providers, rather than upon the providers themselves, the Commission seeks comment on its legal authority to do so.

10. Lastly, if the Commission were to explicitly authorize the use of third parties to authenticate caller ID information, the Commission seeks comment on whether it should require providers that are not currently required to implement STIR/SHAKEN because they do not have the facilities necessary to do so or are subject to an implementation extension to engage a third-party authentication solution for the SIP calls they originate. Would this significantly increase the number of calls authenticated with STIR/SHAKEN or is the impact likely to be minimal given the authentication obligation the Commission adopted in the *Sixth Report and Order* (FCC 23-18), published elsewhere in this issue of the of the *Federal Register* , for the first intermediate provider in the path of a SIP call and the fact that the implementation extension for facilities-based small providers will lapse on June 30, 2023?

**B. Eliminating the Implementation Extension for Providers Unable To Obtain an SPC Token**

11. The Commission seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for providers that cannot obtain an SPC token. To participate in STIR/SHAKEN, a voice service provider must obtain an SPC token issued through the STIR/SHAKEN governance system. In the *Second Caller ID Authentication Report and Order,* 85 FR 73360 (November 17, 2020), the Commission granted voice service providers that are incapable of obtaining an SPC token due to Governance Authority policy a STIR/SHAKEN implementation extension until they are capable of obtaining said token.

12. The Commission seeks comment on whether it should eliminate this extension. What are the benefits of, or drawbacks to, retaining the extension? Given changes in token access policy since the *Second Caller ID Authentication Report and Order* making it easier to obtain an SPC token, which, if any, providers are likely to qualify for this extension today, and under what circumstances? Assuming some providers remain unable to obtain an SPC token, are there other ways the Commission could account for these providers in its rules, apart from an implementation extension? Alternatively, would the Commission's standard waiver provisions be sufficient protection for any providers unable to obtain an SPC token? Are there other solutions that would allow any providers who remain unable to obtain an SPC token to participate in the STIR/SHAKEN framework? The Commission seeks comment on these and any alternative approaches to eliminating the SPC token extension.

**C. Legal Authority**

13. The Commission proposes to rely upon section 251(e) of the Communications Act of 1934 (the Act) and the Truth in Caller ID Act to require providers to meet any such requirements it adopts. The Commission seeks comment on this approach and whether there are any alternative sources of authority that it should consider.

14. The Commission proposes to rely on the TRACED Act to require originating providers to ensure that their calls are signed with their own token. To eliminate the extension for token access, the Commission proposes to rely on its authority under the TRACED Act to revise any granted extensions. The Commission seeks comment on these proposals. The Commission also seeks specific comment on its authority to eliminate an existing TRACED Act extension by Commission action outside of the annual extension reevaluation process mandated by the TRACED Act. Are there any other sources of authority the Commission should consider?

**D. Digital Equity and Inclusion**

15. The Commission, as part of its continuing effort to advance digital equity for all, including people of color and others who have been historically underserved, marginalized, and adversely affected by persistent poverty and inequality, invites comment on any equity-related considerations and benefits (if any) that may be associated with the proposals and issues discussed herein. The Commission defines the term “equity” consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. *See* Exec. Order No. 13985, 86 FR 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (Jan. 20, 2021). Specifically, the Commission seeks comment on how its proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility.

**II. Initial Regulatory Flexibility Analysis**

16. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on small entities by the policies and rules proposed in this *FNPRM.* The Commission requests written public comments on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments provided on the first page of the Further Notice. The Commission will send a copy of the Further Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). In addition, the *FNPRM* and IRFA (or summaries thereof) will be published in the *Federal Register* .

**A. Need for, and Objectives of, the Proposed Rules**

17. In order to continue the Commission's work of protecting American consumers from illegal calls, the *FNPRM* seeks comment on the use of third-party caller ID authentication solutions and whether any changes should be made to the Commission's rules to permit, prohibit, or limit their use. It also seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for voice service providers that cannot obtain an SPC token.

**B. Legal Basis**

18. The *FNPRM* proposes to find authority largely under those provisions through which it has previously adopted rules. Specifically, the *FNPRM* proposes to find authority under section 251(e) of the Communications Act of 1934, as amended, the Truth in Caller ID Act, and the TRACED Act. The *FNPRM* solicits comment on these proposals.

**C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply**

19. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and by the rule revisions on which the Notice seeks comment, if adopted. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small-business concern” under the Small Business Act. A “small-business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

20. *Small Businesses, Small Organizations, Small Governmental Jurisdictions.* The Commission's actions, over time, may affect small entities that are not easily categorized at present. The Commission therefore describes, at the outset, three broad groups of small entities that could be directly affected herein. First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the SBA's Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. These types of small businesses represent 99.9% of all businesses in the United States, which translates to 32.5 million businesses.

21. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS.

22. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” U.S. Census Bureau data from the 2017 Census of Governments indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. Of this number there were 36,931 general purpose governments (county, municipal and town or township) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts with enrollment populations of less than 50,000. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.”

23. *Wired Telecommunications Carriers.* The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet services. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers.

24. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 5,183 providers that reported they were engaged in the provision of fixed local services. Of these providers, the Commission estimates that 4,737 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

25. *Local Exchange Carriers (LECs).* Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include both incumbent and competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 5,183 providers that reported they were fixed local exchange service providers. Of these providers, the Commission estimates that 4,737 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

26. *Incumbent Local Exchange Carriers (Incumbent LECs).* Neither the Commission nor the SBA have developed a small business size standard specifically for incumbent local exchange carriers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 1,227 providers that reported they were incumbent local exchange service providers. Of these providers, the Commission estimates that 929 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, the  Commission estimates that the majority of incumbent local exchange carriers can be considered small entities.

27. *Competitive Local Exchange Carriers (LECs).* Neither the Commission nor the SBA has developed a size standard for small businesses specifically applicable to local exchange services. Providers of these services include several types of competitive local exchange service providers. Wired Telecommunications Carriers is the closest industry with an SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 3,956 providers that reported they were competitive local exchange service providers. Of these providers, the Commission estimates that 3,808 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

28. The Commission has included small incumbent LECs in this present RFA analysis. As noted above, a “small business” under the RFA is one that, *inter alia,* meets the pertinent small-business size standard ( *e.g.,* a telephone communications business having 1,500 or fewer employees) and “is not dominant in its field of operation.” The SBA's Office of Advocacy contends that, for RFA purposes, small incumbent LECs are not dominant in their field of operation because any such dominance is not “national” in scope. The Commission therefore included small incumbent LECs in this RFA analysis, although it emphasizes that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts.

29. *Interexchange Carriers (IXCs).* Neither the Commission nor the SBA have developed a small business size standard specifically for Interexchange Carriers. Wired Telecommunications Carriers is the closest industry with a SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 151 providers that reported they were engaged in the provision of interexchange services. Of these providers, the Commission estimates that 131 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, the Commission estimates that the majority of providers in this industry can be considered small entities.

30. *Cable System Operators (Telecom Act Standard).* The Communications Act of 1934, as amended, contains a size standard for a “small cable operator,” which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” For purposes of the Telecom Act Standard, the Commission determined that a cable system operator that serves fewer than 677,000 subscribers, either directly or through affiliates, will meet the definition of a small cable operator based on the cable subscriber count established in a 2001 Public Notice. Based on industry data, only six cable system operators have more than 677,000 subscribers. Accordingly, the Commission estimates that the majority of cable system operators are small under this size standard. The Commission notes however, that the it neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. Therefore, the Commission is unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act.

31. *Other Toll Carriers.* Neither the Commission nor the SBA has developed a definition for small businesses specifically applicable to Other Toll Carriers. This category includes toll carriers that do not fall within the categories of interexchange carriers, operator service providers, prepaid calling card providers, satellite service carriers, or toll resellers. Wired Telecommunications Carriers is the closest industry with a SBA small business size standard. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. Of this number, 2,964 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 115 providers that reported they were engaged in the provision of other toll services. Of these providers, the Commission estimates that 113 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

32. *Wireless Telecommunications Carriers (except Satellite).* This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. Of that number, 2,837 firms employed fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 797 providers that reported they were engaged in the provision of wireless services. Of these providers, the Commission estimates that 715 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

33. *Satellite Telecommunications.* This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $35 million or less in annual receipts as small. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. Of this number, 242 firms had revenue of less than $25 million. Additionally, based on Commission data in the 2021 Universal Service  Monitoring Report, as of December 31, 2020, there were 71 providers that reported they were engaged in the provision of satellite telecommunications services. Of these providers, the Commission estimates that approximately 48 providers have 1,500 or fewer employees. Consequently using the SBA's small business size standard, a little more than of these providers can be considered small entities.

34. *Local Resellers.* Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with a SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 293 providers that reported they were engaged in the provision of local resale services. Of these providers, the Commission estimates that 289 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

35. *Toll Resellers.* Neither the Commission nor the SBA have developed a small business size standard specifically for Toll Resellers. Telecommunications Resellers is the closest industry with a SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 518 providers that reported they were engaged in the provision of toll services. Of these providers, the Commission estimates that 495 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

36. *Prepaid Calling Card Providers.* Neither the Commission nor the SBA has developed a small business size standard specifically for prepaid calling card providers. Telecommunications Resellers is the closest industry with a SBA small business size standard. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual network operators (MVNOs) are included in this industry. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. Of that number, 1,375 firms operated with fewer than 250 employees. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 58 providers that reported they were engaged in the provision of payphone services. Of these providers, the Commission estimates that 57 providers have 1,500 or fewer employees. Consequently, using the SBA's small business size standard, most of these providers can be considered small entities.

37. *All Other Telecommunications.* This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Providers of internet services ( *e.g.* dial-up ISPs) or voice over internet protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. Of those firms, 1,039 had revenue of less than $25 million. Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small.

**D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities**

38. The *FNPRM* seeks comment on imposing several obligations on various providers, many of whom may be small entities. Specifically, the *FNPRM* seeks comment on the types of third-party authentication solutions being used by providers and the nature of any agreements or relationships with third parties, including whether providers are entering into agreements with third parties to perform their authentication obligations under the Commission's rules and the ATIS technical standards.

39. The *FNPRM* seeks comment on whether, and under what circumstances, a third party may authenticate calls on behalf of a provider with A- or B-level attestations consistent with the ATIS standards. To the extent that commenters contend that third parties can meet the ATIS standards for signing calls with A- and B-level attestations, the *FNPRM* seeks comment on the specific legal bases for that conclusion and the information that must be shared between originating providers and third parties for such attestation levels to be applied. It also seeks comment on whether the Commission should condition any explicit authorization of third-party authentication solutions upon any particular restrictions or protections related to information sharing, including ensuring that third parties have the information needed to apply A-  or B-level attestations consistent with the ATIS standards.

40. The *FNPRM* further seeks comment on whether the Commission should amend its rules to explicitly permit third-party authentication and any limitations the Commission should place on any such authorization, including: (1) whether to limit authorization to scenarios akin to those described in the ATIS standards; (2) whether to limit authorization to the technical solutions described in the NANC's 2021 Small Providers Report; (3) whether to only permit third-party authentication if the third party signs the call using the provider's SPC token; (4) whether to require providers with the authentication obligation to make attestation-level determinations; and (5) whether to prohibit providers from certifying that they have implemented STIR/SHAKEN in the Robocall Mitigation Database unless their calls are singed with their own SPC token, whether directly or through a third-party.

41. The *FNPRM* seeks comment on whether the Commission should change any other rules if certain third-party authentication practices are explicitly authorized. In particular, it seeks comment on whether the Commission should require providers to explicitly identify certain additional information in their Robocall Mitigation Database certifications and plans, including: (1) any third-party solutions; (2) the identity of the third party providing the solution; and (3) any requirements the provider has imposed on the third party to ensure compliance with the requirements of the of the ATIS technical standards and Commission's rules, and any action taken by the provider to ensure compliance with those requirements.

42. The *FNPRM* seeks comment on whether there are any other compliance or enforcement measures that the Commission should adopt if it explicitly authorizes third-party authentication. It also seeks comment on whether a rulemaking is necessary to address third-party authentication or if another procedural device would be appropriate. To the extent that third-party caller ID authentication is explicitly authorized, the *FNPRM* seeks comment on whether the Commission should require providers that are not currently required to implement STIR/SHAKEN because they do not have the facilities necessary to do so or are subject to an implementation extension to engage a third-party authentication solution for the SIP calls they originate.

43. Lastly, the *FNPRM* also seeks comment on whether to eliminate the STIR/SHAKEN implementation extension for providers that cannot obtain an SPC token.

**E. Steps Taken To Minimize the Significant Economic Impact on Small Entities and Significant Alternatives Considered**

44. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rules for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.

45. The *FNPRM* seeks comment on the particular impacts that the proposed rules may have on small entities. In particular, it seeks comment regarding the different types of third-party authentication arrangements currently being employed by providers, the prevalence of each type of third-party authentication arrangement in the STIR/SHAKEN ecosystem, and any available data substantiating how effective they are at facilitating the authentication of caller ID information.

46. The *FNPRM* seeks comment on whether third-party authentication providers are able to satisfy all or any of the ATIS standards, and whether the answer to such question is dependent on the nature of the relationship between the originating provider and the third party.

47. The *FNPRM* seeks comment on the information that must be shared between originating providers and third parties for A- or B-level attestations to be applied and whether information sharing practices implicate any legal or public interest concerns. It seeks comment on whether the Commission should condition any explicit authorization of third-party authentication practices upon providers ensuring that third parties have the information needed to apply A- or B-level attestations consistent with the ATIS standards.

48. The *FNPRM* seeks comment on whether there is a distinction between scenarios in which third parties authenticate calls on behalf of a provider and the technical solutions described in the 2021 Small Providers Report produced by the NANC. The *FNPRM* notes that the NANC described the technical solutions as a cost-effective means for providers—particularly small providers—to implement STIR/SHAKEN consistent with the ATIS standards, and sought comment on these solutions. The *FNPRM* seeks comment on whether the Commission should limit any authorization of third-party authentication to the technical solutions described in the NANC's 2021 Small Provider Report. It also seeks comment on only permitting third-party authentication if the third party signs the call using the provider's SPC token and prohibiting providers from certifying that they have implemented STIR/SHAKEN in the Robocall Mitigation Database unless their calls are signed with their own SPC token. In so doing, it specifically seeks comment on whether the ability to obtain an SPC token is likely to present a barrier to providers' compliance with such a requirement.

49. The *FNPRM* further seeks comment on the full range of potential benefits that could result from authorization of different third-party authentication arrangements, as well as the potential pitfalls of third-party authentication. It also seeks comment on the specific costs that would be incurred and gains that would be realized if the Commission were to explicitly authorize or prohibit specific third-party authentication practices. In addition, the *FNPRM* seeks comment on whether there are any other rules that the Commission would need to change if it were to explicitly authorize certain third-party authentication practices. Moreover, if third-party caller ID authentication is explicitly permitted, the *FNPRM* seeks comment on whether to require providers that are not currently required to implement STIR/SHAKEN because they do not have the facilities necessary to do so or are subject to an implementation extension to engage a third-party authentication solution for the SIP calls they originate.

50. Lastly, the *FNPRM* seeks comment on whether to eliminate the STIR/SHAKEN implementation for providers that cannot obtain an SPC token, as well as any benefits or drawbacks to retaining the extension.

51. Small entities may provide input in these areas addressing, among other considerations, any particular implementation challenges faced by small entities. The Commission expects to evaluate the economic impact on small entities, as identified in comments filed in response to the *Further Notice* and this IRFA, in reaching its final conclusions and taking action in this proceeding.

**F. Federal Rules That May Duplicate, Overlap, or Conflict With the Proposed Rules**

52. None.

**III. Procedural Matters**

53. *Initial Regulatory Flexibility Analysis.* As required by the Regulatory Flexibility Act of 1980 (RFA), the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on small entities of the policies and rules addressed in this *FNPRM.* The IRFA is set forth above. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the *FNPRM* indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA. The Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, will send a copy of this *FNPRM,* including the IRFA, to the Chief Counsel for Advocacy of the SBA.

54. *Paperwork Reduction Act.* The *FPRM* may contain proposed new and revised information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and OMB to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, *see* 44 U.S.C 3506(c)(4), the Commission seeks specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees.

**IV. Ordering Clauses**

55. Accordingly, *it is ordered* that, pursuant to sections 4(i), 4(j), 201, 202, 217, 227, 227b, 251(e), and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 202, 217, 227, 227b, 251(e), and 303(r), this *FNPRM is adopted.*

56. *It is further ordered* that the Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, *shall send* a copy of this *FNPRM,* including the IRFA analysis, to the Chief Counsel for Advocacy of the SBA.

Federal Communications Commission.

Marlene Dortch,

Secretary.