[Federal Register Volume 88, Number 87 (Friday, May 5, 2023)]
[Proposed Rules]
[Pages 29035-29043]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-09543]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Parts 0, 1, and 64

[WC Docket No. 17-97; FCC 23-18; FR ID 139316]


Call Authentication Trust Anchor

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) seeks comment on additional measures to strengthen its 
caller ID authentication framework and further stem the tide of 
illegally spoofed calls. Specifically, this document seeks comment on 
the use of third-party caller ID authentication solutions, including 
whether any changes should be made to the Commission's rules to permit, 
prohibit, or limit their use. It also seeks comment on whether to 
eliminate the STIR/SHAKEN implementation extension for providers that 
cannot obtain Service Provider Code (SPC) tokens, which are necessary 
to participate in the STIR/SHAKEN caller ID authentication framework.

DATES: Comments are due on or before June 5, 2023, and reply comments 
are due on or before July 5, 2023. Written comments on the Paperwork 
Reduction Act proposed information collection requirements must be 
submitted by the public, Office of Management and Budget (OMB), and 
other interested parties on or before July 5, 2023.

ADDRESSES: Pursuant to Sec. Sec.  1.415 and 1.419 of the Commission's 
rules, 47 CFR 1.415, 1.419, interested parties may file comments and 
reply comments on or before the dates indicated on the first page of 
this document. Comments may be filed using the Commission's Electronic 
Comment Filing System (ECFS). See Electronic Filing of Documents in 
Rulemaking Proceedings, 63 FR 24121 (1998). You may submit comments, 
identified by WC Docket No. 17-97, by any of the following methods:
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the ECFS: http://apps.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
    Filings can be sent by commercial overnight courier, or by first-
class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
     U.S. Postal Service first-class, Express, and Priority 
mail must be addressed to 45 L Street NE, Washington, DC 20554.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020), https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
    People with Disabilities: To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).

FOR FURTHER INFORMATION CONTACT: Jonathan Lechter, Attorney Advisor, 
Competition Policy Division, Wireline Competition Bureau, at 
[email protected] or at (202) 418-0984. For additional 
information concerning the Paperwork Reduction Act proposed information 
collection requirements contained in this document, send an email to 
[email protected] or contact Nicole Ongele at (202) 418-2991.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Sixth 
Further Notice of Proposed Rulemaking (FNPRM) in WC Docket No. 17-97, 
FCC 23-18, adopted on March 16, 2023, and released on March 17, 2023. 
The full text of this document is available for public inspection at 
the following internet address: https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.
    The proceeding this document initiates shall be treated as a 
``permit-but-disclose'' proceeding in accordance with the Commission's 
ex parte rules. Persons making ex parte presentations must file a copy 
of any written presentation or a memorandum summarizing any oral 
presentation within two business days after the presentation (unless a 
different deadline applicable to the Sunshine period applies). Persons 
making oral ex parte presentations are reminded that memoranda 
summarizing the presentation must (1) list all persons attending or 
otherwise participating in the meeting at which the ex parte 
presentation was made, and (2) summarize all data presented and 
arguments made during the presentation. If the presentation consisted 
in whole or in part of the presentation of data or arguments already 
reflected in the presenter's written comments, memoranda or other 
filings in the proceeding, the presenter may provide citations to such 
data or arguments in his or her prior comments, memoranda, or other 
filings (specifying the relevant page and/or paragraph numbers where 
such data or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and

[[Page 29036]]

must be filed consistent with rule 1.1206(b). In proceedings governed 
by rule 1.49(f) or for which the Commission has made available a method 
of electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.
    This document may contain potential new or revised information 
collection requirements. The Commission, as part of its continuing 
effort to reduce paperwork burdens, invites the general public and the 
Office of Management and Budget (OMB) to comment on the information 
collection requirements contained in this document, as required by the 
Paperwork Reduction Act of 1995, Public Law 104-13. Public and agency 
comments are due July 5, 2023.
    Comments should address: (a) whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information shall have practical 
utility; (b) the accuracy of the Commission's burden estimates; (c) 
ways to enhance the quality, utility, and clarity of the information 
collected; (d) ways to minimize the burden of the collection of 
information on the respondents, including the use of automated 
collection techniques or other forms of information technology; and (e) 
way to further reduce the information collection burden on small 
business concerns with fewer than 25 employees. In addition, pursuant 
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, 
see 44 U.S.C. 3506(c)(4), the Commission seeks specific comment on how 
it might further reduce the information collection burden for small 
business concerns with fewer than 25 employees.

Synopsis

I. Sixth Further Notice of Proposed Rulemaking

A. Third-Party Caller ID Authentication

    1. The Commission's rules require that a voice service provider 
``[a]uthenticate caller identification information for all SIP calls it 
originates and . . . to the extent technically feasible, transmit that 
call with authenticated caller identification information to the next 
voice service provider or intermediate provider in the call path.'' In 
the Fifth Caller ID Authentication Further Notice, 87 FR 42916 (July 
18, 2022), the Commission sought comment on whether it should amend its 
rules to address whether originating voice service providers may use 
third parties to perform their third-party authentication obligations. 
The resulting record confirms that third-party authentication is 
occurring. It does not, however, provide sufficient information to 
fully assess the impact that explicitly authorizing or prohibiting 
third-party authentication may have on the STIR/SHAKEN ecosystem. For 
instance, the record before the Commission is not sufficient for it to 
understand the full scope of the various arrangements that exist 
between providers and third parties that authenticate their calls. Nor 
does it allow the Commission to determine whether these third-party 
arrangements satisfy the requirements of its authentication rules, how 
and what information is shared within those arrangements, whether that 
information sharing implicates privacy, security, or other legal 
concerns, and whether they have a net positive or negative effect on 
the reliability of the STIR/SHAKEN framework and its objective to 
curtail illegal spoofing. The Commission thus seeks further comment on 
the use of third-party solutions to authenticate caller ID information 
and whether any changes should be made to its rules to permit, 
prohibit, or limit their use.
    2. The Commission starts by seeking comment on the types of third-
party authentication solutions being used by providers. Are originating 
or other providers entering into agreements with third parties to 
perform their authentication obligations under the Commission's rules 
and the Alliance for Telecommunications Industry Solutions (ATIS) 
technical standards? If so, who are these third parties, what is the 
nature of their relationship to the provider that has retained them, 
and how does any agreement between the provider and the third-party 
purport to assign responsibility for compliance with the Commission's 
authentication rules and the ATIS standards? The Commission notes that 
the ATIS technical standards acknowledge several scenarios in which 
providers may authenticate calls where they lack a direct relationship 
with the end user of a voice service. These cases--including those 
involving providers serving enterprise, communications reseller, and 
value-added service provider customers--generally involve an 
authenticating service provider that originates calls on behalf of a 
customer that itself maintains the direct relationship with the end 
user of the communications service. Are third-party authentication 
arrangements limited to these types of situations or are providers 
outside of these limited scenarios contracting with third parties to 
perform all or part of their authentication responsibilities? For 
instance, are providers that originate calls themselves entering into 
arms-length agreements with third parties for authentication services? 
Are there third parties marketing caller ID authentication services for 
originating and other providers? The Commission asks that commenters 
detail the different types of third-party authentication arrangements 
that are currently being employed by providers, address how prevalent 
each type of third-party authentication arrangement is in the STIR/
SHAKEN ecosystem, and provide any available data substantiating how 
effective they are at facilitating the authentication of caller ID 
information.
    3. Along those lines, the Commission seeks comment on whether, and 
under what circumstances, a third party may authenticate calls on 
behalf of a provider with A- or B-level attestations consistent with 
the ATIS standards. Pursuant to ATIS-1000074, in order to apply a B-
level attestation for a call, the signing party must originate the call 
onto the IP-based service network and have a direct authenticated 
relationship with the customer An A-level attestation additionally 
requires the signing provider to establish a verified association with 
the telephone number used for the call. Can a third-party 
authenticating a call on behalf of an originating provider satisfy all 
or any these criteria, and if so, how? Does the answer to that question 
depend on the nature of the relationship between the originating 
provider and the third party? For instance, is it possible for a third 
party that is a wholesale provider for a reseller, or an intermediate 
provider, to apply A- or B-level attestations on behalf of an 
originating provider in a manner that complies with the ATIS 
attestation-level criteria, but not a different type of third party? 
Are there third parties authenticating calls on behalf of originating 
providers that can only apply C-level attestations under the ATIS 
criteria? If commenters contend that third parties can meet the ATIS 
criteria for signing calls with A- and B-level attestations because 
they effectively stand in the shoes of the originating provider with 
the direct relationship with the customer, the Commission asks that 
they specify the legal bases for that conclusion, e.g., the

[[Page 29037]]

specific grounds for an agency theory, if any, and/or how the terms of 
the ATIS standards may be construed to include the third-party 
arrangement.
    4. To the extent commenters contend that third parties may satisfy 
the criteria to sign calls with A- or B-level attestations, what 
information must be shared between originating providers and third 
parties for those attestation levels to be applied, is that information 
sharing occurring, and does it implicate any legal or public interest 
concerns, including privacy concerns? For instance, does any of the 
information shared constitute customer proprietary network information? 
Should any action taken by the Commission to explicitly authorize 
third-party authentication solutions be conditioned upon any particular 
restrictions or protections related to that information sharing? Should 
any explicit authorization of third-party authentication practices be 
conditioned upon providers ensuring that third parties have the 
information needed to apply A- or B-level attestations consistent with 
the ATIS standards?
    5. The Commission seeks comment on whether there is a distinction 
between scenarios in which a third-party entity is retained to 
authenticate calls on behalf of a provider and the technical solutions 
described in the October 13, 2021, Deployment by Small Voice Service 
Providers Report, produced by the North American Numbering Council 
(NANC) Call Authentication Anchor Working Group (NANC Small Providers 
Report). In that report, the NANC stated that small service providers 
may wish to ``leverage [a] number of vendor solutions'' offering third-
party call signing services in order to comply with their STIR/SHAKEN 
implementation obligations under the Commission's rules, identifying 
three options: (1) ``hosted SHAKEN;'' (2) ``carrier SHAKEN;'' and (3) 
``SHAKEN software.'' Although each option involves different features, 
they each require the originating provider to ``determin[e] the proper 
`A' `B,' or `C' level attestation'' for a given call and to use the 
third-party platform to sign the call using the originating provider's 
SPC token. The NANC states that these options offer a cost-effective 
means for providers--particularly small providers--to implement STIR/
SHAKEN consistent with the ATIS standards. The Commission seeks comment 
on these technical solutions and the extent to which they are currently 
in use by providers. If commenters agree that they satisfy the criteria 
for signing calls under the ATIS standards, is that because the 
solutions require the originating provider to make the attestation 
level determinations and sign calls using the originating provider's 
SPC token, as opposed to arrangements in which a third party is allowed 
to make attestation level determinations and sign calls using a 
different SPC token? Do these technical solutions, in fact, result in 
A- B-, and C-level attestations being accurately applied?
    6. The record developed in response to the Fifth Caller ID 
Authentication Further Notice indicates that there could be benefits to 
explicitly authorizing third-party authentication arrangements. For 
instance, some commenters suggest that third-party authentication can 
strengthen the caller ID authentication regime by enabling STIR/SHAKEN 
to be applied to calls that would otherwise be transmitted without 
authentication. The Commission seeks comment on the full range of 
benefits that could result from authorization of different third-party 
authentication arrangements. The Commission also seeks comment on the 
potential pitfalls of third-party authentication. For example, some 
commenters suggest that improper third-party signing practices are 
resulting in misleading and improper attestations, which in turn 
undermine the efficacy of the STIR/SHAKEN framework and impair the 
analytics tools that rely on accurate attestation data to make blocking 
and labelling recommendations to their clients.
    7. Accordingly, the Commission seeks comment on whether it should 
amend its rules to explicitly authorize third-party authentication and 
what, if any, limitations it should place on that authorization to 
ensure compliance with authentication requirements and the reliability 
of the STIR/SHAKEN framework. For instance, should the Commission limit 
third-party authentication to scenarios akin to those described in the 
ATIS standards, where the entity authenticating the call is originating 
the call for a customer, such as a reseller or an enterprise customer? 
ATIS-1000088 defines ``customer'' as ``[t]ypically a service provider's 
subscriber, which may or not be the ultimate end-user of the 
telecommunications service,'' and which ``may be a person, enterprise, 
reseller, or value added service provider;'' and defines ``end user'' 
as ``[t]he entity ultimately consuming the VoIP-based 
telecommunications service.'' Notwithstanding the definitions provided 
by the ATIS standards, should the Commission ``clarify that, for the 
purposes of the STIR/SHAKEN standard, a `customer' means an end user 
and not a wholesale upstream provider'' as USTelecom suggests? Should 
the Commission limit an authorization to the technical solutions 
described in the NANC Small Providers Report? Alternatively, should the 
Commission explicitly authorize third-party authentication more broadly 
but require the provider with the authentication obligation to make 
attestation-level determinations, rather than allowing them to rely on 
the third-party to make those determinations? If the Commission were to 
explicitly authorize third-party authentication, should the Commission 
also require third parties to sign calls using the provider's SPC 
token? Should the Commission prohibit providers from certifying to 
having implemented STIR/SHAKEN in the Robocall Mitigation Database 
unless their calls are signed with their own SPC token, whether 
directly or through a third party? Would such a requirement improve 
accountability by third-party authenticators? Is the ability to obtain 
SPC tokens likely to present a barrier to providers' compliance with 
such a requirement? If so, in what circumstances? Are there security or 
other concerns implicated by a provider sharing its SPC token with 
another entity for the purpose of signing calls? Would that undermine 
trust in the STIR/SHAKEN regime?
    8. The Commission asks that commenters address the specific costs 
that would be incurred and gains that would be realized if it were to 
explicitly authorize or prohibit specific third-party authentication 
practices. Are there any other rules that the Commission would need to 
change if it were to explicitly authorize certain third-party 
authentication practices? What measures would the Commission need to 
implement to monitor compliance with the Commission's rules if third-
party authentication arrangements are employed? For instance, should 
the Commission amend its rules to explicitly require providers to 
identify any third-party solutions they rely upon in their Robocall 
Mitigation Database certifications and robocall mitigation plans, 
including the identity of the third party providing the solution, any 
requirements the provider has imposed on the third party to ensure 
compliance with the requirements of the ATIS technical standards and 
the Commission's rules, and what the provider itself does to ensure 
compliance with those requirements under the third-party arrangement? 
Are there any other compliance or enforcement measures that the

[[Page 29038]]

Commission should adopt if it explicitly authorizes third-party 
authentication?
    9. The Commission also invites comment on whether a rulemaking is 
necessary to address third-party authentication or if another 
procedural device would be appropriate. For instance, to the extent 
commenters argue that third-party authentication is already authorized 
in the limited scenarios described in the ATIS standards, and no other 
third-party authentication arrangement should be permitted, should the 
Commission instead address these issues through a declaratory ruling? 
To the extent commenters advocate for imposing rules on third parties 
that authenticate calls on behalf of providers, rather than upon the 
providers themselves, the Commission seeks comment on its legal 
authority to do so.
    10. Lastly, if the Commission were to explicitly authorize the use 
of third parties to authenticate caller ID information, the Commission 
seeks comment on whether it should require providers that are not 
currently required to implement STIR/SHAKEN because they do not have 
the facilities necessary to do so or are subject to an implementation 
extension to engage a third-party authentication solution for the SIP 
calls they originate. Would this significantly increase the number of 
calls authenticated with STIR/SHAKEN or is the impact likely to be 
minimal given the authentication obligation the Commission adopted in 
the Sixth Report and Order (FCC 23-18), published elsewhere in this 
issue of the of the Federal Register, for the first intermediate 
provider in the path of a SIP call and the fact that the implementation 
extension for facilities-based small providers will lapse on June 30, 
2023?

B. Eliminating the Implementation Extension for Providers Unable To 
Obtain an SPC Token

    11. The Commission seeks comment on whether to eliminate the STIR/
SHAKEN implementation extension for providers that cannot obtain an SPC 
token. To participate in STIR/SHAKEN, a voice service provider must 
obtain an SPC token issued through the STIR/SHAKEN governance system. 
In the Second Caller ID Authentication Report and Order, 85 FR 73360 
(November 17, 2020), the Commission granted voice service providers 
that are incapable of obtaining an SPC token due to Governance 
Authority policy a STIR/SHAKEN implementation extension until they are 
capable of obtaining said token.
    12. The Commission seeks comment on whether it should eliminate 
this extension. What are the benefits of, or drawbacks to, retaining 
the extension? Given changes in token access policy since the Second 
Caller ID Authentication Report and Order making it easier to obtain an 
SPC token, which, if any, providers are likely to qualify for this 
extension today, and under what circumstances? Assuming some providers 
remain unable to obtain an SPC token, are there other ways the 
Commission could account for these providers in its rules, apart from 
an implementation extension? Alternatively, would the Commission's 
standard waiver provisions be sufficient protection for any providers 
unable to obtain an SPC token? Are there other solutions that would 
allow any providers who remain unable to obtain an SPC token to 
participate in the STIR/SHAKEN framework? The Commission seeks comment 
on these and any alternative approaches to eliminating the SPC token 
extension.

C. Legal Authority

    13. The Commission proposes to rely upon section 251(e) of the 
Communications Act of 1934 (the Act) and the Truth in Caller ID Act to 
require providers to meet any such requirements it adopts. The 
Commission seeks comment on this approach and whether there are any 
alternative sources of authority that it should consider.
    14. The Commission proposes to rely on the TRACED Act to require 
originating providers to ensure that their calls are signed with their 
own token. To eliminate the extension for token access, the Commission 
proposes to rely on its authority under the TRACED Act to revise any 
granted extensions. The Commission seeks comment on these proposals. 
The Commission also seeks specific comment on its authority to 
eliminate an existing TRACED Act extension by Commission action outside 
of the annual extension reevaluation process mandated by the TRACED 
Act. Are there any other sources of authority the Commission should 
consider?

D. Digital Equity and Inclusion

    15. The Commission, as part of its continuing effort to advance 
digital equity for all, including people of color and others who have 
been historically underserved, marginalized, and adversely affected by 
persistent poverty and inequality, invites comment on any equity-
related considerations and benefits (if any) that may be associated 
with the proposals and issues discussed herein. The Commission defines 
the term ``equity'' consistent with Executive Order 13985 as the 
consistent and systematic fair, just, and impartial treatment of all 
individuals, including individuals who belong to underserved 
communities that have been denied such treatment, such as Black, 
Latino, and Indigenous and Native American persons, Asian Americans and 
Pacific Islanders and other persons of color; members of religious 
minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) 
persons; persons with disabilities; persons who live in rural areas; 
and persons otherwise adversely affected by persistent poverty or 
inequality. See Exec. Order No. 13985, 86 FR 7009, Executive Order on 
Advancing Racial Equity and Support for Underserved Communities Through 
the Federal Government (Jan. 20, 2021). Specifically, the Commission 
seeks comment on how its proposals may promote or inhibit advances in 
diversity, equity, inclusion, and accessibility.

II. Initial Regulatory Flexibility Analysis

    16. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Commission has prepared this Initial Regulatory 
Flexibility Analysis (IRFA) of the possible significant economic impact 
on small entities by the policies and rules proposed in this FNPRM. The 
Commission requests written public comments on this IRFA. Comments must 
be identified as responses to the IRFA and must be filed by the 
deadlines for comments provided on the first page of the Further 
Notice. The Commission will send a copy of the Further Notice, 
including this IRFA, to the Chief Counsel for Advocacy of the Small 
Business Administration (SBA). In addition, the FNPRM and IRFA (or 
summaries thereof) will be published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

    17. In order to continue the Commission's work of protecting 
American consumers from illegal calls, the FNPRM seeks comment on the 
use of third-party caller ID authentication solutions and whether any 
changes should be made to the Commission's rules to permit, prohibit, 
or limit their use. It also seeks comment on whether to eliminate the 
STIR/SHAKEN implementation extension for voice service providers that 
cannot obtain an SPC token.

[[Page 29039]]

B. Legal Basis

    18. The FNPRM proposes to find authority largely under those 
provisions through which it has previously adopted rules. Specifically, 
the FNPRM proposes to find authority under section 251(e) of the 
Communications Act of 1934, as amended, the Truth in Caller ID Act, and 
the TRACED Act. The FNPRM solicits comment on these proposals.

C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rules Will Apply

    19. The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules and by the rule revisions on which the 
Notice seeks comment, if adopted. The RFA generally defines the term 
``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small-business concern'' under the Small Business 
Act. A ``small-business concern'' is one which: (1) is independently 
owned and operated; (2) is not dominant in its field of operation; and 
(3) satisfies any additional criteria established by the SBA.
    20. Small Businesses, Small Organizations, Small Governmental 
Jurisdictions. The Commission's actions, over time, may affect small 
entities that are not easily categorized at present. The Commission 
therefore describes, at the outset, three broad groups of small 
entities that could be directly affected herein. First, while there are 
industry specific size standards for small businesses that are used in 
the regulatory flexibility analysis, according to data from the SBA's 
Office of Advocacy, in general a small business is an independent 
business having fewer than 500 employees. These types of small 
businesses represent 99.9% of all businesses in the United States, 
which translates to 32.5 million businesses.
    21. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2020, there were 
approximately 447,689 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    22. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2017 Census of Governments indicate there were 
90,075 local governmental jurisdictions consisting of general purpose 
governments and special purpose governments in the United States. Of 
this number there were 36,931 general purpose governments (county, 
municipal and town or township) with populations of less than 50,000 
and 12,040 special purpose governments--independent school districts 
with enrollment populations of less than 50,000. Accordingly, based on 
the 2017 U.S. Census of Governments data, we estimate that at least 
48,971 entities fall into the category of ``small governmental 
jurisdictions.''
    23. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as establishments primarily engaged in operating 
and/or providing access to transmission facilities and infrastructure 
that they own and/or lease for the transmission of voice, data, text, 
sound, and video using wired communications networks. Transmission 
facilities may be based on a single technology or a combination of 
technologies. Establishments in this industry use the wired 
telecommunications network facilities that they operate to provide a 
variety of services, such as wired telephony services, including VoIP 
services, wired (cable) audio and video programming distribution, and 
wired broadband internet services. By exception, establishments 
providing satellite television distribution services using facilities 
and infrastructure that they operate are included in this industry. 
Wired Telecommunications Carriers are also referred to as wireline 
carriers or fixed local service providers.
    24. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2021 Universal Service 
Monitoring Report, as of December 31, 2020, there were 5,183 providers 
that reported they were engaged in the provision of fixed local 
services. Of these providers, the Commission estimates that 4,737 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    25. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses specifically 
applicable to local exchange services. Providers of these services 
include both incumbent and competitive local exchange service 
providers. Wired Telecommunications Carriers is the closest industry 
with an SBA small business size standard. Wired Telecommunications 
Carriers are also referred to as wireline carriers or fixed local 
service providers. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2021 Universal Service 
Monitoring Report, as of December 31, 2020, there were 5,183 providers 
that reported they were fixed local exchange service providers. Of 
these providers, the Commission estimates that 4,737 providers have 
1,500 or fewer employees. Consequently, using the SBA's small business 
size standard, most of these providers can be considered small 
entities.
    26. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the 
Commission nor the SBA have developed a small business size standard 
specifically for incumbent local exchange carriers. Wired 
Telecommunications Carriers is the closest industry with an SBA small 
business size standard. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms in this industry that operated for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2021 Universal Service 
Monitoring Report, as of December 31, 2020, there were 1,227 providers 
that reported they were incumbent local exchange service providers. Of 
these providers, the Commission estimates that 929 providers have 1,500 
or fewer employees. Consequently, using the SBA's small business size 
standard, the

[[Page 29040]]

Commission estimates that the majority of incumbent local exchange 
carriers can be considered small entities.
    27. Competitive Local Exchange Carriers (LECs). Neither the 
Commission nor the SBA has developed a size standard for small 
businesses specifically applicable to local exchange services. 
Providers of these services include several types of competitive local 
exchange service providers. Wired Telecommunications Carriers is the 
closest industry with an SBA small business size standard. The SBA 
small business size standard for Wired Telecommunications Carriers 
classifies firms having 1,500 or fewer employees as small. U.S. Census 
Bureau data for 2017 show that there were 3,054 firms that operated in 
this industry for the entire year. Of this number, 2,964 firms operated 
with fewer than 250 employees. Additionally, based on Commission data 
in the 2021 Universal Service Monitoring Report, as of December 31, 
2020, there were 3,956 providers that reported they were competitive 
local exchange service providers. Of these providers, the Commission 
estimates that 3,808 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
    28. The Commission has included small incumbent LECs in this 
present RFA analysis. As noted above, a ``small business'' under the 
RFA is one that, inter alia, meets the pertinent small-business size 
standard (e.g., a telephone communications business having 1,500 or 
fewer employees) and ``is not dominant in its field of operation.'' The 
SBA's Office of Advocacy contends that, for RFA purposes, small 
incumbent LECs are not dominant in their field of operation because any 
such dominance is not ``national'' in scope. The Commission therefore 
included small incumbent LECs in this RFA analysis, although it 
emphasizes that this RFA action has no effect on Commission analyses 
and determinations in other, non-RFA contexts.
    29. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA have developed a small business size standard specifically for 
Interexchange Carriers. Wired Telecommunications Carriers is the 
closest industry with a SBA small business size standard. The SBA small 
business size standard for Wired Telecommunications Carriers classifies 
firms having 1,500 or fewer employees as small. U.S. Census Bureau data 
for 2017 show that there were 3,054 firms that operated in this 
industry for the entire year. Of this number, 2,964 firms operated with 
fewer than 250 employees. Additionally, based on Commission data in the 
2021 Universal Service Monitoring Report, as of December 31, 2020, 
there were 151 providers that reported they were engaged in the 
provision of interexchange services. Of these providers, the Commission 
estimates that 131 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, the 
Commission estimates that the majority of providers in this industry 
can be considered small entities.
    30. Cable System Operators (Telecom Act Standard). The 
Communications Act of 1934, as amended, contains a size standard for a 
``small cable operator,'' which is ``a cable operator that, directly or 
through an affiliate, serves in the aggregate fewer than one percent of 
all subscribers in the United States and is not affiliated with any 
entity or entities whose gross annual revenues in the aggregate exceed 
$250,000,000.'' For purposes of the Telecom Act Standard, the 
Commission determined that a cable system operator that serves fewer 
than 677,000 subscribers, either directly or through affiliates, will 
meet the definition of a small cable operator based on the cable 
subscriber count established in a 2001 Public Notice. Based on industry 
data, only six cable system operators have more than 677,000 
subscribers. Accordingly, the Commission estimates that the majority of 
cable system operators are small under this size standard. The 
Commission notes however, that the it neither requests nor collects 
information on whether cable system operators are affiliated with 
entities whose gross annual revenues exceed $250 million. Therefore, 
the Commission is unable at this time to estimate with greater 
precision the number of cable system operators that would qualify as 
small cable operators under the definition in the Communications Act.
    31. Other Toll Carriers. Neither the Commission nor the SBA has 
developed a definition for small businesses specifically applicable to 
Other Toll Carriers. This category includes toll carriers that do not 
fall within the categories of interexchange carriers, operator service 
providers, prepaid calling card providers, satellite service carriers, 
or toll resellers. Wired Telecommunications Carriers is the closest 
industry with a SBA small business size standard. The SBA small 
business size standard for Wired Telecommunications Carriers classifies 
firms having 1,500 or fewer employees as small. U.S. Census Bureau data 
for 2017 show that there were 3,054 firms in this industry that 
operated for the entire year. Of this number, 2,964 firms operated with 
fewer than 250 employees. Additionally, based on Commission data in the 
2021 Universal Service Monitoring Report, as of December 31, 2020, 
there were 115 providers that reported they were engaged in the 
provision of other toll services. Of these providers, the Commission 
estimates that 113 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
    32. Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
SBA size standard for this industry classifies a business as small if 
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show 
that there were 2,893 firms in this industry that operated for the 
entire year. Of that number, 2,837 firms employed fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 797 
providers that reported they were engaged in the provision of wireless 
services. Of these providers, the Commission estimates that 715 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    33. Satellite Telecommunications. This industry comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The SBA small business size standard for this 
industry classifies a business with $35 million or less in annual 
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms 
in this industry operated for the entire year. Of this number, 242 
firms had revenue of less than $25 million. Additionally, based on 
Commission data in the 2021 Universal Service

[[Page 29041]]

Monitoring Report, as of December 31, 2020, there were 71 providers 
that reported they were engaged in the provision of satellite 
telecommunications services. Of these providers, the Commission 
estimates that approximately 48 providers have 1,500 or fewer 
employees. Consequently using the SBA's small business size standard, a 
little more than of these providers can be considered small entities.
    34. Local Resellers. Neither the Commission nor the SBA have 
developed a small business size standard specifically for Local 
Resellers. Telecommunications Resellers is the closest industry with a 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 293 
providers that reported they were engaged in the provision of local 
resale services. Of these providers, the Commission estimates that 289 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    35. Toll Resellers. Neither the Commission nor the SBA have 
developed a small business size standard specifically for Toll 
Resellers. Telecommunications Resellers is the closest industry with a 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 518 
providers that reported they were engaged in the provision of toll 
services. Of these providers, the Commission estimates that 495 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    36. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
prepaid calling card providers. Telecommunications Resellers is the 
closest industry with a SBA small business size standard. The 
Telecommunications Resellers industry comprises establishments engaged 
in purchasing access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual network operators (MVNOs) are included in this industry. The 
SBA small business size standard for Telecommunications Resellers 
classifies a business as small if it has 1,500 or fewer employees. U.S. 
Census Bureau data for 2017 show that 1,386 firms in this industry 
provided resale services for the entire year. Of that number, 1,375 
firms operated with fewer than 250 employees. Additionally, based on 
Commission data in the 2021 Universal Service Monitoring Report, as of 
December 31, 2020, there were 58 providers that reported they were 
engaged in the provision of payphone services. Of these providers, the 
Commission estimates that 57 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
    37. All Other Telecommunications. This industry is comprised of 
establishments primarily engaged in providing specialized 
telecommunications services, such as satellite tracking, communications 
telemetry, and radar station operation. This industry also includes 
establishments primarily engaged in providing satellite terminal 
stations and associated facilities connected with one or more 
terrestrial systems and capable of transmitting telecommunications to, 
and receiving telecommunications from, satellite systems. Providers of 
internet services (e.g. dial-up ISPs) or voice over internet protocol 
(VoIP) services, via client-supplied telecommunications connections are 
also included in this industry. The SBA small business size standard 
for this industry classifies firms with annual receipts of $35 million 
or less as small. U.S. Census Bureau data for 2017 show that there were 
1,079 firms in this industry that operated for the entire year. Of 
those firms, 1,039 had revenue of less than $25 million. Based on this 
data, the Commission estimates that the majority of ``All Other 
Telecommunications'' firms can be considered small.

D. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    38. The FNPRM seeks comment on imposing several obligations on 
various providers, many of whom may be small entities. Specifically, 
the FNPRM seeks comment on the types of third-party authentication 
solutions being used by providers and the nature of any agreements or 
relationships with third parties, including whether providers are 
entering into agreements with third parties to perform their 
authentication obligations under the Commission's rules and the ATIS 
technical standards.
    39. The FNPRM seeks comment on whether, and under what 
circumstances, a third party may authenticate calls on behalf of a 
provider with A- or B-level attestations consistent with the ATIS 
standards. To the extent that commenters contend that third parties can 
meet the ATIS standards for signing calls with A- and B-level 
attestations, the FNPRM seeks comment on the specific legal bases for 
that conclusion and the information that must be shared between 
originating providers and third parties for such attestation levels to 
be applied. It also seeks comment on whether the Commission should 
condition any explicit authorization of third-party authentication 
solutions upon any particular restrictions or protections related to 
information sharing, including ensuring that third parties have the 
information needed to apply A-

[[Page 29042]]

or B-level attestations consistent with the ATIS standards.
    40. The FNPRM further seeks comment on whether the Commission 
should amend its rules to explicitly permit third-party authentication 
and any limitations the Commission should place on any such 
authorization, including: (1) whether to limit authorization to 
scenarios akin to those described in the ATIS standards; (2) whether to 
limit authorization to the technical solutions described in the NANC's 
2021 Small Providers Report; (3) whether to only permit third-party 
authentication if the third party signs the call using the provider's 
SPC token; (4) whether to require providers with the authentication 
obligation to make attestation-level determinations; and (5) whether to 
prohibit providers from certifying that they have implemented STIR/
SHAKEN in the Robocall Mitigation Database unless their calls are 
singed with their own SPC token, whether directly or through a third-
party.
    41. The FNPRM seeks comment on whether the Commission should change 
any other rules if certain third-party authentication practices are 
explicitly authorized. In particular, it seeks comment on whether the 
Commission should require providers to explicitly identify certain 
additional information in their Robocall Mitigation Database 
certifications and plans, including: (1) any third-party solutions; (2) 
the identity of the third party providing the solution; and (3) any 
requirements the provider has imposed on the third party to ensure 
compliance with the requirements of the of the ATIS technical standards 
and Commission's rules, and any action taken by the provider to ensure 
compliance with those requirements.
    42. The FNPRM seeks comment on whether there are any other 
compliance or enforcement measures that the Commission should adopt if 
it explicitly authorizes third-party authentication. It also seeks 
comment on whether a rulemaking is necessary to address third-party 
authentication or if another procedural device would be appropriate. To 
the extent that third-party caller ID authentication is explicitly 
authorized, the FNPRM seeks comment on whether the Commission should 
require providers that are not currently required to implement STIR/
SHAKEN because they do not have the facilities necessary to do so or 
are subject to an implementation extension to engage a third-party 
authentication solution for the SIP calls they originate.
    43. Lastly, the FNPRM also seeks comment on whether to eliminate 
the STIR/SHAKEN implementation extension for providers that cannot 
obtain an SPC token.

E. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities and Significant Alternatives Considered

    44. The RFA requires an agency to describe any significant 
alternatives that it has considered in reaching its proposed approach, 
which may include the following four alternatives (among others): (1) 
the establishment of differing compliance or reporting requirements or 
timetables that take into account the resources available to small 
entities; (2) the clarification, consolidation, or simplification of 
compliance and reporting requirements under the rules for such small 
entities; (3) the use of performance rather than design standards; and 
(4) an exemption from coverage of the rule, or any part thereof, for 
such small entities.
    45. The FNPRM seeks comment on the particular impacts that the 
proposed rules may have on small entities. In particular, it seeks 
comment regarding the different types of third-party authentication 
arrangements currently being employed by providers, the prevalence of 
each type of third-party authentication arrangement in the STIR/SHAKEN 
ecosystem, and any available data substantiating how effective they are 
at facilitating the authentication of caller ID information.
    46. The FNPRM seeks comment on whether third-party authentication 
providers are able to satisfy all or any of the ATIS standards, and 
whether the answer to such question is dependent on the nature of the 
relationship between the originating provider and the third party.
    47. The FNPRM seeks comment on the information that must be shared 
between originating providers and third parties for A- or B-level 
attestations to be applied and whether information sharing practices 
implicate any legal or public interest concerns. It seeks comment on 
whether the Commission should condition any explicit authorization of 
third-party authentication practices upon providers ensuring that third 
parties have the information needed to apply A- or B-level attestations 
consistent with the ATIS standards.
    48. The FNPRM seeks comment on whether there is a distinction 
between scenarios in which third parties authenticate calls on behalf 
of a provider and the technical solutions described in the 2021 Small 
Providers Report produced by the NANC. The FNPRM notes that the NANC 
described the technical solutions as a cost-effective means for 
providers--particularly small providers--to implement STIR/SHAKEN 
consistent with the ATIS standards, and sought comment on these 
solutions. The FNPRM seeks comment on whether the Commission should 
limit any authorization of third-party authentication to the technical 
solutions described in the NANC's 2021 Small Provider Report. It also 
seeks comment on only permitting third-party authentication if the 
third party signs the call using the provider's SPC token and 
prohibiting providers from certifying that they have implemented STIR/
SHAKEN in the Robocall Mitigation Database unless their calls are 
signed with their own SPC token. In so doing, it specifically seeks 
comment on whether the ability to obtain an SPC token is likely to 
present a barrier to providers' compliance with such a requirement.
    49. The FNPRM further seeks comment on the full range of potential 
benefits that could result from authorization of different third-party 
authentication arrangements, as well as the potential pitfalls of 
third-party authentication. It also seeks comment on the specific costs 
that would be incurred and gains that would be realized if the 
Commission were to explicitly authorize or prohibit specific third-
party authentication practices. In addition, the FNPRM seeks comment on 
whether there are any other rules that the Commission would need to 
change if it were to explicitly authorize certain third-party 
authentication practices. Moreover, if third-party caller ID 
authentication is explicitly permitted, the FNPRM seeks comment on 
whether to require providers that are not currently required to 
implement STIR/SHAKEN because they do not have the facilities necessary 
to do so or are subject to an implementation extension to engage a 
third-party authentication solution for the SIP calls they originate.
    50. Lastly, the FNPRM seeks comment on whether to eliminate the 
STIR/SHAKEN implementation for providers that cannot obtain an SPC 
token, as well as any benefits or drawbacks to retaining the extension.
    51. Small entities may provide input in these areas addressing, 
among other considerations, any particular implementation challenges 
faced by small entities. The Commission expects to evaluate the 
economic impact on small entities, as identified in comments filed in 
response to the Further Notice and this IRFA, in reaching its final 
conclusions and taking action in this proceeding.

[[Page 29043]]

F. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    52. None.

III. Procedural Matters

    53. Initial Regulatory Flexibility Analysis. As required by the 
Regulatory Flexibility Act of 1980 (RFA), the Commission has prepared 
an Initial Regulatory Flexibility Analysis (IRFA) of the possible 
significant economic impact on small entities of the policies and rules 
addressed in this FNPRM. The IRFA is set forth above. Written public 
comments are requested on the IRFA. Comments must be filed by the 
deadlines for comments on the FNPRM indicated on the first page of this 
document and must have a separate and distinct heading designating them 
as responses to the IRFA. The Commission's Consumer and Governmental 
Affairs Bureau, Reference Information Center, will send a copy of this 
FNPRM, including the IRFA, to the Chief Counsel for Advocacy of the 
SBA.
    54. Paperwork Reduction Act. The FPRM may contain proposed new and 
revised information collection requirements. The Commission, as part of 
its continuing effort to reduce paperwork burdens, invites the general 
public and OMB to comment on the information collection requirements 
contained in this document, as required by the Paperwork Reduction Act 
of 1995, Public Law 104-13. In addition, pursuant to the Small Business 
Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C 
3506(c)(4), the Commission seeks specific comment on how we might 
further reduce the information collection burden for small business 
concerns with fewer than 25 employees.

IV. Ordering Clauses

    55. Accordingly, it is ordered that, pursuant to sections 4(i), 
4(j), 201, 202, 217, 227, 227b, 251(e), and 303(r) of the 
Communications Act of 1934, as amended, 47 U.S.C. 154(i), 154(j), 201, 
202, 217, 227, 227b, 251(e), and 303(r), this FNPRM is adopted.
    56. It is further ordered that the Commission's Consumer and 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this FNPRM, including the IRFA analysis, to the Chief Counsel 
for Advocacy of the SBA.

Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2023-09543 Filed 5-4-23; 8:45 am]
BILLING CODE 6712-01-P